CN110087338B - Method and equipment for authenticating narrowband Internet of things - Google Patents

Info

Publication number: CN110087338B
Application number: CN201910330355.XA
Authority: CN (China)
Prior art keywords: terminal, base station, authentication, autn, mme entity
Legal status: Active (Google lists this status as an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN110087338A (en)
Inventors: 吕叶青, 王昕�
Current assignee: Hisense Co Ltd
Original assignee: Hisense Co Ltd

Events
  • Application filed by Hisense Co Ltd
  • Priority to CN201910330355.XA
  • Publication of CN110087338A
  • Application granted
  • Publication of CN110087338B
  • Legal status: Active (current)
  • Anticipated expiration

Classifications

    • H: Electricity
        • H04: Electric communication technique
            • H04L: Transmission of digital information, e.g. telegraphic communication
                • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
                    • H04L9/32: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/321: involving a third party or a trusted authority
                            • H04L9/3213: using tickets or tokens, e.g. Kerberos
            • H04W: Wireless communication networks
                • H04W12/00: Security arrangements; authentication; protecting privacy or anonymity
                    • H04W12/06: Authentication
                • H04W74/00: Wireless channel access
                    • H04W74/08: Non-scheduled access, e.g. ALOHA
                        • H04W74/0833: Random access procedures, e.g. with 4-step access
                • H04W76/00: Connection management
                    • H04W76/30: Connection release

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a method and equipment for authenticating a narrowband Internet of things, which address the problem in the prior art that no authentication is performed when a small data packet is transmitted in the random access Msg3 message, which introduces a potential safety hazard. The terminal generates an authentication quadruplet according to the RAND in the received RRC connection release request, where the RRC connection release request is sent by the MME entity through the base station; after determining that the AUTN in the authentication quadruplet is the same as the AUTN in that RRC connection release request, the terminal sends a random access Msg3 message containing a small data packet and an RES to the base station, so that the base station processes the small data packet after the MME entity has authenticated the terminal according to the RES. Thus the terminal authenticates the network before transmitting data, and the network authenticates the terminal before accepting the data, which improves security.

Description

Method and equipment for authenticating narrow-band Internet of things
Technical Field
The invention relates to the technical field of communication, in particular to a method and equipment for authenticating a narrowband Internet of things.
Background
At present, cellular Internet of things technology is widely applied in IoT scenarios such as intelligent meter reading and environment monitoring because of its low power consumption and wide coverage. In these scenarios small data packets are sent infrequently, yet because of the sheer number of devices the IoT equipment can still cause large signaling overhead on the base station side. When IoT equipment is in the non-connected state and an upper layer triggers a data sending process, the terminal needs to establish a data link with the network;
on the air interface side, the data-plane-based data transmission flow comprises signaling such as random access (Msg1/2/3), attach request, Radio Resource Control (RRC) configuration and RRC configuration complete; control-plane-based data transmission involves random access (Msg1/2/3), attach request, RRC direct transfer and similar signaling. For an IoT terminal that only needs to exchange small data packets, the signaling overhead and time-frequency resources consumed in establishing the data link exceed those consumed by the data transmission itself.
For the above scenario, the prior art carries the small data packet in a certain uplink signaling message when the control plane carries data, namely uplink data transmission through the random access Msg3, so as to reduce signaling overhead and the occupation of time-frequency resources. However, when the small data packet is transmitted through the random access Msg3, as shown in fig. 1 (the flow chart of data transmission through Msg3), a random access request is followed by an attach request, and the authentication flow is performed only after the attach request; no authentication is required when the data link is established. Therefore, when the small data packet is transmitted through the random access Msg3, no authentication is performed before the random access process, and a potential safety hazard is introduced.
Disclosure of Invention
The invention provides a method and equipment for authenticating a narrowband Internet of things, which solve the problem in the prior art that no authentication is performed, and a potential safety hazard is therefore introduced, when a small data packet is transmitted through the random access Msg3.
In a first aspect, an embodiment of the present invention provides a method for authenticating a narrowband internet of things, where the method is applied to a terminal, and the method includes:
the terminal generates an authentication quadruplet according to a random number (RAND) in a received Radio Resource Control (RRC) connection release request, wherein the RRC connection release request is sent by a Mobility Management Entity (MME) through a base station;
after determining that the AUTN (Authentication Token) in the authentication quadruplet is the same as the AUTN in the RRC connection release request sent by the MME entity through the base station, the terminal sends a random access Msg3 message containing a small data packet and an RES (Response) to the base station, so that the base station processes the small data packet after the MME entity passes authentication on the terminal according to the RES.
In the method, when receiving the RRC connection release request sent by the MME entity through the base station, the terminal determines the RAND and the AUTN carried in it, generates the authentication quadruplet according to the RAND, and compares the AUTN in the generated quadruplet with the AUTN carried in the request; only after determining that the two are the same does it send the random access Msg3 message containing the small data packet and the RES to the base station. In this process the terminal authenticates the network, using the received RAND and AUTN, before sending the Msg3 message containing the small data packet, and sends that message only after the network has passed authentication, so that security is improved.
In a possible implementation manner, before the terminal generates an authentication quadruplet according to the RAND in the received RRC connection release request, the terminal determines that the RAND and AUTN in the RRC connection release request are valid.
According to the method, the terminal generates the authentication quadruplet according to the RAND in the received RRC connection release request after the RAND and the AUTN in the received RRC connection release request are valid, so that the accuracy of the generated authentication quadruplet is ensured, and the accuracy of authentication is further ensured.
In one possible implementation manner, the terminal determines whether RAND and AUTN in the RRC connection release request are valid by:
the terminal determines a sequence number SQN according to the RAND and the AUTN in the RRC connection release request;
if the terminal determines that the sequence number (SQN) is greater than the maximum value SQN_UE among the prestored SQNs, it determines that the RAND and the AUTN in the RRC connection release request are valid; otherwise it determines that they are invalid.
In the method, the terminal determines the SQN according to the RAND and the AUTN in the RRC connection release request and determines whether the RAND and the AUTN in the received RRC connection release request are valid according to the SQN, so that the valid AUTN can be calculated according to the RAND, the authentication accuracy is ensured, and the safety is further ensured.
In a second aspect, an embodiment of the present invention provides a method for authenticating a narrowband internet of things, where the method is applied to an MME entity, and the method includes:
the MME entity carries the received RAND and AUTN sent by the HSS (Home Subscriber Server) in the RRC connection release request and sends the RRC connection release request to the terminal through the base station, so that the terminal authenticates the network according to the RAND and AUTN;
the MME entity authenticates the terminal according to the received RES sent by the base station, wherein the RES is carried in a random access Msg3 message sent to the base station after the terminal determines that the network authentication is passed;
and the MME entity informs a base station to process the small data packet in the random access Msg3 message after the authentication of the terminal is passed.
In the method, the MME entity carries the received RAND and AUTN in the RRC connection release request and sends it to the terminal through the base station, so that the terminal authenticates the network according to the received RAND and AUTN before sending a small data packet. After receiving the RES, which the terminal carries in the random access Msg3 message sent to the base station once it has determined that the network passed authentication, the MME entity authenticates the terminal according to the RES; after determining that the terminal passed authentication, the MME entity informs the base station, so that the base station processes the small data packet in the random access Msg3 message. Authentication is therefore performed twice when a small data packet is transmitted through the random access Msg3 message: the terminal sends the packet only to a network it has verified, and the network accepts the packet only from a terminal it has verified, which improves security.
In a possible implementation manner, the MME entity sends to the HSS a terminal identifier received from the base station, where the terminal identifier is determined by the base station according to the UE-ID (User Identification, terminal identity) carried in the random access Msg3 message that the terminal sends after determining that the network authentication is passed;
and when the MME entity authenticates the terminal according to the RES, the MME entity authenticates the terminal according to the received RES sent by the base station and the received XRES (Expected Response) corresponding to the terminal identifier returned by the HSS.
According to the method, a specific scheme by which the MME entity authenticates the terminal is given: the terminal is authenticated according to the RES received from the terminal and the XRES returned by the HSS for the terminal identifier, so that the legitimacy of the terminal is determined and the authentication is more accurate.
In a third aspect, an embodiment of the present invention provides a method for authenticating a narrowband internet of things, where the method is applied to a base station, and the method includes:
a base station receives a random access Msg3 message which is sent by a terminal after the terminal passes the network authentication and contains a small data packet and RES;
the base station sends RES in the random access Msg3 message to an MME entity so that the MME entity authenticates the terminal according to the RES;
and the base station processes the small data packet in the random access Msg3 message after determining that the terminal passes the authentication according to the authentication notification of the MME entity.
In the method, the base station receives the random access Msg3 message which is sent by the terminal after the network authentication is passed and carries the small data packet and the RES, and sends the RES to the MME entity, so that the MME entity authenticates the terminal according to the RES, receives the notification sent by the MME entity after the terminal authentication is passed, and further processes the received small data packet.
In a possible implementation manner, the base station sends a terminal identifier, determined according to the UE-ID in the random access Msg3 message, to the MME entity, so that the MME entity authenticates the terminal according to the RES and the received XRES corresponding to that terminal identifier returned by the HSS.
In a fourth aspect, an embodiment of the present invention provides a terminal, where the terminal includes: at least one processing unit and at least one memory unit, wherein the memory unit stores program code, and when the program code is executed by the processing unit, the processing unit is specifically configured to:
generating an authentication quadruplet according to the RAND in the received RRC connection release request, wherein the RRC connection release request is sent by a Mobile Management Entity (MME) entity through a base station;
and after determining that the authentication token AUTN in the authentication quadruplet is the same as the AUTN in the RRC connection release request sent by the MME entity through the base station, sending a random access Msg3 message containing a small data packet and an authentication response RES to the base station, so that the base station processes the small data packet after the MME entity passes the authentication of the terminal according to the RES.
In a fifth aspect, an embodiment of the present invention provides an MME entity, where the MME entity includes: at least one processing unit and at least one storage unit, wherein the storage unit stores program code, and when the program code is executed by the processing unit, the processing unit is specifically configured to:
the received RAND and AUTN sent by the HSS are carried in an RRC connection release request and are sent to the terminal through the base station, so that the terminal authenticates the network according to the RAND and AUTN;
authenticating the terminal according to the received RES sent by the base station, wherein the RES is carried in a random access Msg3 message sent to the base station after the terminal determines that the network authentication is passed;
and after the authentication of the terminal is passed, informing a base station to process the small data packet in the random access Msg3 message.
In a sixth aspect, an embodiment of the present invention provides a base station, where the base station includes: at least one processing unit and at least one memory unit, wherein the memory unit stores program code, and when the program code is executed by the processing unit, the processing unit is specifically configured to:
receiving a random access Msg3 message which is sent by a terminal after the network authentication is determined to pass and contains a small data packet and RES;
sending RES in the random access Msg3 message to an MME entity so that the MME entity authenticates a terminal according to the RES;
and processing the small data packet in the random access Msg3 message after the authentication of the terminal is determined to pass according to the authentication notification of the MME entity.
In addition, for technical effects brought by any one implementation manner of the fourth aspect to the sixth aspect, reference may be made to technical effects brought by different implementation manners of the first aspect to the third aspect, and details are not described herein again.
These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiments described hereinafter.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
FIG. 1 is a prior art NAS security flow diagram;
fig. 2 is a structural diagram of a system for authenticating a narrowband internet of things according to an embodiment of the present invention;
fig. 3 is a flowchart of an overall method for authenticating a narrowband internet of things according to an embodiment of the present invention;
fig. 4 is a first terminal structure diagram according to an embodiment of the present invention;
fig. 5 is a structural diagram of a second terminal according to an embodiment of the present invention;
fig. 6 is a first MME entity structure diagram according to an embodiment of the present invention;
fig. 7 is a second MME entity structure diagram according to an embodiment of the present invention;
fig. 8 is a first base station structure diagram according to an embodiment of the present invention;
fig. 9 is a structural diagram of a second base station according to an embodiment of the present invention;
fig. 10 is a flowchart of a method for authenticating a narrowband internet of things applied to a terminal according to an embodiment of the present invention;
fig. 11 is a flowchart of a method for authenticating a narrowband internet of things applied to an MME entity according to an embodiment of the present invention;
fig. 12 is a flowchart of a method for authenticating a narrowband internet of things applied to a base station according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
1. In the embodiment of the present invention, the term "and/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
2. In the embodiment of the present invention, a "terminal" is a device having a wireless communication function, and may be a mobile phone, a tablet computer (pad), a computer with a wireless transceiving function, a Mobile Station (MS), and the like.
3. The authentication quadruplet in the embodiment of the invention is the set of parameters used in the authentication and security procedures, and mainly comprises: RAND, AUTN, XRES, K_ASME.
Because a terminal in an NB-IoT (cellular-based Narrow Band Internet of Things) system has a strong power-saving requirement, when the terminal's service ends it quickly returns to the idle state to achieve lower power consumption; for a terminal that supports only the control plane, the MME entity sends an RRC connection release request to the base station, and the base station forwards the received RRC connection release request to the terminal;
the embodiment of the invention carries authentication parameters in the RRC connection release request; the terminal authenticates the network according to the authentication parameters in the received RRC connection release request, and once the network is authenticated it sends a small data packet and RES to the base station through Msg3 so that the network authenticates the terminal according to the RES. Because the terminal authenticates the network before sending the Msg3 message, the safety of the network is ensured and potential safety hazards are reduced.
The network architecture and the service scenario described in the embodiment of the present invention are for more clearly illustrating the technical solution of the embodiment of the present invention, and do not form a limitation on the technical solution provided in the embodiment of the present invention, and it can be known by a person of ordinary skill in the art that the technical solution provided in the embodiment of the present invention is also applicable to similar technical problems with the evolution of the network architecture and the occurrence of a new service scenario.
As shown in fig. 2, a structure diagram of a system for performing authentication according to an embodiment of the present invention is shown, where the system includes: a terminal 10, an MME entity 20 and a base station 30.
The terminal 10 is configured to: generating an authentication quadruplet according to the RAND in the received RRC connection release request, wherein the RRC connection release request is sent by the MME entity through the base station 30; after determining that the AUTN in the authentication quadruplet is the same as the AUTN in the received RRC connection release request sent by the MME entity 20 through the base station 30, sending a random access Msg3 message including a small data packet and an RES to the base station 30, so that the base station 30 processes the small data packet after the MME entity 20 passes authentication on the terminal 10 according to the RES;
the MME entity 20 is configured to: the received RAND and AUTN sent by the HSS are carried in an RRC connection release request and are sent to the terminal 10 through the base station 30, so that the terminal 10 authenticates the network according to the RAND and AUTN; authenticating the terminal 10 according to the received RES sent by the base station 30, wherein the RES is carried in a random access Msg3 message sent by the base station 30 after the terminal 10 determines that the network authentication is passed; after the authentication of the terminal 10 is passed, the base station 30 is informed to process the small data packet in the random access Msg3 message;
the base station 30 is configured to: receiving a random access Msg3 message which is sent by a terminal 10 and contains a small data packet and RES after the network authentication is determined to pass; sending RES in the random access Msg3 message to MME entity 20, so that MME entity 20 authenticates terminal 10 according to the RES; and processing the small data packet in the random access Msg3 message after determining that the terminal 10 passes the authentication according to the authentication notification of the MME entity 20.
In the scheme, when receiving an RRC connection release request sent by the MME entity through the base station, the terminal determines the RAND and the AUTN carried in the request, generates an authentication quadruplet according to the RAND, and compares the AUTN in the generated quadruplet with the AUTN carried in the request. After determining that the two are the same, it sends a random access Msg3 message containing a small data packet and an RES to the base station; the base station forwards the received RES to the MME entity, the MME entity authenticates the terminal according to the RES and, after the authentication is passed, notifies the base station to process the received small data packet;
in this process, before sending the Msg3 message containing the small data packet and the RES, the terminal authenticates the network according to the received RAND and AUTN, sending the Msg3 message only after determining that the AUTN in its authentication quadruplet is the same as the AUTN in the RRC connection release request sent by the MME entity through the base station; and the base station, having received the Msg3 message, processes the small data packet only after the MME entity has confirmed the legitimacy of the terminal according to the RES.
In the embodiment of the present invention, the RRC connection release request is sent by the MME entity to the base station when the terminal service ends and the terminal needs to return quickly to the idle state; the request carries a RAND for generating the authentication quadruplet used in the next transmission and an AUTN for performing network authentication.
The RAND and the AUTN in the RRC connection release request are returned by the HSS, computed with a preset authentication encryption algorithm and the secret key K value, after the MME entity sends an Authentication Data Request to the HSS;
the authentication data request carries the terminal identifier, the number of authentication parameters the MME entity needs to acquire, and the like;
the terminal identifier is used for uniquely identifying the terminal device, and specifically includes, but is not limited to, part or all of the following:
IMSI (International Mobile Subscriber Identity), USIM (Universal Subscriber Identity Module).
After receiving the request, the HSS feeds the following parameters into the preset authentication encryption algorithm and generates an authentication quadruplet with the preset secret key K value.
The input parameters are: RAND, SQN, LTE K (Long Term Evolution Key), SN ID (Service Node Identification);
RAND: a random number the HSS generates for each authentication run of each user, serving as the key input variable of that authentication;
SQN: a sequence number maintained by the HSS and synchronized after each successful authentication (i.e. after authentication passes);
LTE K: the key written into the HSS when the user opens an account and signs a contract;
SN ID: the PLMN ID (Public Land Mobile Network identity) currently serving the user.
The generated authentication quadruplet comprises: RAND, AUTN, XRES, K_ASME.
RAND: the input of each authentication calculation; the random number is transmitted to the terminal so that the terminal generates its own authentication quadruplet from it for authentication;
AUTN: a calculation result transmitted to the terminal so that the terminal authenticates the network according to it;
XRES: a calculation result transmitted to the MME entity so that the MME entity authenticates the terminal according to it;
K_ASME: the source from which all ciphering and integrity keys are derived; the calculation result is transmitted to the MME entity so that the MME entity can use it to generate the NAS-layer ciphering key K_NASenc and the NAS-layer integrity protection key K_NASint, which cipher and integrity-protect the signaling messages between the MME entity and the terminal.
And after determining the authentication quadruplet, the HSS sends the RAND and the AUTN in the generated authentication quadruplet to the MME entity.
And the MME entity carries the received RAND and AUTN in the RRC connection release request and sends the RRC connection release request to the base station.
And the base station transmits the received RRC connection release request to the terminal.
It should be noted that, in the embodiment of the present invention, the HSS may further send the K_ASME together with the RAND and the AUTN to the MME entity; the MME entity determines a K_ASME index value according to the K_ASME and sends the determined index value to the base station together with the RAND and the AUTN; and the base station transmits the received K_ASME index value, RAND and AUTN to the terminal, so that the terminal determines, according to the K_ASME index value, the ciphering and integrity protection of the signalling messages between the MME entity and the terminal.
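A worked example of the key-derivation step the note above refers to, added here and not part of the patent or of Hisense's code: given K_ASME, derive K_NASenc and K_NASint, and step a K_ASME index for the terminal. The KDF shape (HMAC-SHA256 over FC || P0 || L0 || P1 || L1, keeping the 128 least significant bits) and the constants FC = 0x15 and type distinguishers 0x01/0x02 follow 3GPP TS 33.401 Annex A as I recall it; the page does not state them, so treat them as assumptions to be checked against the specification before relying on them. The algorithm identities, the 3-bit index wrap and the sample K_ASME value are constructed for the illustration.

```python
import hashlib
import hmac

# Constants assumed from 3GPP TS 33.401 Annex A (not stated on the page; verify against the spec).
FC_ALGORITHM_KEY = 0x15   # FC value for algorithm-specific key derivation
NAS_ENC_ALG = 0x01        # algorithm type distinguisher: NAS ciphering
NAS_INT_ALG = 0x02        # algorithm type distinguisher: NAS integrity

# Constructed sample K_ASME (256 bits); a real one comes from the HSS/USIM.
SAMPLE_K_ASME = hashlib.sha256(b"constructed K_ASME for the example").digest()


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF shape: HMAC-SHA256(key, FC || P0 || L0 || P1 || L1 ...),
    where each Li is the two-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_nas_keys(k_asme: bytes, enc_alg_id: int, int_alg_id: int) -> dict:
    """Derive K_NASenc and K_NASint from K_ASME for the chosen NAS algorithms.
    The 128 least significant bits of the 256-bit KDF output become the key."""
    if len(k_asme) != 32:
        raise ValueError("K_ASME is a 256-bit key")
    k_enc = kdf(k_asme, FC_ALGORITHM_KEY, bytes([NAS_ENC_ALG]), bytes([enc_alg_id]))[16:]
    k_int = kdf(k_asme, FC_ALGORITHM_KEY, bytes([NAS_INT_ALG]), bytes([int_alg_id]))[16:]
    return {"K_NASenc": k_enc, "K_NASint": k_int}


def next_kasme_index(current: int) -> int:
    """Assumed 3-bit K_ASME index: values 0..6 name a key, 7 is reserved for 'no key',
    so the index wraps from 6 back to 0 when a new K_ASME is taken into use."""
    if not 0 <= current <= 6:
        raise ValueError("index must be in 0..6")
    return (current + 1) % 7


if __name__ == "__main__":
    keys = derive_nas_keys(SAMPLE_K_ASME, enc_alg_id=2, int_alg_id=2)
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
    print("next K_ASME index after 6:", next_kasme_index(6))
```

The two NAS keys differ even when the same algorithm identity is used for ciphering and integrity, because the type distinguisher enters the KDF input; changing only the ciphering algorithm identity changes K_NASenc and leaves K_NASint untouched, which is what lets the MME and the terminal agree on each key independently from the K_ASME index they share.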
After receiving the RAND and the AUTN in the RRC connection release request sent by the MME entity through the base station, the terminal calculates the SQN according to the RAND and the AUTN in the RRC connection release request, compares the calculated SQN with the maximum SQN among the prestored SQN_UE values, and determines whether the RAND and the AUTN in the received RRC connection release request are valid according to the comparison result;
if the terminal determines that the calculated SQN is larger than the maximum prestored SQN_UE, it determines that the RAND and the AUTN in the received RRC connection release request are valid, and after determining that they are valid, generates an authentication quadruplet according to the valid RAND; or
if the terminal determines that the calculated SQN is not greater than the maximum prestored SQN_UE, it determines that the RAND and the AUTN in the received RRC connection release request are invalid and sends indication information to the base station to regenerate the RAND and the AUTN, so that the terminal continues to execute the step of judging whether the RAND and the AUTN are valid according to the newly received RAND and AUTN.
In the embodiment of the invention, after the terminal determines that the RAND and the AUTN in the RRC connection release request are valid, the terminal generates an authentication quadruplet from the RAND in the RRC connection release request by means of a preset authentication encryption algorithm and a secret key K value, wherein the authentication quadruplet comprises: RAND, AUTN, RES, K_ASME.
Further, the terminal compares the AUTN in the authentication quadruplet generated according to the RAND in the RRC connection release request with the AUTN in the received RRC connection release request;
if the AUTN in the generated authentication quadruplet is the same as the AUTN in the received RRC connection release request, sending a random access Msg3 message carrying a small data packet to the base station; or
If the AUTN in the generated authentication quadruplet is different from the AUTN in the received RRC connection release request, stopping sending the random access Msg3 message to the base station;
the random access Msg3 message sent by the terminal to the base station further includes: RES, UE-ID, etc.
A base station receives an Msg3 message sent by a terminal, and determines a terminal identifier according to a UE-ID in the Msg3 message;
the UE-ID is the globally unique temporary identifier (GUTI) used by the terminal the last time it accessed the network, that is, the old-GUTI, and the UE-ID is used to obtain the terminal identifier during the identity authentication process on the network side.
And after determining the terminal identifier, the base station sends the terminal identifier and the RES in the Msg3 message to the MME entity.
And the MME entity transmits the received terminal identification to the HSS.
And after receiving the terminal identification sent by the MME entity, the HSS generates an authentication quadruple through a preset authentication encryption algorithm and a secret key K value, and returns XRES in the generated authentication quadruple to the MME entity.
And the MME entity receives the XRES returned by the HSS and authenticates the terminal according to the received RES sent by the base station and the received expected response XRES corresponding to the terminal identifier returned by the HSS.
And when the terminal is authenticated according to the received RES sent by the base station and the received expected response XRES corresponding to the terminal identifier returned by the HSS, comparing the XRES returned by the HSS with the received RES sent by the base station, if the XRES is the same as the RES, determining that the terminal passes the authentication, and otherwise, determining that the terminal does not pass the authentication.
And after the MME entity passes the authentication of the terminal, sending a notification that the authentication passes to the base station.
And after receiving the notification of passing the terminal authentication returned by the MME entity, the base station processes the small data packet carried in the random access Msg3 message sent by the terminal.
As shown in fig. 3, a flowchart of an overall method for performing authentication according to an embodiment of the present invention specifically includes the following steps:
step 300, the MME entity sends an RRC connection release request carrying the RAND and the AUTN to a base station;
step 310, the base station transparently transmits the received RRC connection release request carrying the RAND and the AUTN to the terminal;
step 320, the terminal determines the SQN according to the RAND and the AUTN in the RRC connection release request, determines the effectiveness of the RAND and the AUTN in the RRC connection release request according to the determined SQN, and generates an authentication quadruplet according to the RAND;
step 330, the terminal determines that the AUTN in the generated authentication quadruplet is the same as the AUTN carried in the RRC connection release request;
step 340, the terminal carries the RES, the small data packet and the UE-ID in the determined authentication quadruplet in the Msg3 and sends the Msg3 to the base station;
step 350, after receiving the Msg3, the base station determines a terminal identifier according to the UE-ID in the Msg3;
step 360, the base station sends the determined terminal identifier and the RES in the Msg3 to the MME entity;
step 370, after receiving the terminal identifier sent by the base station, the MME entity sends the terminal identifier to the HSS;
step 380, after receiving the terminal identifier sent by the MME entity, the HSS generates an authentication quadruplet through a preset authentication encryption algorithm and a secret key K value;
step 390, the HSS returns the XRES in the generated authentication quadruplet to the MME entity;
step 391, the MME entity determines that the received XRES and RES are the same;
step 392, the MME entity returns an authentication notice that the terminal authentication passes to the base station;
step 393, after the base station receives the authentication notification returned by the MME entity and determines that the terminal passes the authentication, the base station processes the received small data packet in the Msg3.
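The exchange in the steps above, as an added example that is not part of the patent: a Python model of HSS quadruplet generation, the terminal's SQN freshness check and AUTN comparison, the Msg3 carrying RES and the old-GUTI, and the MME's RES/XRES comparison. The keyed functions are HMAC-SHA256 stand-ins for the unspecified "preset authentication encryption algorithm"; the AUTN layout (SQN xor AK || MAC), the base station's GUTI-to-identifier table and the HSS remembering the RAND it issued are assumptions.

```python
"""Toy model of the NB-IoT small-data authentication exchange (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class AuthQuadruplet:
    rand: bytes
    autn: bytes
    res: bytes       # XRES when derived by the HSS, RES when derived by the terminal
    k_asme: bytes


def _f(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    """One HMAC-SHA256 derivation stands in for the algorithm's functions (assumption)."""
    h = hmac.new(k, tag, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


def generate_quadruplet(k: bytes, rand: bytes, sqn: int) -> AuthQuadruplet:
    """Derive (RAND, AUTN, XRES, K_ASME) from K, RAND and SQN.
    AUTN = (SQN xor AK) || MAC: the receiver recovers SQN with AK, then checks MAC."""
    sqn_b = sqn.to_bytes(6, "big")
    ak = _f(k, b"AK", rand)[:6]                  # anonymity key hides SQN on the air
    mac = _f(k, b"MAC", rand, sqn_b)[:8]         # binds RAND and SQN to K
    autn = bytes(a ^ b for a, b in zip(sqn_b, ak)) + mac
    return AuthQuadruplet(rand, autn, _f(k, b"RES", rand)[:8],
                          _f(k, b"KASME", rand, sqn_b))


class HSS:
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers           # terminal identifier -> long-term key K
        self.sqn = {imsi: 0 for imsi in subscribers}
        self.issued = {}                         # terminal identifier -> (RAND, SQN) issued

    def new_challenge(self, imsi: str):
        """Step 300 input: a fresh RAND/AUTN for the MME to carry in the release request."""
        self.sqn[imsi] += 1
        rand = secrets.token_bytes(16)
        self.issued[imsi] = (rand, self.sqn[imsi])
        q = generate_quadruplet(self.subscribers[imsi], rand, self.sqn[imsi])
        return q.rand, q.autn

    def expected_response(self, imsi: str) -> bytes:
        """Steps 380-390: regenerate the quadruplet for the identifier, return only XRES."""
        rand, sqn = self.issued[imsi]
        return generate_quadruplet(self.subscribers[imsi], rand, sqn).res


class Terminal:
    def __init__(self, k: bytes, old_guti: str, sqn_ue_max: int = 0):
        self.k, self.ue_id, self.sqn_ue_max = k, old_guti, sqn_ue_max

    def recover_sqn(self, rand: bytes, autn: bytes) -> int:
        ak = _f(self.k, b"AK", rand)[:6]
        return int.from_bytes(bytes(a ^ b for a, b in zip(autn[:6], ak)), "big")

    def on_rrc_connection_release(self, rand: bytes, autn: bytes, small_data: bytes):
        """Steps 320-340. Returns (status, msg3): 'regenerate' asks for a fresh
        RAND/AUTN (stale SQN), 'stop' means the AUTN check failed, 'ok' carries Msg3."""
        sqn = self.recover_sqn(rand, autn)
        if sqn <= self.sqn_ue_max:               # replayed or out-of-order challenge
            return "regenerate", None
        quad = generate_quadruplet(self.k, rand, sqn)
        if not hmac.compare_digest(quad.autn, autn):
            return "stop", None                  # network authentication failed
        self.sqn_ue_max = sqn
        return "ok", {"ue_id": self.ue_id, "res": quad.res, "data": small_data}


def mme_authenticate(hss: HSS, guti_to_imsi: dict, msg3: dict) -> bool:
    """Steps 350-391: base station maps UE-ID (old-GUTI) to the terminal identifier,
    the MME compares the HSS's XRES with the RES from Msg3 in constant time."""
    imsi = guti_to_imsi[msg3["ue_id"]]
    return hmac.compare_digest(hss.expected_response(imsi), msg3["res"])


def small_data_transmission(hss, guti_to_imsi, terminal, imsi, data):
    """Whole exchange; returns the small data packet the base station may process,
    or None when the terminal refused or the MME rejected the RES."""
    rand, autn = hss.new_challenge(imsi)
    status, msg3 = terminal.on_rrc_connection_release(rand, autn, data)
    if status != "ok":
        return None
    return msg3["data"] if mme_authenticate(hss, guti_to_imsi, msg3) else None


if __name__ == "__main__":
    K = bytes(range(16))                         # constructed sample key
    hss, ue = HSS({"imsi-001": K}), Terminal(K, "old-guti-1")
    print(small_data_transmission(hss, {"old-guti-1": "imsi-001"}, ue, "imsi-001", b"t=21.5"))
```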
As shown in fig. 4, a first structure diagram of a terminal provided in an embodiment of the present invention includes: at least one processing unit 400 and at least one storage unit 410, wherein the storage unit 410 stores program code, and when the program code is executed by the processing unit 400, the processing unit 400 is specifically configured to:
generating an authentication quadruplet according to the RAND in the received RRC connection release request, wherein the RRC connection release request is sent by a Mobile Management Entity (MME) entity through a base station;
and after determining that the authentication token AUTN in the authentication quadruplet is the same as the AUTN in the RRC connection release request sent by the MME entity through the base station, sending a random access Msg3 message containing a small data packet and an authentication response RES to the base station, so that the base station processes the small data packet after the MME entity passes the authentication of the terminal according to the RES.
Optionally, the processing unit 400 is further configured to:
and after determining that the RAND and the AUTN in the RRC connection release request are valid, generating an authentication quadruplet according to the received RAND in the RRC connection release request.
Optionally, the processing unit 400 is further configured to determine whether RAND and AUTN in the RRC connection release request are valid by:
determining a sequence number SQN according to the RAND and the AUTN in the RRC connection release request;
if the SQN is determined to be larger than the maximum prestored SQN_UE, the RAND and the AUTN in the RRC connection release request are determined to be valid; otherwise, the RAND and the AUTN in the RRC connection release request are determined to be invalid.
As shown in fig. 5, a second terminal structure diagram provided in an embodiment of the present invention includes: a generating module 500 and a first transmitting module 510;
the generating module 500 is configured to: generating an authentication quadruplet according to the RAND in the received RRC connection release request, wherein the RRC connection release request is sent by the MME entity through the base station;
the first sending module 510 is configured to: and after determining that the AUTN in the authentication quadruplet is the same as the AUTN in the RRC connection release request sent by the MME entity through the base station, sending a random access Msg3 message containing a small data packet and an authentication response RES to the base station, so that the base station processes the small data packet after the MME entity passes the authentication of the terminal according to the RES.
Optionally, the generating module 500 is further configured to:
and after determining that the RAND and the AUTN in the RRC connection release request are valid, generating an authentication quadruplet according to the RAND in the received RRC connection release request.
Optionally, the generating module 500 determines whether RAND and AUTN in the RRC connection release request are valid by:
determining a sequence number SQN according to the RAND and the AUTN in the RRC connection release request;
if the SQN is determined to be larger than the maximum prestored SQN_UE, determining that the RAND and the AUTN in the RRC connection release request are valid; otherwise, determining that the RAND and the AUTN in the RRC connection release request are invalid.
As shown in fig. 6, a first MME entity structure diagram provided in the embodiment of the present invention includes: at least one processing unit 600 and at least one storage unit 610, where the storage unit 610 stores program code, and when the program code is executed by the processing unit 600, the processing unit 600 is specifically configured to:
the received RAND and AUTN sent by the HSS are carried in an RRC connection release request and are sent to the terminal through the base station, so that the terminal authenticates the network according to the RAND and AUTN;
authenticating the terminal according to the received RES sent by the base station, wherein the RES is carried in a random access Msg3 message sent by the base station after the terminal determines that the network authentication is passed;
and after the authentication of the terminal is passed, informing a base station to process the small data packet in the random access Msg3 message.
Optionally, the processing unit 600 is further configured to:
sending a received terminal identifier sent by a base station to an HSS, wherein the terminal identifier is determined by the base station according to a UE-ID carried in a random access Msg3 message sent to the base station after the terminal determines that the network authentication is passed;
and authenticating the terminal according to the received RES sent by the base station and the received expected response XRES corresponding to the terminal identifier returned by the HSS.
As shown in fig. 7, a second MME entity structure diagram provided in the embodiment of the present invention includes: a second sending module 700, an authentication module 710 and a notification module 720;
the second sending module 700 is configured to: the received RAND and AUTN sent by the HSS are carried in an RRC connection release request and are sent to the terminal through the base station, so that the terminal authenticates the network according to the RAND and AUTN;
the authentication module 710 is configured to: authenticating the terminal according to the received RES sent by the base station, wherein the RES is carried in a random access Msg3 message sent to the base station after the terminal determines that the network authentication is passed;
the notification module 720 is configured to: and after the authentication of the terminal is passed, informing a base station to process the small data packet in the random access Msg3 message.
Optionally, the authentication module 710 is further configured to:
sending a received terminal identifier sent by a base station to an HSS, wherein the terminal identifier is determined by the base station according to a UE-ID carried in a random access Msg3 message sent to the base station after the terminal determines that the network authentication is passed;
optionally, the authentication module 710 is specifically configured to:
and authenticating the terminal according to the received RES sent by the base station and the received expected response XRES corresponding to the terminal identifier returned by the HSS.
As shown in fig. 8, a first base station structure diagram provided in the embodiment of the present invention includes: at least one processing unit 800 and at least one storage unit 810, wherein the storage unit 810 stores program code, and when the program code is executed by the processing unit 800, the processing unit 800 is specifically configured to:
receiving a random access Msg3 message which is sent by a terminal after the network authentication is determined to pass and contains a small data packet and RES;
sending RES in the random access Msg3 message to an MME entity so that the MME entity authenticates a terminal according to the RES;
and processing the small data packet in the random access Msg3 message after the authentication of the terminal is determined to pass according to the authentication notification of the MME entity.
Optionally, the processing unit 800 is further configured to:
and sending the terminal identification determined according to the UE-ID in the random access Msg3 message to an MME entity so that the MME entity authenticates the terminal according to the RES and the received XRES corresponding to the terminal identification returned by the HSS.
As shown in fig. 9, a second base station structure diagram provided in the embodiment of the present invention includes: a receiving module 900, a third sending module 910, and a processing module 920.
The receiving module 900 is configured to: receiving a random access Msg3 message which is sent by a terminal after the network authentication is determined to pass and contains a small data packet and RES;
the third sending module 910 is configured to: sending RES in the random access Msg3 message to an MME entity so that the MME entity authenticates the terminal according to the RES;
the processing module 920 is configured to: and processing the small data packet in the random access Msg3 message after the authentication of the terminal is determined to pass according to the authentication notification of the MME entity.
Optionally, the third sending module 910 is further configured to:
and sending the terminal identification determined according to the UE-ID in the random access Msg3 message to an MME entity so that the MME entity authenticates the terminal according to the RES and the received XRES corresponding to the terminal identification returned by the HSS.
Based on the same inventive concept, the embodiment of the invention also provides a method for authenticating the narrowband internet of things, which is applied to a terminal.
As shown in fig. 10, a flowchart of a method for authenticating a narrowband internet of things applied to a terminal according to an embodiment of the present invention specifically includes the following steps:
step 1000, the terminal generates an authentication quadruplet according to the RAND in the received RRC connection release request, wherein the RRC connection release request is sent by the MME entity through the base station;
step 1010, after determining that the AUTN in the authentication quadruplet is the same as the AUTN in the received RRC connection release request sent by the MME entity through the base station, the terminal sends a random access Msg3 message including a small data packet and an RES to the base station, so that the base station processes the small data packet after the MME entity passes authentication on the terminal according to the RES.
Optionally, before the terminal generates the authentication quadruplet according to the RAND in the received RRC connection release request, the method further includes:
and the terminal determines that the RAND and the AUTN in the RRC connection release request are valid.
Optionally, the terminal determines whether the RAND and the AUTN in the RRC connection release request are valid by the following method:
the terminal determines a sequence number SQN according to the RAND and the AUTN in the RRC connection release request;
if the terminal determines that the SQN is larger than the maximum prestored SQN_UE, it determines that the RAND and the AUTN in the RRC connection release request are valid; otherwise, it determines that the RAND and the AUTN in the RRC connection release request are invalid.
Based on the same inventive concept, the embodiment of the present invention further provides a method for authenticating a narrowband internet of things, which is applied to an MME entity, and since the method corresponds to the method for authenticating the MME entity in the embodiment of the present invention and the problem solving principle of the method is similar to that of the MME entity, the implementation of the method can refer to the implementation of the MME entity, and repeated details are omitted.
As shown in fig. 11, a flowchart of a method for authenticating a narrowband internet of things applied to an MME entity according to an embodiment of the present invention specifically includes the following steps:
step 1100, the MME entity carries the received RAND and AUTN sent by the HSS in the RRC connection release request and sends the RRC connection release request to the terminal through the base station, so that the terminal authenticates the network according to the RAND and AUTN;
step 1110, the MME entity authenticates the terminal according to the received RES sent by the base station, where the RES is carried in a random access Msg3 message sent to the base station after the terminal determines that the network authentication is passed;
step 1120, the MME entity notifies the base station to process the small data packet in the random access Msg3 message after the authentication of the terminal is passed.
Optionally, the MME entity sends the received terminal identifier, an international mobile subscriber identity, sent by the base station to the HSS, where the terminal identifier is determined by the base station according to the terminal identity identifier UE-ID carried in the random access Msg3 message sent to the base station after the terminal determines that the network authentication is passed;
the MME entity authenticates the terminal according to the RES, and the authentication method comprises the following steps:
and the MME entity authenticates the terminal according to the received RES sent by the base station and the received expected response XRES corresponding to the terminal identifier returned by the HSS.
Based on the same inventive concept, the embodiment of the invention also provides a method for authenticating the narrowband internet of things, which is applied to the base station.
As shown in fig. 12, a flowchart of a third method for performing authentication according to an embodiment of the present invention specifically includes the following steps:
step 1200, a base station receives a random access Msg3 message which is sent by a terminal after the terminal determines that the network authentication is passed and contains a small data packet and RES;
step 1210, the base station sends RES in the random access Msg3 message to an MME entity, so that the MME entity authenticates the terminal according to the RES;
step 1220, the base station processes the small data packet in the random access Msg3 message after determining that the terminal passes the authentication according to the authentication notification of the MME entity.
Optionally, the base station sends a terminal identifier determined according to the UE-ID in the random access Msg3 message to an MME entity, so that the MME entity authenticates the terminal according to the RES and the received XRES corresponding to the terminal identifier returned by the HSS.
The present invention is described above with reference to block diagrams and/or flowchart illustrations of methods, apparatus (systems) and/or computer program products according to embodiments of the invention. It will be understood that one block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, and/or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks.
Accordingly, the present invention may also be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.). Furthermore, the invention can take the form of a computer program product on a computer-usable or computer-readable storage medium having computer-usable or computer-readable program code embodied in the medium for use by or in connection with an instruction execution system. In the context of this document, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A method for authenticating a narrowband Internet of things is characterized by being applied to a terminal and comprising the following steps:
the terminal generates an authentication quadruplet according to a random number RAND in a system message in a received Radio Resource Control (RRC) connection release request, wherein the RRC connection release request is sent by a Mobile Management Entity (MME) entity through a base station;
and after determining that the authentication token AUTN in the authentication quadruplet is the same as the AUTN in the RRC connection release request sent by the MME entity through the base station, the terminal sends a random access Msg3 message containing a small data packet and an authentication response RES to the base station, so that the base station processes the small data packet after the MME entity passes the authentication of the terminal according to the RES.
2. The method of claim 1, wherein before the terminal generates the authentication quadruplet from the RAND in the received RRC connection release request, further comprising:
and the terminal determines that the RAND and the AUTN in the RRC connection release request are valid.
3. The method of claim 2, wherein the terminal determines whether RAND and AUTN in the RRC connection release request are valid by:
the terminal determines a sequence number SQN according to the RAND and the AUTN in the RRC connection release request;
if the terminal determines that the SQN is larger than the maximum prestored SQN_UE, determining that the RAND and the AUTN in the RRC connection release request are valid; otherwise, determining that the RAND and the AUTN in the RRC connection release request are invalid.
4. A method for authenticating a narrowband Internet of things is applied to an MME entity, and comprises the following steps:
the MME entity carries the received RAND and AUTN sent by the home subscriber server HSS in the RRC connection release request and sends the RRC connection release request to the terminal through the base station, so that the terminal authenticates the network according to the RAND and AUTN;
the MME entity authenticates the terminal according to the received RES sent by the base station, wherein the RES is carried in a random access Msg3 message sent to the base station after the terminal determines that the network authentication is passed;
and the MME entity informs a base station to process the small data packet in the random access Msg3 message after the authentication of the terminal is passed.
5. The method of claim 4, further comprising:
the MME entity sends a received terminal identification sent by the base station to HSS, wherein the terminal identification is determined by the base station according to a terminal identity identification UE-ID carried in a random access Msg3 message sent by the base station after the terminal passes the network authentication;
the MME entity authenticates the terminal according to the RES, and the authentication comprises the following steps:
and the MME entity authenticates the terminal according to the received RES sent by the base station and the received expected response XRES corresponding to the terminal identifier returned by the HSS.
6. A method for authenticating a narrowband Internet of things is applied to a base station and comprises the following steps:
a base station receives a random access Msg3 message which is sent by a terminal after the terminal determines that the network authentication is passed and contains a small data packet and RES;
the base station sends RES in the random access Msg3 message to an MME entity so that the MME entity authenticates the terminal according to the RES;
and the base station processes the small data packet in the random access Msg3 message after determining that the terminal passes the authentication according to the authentication notification of the MME entity.
7. The method of claim 6, further comprising:
and the base station sends the terminal identification determined according to the UE-ID in the random access Msg3 message to an MME entity so that the MME entity authenticates the terminal according to the RES and the received XRES corresponding to the terminal identification returned by the HSS.
8. A terminal, characterized in that the terminal comprises: at least one processing unit and at least one memory unit, wherein the memory unit stores program code, the processing unit being adapted to perform the steps of the method of any of claims 1 to 3 when the program code is executed by the processing unit.
9. An MME entity, comprising: at least one processing unit and at least one memory unit, wherein the memory unit stores program code, the processing unit in particular being adapted to perform the steps of the method according to any of claims 4 to 5 when the program code is executed by the processing unit.
10. A base station, comprising: at least one processing unit and at least one memory unit, wherein the memory unit stores program code, the processing unit in particular being adapted to perform the steps of the method according to any of claims 6 to 7 when the program code is executed by the processing unit.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910330355.XA CN110087338B (en) 2019-04-23 2019-04-23 Method and equipment for authenticating narrowband Internet of things
Publications (2)

Publication Number Publication Date
CN110087338A CN110087338A (en) 2019-08-02
CN110087338B true CN110087338B (en) 2022-11-04
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant