CN112019489B - Verification method and device - Google Patents


Publication number: CN112019489B
Application number: CN201910472664.0A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112019489A (en)
Prior art keywords: node, terminal, access network, verification code, request message
Inventors: 罗海燕, 戴明增, 曾清海, 李�赫
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Events
    • Application filed by Huawei Technologies Co Ltd
    • Priority to CN201910472664.0A (CN112019489B)
    • Priority to PCT/CN2020/092605 (WO2020238957A1)
    • Publication of CN112019489A
    • Application granted
    • Publication of CN112019489B
    • Legal status: Active

Classifications

All under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/32 Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network security architectures or protocols for supporting key management in a packet data network
    • H04L 63/08 Network security architectures or protocols for authentication of entities
    • H04L 63/0807 Network security architectures or protocols for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/12 Applying verification of the received information

Abstract

This application provides a verification method and apparatus in the field of communications. In the method, a terminal receives, from a first node, a first verification code generated from a first root key and the identifier of the first node, and verifies the validity of the first node from the identifier of the first node, the first root key and the first verification code. The first root key is the root key used for communication between the terminal and the access network device.

Description

Verification method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a verification method and apparatus.
Background
In device-to-device (D2D) communication and vehicle-to-everything (V2X) communication (a special case of D2D communication), the sending end and the receiving end each obtain a shared key from a server (for example, the proximity services (ProSe) function) and then perform a two-way handshake based on that shared key, thereby achieving mutual authentication. This method is mainly suited to mutual authentication between two terminals with symmetric roles (that is, identical functions). In addition, because the server is located in a data network (DN) of the core network, it takes a long time for the sending end or the receiving end to obtain the shared key, and therefore a long time for the sending end (or the receiving end) to verify the receiving end (or the sending end).
Disclosure of Invention
Embodiments of this application provide a verification method and apparatus for reducing the time taken by a sending end (or receiving end) to verify the receiving end (or sending end).
To achieve this, the embodiments of this application provide the following technical solutions:
In a first aspect, a verification method is provided, which may be performed by a terminal or a chip in the terminal, and includes: the terminal receives, from a first node, a first verification code generated from a first root key and the identifier of the first node, and verifies the validity of the first node from the identifier of the first node, the first root key and the first verification code. The first root key is the root key used for communication between the terminal and the access network device. In the prior art the server is located in the DN, so it takes a long time for the terminal to obtain the shared key from the server. In the method of the first aspect, when verifying the validity of the first node, the terminal can do so from the first root key, the received identifier of the first node and the first verification code, without obtaining the shared key from the server, and therefore the time taken by the terminal to verify the validity of the first node can be shortened.
In one possible implementation, the terminal and the first node communicate over a sidelink.
In one possible implementation, the method further includes: the terminal sends to the first node a first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources and the first request message includes an RRC message sent by the terminal to the access network device. In the prior art the server is located in the DN, so it takes a long time for the first node to obtain the shared key from the server. In this implementation, when the validity of the terminal is verified, the access network device can verify it from the RRC message, without the first node obtaining the shared key from the server, so the time taken to verify the validity of the terminal can be shortened.
In one possible implementation, the method further includes: the terminal sends to the first node a first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources, the first request message includes a third verification code, and the third verification code is used to verify the validity of the terminal. In the prior art the server is located in the DN, so it takes a long time for the first node to obtain the shared key from the server. In this implementation, when the validity of the terminal is verified, the access network device can verify it from the third verification code that the terminal generates from the first root key and sends, and the first node does not need to obtain the shared key from the server, so the time taken to verify the validity of the terminal can be shortened.
In a possible implementation, the terminal sending the first request message to the first node includes: the terminal receives a notification message broadcast by the first node on the sidelink, and sends the first request message to the first node according to the notification message. The notification message includes indication information indicating that the first node is a node responsible for allocating sidelink transmission resources.
In a possible implementation, the terminal verifying the validity of the first node from the identifier of the first node, the first root key and the first verification code includes: the terminal generates a second verification code from the identifier of the first node and the first root key, and verifies the validity of the first node from the second verification code and the first verification code.
In a second aspect, a verification method is provided, including: the first node receives, from the access network device, a first verification code generated from the first root key and the identifier of the first node, and sends the first verification code and the identifier of the first node to the terminal, where the identifier of the first node and the first verification code are used to verify the validity of the first node. The first root key is the root key used for communication between the terminal and the access network device. In the prior art the server is located in the DN, so it takes a long time for the terminal to obtain the shared key from the server. In the method of the second aspect, when verifying the validity of the first node, the terminal can do so from the first root key, the received identifier of the first node and the first verification code, without obtaining the shared key from the server, so the time taken by the terminal to verify the validity of the first node can be shortened.
In one possible implementation, the terminal and the first node communicate over a sidelink.
In one possible implementation, the method further includes: the first node receives, from the terminal, a first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources and the first request message includes an RRC message sent by the terminal to the access network device; and the first node sends, according to the first request message, a second request message including the RRC message to the access network device, where the RRC message is used by the access network device to verify the validity of the terminal. In the prior art the server is located in the DN, so it takes a long time for the first node to obtain the shared key from the server. In this implementation, when the validity of the terminal is verified, the access network device can verify it from the RRC message, without the first node obtaining the shared key from the server, so the time taken to verify the validity of the terminal can be shortened.
In one possible implementation, the method further includes: the first node receives, from the terminal, a first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources, the first request message includes a third verification code, and the third verification code is used to verify the validity of the terminal; and the first node sends, according to the first request message, a second request message including the third verification code to the access network device. In the prior art the server is located in the DN, so it takes a long time for the first node to obtain the shared key from the server. In this implementation, when the validity of the terminal is verified, the access network device can verify it from the third verification code that the terminal generates from the first root key and sends, and the first node does not need to obtain the shared key from the server, so the time taken to verify the validity of the terminal can be shortened.
In one possible implementation, the method further includes: the first node broadcasts a notification message on the sidelink, where the notification message includes indication information indicating that the first node is a node responsible for allocating sidelink transmission resources.
In a third aspect, a verification method is provided, which may be performed by an access network device or a chip in the access network device, and includes: the access network device receives, from the first node, a second request message that includes an RRC message sent by the terminal to the access network device, and decodes the RRC message; if decoding succeeds, the access network device determines that the terminal is valid; if decoding fails, the access network device determines that the terminal is invalid. In the prior art the server is located in the DN, so it takes a long time for the first node to obtain the shared key from the server. In the method of the third aspect, when verifying the validity of the terminal, the access network device can do so from the RRC message, without the first node obtaining the shared key from the server, so the time taken to verify the validity of the terminal can be shortened.
In one possible implementation, the method further includes: the access network device sends to the first node a first verification code used to verify the validity of the first node.
In a fourth aspect, a verification method is provided, which may be performed by an access network device or a chip in the access network device, and includes: the access network device receives, from the first node, a second request message including a third verification code, and verifies the validity of the terminal from the identifier of the first node, the first root key and the third verification code. The third verification code is used to verify the validity of the terminal and is generated from the identifier of the first node and the first root key, and the first root key is the root key used for communication between the terminal and the access network device. In the prior art the server is located in the DN, so it takes a long time for the first node to obtain the shared key from the server. In the method of the fourth aspect, when verifying the validity of the terminal, the access network device can do so from the third verification code that the terminal generates from the first root key and sends, without the first node obtaining the shared key from the server, and therefore the time taken to verify the validity of the terminal can be shortened.
In a possible implementation, the access network device verifying the validity of the terminal from the identifier of the first node, the first root key and the third verification code includes: the access network device generates a fourth verification code from the identifier of the first node and the first root key, and verifies the validity of the first node from the fourth verification code and the third verification code.
In one possible implementation, the method further includes: the access network device sends to the first node a first verification code used to verify the validity of the first node.
In a fifth aspect, a verification method is provided, which may be performed by a terminal or a chip in the terminal, and includes: the terminal receives an identifier of a first node and a first key freshness parameter from an access network device, where the first node is the terminating node for the terminal's application-layer data; the terminal receives a first verification code from the first node, where the first verification code is generated from a second root key, and the second root key is the root key used for communication between the terminal and the first node; and the terminal verifies the validity of the first node from the identifier of the first node, the first key freshness parameter and the first verification code. In the prior art the server is located in the DN, so it takes a long time for the terminal to obtain the shared key from the server. In the method of the fifth aspect, when verifying the validity of the first node, the terminal does so from the identifier of the first node and the first key freshness parameter obtained from the access network device. The terminal can thus verify the validity of the first node without obtaining the shared key from the server, so the time taken by the terminal to verify the validity of the first node can be shortened.
In one possible implementation, the terminal and the first node communicate via a sidelink.
In one possible implementation, the method further includes: the terminal sends a first request message to the first node, where the first request message requests association with the first node, the first node is responsible for allocating sidelink transmission resources, the first request message includes a third verification code, and the third verification code is used to verify the validity of the terminal. In the prior art the server is located in the DN, so it takes a long time for the first node to obtain the shared key from the server. In this implementation, the terminal can send the first verification code to the first node, and when the validity of the terminal is verified, the first node can verify it from the first verification code sent by the terminal without obtaining the shared key from the server, so the time taken by the first node to verify the validity of the terminal can be shortened.
In a possible implementation, the terminal verifying the validity of the first node from the identifier of the first node, the first key freshness parameter and the first verification code includes: the terminal generates the second root key from a first root key, the identifier of the first node and the first key freshness parameter, where the first root key is the root key used for communication between the terminal and the access network device; the terminal generates a second verification code from the second root key; and the terminal verifies the validity of the first node from the second verification code and the first verification code.
In a possible implementation, the terminal sending the first request message to the first node includes: the terminal receives a notification message broadcast by the first node on the sidelink, where the notification message includes indication information indicating that the first node is a node responsible for allocating sidelink transmission resources; and the terminal sends the first request message to the first node according to the notification message.
In a possible implementation, the first request message further includes an identifier of the terminal.
In one possible implementation, the method further includes: the terminal generates, from the second root key, a security protection key for data between the terminal and the first node; and the terminal transmits data with the first node using the security protection key.
In a sixth aspect, a verification method is provided, which may be performed by a first node or a chip in the first node, and includes: the first node generates a first verification code from a second root key, where the second root key is the root key used for communication between the terminal and the first node, and the first node is the terminating node for the terminal's application-layer data; and the first node sends the first verification code to the terminal. In the prior art the server is located in the DN, so it takes a long time for the terminal to obtain the shared key from the server. In the method of the sixth aspect, the access network device can send the identifier of the first node and the first key freshness parameter to the terminal, and when verifying the validity of the first node, the terminal can do so from the identifier of the first node and the first key freshness parameter obtained from the access network device. The terminal can thus verify the validity of the first node without obtaining the shared key from the server, so the time taken by the terminal to verify the validity of the first node can be shortened.
In one possible implementation, the terminal and the first node communicate via a sidelink.
In one possible implementation, the method further includes: the first node receives a first request message from the terminal, where the first request message requests association with the first node, the first node is responsible for allocating sidelink transmission resources, the first request message includes a third verification code, the third verification code is used to verify the validity of the terminal, and the third verification code is generated from the second root key; and the first node verifies the validity of the terminal from the second root key and the third verification code. In the prior art the server is located in the DN, so it takes a long time for the first node to obtain the shared key from the server. In this implementation, when the validity of the terminal is verified, the first node can verify it from the first verification code sent by the terminal without obtaining the shared key from the server, so the time taken by the first node to verify the validity of the terminal can be shortened.
In a possible implementation, the first request message includes an identifier of the terminal, and before the first node verifies the validity of the terminal from the second root key and the third verification code, the method further includes: the first node obtains the second root key according to the identifier of the terminal.
In one possible implementation, the method further includes: the first node receives the identifier of the terminal and the second root key from the access network device.
In one possible implementation, the method further includes: the first node broadcasts a notification message on the sidelink, where the notification message includes indication information indicating that the first node is a node responsible for allocating sidelink transmission resources.
In one possible implementation, the method further includes: the first node generates, from the second root key, a security protection key for data between the first node and the terminal; and the first node transmits data with the terminal using the security protection key.
In a seventh aspect, a verification method is provided, which may be performed by a first access network device or a chip in the first access network device, and includes: the first access network device sends a handover request message to a second access network device, where the handover request message requests that the second access network device hand the terminal over from the first access network device to the second access network device, and the handover request message includes an identifier of the terminal; the first access network device receives a handover reply message from the second access network device, where the handover reply message includes an identifier of a second node and a second key freshness parameter, the second node is the node that the terminal is to associate with after the handover and that is responsible for allocating sidelink resources to the terminal, and the identifier of the second node and the second key freshness parameter are used to verify the validity of the terminal and/or the second node; and the first access network device sends the identifier of the second node and the second key freshness parameter to the terminal. In the method of the seventh aspect, in a scenario where the terminal is handed over from the first access network device to the second access network device, the first access network device sends the identifier of the second node and the second key freshness parameter to the terminal, which ensures that the terminal can successfully perform validity verification with the second node after being handed over to the second access network device.
In an eighth aspect, a verification method is provided, which may be performed by a second access network device or a chip in the second access network device, and includes: the second access network device receives a handover request message from a first access network device, where the handover request message requests that the second access network device hand the terminal over from the first access network device to the second access network device, and the handover request message includes an identifier of the terminal; the second access network device sends a handover reply message to the first access network device, where the handover reply message includes an identifier of a second node and a second key freshness parameter, the second node is the node that the terminal is to associate with after the handover and that is responsible for allocating sidelink resources to the terminal, and the identifier of the second node and the second key freshness parameter are used to verify the validity of the terminal and/or the second node; and the second access network device sends the identifier of the terminal and a third key to the second node, where the third key is the root key for communication between the terminal and the second node and is used to verify the validity of the terminal and/or the second node. In the method of the eighth aspect, in a scenario where the terminal is handed over from the first access network device to the second access network device, the identifier of the second node and the second key freshness parameter are sent to the terminal through the first access network device, which ensures that the terminal can successfully perform validity verification with the second node after being handed over to the second access network device.
In a ninth aspect, a verification apparatus is provided, including a communication unit and a processing unit. The communication unit is configured to receive, from a first node, a first verification code and an identifier of the first node, where the first verification code is generated from a first root key and the identifier of the first node, and the first root key is the root key used for communication between the verification apparatus and an access network device; and the processing unit is configured to verify the validity of the first node from the identifier of the first node, the first root key and the first verification code.
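The verification flows described above, modelled end to end as an added example (this is not code from the patent or from Huawei): scheme A is the code bound directly to the first root key from the first to fourth aspects, scheme B is the per-node second root key derived with a key freshness parameter from the fifth and sixth aspects, and the handover of the seventh and eighth aspects re-runs scheme B against the second node. The patent does not specify the code-generation or key-derivation function, so HMAC-SHA256, the role labels, the 8-byte freshness value and the transfer of the terminal's root key context to the target access network device at handover are assumptions of this example.

```python
import hashlib
import hmac
import os

def mac(key: bytes, *parts: bytes) -> bytes:
    """Verification-code / key-derivation primitive. The patent does not name the
    function; HMAC-SHA256 over length-prefixed inputs is this example's assumption."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

# Scheme A (first to fourth aspects): codes bound directly to the first root key K1.
# role b"node" is the first verification code (made by the access network device for
# the node); role b"terminal" is the third verification code (made by the terminal).
def code_a(k1: bytes, role: bytes, node_id: bytes) -> bytes:
    return mac(k1, role, node_id)

def verify_a(k1: bytes, role: bytes, node_id: bytes, received: bytes) -> bool:
    """The verifier regenerates the code (the 'second'/'fourth' code) and compares."""
    return hmac.compare_digest(code_a(k1, role, node_id), received)

# Scheme B (fifth to eighth aspects): per-node second root key K2 with a freshness value.
def derive_node_root_key(k1: bytes, node_id: bytes, fresh: bytes) -> bytes:
    return mac(k1, b"root", node_id, fresh)

def protection_keys(k2: bytes) -> dict:
    """Security protection keys for terminal<->node data, derived from K2."""
    return {"int": mac(k2, b"integrity"), "enc": mac(k2, b"cipher")}

class Node:
    def __init__(self, node_id: bytes):
        self.id = node_id
        self.root_keys = {}  # terminal id -> K2, received from the access network device

    def first_code(self, terminal_id: bytes) -> bytes:
        return mac(self.root_keys[terminal_id], b"node")

    def verify_terminal(self, terminal_id: bytes, third_code: bytes) -> bool:
        k2 = self.root_keys.get(terminal_id)  # looked up by the terminal identifier
        return k2 is not None and hmac.compare_digest(mac(k2, b"terminal"), third_code)

class Terminal:
    def __init__(self, terminal_id: bytes, k1: bytes):
        self.id, self.k1 = terminal_id, k1

    def verify_node(self, node_id: bytes, fresh: bytes, first_code: bytes):
        """Fifth aspect: derive K2 from K1, node id and freshness, then compare codes."""
        k2 = derive_node_root_key(self.k1, node_id, fresh)
        ok = hmac.compare_digest(mac(k2, b"node"), first_code)
        return ok, (protection_keys(k2) if ok else None)

    def request_code(self, node_id: bytes, fresh: bytes) -> bytes:
        """Third verification code carried in the first request message."""
        return mac(derive_node_root_key(self.k1, node_id, fresh), b"terminal")

class AccessNetworkDevice:
    def __init__(self):
        self.terminal_keys = {}  # terminal id -> K1
        self.nodes = {}          # node id -> Node

    def associate(self, terminal_id: bytes, node_id: bytes):
        """Give the node (terminal id, K2); return (node id, freshness) for the terminal."""
        fresh = os.urandom(8)
        k2 = derive_node_root_key(self.terminal_keys[terminal_id], node_id, fresh)
        self.nodes[node_id].root_keys[terminal_id] = k2
        return node_id, fresh

    def handover(self, terminal_id: bytes, target: "AccessNetworkDevice", node_id: bytes):
        """Seventh/eighth aspects: the target picks the second node and freshness.
        Assumption: the terminal's K1 context moves to the target with the request."""
        target.terminal_keys[terminal_id] = self.terminal_keys.pop(terminal_id)
        return target.associate(terminal_id, node_id)  # source forwards this to the terminal

def run_scenario() -> dict:
    """Constructed scenario: one terminal, two access network devices, two nodes."""
    k1 = os.urandom(32)
    ue, n1, n2 = Terminal(b"ue-1", k1), Node(b"node-A"), Node(b"node-B")
    an1, an2 = AccessNetworkDevice(), AccessNetworkDevice()
    an1.terminal_keys[ue.id], an1.nodes[n1.id], an2.nodes[n2.id] = k1, n1, n2
    r = {}
    # Scheme A: both directions succeed; a node that never held K1 is rejected.
    r["A_node_ok"] = verify_a(k1, b"node", n1.id, code_a(k1, b"node", n1.id))
    r["A_terminal_ok"] = verify_a(k1, b"terminal", n1.id, code_a(k1, b"terminal", n1.id))
    r["A_rogue_node"] = verify_a(k1, b"node", n1.id, code_a(os.urandom(32), b"node", n1.id))
    # Scheme B: association, mutual verification, matching protection keys, stale freshness.
    nid, fresh = an1.associate(ue.id, n1.id)
    ok, keys = ue.verify_node(nid, fresh, n1.first_code(ue.id))
    r["B_node_ok"] = ok
    r["B_terminal_ok"] = n1.verify_terminal(ue.id, ue.request_code(nid, fresh))
    r["B_keys_match"] = keys == protection_keys(n1.root_keys[ue.id])
    r["B_stale_freshness"] = ue.verify_node(nid, os.urandom(8), n1.first_code(ue.id))[0]
    # Handover: the terminal verifies node-B from the forwarded (id, freshness); old codes fail.
    nid2, fresh2 = an1.handover(ue.id, an2, n2.id)
    r["H_node_ok"] = ue.verify_node(nid2, fresh2, n2.first_code(ue.id))[0]
    r["H_old_code_rejected"] = n2.verify_terminal(ue.id, ue.request_code(nid, fresh))
    return r
```

run_scenario() returns a dict of booleans; the three False entries (rogue node, stale freshness, pre-handover code at the second node) are what the root-key binding and the freshness parameter reject.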
In one possible implementation, the verification apparatus and the first node communicate over a sidelink.
In a possible implementation, the communication unit is further configured to send a first request message to the first node, where the first request message requests association with the first node, the first node is responsible for allocating sidelink transmission resources, and the first request message includes a radio resource control (RRC) message sent by the verification apparatus to the access network device.
In a possible implementation, the communication unit is further configured to send a first request message to the first node, where the first request message requests association with the first node, the first node is responsible for allocating sidelink transmission resources, the first request message includes a third verification code, and the third verification code is used to verify the validity of the verification apparatus.
In a possible implementation, the communication unit is further configured to receive a notification message broadcast by the first node on the sidelink, where the notification message includes indication information indicating that the first node is a node responsible for allocating sidelink transmission resources; and the communication unit is further configured to send the first request message to the first node according to the notification message.
In a possible implementation, the processing unit is specifically configured to: generate a second verification code from the identifier of the first node and the first root key; and verify the validity of the first node from the second verification code and the first verification code.
In a tenth aspect, a verification apparatus is provided, including a communication unit and a processing unit. The processing unit is configured to receive, through the communication unit, a first verification code from an access network device, where the first verification code is generated from a first root key and an identifier of the verification apparatus, and the first root key is the root key used for communication between a terminal and the access network device; and the processing unit is further configured to send, through the communication unit, the first verification code and the identifier of the verification apparatus to the terminal, where the identifier of the verification apparatus and the first verification code are used to verify the validity of the verification apparatus.
In one possible implementation, the terminal and the verification apparatus communicate over a sidelink.
In a possible implementation, the processing unit is further configured to receive, through the communication unit, a first request message from the terminal, where the first request message requests association with the verification apparatus, the verification apparatus is responsible for allocating sidelink transmission resources, and the first request message includes an RRC message sent by the terminal to the access network device; and the processing unit is further configured to send, through the communication unit and according to the first request message, a second request message to the access network device, where the second request message includes the RRC message, and the RRC message is used by the access network device to verify the validity of the terminal.
In a possible implementation, the processing unit is further configured to receive, through the communication unit, a first request message from the terminal, where the first request message requests association with the verification apparatus, the verification apparatus is responsible for allocating sidelink transmission resources, the first request message includes a third verification code, and the third verification code is used to verify the validity of the terminal; and the processing unit is further configured to send, through the communication unit and according to the first request message, a second request message to the access network device, where the second request message includes the third verification code.
In a possible implementation manner, the processing unit is further configured to broadcast, by the communication unit, a notification message in the sidelink, where the notification message includes indication information indicating that the authentication apparatus is a node responsible for allocating transmission resources of the sidelink.
In an eleventh aspect, there is provided an authentication apparatus comprising: a communication unit and a processing unit; the communication unit is configured to receive a second request message from the first node, where the second request message includes an RRC message sent by the terminal to the authentication apparatus; the processing unit is configured to decode the RRC message; if the decoding is successful, the processing unit determines that the terminal is legal; and if the decoding is unsuccessful, the processing unit determines that the terminal is illegal.
In a possible implementation manner, the communication unit is further configured to send a first verification code to the first node, where the first verification code is used to verify the validity of the first node.
In a twelfth aspect, there is provided an authentication apparatus comprising: a communication unit and a processing unit; the communication unit is configured to receive a second request message from a first node, where the second request message includes a third verification code, the third verification code is used to verify the validity of a terminal, the third verification code is generated according to an identifier of the first node and a first root key, and the first root key is a root key used for communication between the terminal and the verification apparatus; and the processing unit is used for verifying the validity of the terminal according to the identifier of the first node, the first root key and the third verification code.
In a possible implementation manner, the processing unit is specifically configured to: generating a fourth verification code according to the identifier of the first node and the first root key; and verifying the validity of the first node according to the fourth verification code and the third verification code.
In a possible implementation manner, the communication unit is further configured to send a first verification code to the first node, where the first verification code is used to verify the validity of the first node.
In a thirteenth aspect, there is provided an authentication apparatus having a function of implementing any one of the methods provided in the fifth, sixth, seventh, or eighth aspects. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the above functions. For example, the apparatus may include a processing unit to perform the processing actions (e.g., actions other than transmitting and/or receiving) in the fifth aspect, the sixth aspect, the seventh aspect, or the eighth aspect, and a communication unit to perform the transmitting and/or receiving actions in the fifth aspect, the sixth aspect, the seventh aspect, or the eighth aspect. Optionally, the actions performed by the communication unit are performed under the control of the processing unit. Optionally, the communication unit includes a transmitting unit and a receiving unit; in this case, the transmitting unit is configured to perform the transmitting action in the fifth aspect, the sixth aspect, the seventh aspect or the eighth aspect, and the receiving unit is configured to perform the receiving action in the fifth aspect, the sixth aspect, the seventh aspect or the eighth aspect. The apparatus may be in the form of a chip product.
In a fourteenth aspect, there is provided an authentication apparatus comprising: a processor. The processor is connected with the memory, and the memory is used for storing computer-executable instructions, and the processor executes the computer-executable instructions stored by the memory, so as to implement any one of the methods provided by any one of the first aspect to the eighth aspect. The memory and the processor may be integrated together or may be separate devices. If the latter is the case, the memory may be located inside the authentication device or outside the authentication device.
In one possible implementation, the processor includes logic circuitry and an input interface and/or an output interface. The output interface performs the sending action in the corresponding method, and the input interface performs the receiving action in the corresponding method.
In one possible implementation, the authentication apparatus further includes a communication interface and a communication bus, and the processor, the memory, and the communication interface are connected by the communication bus. The communication interface is used for executing the actions of transceiving in the corresponding method. The communication interface may also be referred to as a transceiver. Optionally, the communication interface comprises a transmitter and a receiver, in which case the transmitter is configured to perform the act of transmitting in the respective method and the receiver is configured to perform the act of receiving in the respective method.
In one possible implementation, the verification apparatus is in the product form of a chip.
In a fifteenth aspect, a computer-readable storage medium is provided, comprising instructions which, when executed on a computer, cause the computer to perform any one of the methods provided in any one of the first to eighth aspects.
In a sixteenth aspect, there is provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform any of the methods provided in any of the first to eighth aspects.
For technical effects brought by any implementation manner of the ninth aspect to the sixteenth aspect, reference may be made to technical effects brought by corresponding implementation manners of the first aspect to the eighth aspect, and details are not repeated here.
It should be noted that, all possible implementation manners of any one of the above aspects may be combined without departing from the scope of the claims.
Drawings
Fig. 1 is a schematic diagram of a network architecture according to an embodiment of the present application;
fig. 2 is a schematic diagram illustrating a communication protocol stack according to an embodiment of the present application;
fig. 3 to fig. 10 are interaction flowcharts of a verification method according to an embodiment of the present application, respectively;
fig. 11 is a schematic diagram illustrating an exemplary verification apparatus according to an embodiment of the present disclosure;
fig. 12 and fig. 13 are respectively a schematic hardware structure diagram of an authentication apparatus according to an embodiment of the present application;
fig. 14 is a schematic hardware structure diagram of a terminal according to an embodiment of the present disclosure;
fig. 15 is a schematic hardware structure diagram of a network device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described below with reference to the drawings in the embodiments of the present application. In the description of the present application, "/" indicates an OR relation; for example, A/B may indicate A or B, unless otherwise indicated. "And/or" herein merely describes an association between associated objects and means that three relationships are possible; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. Also, in the description of the present application, "a plurality" means two or more, and "at least one" means one or more, unless otherwise specified.
In addition, in order to facilitate clear description of technical solutions of the embodiments of the present application, in the embodiments of the present application, terms such as "first" and "second" are used to distinguish the same items or similar items having substantially the same functions and actions. Those skilled in the art will appreciate that the terms "first," "second," etc. do not denote any order or quantity, nor do the terms "first," "second," etc. denote any order or importance.
The technical solutions of the embodiments of the present application can be applied to various communication systems, for example: orthogonal frequency-division multiple access (OFDMA), single carrier frequency-division multiple access (SC-FDMA), and other systems. The term "system" may be used interchangeably with "network". An OFDMA system may implement wireless technologies such as evolved universal terrestrial radio access (E-UTRA), Ultra Mobile Broadband (UMB), and the like. E-UTRA is an evolved version of the Universal Mobile Telecommunications System (UMTS). The third generation partnership project (3GPP) uses a new version of E-UTRA in Long Term Evolution (LTE) and in various versions based on LTE evolution. The fifth generation (5G) communication system and the New Radio (NR) communication system are the next generation communication systems under study. In addition, the technical solutions provided by the embodiments of the present application also apply to future communication technologies.
The method provided by the embodiments of the present application can be applied to various service scenarios, for example, an enhanced mobile broadband (eMBB) service scenario, an ultra-reliable and low latency communication (URLLC) service scenario, an internet of things (IoT) service scenario, and an industrial IoT (IIoT) service scenario.
Traditional cellular network communication mainly consists of communication between an access network device and a terminal: when the terminal communicates with the access network device, data of the terminal can be transmitted to a core network device through the access network device. With the introduction of D2D communication, communication between terminals has increased. When terminals communicate with each other, an end-to-end peer application layer exists between the two terminals, and the user plane data of one terminal (denoted as terminal A) can be terminated at the other terminal (denoted as terminal B); that is, after the user plane data of terminal A is sent to terminal B, it is processed at the application layer of terminal B and does not need to be sent to other devices. Subsequently, V2X was introduced as a special D2D communication mode. For D2D communication or V2X communication, the transmission (transmission here can be understood as transmission and/or reception) resources used by the terminal can be obtained by any one of the following methods:
Method 1: an access network device allocates transmission resources to the terminal by semi-persistent scheduling (SPS) or dynamic allocation.
Method 2: the terminal selects transmission resources from one or more transmission resource pools on one or more carriers broadcast by the access network device; for example, the terminal may perform channel sensing itself and then select transmission resources according to the channel busy ratio of the resource pool.
Method 3: the terminal selects transmission resources from a transmission resource pool pre-configured by a server (e.g., a V2X control function).
In the above methods 2 and 3, the transmission resource pool may include time domain resources and/or frequency domain resources, for example, the transmission resource pool may include frequency domain resources composed of one or more radio Resource Blocks (RBs) and/or time frequency resources composed of one or more RBs on a specific slot or a set of slots.
Currently, in order to improve the efficiency of resource allocation, a Local Resource Coordinator (LRC) node is proposed to allocate a transmission resource of a sidelink, where the LRC node refers to a node having a function of scheduling a local resource (e.g., a resource pool) in a local area (e.g., an area smaller than a cell), and for example, the LRC node may allocate a transmission resource of a sidelink between a terminal and the LRC node, or allocate a transmission resource of a sidelink between a terminal and a terminal, and the like. The local resources for which the LRC node is responsible may be allocated by the access network device, or may be perceived by the access network device through channel sensing (for example, the access network device broadcasts one or more transmission resource pools on one or more carriers, and the LRC node selects transmission resources from the transmission resource pools, for example, the LRC node selects transmission resources according to a channel busy ratio of the resource pools after performing channel sensing by itself).
Fig. 1 is a schematic diagram of a communication system provided in the present application. Referring to fig. 1, the terminal and the access network device may communicate with each other through a cellular wireless link (i.e., Uu port), the LRC node and the access network device may communicate with each other through a cellular wireless link (i.e., Uu port), and the terminal and the LRC node may communicate with each other through a sidelink wireless link (i.e., PC5 port). The terminal and the access network device can communicate in three ways. The first mode is as follows: the terminal can only communicate directly with the access network device. The second way is: the terminal may communicate with the access network device only via the LRC node. The third mode is as follows: the terminal can communicate with the access network device directly or through the LRC node.
In the first mode, the terminal may establish a Radio Resource Control (RRC) connection (hereinafter referred to as Uu-RRC connection) with the access network device. In the second and third modes, the terminal may establish Uu-RRC connection with the access network device first, and then establish connection with the LRC node, or may establish connection with the LRC node first, and then establish Uu-RRC connection with the access network device through the LRC node (at this time, the LRC node is a relay). The connection between the terminal and the LRC node may be a side link RRC connection (also referred to as PC5-RRC connection) or other connections (for example, establishing association or establishing a connection hereinafter).
For the transmission between the LRC node and the terminal, in one case, the control plane signaling and/or the user plane data of the access network device need to be sent to the terminal through the LRC node, and the control plane signaling and/or the user plane data of the terminal need to be sent to the access network device through the LRC node. At this time, the LRC node may act as a relay between the terminal and the access network device. In another case, the user plane data of the terminal may be terminated at the LRC node, that is, an end-to-end peer application layer may be provided between the terminal and the LRC node, and the user plane data of the terminal is sent to the LRC node and then processed at the application layer of the LRC node, and does not need to be sent to other devices.
It should be noted that the user plane data in the embodiment of the present application may also be referred to as application layer data.
It should be noted that the LRC node may have an RRC layer peer to the terminal (referred to as the PC5-RRC layer) and an RRC layer peer to the access network device (referred to as the Uu-RRC layer). In this case, the RRC messages exchanged between the terminal and the LRC node may be referred to as PC5-RRC messages, the RRC messages exchanged between the LRC node and the access network device may be referred to as Uu-RRC_LRC messages, and the RRC messages exchanged between the terminal and the access network device may be referred to as Uu-RRC_UE messages. Alternatively, the LRC node may have neither a PC5-RRC layer peer to the terminal nor a Uu-RRC layer peer to the access network device; in this case, RRC messages are exchanged only between the terminal and the access network device, and these RRC messages may also be referred to as Uu-RRC_UE messages. Alternatively, the LRC node may have no PC5-RRC layer peer to the terminal but have a Uu-RRC layer peer to the access network device; in this case, the RRC messages exchanged between the LRC node and the access network device may be referred to as Uu-RRC_LRC messages, and the RRC messages exchanged between the terminal and the access network device may also be referred to as Uu-RRC_UE messages.
Illustratively, referring to fig. 2, fig. 2 shows a schematic diagram of the protocol stack architecture of a terminal, an LRC node and an access network device. This example is drawn for the case in which the LRC node has neither a PC5-RRC layer nor a Uu-RRC layer. The protocol stack of the terminal includes, from top to bottom: an RRC layer peer to the access network device, a Packet Data Convergence Protocol (PDCP) layer peer to the access network device, a Radio Link Control (RLC) layer peer to the LRC node, a Medium Access Control (MAC) layer peer to the LRC node, and a Physical (PHY) layer peer to the LRC node. At the PC5 port, the protocol stack of the LRC node includes, from top to bottom: an RLC layer peer to the terminal, a MAC layer peer to the terminal, and a PHY layer peer to the terminal. At the Uu port, the protocol stack of the LRC node includes, from top to bottom: an adaptation (Adapt) layer peer to the access network device, an RLC layer peer to the access network device, a MAC layer peer to the access network device, and a PHY layer peer to the access network device. The protocol stack of the access network device includes, from top to bottom: an RRC layer peer to the terminal, a PDCP layer peer to the terminal, an Adapt layer peer to the LRC node, an RLC layer peer to the LRC node, a MAC layer peer to the LRC node, and a PHY layer peer to the LRC node.
The LRC node is primarily responsible for allocating the transmission resources of the sidelink. Allocating transmission resources of the sidelink may include one or more of: allocating transmission resources of a sidelink between terminals, allocating transmission resources of the sidelink between the LRC node and a terminal, and forwarding to the terminal the sidelink transmission resources configured for the terminal by the access network device.
In the case that the access network device configures transmission resources of a side link for the terminal, the access network device configures a side link resource pool for the terminal, and the terminal can subsequently perform channel sensing on resources in the side link resource pool and then select resources from the side link resource pool to perform data transmission of the side link. In another possible implementation manner, the access network device configures a sidelink resource for the terminal, and the terminal performs sidelink data transmission on the given sidelink resource.
The LRC node may be an internet of things terminal, a Relay Node (RN), an Integrated Access and Backhaul (IAB) node, a controller in the IIoT, an internet of vehicles terminal, and the like. The LRC node may also be referred to as a local manager (local manager), a local control node, a user group header (UE header or header UE), a scheduling user (scheduling UE), etc. The LRC node in this embodiment of the application may be specified by an access network device, may also be selected by a terminal, and may also be preconfigured (for example, some terminals are preconfigured as the LRC node), which is not specifically limited in this embodiment of the application.
An access network device is an entity on the network side for transmitting signals, receiving signals, or both. The access network device may be a device deployed in a Radio Access Network (RAN) to provide a wireless communication function for a terminal, for example, a base station. The access network device may be a macro base station, a micro base station (also referred to as a small cell), a relay station, an Access Point (AP), or the like in various forms, and may also include a control node in various forms, such as a network controller. The control node may be connected to a plurality of base stations and configure resources for a plurality of terminals under the coverage of the plurality of base stations. In systems using different radio access technologies, the names of devices that function as base stations may differ. For example, in a global system for mobile communication (GSM) or Code Division Multiple Access (CDMA) network the base station may be referred to as a Base Transceiver Station (BTS), in a Wideband Code Division Multiple Access (WCDMA) network as a NodeB, in an LTE system as an evolved NodeB (eNB or eNodeB), and in a 5G communication system or an NR communication system as a next generation base station (gNB); the present application does not limit the specific names of the base stations. The access network device may also be a wireless controller in a Cloud Radio Access Network (CRAN) scenario, an access network device in a future-evolved Public Land Mobile Network (PLMN), a transmission and reception point (TRP) in the PLMN, and the like.
A terminal is an entity on the user side for receiving signals, or transmitting signals, or both. The terminal is used to provide one or more of voice services and data connectivity services to the user. A terminal may be referred to as a User Equipment (UE), a terminal device, an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user equipment. The terminal may be a Mobile Station (MS), a subscriber unit (subscriber unit), an unmanned aerial vehicle (drone), an IoT device, a Station (ST) in a Wireless Local Area Network (WLAN), a cellular phone (cellular phone), a smart phone (smart phone), a cordless phone, a wireless data card, a tablet computer, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA) device, a laptop computer (laptop computer), a Machine Type Communication (MTC) terminal, a handheld device having a wireless communication function, a computing device, or other processing device connected to a wireless modem, a vehicle-mounted device, and a wearable device (also called a wearable smart device). The terminal may also be a terminal in a next generation communication system, e.g. a terminal in a 5G communication system or a terminal in a PLMN for future evolution, a terminal in an NR communication system, etc.
For the communication system shown in fig. 1, when performing validity verification between the terminal and the LRC node, if the method in the prior art is adopted, both the terminal and the LRC node need to obtain a shared key from a server (e.g., ProSe function), and then perform handshake based on the shared key, thereby achieving the purpose of mutual verification. Since the server is located in the DN of the core network, it takes a long time for the terminal and the LRC node to acquire the shared key, which results in a long time for the terminal to verify the validity of the LRC node, or for the LRC node to verify the validity of the terminal. In order to solve the problem, embodiments of the present application provide various authentication methods in which the LRC node and the terminal do not need to obtain a shared key from the server, and therefore, the time for validity authentication of the first node and/or the terminal may be shortened.
In order to make the embodiments of the present application clearer, a brief description is first made of some concepts mentioned in the embodiments of the present application.
(1) Security protection key
A security protection key refers to a key that may be used to implement security protection of data.
The security protection keys may include one or more of the following: encryption keys, decryption keys, integrity protection keys, etc.
The sending end encrypts the plaintext according to the encryption key and the encryption algorithm to generate a ciphertext. The receiving end decrypts the ciphertext according to the decryption key and the decryption algorithm to recover the plaintext. If a symmetric encryption method is used, the encryption key and the decryption key are the same: the sending end uses a key to encrypt (at this time, the key is an encryption key), and the receiving end uses the same key to decrypt (at this time, the key is a decryption key).
The integrity protection key is a parameter input by the sending end when integrity protection is carried out on the plaintext or the ciphertext according to an integrity protection algorithm. The receiving end can carry out integrity verification on the data subjected to integrity protection according to the same integrity protection algorithm and the integrity protection key.
The encryption key may include an encryption key of a control plane and an encryption key of a user plane. The decryption keys may include a control plane decryption key and a user plane decryption key. The integrity protection key may include an integrity protection key of a control plane and an integrity protection key of a user plane.
(2) Root key
The root key in the embodiment of the present application refers to a key on the access network side for generating a verification code used for validity verification between the terminal and other devices, and/or for generating a security protection key between the terminal and other devices. The other device may be an LRC node or an access network device.
The root keys referred to in the embodiments of the present application include root keys used for communication between the terminal and the access network device (e.g., hereinafter, first root key), and root keys used for communication between the terminal and the LRC node (e.g., hereinafter, second root key and third root key).
The root key used for communication between the terminal and the access network device may be denoted as K_eNB/K_gNB, and the root key used for communication between the terminal and the LRC node may be denoted as K_LRC. K_LRC can be generated from K_eNB/K_gNB. In addition, a control plane ciphering key and a control plane integrity protection key between the terminal and the LRC node may be generated from K_LRC.
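A toy model of the verification-code exchange described for the ninth, tenth and twelfth aspects, together with the root-key hierarchy of concept (2), as an added example that is not code from the patent or from Huawei. It assumes HMAC-SHA256 for both the verification codes (truncated to 4 bytes, with a direction label that keeps the code proving the first node apart from the code proving the terminal) and the key derivations, and that K_gNB is held per terminal by the access network device; the patent specifies none of these.

```python
"""Added example, not code from the patent or from Huawei. It models the
verification-code exchange of the ninth, tenth and twelfth aspects and the
root-key hierarchy of concept (2): K_gNB -> K_LRC -> control-plane keys.
Assumptions the patent does not make: a code is HMAC-SHA256 over a direction
label and an identifier, truncated to 4 bytes; sub-keys come from HMAC-SHA256
under fixed labels; K_gNB is held per terminal by the network, never by the node.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

VCODE_LEN = 4  # constructed truncation length


def kdf(key: bytes, label: bytes, context: bytes = b"") -> bytes:
    """Derive a sub-key as HMAC-SHA256(key, label || context)."""
    return hmac.new(key, label + context, hashlib.sha256).digest()


def verification_code(root_key: bytes, label: bytes, identifier: bytes) -> bytes:
    """Code bound to a root key and an identifier; the label (assumption) keeps
    the node-proving and terminal-proving codes apart, as both use the node id."""
    return hmac.new(root_key, label + identifier, hashlib.sha256).digest()[:VCODE_LEN]


class AccessNetworkDevice:
    """Holds the first root key K_gNB of each attached terminal."""

    def __init__(self) -> None:
        self.k_gnb: Dict[bytes, bytes] = {}

    def attach(self, terminal_id: bytes) -> bytes:
        self.k_gnb[terminal_id] = secrets.token_bytes(32)
        return self.k_gnb[terminal_id]

    def first_verification_code(self, terminal_id: bytes, node_id: bytes) -> bytes:
        """Tenth aspect: code handed to the first node to present to the terminal."""
        return verification_code(self.k_gnb[terminal_id], b"NODE", node_id)

    def verify_terminal(self, terminal_id: bytes, node_id: bytes, third: bytes) -> bool:
        """Twelfth aspect: regenerate (fourth code) and compare in constant time."""
        key = self.k_gnb.get(terminal_id)
        if key is None:
            return False  # unknown terminal: nothing to verify against
        return hmac.compare_digest(verification_code(key, b"TERM", node_id), third)


class Terminal:
    def __init__(self, terminal_id: bytes, k_gnb: bytes) -> None:
        self.terminal_id = terminal_id
        self.k_gnb = k_gnb

    def verify_first_node(self, node_id: bytes, first: bytes) -> bool:
        """Ninth aspect: regenerate (second code) and compare in constant time."""
        return hmac.compare_digest(verification_code(self.k_gnb, b"NODE", node_id), first)

    def first_request(self, node_id: bytes) -> dict:
        """Association request carrying the third verification code."""
        return {"terminal_id": self.terminal_id,
                "third_code": verification_code(self.k_gnb, b"TERM", node_id)}

    def sidelink_keys(self, node_id: bytes) -> Dict[str, bytes]:
        """Concept (2): K_LRC from K_gNB, then control-plane keys from K_LRC."""
        k_lrc = kdf(self.k_gnb, b"K_LRC", node_id)
        return {"K_LRC": k_lrc, "cp_enc": kdf(k_lrc, b"CP-ENC"), "cp_int": kdf(k_lrc, b"CP-INT")}


class LRCNode:
    """First node: relays the code and the request; it never holds K_gNB."""

    def __init__(self, node_id: bytes) -> None:
        self.node_id = node_id
        self.first_code: Optional[bytes] = None

    def second_request(self, first_request: dict) -> dict:
        return {"node_id": self.node_id, **first_request}


def run_exchange(shown_id: Optional[bytes] = None) -> Tuple[bool, bool]:
    """Round trip: (terminal accepts the node, network accepts the terminal).
    shown_id makes the node present its code under another identifier; the
    terminal must reject that, since the code is bound to the issued id."""
    ran = AccessNetworkDevice()
    terminal = Terminal(b"\x12\x34", ran.attach(b"\x12\x34"))
    node = LRCNode(b"\x00\x00\x2a")
    node.first_code = ran.first_verification_code(terminal.terminal_id, node.node_id)
    presented_id = node.node_id if shown_id is None else shown_id
    if not terminal.verify_first_node(presented_id, node.first_code):
        return (False, False)
    req = node.second_request(terminal.first_request(presented_id))
    return (True, ran.verify_terminal(req["terminal_id"], req["node_id"], req["third_code"]))
```

The LRC node only relays: it can forward the first code and the terminal's request, but without K_gNB it can neither forge a code for a different identifier nor produce the terminal's third code.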
(3) Key freshness parameter
The key freshness parameter refers to a freshness parameter for updating a key. For example, the key freshness parameter may be a freshness parameter for updating the root key.
(4) Sidelink (sidelink)
A sidelink refers to a link for communication between a terminal and an LRC node, or a link for communication between a terminal and a terminal. The side link may also be referred to as a PC5 port link.
(5) Identification of terminal
The identifier of the terminal in this embodiment may be a cell radio network temporary identifier (C-RNTI), or C-RNTI + a cell identifier of the terminal in a cellular network, or an identifier of the terminal in a side link, and the like.
The identifier of the terminal on the sidelink refers to an identifier used by the LRC node to identify the terminal on the sidelink. The identifier of the terminal on the sidelink may also be referred to as the proximity services UE identifier (ProSe UE ID) or the identifier of the terminal on the PC5 port.
For example, referring to fig. 2, the identifier of the terminal on the sidelink may be carried in the MAC layer header, or in the MAC layer header and the PHY layer header. For example, the ProSe UE ID is 24 bits long; all 24 bits may be carried in the MAC layer header, in which case the identifier of the terminal on the sidelink may also be referred to as the layer 2 identifier of the terminal (which may be denoted as UE L2 ID). Alternatively, 8 bits may be carried in the PHY layer header and the remaining 16 bits in the MAC layer header.
(6) Identification of LRC nodes
In this embodiment, the identifier of the LRC node may be allocated to the first node by the access network device, or may be generated by the access network device itself.
The identifier of the LRC node (e.g., the first node and the second node in the following description) may be an identifier of the LRC node on the sidelink; in this case, the identifier of the LRC node is used to identify the LRC node on the sidelink (the identifier of the LRC node is carried in the MAC layer header, or in the MAC layer header and the PHY layer header; specifically, when the LRC node is the transmitting end, the identifier or a part of the identifier of the LRC node may be carried in the Source (SRC) address field of the MAC layer header). Illustratively, the identifier of the LRC node on the sidelink may be the C-RNTI of the LRC node.
The identity of the LRC node may also be an identity of the LRC node at the cellular network (e.g., C-RNTI).
The identifier of the LRC node may also be an identifier used by the LRC node in a routing process, for example, a MAC address of the LRC node or an Internet Protocol (IP) address of the LRC node.
(7) Notification message
The notification message in the embodiments of the present application is a message broadcast by a first node (e.g., an LRC node) on the sidelink. The notification message includes indication information (denoted first indication information) used to indicate that the first node is the node responsible for allocating transmission resources of the sidelink (in other words, that the first node is an LRC node). For example, the notification message may include a scheduling header indication; when the scheduling header indication is set to 1, the first node is the node responsible for allocating transmission resources of the sidelink. For another example, the first indication information may be implemented by the message type included in the notification message: when the message type is a particular message type, it indicates that the node sending the notification message (i.e., the first node) is the node responsible for allocating transmission resources of the sidelink (in other words, that the first node is an LRC node).
Optionally, the notification message may further include information indicating the first node, which may include one or more of the following: the identifier of the first node (see the description of the identifier of the LRC node above) and the area information.
The area identifier is the identifier of an area served by the first node. The first node may have a correspondence with the area identifier of the area it serves; the terminal may hold this correspondence and determine the first node according to the area identifier. The correspondence between the first node and the area identifier of the served area may be sent (or broadcast) to the terminal by the access network device.
The area information is information indicating an area served by the first node. The region information may include a region identification and/or location information for the region (e.g., longitude, latitude, radius, length, width, etc. information for the region). The terminal may determine the first node according to the area information. For example, the first node has a correspondence with the area information of the served area, and the terminal may determine the first node according to the correspondence between the first node and the area information of the served area. In this case, the correspondence between the first node in the terminal and the area information of the served area may be transmitted (or broadcast) to the terminal by the access network device. For another example, the terminal may determine the area identifier according to the location information of the area, and determine the first node according to the area identifier, for example, the terminal may determine the first node according to a correspondence between the first node and the area identifier of the served area, and a correspondence between the area identifier of the area and the location information of the area. In this case, the correspondence between the first node in the terminal and the area identifier of the served area, and the correspondence between the area identifier of the area and the location information of the area may be transmitted (or broadcast) to the terminal by the access network device.
(8) Signaling radio bearer (SRB for short)
The SRBs include SRB0 and SRB1. SRB0 is the default SRB: when the terminal initially accesses the cellular network, it sends an RRC connection establishment request message, such as an RRC setup request (RRC Setup Request), an RRC reestablishment request (RRC Reestablishment Request) or an RRC resume request (RRC Resume Request), through SRB0. SRB1 is an SRB established during establishment of the Uu-RRC connection between the terminal and the access network device and can be used for transmitting Uu-RRC_UE messages.
It should be noted that, in the embodiments of the present application, the meanings and the obtaining methods of the first root key and the second root key may be mutually referred, and are not limited. In addition, in the following embodiments, the identifier of the terminal is taken as an identifier of the terminal in the side link as an example for description, and in a specific implementation, the identifier of the terminal may also be an identifier of the terminal in the cellular network.
Example one
After the terminal establishes a Uu-RRC connection with the access network device, the core network authenticates the terminal. After the authentication succeeds, a root key (denoted the first root key) used for communication between the terminal and the access network device is generated, and the first root key is stored in both the terminal and the access network device. In the verification method, the terminal verifies the validity of the first node based on the first root key, and the access network device verifies the validity of the terminal based on the first root key or on the Uu-RRC_UE message sent by the terminal. Here, legality may also be referred to as trustworthiness: in the embodiments of the present application, legal may be read as trusted and illegal as untrusted, which is not repeated below.
As shown in fig. 3, the authentication method includes:
301. the terminal sends a first request message to the first node. Accordingly, the first node receives a first request message from the terminal.
Wherein the first request message is for requesting association to the first node. In case that there is a PC5-RRC layer in the protocol stack of the first node that is peer to the terminal, the first request message may be a PC5-RRC message.
Optionally, the first request message includes an identifier of the terminal on the sidelink, and the first node may determine the terminal associated with the request according to the identifier of the terminal on the sidelink. The identifier of the terminal in the side link may be carried in the SRC address field of the MAC layer header of the first request message. In the embodiments of the present application, the description about the identifier of the terminal in the side link may be referred to above, and is not repeated.
Optionally, the first node is a node responsible for allocating transmission resources of the sidelink, that is, the first node is an LRC node.
Optionally, the terminal and the first node communicate via a sidelink.
Optionally, the first node is a termination point of the application layer data of the terminal, that is, the application layer data of the terminal is terminated at the first node.
The scenario in which the terminal determines to perform step 301 may be scenario 1 or scenario 2 below.
Scenario 1
Before step 301, when the access network device determines, for example from the terminal's measurement report or the location information reported by the terminal, that the terminal is within the communication distance of the first node, the access network device may inform the terminal through a Uu-RRC_UE message that it should associate with the first node. The terminal may perform step 301 triggered by this Uu-RRC_UE message. The Uu-RRC_UE message contains the identifier of the first node and may also contain an association indication; the terminal determines to associate with the first node according to the association indication and the identifier of the first node. For the description of the identifier of the first node in the embodiments of the present application, refer to the above.
In scenario 1, when the access network device sends the identifier of the first node, the sent identifier may be the identifier of the first node on the side link, so that the terminal identifies the first node on the side link.
In the first case, the identifier of the first node on the sidelink may be generated by the first node itself. In this case, the access network device may acquire the identifier of the first node on the sidelink as follows: when the LRC node accesses the access network device as a terminal, the access network device may allocate an identifier in the cellular network to the LRC node; after the LRC node, acting as a terminal, has established a Uu-RRC connection with the access network device, it may report its identifier on the sidelink to the access network device through a Uu-RRC_LRC message. After receiving the Uu-RRC_LRC message, the access network device acquires the identifier of the LRC node on the sidelink and establishes a correspondence between the identifier of the LRC node on the sidelink and the identifier of the LRC node in the cellular network. Subsequently, if the first node sends a Uu-RRC_LRC message to the access network device, the access network device may determine the first node according to the time-frequency resource included in the uplink grant previously allocated to the first node, and then determine the identifier of the first node on the sidelink according to the identifier of the first node in the cellular network. Note that in this method a correspondence exists between the time-frequency resource allocated by the access network device to the LRC node and the LRC node.
In the second case, the identity of the first node on the side link may be assigned by the access network device, for example, the identity of the first node on the side link may be a C-RNTI assigned by the access network device for the first node. In this case, the access network device may directly obtain the identifier of the first node on the side link.
Scenario 2
The first node broadcasts a notification message in the side link, wherein the notification message comprises first indication information, and the first indication information is used for indicating that the first node is a node responsible for allocating transmission resources of the side link. The implementation method of the first indication information can be referred to above, and is not described herein again. In this case, the step 301 may include, in a specific implementation: the terminal receives a notification message broadcasted by the first node in a side link, and sends a first request message to the first node according to the notification message.
In scenario 2, in one possible implementation manner, receiving the notification message broadcast by the first node indicates that the terminal is located in the coverage area or communication area of the first node, and the terminal may then send the first request message to the first node. In another possible implementation manner, the notification message further includes information indicating the first node. In this manner, before step 301, the access network device may indicate to the terminal one or more LRC nodes with which the terminal is allowed to associate; if the information included in the notification message received by the terminal indicates that the first node is one of those LRC nodes, that is, if the terminal finds that the first node is an LRC node the access network device allows it to associate with, the terminal sends the first request message to the first node.
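The following is an added example (not the patent's own code) of the terminal-side decision described for the notification message and scenario 2: parse the first indication information, determine the first node from the node identifier, the area identifier or the area's location information, and decide whether to send the first request. The dictionary field names, the message type name "LRC_NOTIFICATION", and the shape of the configuration the terminal holds from the access network device are assumptions; the patent only states which information is carried and which correspondences exist.

```python
"""Added example: scenario 2 decision logic at the terminal (field names are assumptions)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class TerminalConfig:
    """Correspondences sent (or broadcast) to the terminal by the access network device."""
    allowed_lrc_nodes: Optional[set] = None            # None: no restriction, coverage suffices
    node_by_area_id: dict = field(default_factory=dict)  # area identifier -> first node identifier
    area_by_id: dict = field(default_factory=dict)       # area identifier -> (lon, lat, radius_m)


def is_lrc_notification(msg: dict) -> bool:
    """First indication information: scheduling header indication set to 1, or a message
    type reserved for LRC notifications (the type name is an assumption of this example)."""
    return (msg.get("scheduling_header_indication") == 1
            or msg.get("message_type") == "LRC_NOTIFICATION")


def resolve_first_node(msg: dict, cfg: TerminalConfig) -> Optional[int]:
    """Determine the first node from the information indicating it, trying in turn the
    node identifier, the area identifier, and the area's location information."""
    if msg.get("node_id") is not None:
        return msg["node_id"]
    if msg.get("area_id") is not None:
        return cfg.node_by_area_id.get(msg["area_id"])
    if msg.get("area") is not None:
        # location information -> area identifier -> first node
        for area_id, area in cfg.area_by_id.items():
            if area == msg["area"]:
                return cfg.node_by_area_id.get(area_id)
    return None


def should_send_first_request(msg: dict, cfg: TerminalConfig) -> Tuple[bool, Optional[int]]:
    """Return (send the first request?, identifier of the first node or None)."""
    if not is_lrc_notification(msg):
        return False, None
    node = resolve_first_node(msg, cfg)
    if cfg.allowed_lrc_nodes is None:
        return True, node                       # first manner: being in coverage suffices
    return node in cfg.allowed_lrc_nodes, node  # other manner: only allowed LRC nodes


if __name__ == "__main__":
    # constructed configuration and broadcast messages
    cfg = TerminalConfig(allowed_lrc_nodes={0x1234}, node_by_area_id={7: 0x1234},
                         area_by_id={7: (116.4, 39.9, 500.0)})
    for m in ({"scheduling_header_indication": 1, "node_id": 0x1234},
              {"scheduling_header_indication": 1, "area": (116.4, 39.9, 500.0)},
              {"scheduling_header_indication": 1, "node_id": 0x9999}):
        print(m, "->", should_send_first_request(m, cfg))
```

When the access network device has restricted the allowed LRC nodes and the notification carries no information indicating the first node, the decision is not to send: the terminal cannot tell which node it would be associating with.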
302. The first node sends a second request message to the access network device according to the first request message.
Accordingly, the access network device receives the second request message from the first node.
The second request message is used by the access network device to verify the validity of the terminal. Optionally, the second request message includes the identifier of the terminal on the sidelink, and the access network device may determine which terminal is being verified according to that identifier.
303. The access network device verifies the validity of the terminal according to the second request message.
There may be two possible implementation manners for verifying the validity of the terminal, which are denoted as implementation manner 1 and implementation manner 2, and the following describes implementation manner 1 and implementation manner 2 respectively.
Implementation 1
The first request message includes the Uu-RRC_UE message sent by the terminal to the access network device. For example, the Uu-RRC_UE message that the terminal sends to the access network device may be encapsulated in the first request message. After receiving the first request message, the first node carries the Uu-RRC_UE message from the first request message in the second request message and sends it to the access network device. In addition, when the first node carries the Uu-RRC_UE message in the second request message, it may obtain the identifier of the terminal on the sidelink from the first request message and carry that identifier in the Adapt layer header of the second request message. In this case, step 303 may be implemented as follows: the access network device decodes the Uu-RRC_UE message; if decoding succeeds, the access network device determines that the terminal is legal, and if decoding fails, the access network device determines that the terminal is illegal. Specifically, according to the identifier of the terminal on the sidelink included in the Adapt layer of the second request message, the access network device passes the Uu-RRC_UE message to the PDCP layer entity corresponding to SRB1 of the terminal for processing.
In particular, when the Adapt layer includes the identifier of the terminal on the sidelink (assuming the terminal has previously reported that identifier to the access network device), the access network device may find the PDCP entity corresponding to SRB1 of the terminal according to that identifier and pass the Uu-RRC_UE message to that PDCP entity for decoding; if decoding succeeds, the access network device determines that the terminal is legal, otherwise the terminal is considered illegal.
In implementation 1, note that after the Uu-RRC connection is established between the terminal and the access network device, the Uu-RRC_UE message itself is encrypted by the control plane key between the terminal and the access network device. Therefore, the Uu-RRC_UE message of the terminal is forwarded to the access network device through the first node, and if the access network device decodes the Uu-RRC_UE message successfully, the terminal is legal.
In implementation 1, the method further includes: the terminal sends indication information (denoted second indication information) to the first node, where the second indication information indicates that the Uu-RRC_UE message in the first request message is a Uu-RRC message sent to the access network device.
In one case, the second indication information may be carried in the first request message, for example in the MAC layer header of the first request message. Specifically, the function of the second indication information may be implemented by the logical channel identity (LCID) parameter in the MAC layer header of the first request message. For example, when the value of the LCID parameter is 0 (or 1), the LCID parameter indicates that the Uu-RRC_UE message in the first request message is a Uu-RRC message sent to the access network device.
In another case, the second indication information may not be carried in the first request message, and the second indication information may be carried in a Sidelink Control Indicator (SCI).
Implementation 2
The first request message includes a third verification code used for verifying the validity of the terminal. The terminal may generate the third verification code according to the first root key and at least one of the identifier of the first node and the identifier of the terminal on the sidelink. After receiving the first request message, the first node may carry the third verification code from the first request message in the second request message and send the second request message to the access network device. In this case, step 303 may be implemented as follows: the access network device verifies the validity of the terminal according to at least one of the identifier of the first node and the identifier of the terminal on the sidelink, the first root key, and the third verification code.
In implementation 2, step 303 may specifically include: the access network device generates a fourth verification code according to the first root key and at least one of the identifier of the first node and the identifier of the terminal on the sidelink, and verifies the validity of the terminal according to the third verification code and the fourth verification code. The method by which the access network device generates the fourth verification code is the same as the method by which the terminal generates the third verification code. Optionally, this method may be preconfigured or negotiated between the terminal and the access network device; for example, the terminal may be preconfigured to generate the third verification code according to the first root key and the identifier of the first node, and the access network device may be preconfigured to generate the fourth verification code according to the first root key and the identifier of the first node. When the access network device determines that the third verification code is the same as the fourth verification code, it determines that the terminal is legal; otherwise, it determines that the terminal is illegal.
In the specific implementation of step 303, when the access network device needs to adopt the identifier of the first node in the process of generating the fourth verification code, and the identifier of the first node is an identifier of an LRC node (in this embodiment, the LRC node that the terminal requests to associate with is the first node) that the terminal requests to associate with, then the access network device needs to determine the node that the terminal requests to associate with, which may specifically be obtained by any one of the following methods: method 1, the access network device may determine that the node that the terminal requests to associate is the node that sends the second request message (i.e., the first node). Method 2, the second request message may further include an identifier of a node (i.e. an identifier of the first node) that the terminal requests to associate with, and the access network device determines the node that the terminal requests to associate with according to the identifier.
In implementation manner 2, the second request message may include an identifier of the terminal on the sidelink, and before step 303, the access network device may obtain the first root key according to the identifier of the terminal on the sidelink included in the second request message, so as to verify the validity of the terminal according to the first root key.
The method for the access network device to obtain the first root key may include the first possible implementation manner and the second possible implementation manner. The first possible implementation manner is a manner of acquiring the first root key after Uu-RRC connection is established between the terminal and the access network device, and the second possible implementation manner is a manner of acquiring the first root key when the Uu-RRC connection is not established between the terminal and the access network device. Specifically, the method comprises the following steps:
in a first possible implementation manner, a Uu-RRC connection has been established between the terminal and the access network device, and the access network device stores a context of the terminal, where the context of the terminal includes the first root key. The access network device may determine the context of the terminal according to the identifier of the terminal in the side link, and obtain the first root key from the context of the terminal.
In a second possible implementation manner, no Uu-RRC connection has been established between the terminal and the access network device, and the terminal may send to the first node a Uu-RRC_UE message applying for establishment of the Uu-RRC connection. The first node forwards the Uu-RRC_UE message (e.g., a Uu-RRC_UE connection establishment request message, that is, the RRC connection establishment request message sent by the terminal to the access network device) to the access network device, and the access network device replies to the terminal through the first node with a Uu-RRC_UE message (e.g., a Uu-RRC_UE connection setup message, that is, the RRC connection setup message sent by the access network device to the terminal), thereby establishing the Uu-RRC connection between the access network device and the terminal. The core network can then authenticate the terminal over the Uu-RRC connection between the terminal and the access network device, and eventually the access network device may obtain the first root key from the core network. For the method by which the first node determines whether a Uu-RRC message sent by the terminal is a Uu-RRC message sent to the access network device, refer to the relevant description in implementation 1.
In implementation 2, optionally, the second request message further includes node association information (for example, the identifier of the first node), which informs the access network device that the terminal requests association to the first node, thereby triggering the access network device to verify the terminal. In implementation 2, the second request message may be a Uu-RRC_LRC message.
304. The access network device sends a second response message to the first node, where the second response message indicates the verification result or the association result. Accordingly, the first node receives the second response message from the access network device.
The second response message may be a Uu-RRC_LRC message (e.g., a Uu-RRC_LRC reconfiguration message, i.e., an RRC reconfiguration message sent by the access network device to the first node). The verification result indicates the validity of the terminal and may be success or failure, where success means the terminal is legal and failure means the terminal is illegal. The association result indicates whether the terminal is allowed to associate to the first node.
The verification result or the association result may be indicated by a message type of the second response message, for example, if the association result is that the terminal is allowed to associate with the first node, the second response message may be an association allowing message, and if the association result is that the terminal is not allowed to associate with the first node, the second response message may be a non-association allowing message.
The result of the verification or the result of the association may also be indicated by an indication in the second response message. For example, when the indication information corresponding to the association result is true (or 1), it indicates that the terminal is allowed to associate with the first node, and when the indication information corresponding to the association result is false (or 0), it indicates that the terminal is not allowed to associate with the first node.
It should be noted that, in the embodiments of the present application, since the first node has access to the access network device, the first node is trusted by the access network device. Under the condition that the access network equipment verifies the legality of the terminal, if the access network equipment indicates that the terminal is legal to the first node, the first node considers that the terminal is legal.
305. The first node sends a first response message to the terminal according to the second response message, where the first response message indicates the association result.
The association result may be indicated by a message type of the first response message, for example, if the association result is that the terminal is allowed to associate to the first node, the first response message may be an association success message, and if the association result is that the terminal is not allowed to associate to the first node, the first response message may be an association failure message.
The association result may also be indicated by an indication information in the first response message. For example, when the indication information corresponding to the association result is true (or 1), it indicates that the terminal is successfully associated with the first node, and when the indication information corresponding to the association result is false (or 0), it indicates that the terminal is not successfully associated with the first node.
Wherein, in case that there is a PC5-RRC layer in the protocol stack of the first node that is peer to the terminal, the first response message may be a PC5-RRC message.
The steps 301 to 305 are optional steps.
306. The access network device sends a first verification code to the first node.
Accordingly, the first node receives the first authentication code from the access network device.
The first verification code is used by the terminal to verify the validity of the first node. The first verification code is generated according to the first root key and at least one of the identifier of the first node and the identifier of the terminal on the sidelink.
Note that the access network device may carry the first verification code in the second response message and send it to the first node in that message, in which case step 304 and step 306 may be combined into one step. In this case, regardless of whether the verification of the terminal in step 303 succeeded, the second response message includes the identifier of the terminal on the sidelink, the first verification code, and the verification result (or the association result). In another possible implementation manner, when the verification result in step 303 is failure or the association result is not allowed, the second response message includes only the verification result or the association result; when the verification result in step 303 is success or the association result is allowed, the second response message may include only the identifier of the terminal on the sidelink and the first verification code.
307. The first node sends the first verification code and the identification of the first node to the terminal.
Accordingly, the terminal receives the first verification code and the identity of the first node from the first node.
The first verification code sent by the first node to the terminal and the identifier of the first node are used for the terminal to verify the validity of the first node.
In the embodiment of the application, the access network equipment generates the first verification code and then sends the first verification code to the first node, and the first node sends the first verification code and the identifier of the first node to the terminal, so that the terminal can verify the validity of the first node.
Note that the first node may carry the first verification code and the identifier of the first node in the first response message and send them to the terminal in that message, in which case step 305 and step 307 may be combined into one step. In this case, the identifier of the first node may be carried in the SRC address field of the MAC layer header of the first response message, and the first verification code may be carried in the MAC layer header or in the payload of the first response message.
308. The terminal verifies the validity of the first node according to the first root key, the first verification code, and at least one of the identifier of the first node and the identifier of the terminal on the sidelink.
Optionally, the step 308 includes, in specific implementation:
11) the terminal generates a second verification code according to the first root key and at least one of the identifier of the first node and the identifier of the terminal in the side link.
12) The terminal verifies the validity of the first node according to the second verification code and the first verification code.
The method by which the access network device generates the first verification code is the same as the method by which the terminal generates the second verification code. Optionally, this method may be preconfigured or negotiated between the terminal and the access network device; for example, the access network device may be preconfigured to generate the first verification code according to the first root key and the identifier of the first node, and the terminal may be preconfigured to generate the second verification code according to the first root key and the identifier of the first node. In step 12), if the terminal determines that the first verification code is the same as the second verification code, the terminal determines that the first node is legal; otherwise, the terminal determines that the first node is illegal.
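The following is an added example (not the patent's own code) that runs steps 301 to 308 of embodiment one in a single process, with implementation 2 for the verification of the terminal (third and fourth verification codes) and steps 306 to 308 for the verification of the first node (first and second verification codes). The construction of the codes is an assumption: HMAC-SHA256 over the first root key, the identifier of the first node and the identifier of the terminal on the sidelink, truncated to 32 bits; the patent only states that the method is preconfigured or negotiated. The purpose labels UE_TO_ANW and ANW_TO_UE are also this example's addition: without them, a code generated from the same key and identifiers in both directions would make the terminal's own third verification code a valid first verification code, and the ReflectingNode case below shows the terminal rejecting exactly that. The class and message names, the 24-bit sidelink identifier length and the sample keys are constructed.

```python
"""Added example: embodiment one (implementation 2, steps 301-308); code construction assumed."""
import hashlib
import hmac

CODE_LEN = 4            # bytes kept from the HMAC output (assumed truncation)
UE_TO_ANW = b"UE->ANW"  # label for the third/fourth verification code (assumption)
ANW_TO_UE = b"ANW->UE"  # label for the first/second verification code (assumption)


def verification_code(root_key: bytes, purpose: bytes, node_id: int, terminal_sl_id: int) -> bytes:
    """Code over the first root key, the identifier of the first node and the identifier
    of the terminal on the sidelink (modelled as a 24-bit ProSe UE ID)."""
    data = purpose + node_id.to_bytes(4, "big") + terminal_sl_id.to_bytes(3, "big")
    return hmac.new(root_key, data, hashlib.sha256).digest()[:CODE_LEN]


class AccessNetworkDevice:
    def __init__(self):
        self.contexts = {}  # identifier of the terminal on the sidelink -> first root key

    def store_context(self, terminal_sl_id: int, first_root_key: bytes):
        self.contexts[terminal_sl_id] = first_root_key

    def handle_second_request(self, sender_node_id: int, adapt_sl_id: int, third_code: bytes) -> dict:
        """Step 303 with the first verification code carried in the second response (304/306)."""
        root_key = self.contexts.get(adapt_sl_id)  # first root key from the terminal context
        if root_key is None:
            return {"association_result": False}
        # Method 1: the node the terminal requests to associate with is the sender.
        fourth_code = verification_code(root_key, UE_TO_ANW, sender_node_id, adapt_sl_id)
        if not hmac.compare_digest(third_code, fourth_code):
            return {"association_result": False}
        first_code = verification_code(root_key, ANW_TO_UE, sender_node_id, adapt_sl_id)
        return {"association_result": True, "terminal_sl_id": adapt_sl_id, "first_code": first_code}


class FirstNode:
    """An LRC node that has access to the access network device."""

    def __init__(self, node_id: int, anw):
        self.node_id = node_id
        self.anw = anw

    def handle_first_request(self, first_request: dict) -> dict:
        """Step 302: forward the third code with the terminal's sidelink identifier in the
        Adapt header; steps 305 and 307 combined: return result, node identifier, first code."""
        resp = self.anw.handle_second_request(self.node_id, first_request["src"], first_request["third_code"])
        first_response = {"src": self.node_id, "association_result": resp["association_result"]}
        if resp["association_result"]:
            first_response["first_code"] = resp["first_code"]
        return first_response


class ReflectingNode(FirstNode):
    """Constructed failure case: a node with no path to the access network device that
    answers by sending the terminal's own third code back as the first code."""

    def handle_first_request(self, first_request: dict) -> dict:
        return {"src": self.node_id, "association_result": True, "first_code": first_request["third_code"]}


class Terminal:
    def __init__(self, sl_id: int, first_root_key: bytes):
        self.sl_id = sl_id
        self.root_key = first_root_key

    def first_request(self, node_id: int) -> dict:
        """Step 301: the SRC field carries the identifier of the terminal on the sidelink."""
        return {"src": self.sl_id,
                "third_code": verification_code(self.root_key, UE_TO_ANW, node_id, self.sl_id)}

    def verify_first_node(self, first_response: dict) -> bool:
        """Step 308: generate the second code and compare it with the received first code."""
        if not first_response.get("association_result"):
            return False
        second_code = verification_code(self.root_key, ANW_TO_UE, first_response["src"], self.sl_id)
        return hmac.compare_digest(second_code, first_response["first_code"])


def associate(terminal: Terminal, node: FirstNode) -> bool:
    """Whole exchange seen from the terminal: True only if the access network device allowed
    the association and the terminal verified the first node."""
    return terminal.verify_first_node(node.handle_first_request(terminal.first_request(node.node_id)))


def run_scenarios() -> dict:
    anw = AccessNetworkDevice()
    key = bytes(range(32))  # constructed first root key, shared after core network authentication
    anw.store_context(0xABCDEF, key)
    node = FirstNode(0x1234, anw)
    return {
        "legitimate": associate(Terminal(0xABCDEF, key), node),
        "wrong_root_key": associate(Terminal(0xABCDEF, bytes(32)), node),  # third code mismatches
        "unknown_terminal": associate(Terminal(0x000001, key), node),      # no context at the network
        "reflected_code": associate(Terminal(0xABCDEF, key), ReflectingNode(0x5678, None)),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The comparisons use hmac.compare_digest so that neither side leaks, through timing, how many bytes of a presented code were correct. Note that the identifier of the first node that enters the terminal's second verification code is the one the first node itself puts in the SRC field of the first response: the check therefore confirms that the access network device issued a code for that node, which is what step 308 relies on.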
In the prior art, the server is located in the DN, so it takes a long time for the terminal to acquire the shared key from the server. In the method provided in the first embodiment, the terminal verifies the validity of the first node according to the first root key, the received identifier of the first node, and the first verification code, without acquiring a shared key from the server, so the time for the terminal to verify the validity of the first node may be shortened. When the validity of the terminal is verified, the access network device verifies it according to the Uu-RRC_UE message, or according to the third verification code and the fourth verification code generated from the first root key, and notifies the first node, without the first node acquiring a shared key from the server, so the time for the first node to learn the validity of the terminal may also be shortened. In addition, in the first embodiment, since the first root key is stored in both the access network device and the terminal, the validity of the terminal and of the first node can be verified conveniently and quickly between the terminal and the access network device.
It should be noted that, in the first embodiment, when verifying the validity of the terminal and the first node, either the validity of the terminal may be verified first, or the validity of the first node may be verified first (in the latter case, steps 306 to 308 may be executed before step 301). The embodiment of the present application is not particularly limited in this respect.
Example two
The second embodiment provides a verification method, and the main differences from the verification method provided by the first embodiment include but are not limited to: 1. the validity verification of the terminal is not performed by the access network equipment any more, but by the first node; 2. the verification of the validity of the terminal by the first node and the verification of the validity of the first node by the terminal are no longer based on the first root key but on the second root key. The second root key is a root key used for communication between the terminal and the first node, and the second root key may be generated according to the first root key. For the description related to the first root key, reference may be made to embodiment one, and details are not described here.
As shown in fig. 4, the verification method provided in the second embodiment includes:
400. The access network device sends the identifier of the terminal on the sidelink and the second root key to the first node. Accordingly, the first node receives the identifier of the terminal on the sidelink and the second root key from the access network device. Based on the identifier of the terminal on the sidelink, the first node may determine which terminal communicates with it using the second root key.
Prior to step 400, the access network device may generate the second root key according to the first root key and the first key freshness parameter, specifically in any of the following three modes.
Mode 1: generate the second root key according to the first root key, the identifier of the first node and the first key freshness parameter.
Mode 2: generate the second root key according to the first root key, the identifier of the first node, the first key freshness parameter and the identifier of the terminal on the sidelink.
Mode 3: generate the second root key according to the first root key, the first key freshness parameter and the identifier of the terminal on the sidelink.
Optionally, the first node is a node responsible for allocating transmission resources of the sidelink, that is, the first node is an LRC node.
Optionally, the first node is a termination point of the application layer data of the terminal, that is, the application layer data of the terminal is terminated at the first node.
401. The access network device sends the identifier of the first node and the first key freshness parameter to the terminal.
Accordingly, the terminal receives the identity of the first node and the first key freshness parameter from the access network device.
For example, the identifier of the first node and the first key freshness parameter may be carried in a Uu-RRC_UE message (for example, a Uu-RRC_UE reconfiguration message, that is, an RRC reconfiguration message sent by the access network device to the terminal).
Before step 401, if the access network device receives a Uu-RRC_UE message sent by the terminal that carries the identifier of the terminal on the sidelink, the access network device can find the context of the terminal according to that identifier. The context of the terminal includes the first key freshness parameter, and the access network device can carry the first key freshness parameter in a Uu-RRC_UE message sent to the terminal. Illustratively, this Uu-RRC_UE message may be a Uu-RRC_UE reconfiguration message.
The terminal may generate a second root key based on the first root key and the first key freshness parameter. The method for generating the second root key by the terminal is the same as the method for generating the second root key by the access network device, for example, the terminal and the access network device may both generate the second root key in the above-mentioned mode 1, mode 2, or mode 3, and specifically, which mode is used may be pre-configured or determined by negotiation between the access network device and the terminal.
Steps 400 and 401 may be executed in either order.
402. The terminal sends a first request message to the first node. Accordingly, the first node receives a first request message from the terminal.
The first request message is used for requesting to be associated to the first node, the first request message comprises a third verification code, and the third verification code is used for verifying the validity of the terminal.
The terminal may generate the third verification code based on the second root key and one or more of the identifier of the terminal on the sidelink and the identifier of the first node. Specifically, this may be implemented in any of the following three ways.
Way 1: the terminal generates the third verification code directly according to the second root key and one or more of the identifier of the terminal on the sidelink and the identifier of the first node.
Way 2: the terminal generates an encryption key for the control plane between the terminal and the LRC node according to the second root key, and then generates the third verification code according to that control-plane encryption key and one or more of the identifier of the terminal on the sidelink and the identifier of the first node.
Way 3: the terminal generates an integrity protection key for the control plane between the terminal and the LRC node according to the second root key, and then generates the third verification code according to that control-plane integrity protection key and one or more of the identifier of the terminal on the sidelink and the identifier of the first node.
Optionally, the first request message further includes one or more of an identifier of the terminal on the sidelink, association request information, and an identifier of the first node.
It should be noted that the role of the first request message may be characterized by the association request information in the first request message, or may be characterized by the message type of the first request message. In the latter case, the first request message may be an association request (in this case, the first request message does not include association request information). The terminal side link identification is used for determining the terminal associated with the request by the node receiving the first request message. The identity of the first node is used to indicate the node with which the terminal requests association.
403. The first node verifies the validity of the terminal according to the second root key and the third verification code.
In a specific implementation, step 403 may include: the first node generates a fourth verification code according to the second root key, and verifies the validity of the terminal according to the fourth verification code and the third verification code.
The method for generating the fourth verification code by the first node is the same as the method for generating the third verification code by the terminal. Optionally, these methods may be preconfigured or negotiated between the terminal and the first node; for example, the terminal may be preconfigured to generate the third verification code according to the second root key and the identifier of the first node, and the first node may be preconfigured to generate the fourth verification code according to the second root key and the identifier of the first node. If the first node determines that the fourth verification code is the same as the third verification code, it determines that the terminal is legal; otherwise, it determines that the terminal is illegal.
Optionally, before step 403, the method further includes: the first node acquires the second root key according to the identifier of the terminal on the sidelink.
404. The first node sends a first response message to the terminal, where the first response message is used to indicate the association result.
When the first node verifies that the terminal is legal, the association result is association success; when the first node verifies that the terminal is illegal, the association result is association failure.
The association result may be indicated by the message type of the first response message, or may be indicated by one indication information in the first response message. Specifically, reference may be made to the related description in step 305 in the first embodiment, and details are not repeated here.
405. The first node generates a first verification code according to the second root key.
The first verification code is used for the terminal to verify the validity of the first node.
406. The first node sends a first verification code to the terminal. Accordingly, the terminal receives the first authentication code from the first node.
Optionally, the terminal and the first node communicate via a sidelink.
The first node may send the terminal the first verification code in the first response message in step 404. In this case, step 404 and step 406 may be combined into the same step.
407. The terminal verifies the validity of the first node according to the second root key.
In a specific implementation of step 407, the terminal may generate a second verification code according to the second root key, and verify the validity of the first node according to the second verification code and the first verification code.
The method for generating the first verification code by the first node is the same as the method for generating the second verification code by the terminal. Optionally, these methods may be preconfigured or negotiated between the terminal and the first node; for example, the terminal may be preconfigured to generate the second verification code according to the second root key and the identifier of the first node, and the first node may be preconfigured to generate the first verification code according to the second root key and the identifier of the first node. In a specific implementation of step 407, if the terminal determines that the first verification code is the same as the second verification code, the terminal determines that the first node is legal; otherwise, the terminal determines that the first node is illegal.
In the embodiment shown in fig. 4, step 400, step 402, step 403 and step 404 are optional steps.
It should be noted that, in the second embodiment, when verifying the validity of the terminal and the first node, either the validity of the terminal may be verified first, or the validity of the first node may be verified first (in the latter case, steps 405, 406 and 407 may be executed before step 402). The embodiment of the present application is not particularly limited in this respect.
In the prior art, the server is located in the DN, so it takes a long time for the terminal to acquire the shared key from the server. In the method provided in the second embodiment, when verifying the validity of the first node, the terminal generates the second verification code according to the first root key and the identifier of the first node and the first key freshness parameter obtained from the access network device, and then verifies the validity of the first node according to the first verification code and the second verification code. The terminal can thus verify the validity of the first node without acquiring the shared key from the server, so the time for the terminal to verify the validity of the first node can be shortened. When the validity of the terminal is verified, the first node can generate the fourth verification code according to the second root key sent by the access network device, and then verify the validity of the terminal according to the third verification code sent by the terminal and the fourth verification code, without acquiring a shared key from the server, so the time for the first node to verify the validity of the terminal can be shortened.
Optionally, the method further includes: the terminal generates a security protection key of data between the terminal and the first node according to the second root key; and the terminal transmits data with the first node according to the security protection key.
Optionally, the method further includes: the first node generates a security protection key of data between the first node and the terminal according to the second root key; and the first node performs data transmission with the terminal according to the security protection key.
The data security protection key between the first node and the terminal may include a user plane data security protection key and/or a control plane data security protection key, the user plane data transmission is performed between the terminal and the first node through the user plane data security protection key, and the control plane data transmission is performed through the control plane data security protection key, so that the data security is ensured.
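The exchange of steps 400 to 407 and the optional data-protection keys above, as an added Python model that is not part of the patent: HMAC-SHA256 is assumed for both the root-key derivation and the verification codes (the patent leaves the functions open), the labels are an assumed domain separation, and every key and identifier is a constructed sample value.

```python
import hmac
import hashlib

# Assumed domain-separation labels (the patent specifies none). They keep the
# terminal->node code distinct from the node->terminal code even when, as in the
# patent's example, both are derived from the same root key and node identifier.
LABEL_K2 = b"second-root-key"
LABEL_TERMINAL_CODE = b"terminal-to-node"   # third / fourth verification code
LABEL_NODE_CODE = b"node-to-terminal"       # first / second verification code
LABEL_UP_KEY = b"user-plane-protection"
LABEL_CP_KEY = b"control-plane-protection"


def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed inputs (assumed KDF, not the patent's)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def derive_second_root_key(first_root_key, mode, node_id, freshness, sidelink_id=None):
    """Mode 1, 2 or 3 of embodiment two; both sides must be configured for the same mode."""
    if mode == 1:
        return kdf(first_root_key, LABEL_K2, node_id, freshness)
    if mode == 2:
        return kdf(first_root_key, LABEL_K2, node_id, freshness, sidelink_id)
    if mode == 3:
        return kdf(first_root_key, LABEL_K2, freshness, sidelink_id)
    raise ValueError("unknown second-root-key mode")


def verification_code(root_key, label, *identifiers):
    """Verification code = MAC over the identifiers, truncated to a 128-bit tag (assumed)."""
    return kdf(root_key, label, *identifiers)[:16]


def data_protection_keys(second_root_key):
    """Optional step: separate user-plane and control-plane keys from the second root key."""
    return kdf(second_root_key, LABEL_UP_KEY), kdf(second_root_key, LABEL_CP_KEY)


def run_embodiment_two(first_root_key, node_id, sidelink_id, freshness, mode=2,
                       terminal_freshness=None, node_root_key_override=None):
    """Steps 400-407. Returns (terminal_legal, node_legal) as decided by each verifier.

    terminal_freshness:     lets the terminal hold a stale first key freshness parameter.
    node_root_key_override: lets a node that never received K2 from the access network
                            device (an illegitimate first node) answer with its own key.
    """
    if terminal_freshness is None:
        terminal_freshness = freshness
    # Step 400: access network device derives K2 and hands (sidelink_id, K2) to the first node.
    k2_access = derive_second_root_key(first_root_key, mode, node_id, freshness, sidelink_id)
    first_node_context = {sidelink_id: k2_access}
    # Step 401: access network device sends node_id and the freshness parameter to the
    # terminal, which derives K2 with the same mode.
    k2_terminal = derive_second_root_key(first_root_key, mode, node_id,
                                         terminal_freshness, sidelink_id)
    # Step 402: the first request message carries the third verification code.
    first_request = {
        "sidelink_id": sidelink_id,
        "node_id": node_id,
        "third_code": verification_code(k2_terminal, LABEL_TERMINAL_CODE, sidelink_id, node_id),
    }
    # Step 403: the first node looks up K2 by the sidelink identifier, computes the
    # fourth verification code and compares in constant time.
    if node_root_key_override is not None:
        k2_node = node_root_key_override
    else:
        k2_node = first_node_context[first_request["sidelink_id"]]
    fourth_code = verification_code(k2_node, LABEL_TERMINAL_CODE,
                                    first_request["sidelink_id"], first_request["node_id"])
    terminal_legal = hmac.compare_digest(first_request["third_code"], fourth_code)
    # Steps 404-406: the first response message carries the association result and
    # the first verification code.
    first_response = {
        "association_success": terminal_legal,
        "first_code": verification_code(k2_node, LABEL_NODE_CODE, node_id),
    }
    # Step 407: the terminal computes the second verification code and compares.
    second_code = verification_code(k2_terminal, LABEL_NODE_CODE, node_id)
    node_legal = hmac.compare_digest(first_response["first_code"], second_code)
    return terminal_legal, node_legal


if __name__ == "__main__":
    # Constructed sample values.
    k1, node, sl, fresh = b"\x11" * 32, b"lrc-node-07", b"sl-terminal-42", (5).to_bytes(4, "big")
    print("legitimate run:", run_embodiment_two(k1, node, sl, fresh))
    print("node without K2:", run_embodiment_two(k1, node, sl, fresh,
                                                  node_root_key_override=b"\x00" * 32))
```

The two failure paths show why the first key freshness parameter and the access-network-provided second root key matter: a terminal with a stale parameter, or a node that never received K2, fails verification in both directions.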
Example three
This embodiment provides a verification method, and the verification process of the validity of the first node is the same as the verification process of the validity of the first node in the second embodiment. The validity verification of the terminal can be implemented in three ways, and two ways of the three ways are the same as the first way and the second way of the first embodiment. As shown in fig. 5, the following describes a verification method provided in the third embodiment specifically, where the verification method includes:
501. As in step 402 above.
502. As in step 301 above.
503. As in step 302 above.
504. As in step 303 above.
505. As in step 304 above.
506. As in step 305 above.
There are three ways to verify the validity of the terminal in steps 502 to 506. The first is the same as implementation 1 in embodiment one, and the second is the same as implementation 2 in embodiment one. In the third, the terminal may generate a second root key according to the first root key (see the relevant parts of embodiment two for the generation method), generate a third verification code according to the second root key, and send the third verification code to the first node carried in the first request message; the first node includes the third verification code from the first request message in the second request message and sends it to the access network device; and the access network device compares the received third verification code with a fourth verification code generated according to the second root key. If the third verification code is the same as the fourth verification code, the access network device determines that the terminal is legal; if the third verification code is different from the fourth verification code, it determines that the terminal is illegal. In the third implementation, the method for generating the third verification code by the terminal and the method for generating the fourth verification code by the access network device are the same, and may be preconfigured or determined by negotiation between the access network device and the terminal; for example, the terminal may be preconfigured to generate the third verification code according to the second root key and the identifier of the first node, and the access network device may be preconfigured to generate the fourth verification code according to the second root key and the identifier of the first node.
507. As in step 400 above.
Before step 507, the access network device may generate the second root key, and the generation method may refer to the description of relevant parts in embodiment two, which is not described herein again. The access network device may send the identifier of the terminal on the sidelink and the second root key to the first node in the second response message carried in step 505. In this case, step 505 and step 507 may be combined into the same step.
508. As in step 405 above.
Step 507 and step 508 may be performed before any of step 501 to step 506.
509. As in step 406 above.
In the case that steps 507 and 508 are performed before step 506, the access network device may send the first authentication code to the first node in the first response message in step 506. In this case, step 506 and step 509 may be combined into the same step.
510. As in step 407 above.
If the first or second implementation is adopted for the validity verification of the terminal in steps 502 to 506, step 501 need only be executed before step 510; the order in which step 501 and steps 502 to 509 are executed is not fixed. For example, the identifier of the first node and the first key freshness parameter of step 501 may be forwarded to the terminal through the first node, for instance carried in the second response message and then in the first response message.
It should be noted that, in the third embodiment, when verifying the validity of the terminal and the first node, either the validity of the terminal may be verified first, or the validity of the first node may be verified first (in the latter case, steps 508 to 510 may be executed before step 504). The embodiment of the present application is not particularly limited in this respect.
In the embodiment shown in fig. 5, steps 502 to 507 are optional steps.
In the prior art, the server is located in the DN, so it takes a long time for the terminal to acquire the shared key from the server. In the method provided in the third embodiment, when verifying the validity of the first node, the terminal generates the second verification code according to the first root key and the identifier of the first node and the first key freshness parameter obtained from the access network device, and then verifies the validity of the first node according to the first verification code and the second verification code. The terminal can thus verify the validity of the first node without acquiring the shared key from the server, so the time for the terminal to verify the validity of the first node can be shortened. When the validity of the terminal is verified, the access network device verifies the validity of the terminal according to the Uu-RRC_UE message, or according to the third verification code and the fourth verification code generated from the first root key, or according to the third verification code and the fourth verification code generated from the second root key, and notifies the first node, without the first node acquiring the shared key from the server, so the time for the first node to verify the validity of the terminal can be shortened.
Optionally, the method further includes: the terminal generates a security protection key of data between the terminal and the first node according to the second root key; and the terminal transmits data with the first node according to the security protection key. For a detailed description of the optional method, reference may be made to the related description in embodiment two, and details are not repeated here.
Optionally, the method further includes: the first node generates a security protection key of data between the first node and the terminal according to the second root key; and the first node performs data transmission with the terminal according to the security protection key. For a detailed description of the optional method, reference may be made to the related description in embodiment two, and details are not repeated here.
Example four
When the terminal needs to be handed over from one access network device (referred to as the first access network device) to another access network device (referred to as the second access network device), a fourth embodiment provides a verification method, shown in fig. 6, to ensure that the terminal successfully performs validity verification with the LRC node after the handover. The method includes:
601. The first access network device sends a handover request message to the second access network device.
Accordingly, the second access network device receives the handover request message from the first access network device.
The handover request message is used to request the second access network device to hand the terminal over from the first access network device to the second access network device, and the handover request message includes the identifier of the terminal.
602. The second access network device sends a handover reply message to the first access network device.
Accordingly, the first access network device receives a handover reply message from the second access network device.
Wherein the handover reply message comprises an identification of the second node and a second key freshness parameter. The second node is an LRC node, and the second node is a node responsible for allocating transmission resources of the side link after the terminal is handed over, for example, after the terminal is associated with the second node after the handover is completed, the second node may allocate transmission resources of the side link for the terminal. The second node may be the same node as the first node, or may be different nodes. Wherein the second key freshness parameter is used to update the third key. The third key is a root key for communication between the terminal and the second node, and the third key is used for verifying the validity of the terminal and/or the second node.
Prior to step 602, the second access network device may determine a second node.
603. The first access network device sends the identifier of the second node and the second key freshness parameter to the terminal.
Accordingly, the terminal receives the identity of the second node and the second key freshness parameter from the first access network device.
After the terminal is handed over from the first access network device to the second access network device, when the second access network device is the access network device in the second embodiment and the third embodiment, the second access network device may verify the legitimacy of the terminal and the second node by using the method shown in fig. 4 or fig. 5, and in specific implementation, only the first node in fig. 4 or fig. 5 needs to be replaced by the second node, and the second root key needs to be replaced by the third key. In addition, step 401 in fig. 4 may not be performed, and step 501 in fig. 5 may not be performed.
The method provided by the fourth embodiment may send, to the terminal, the identifier of the second node and the second key freshness parameter through the first access network device in a scenario where the terminal is switched from the first access network device to the second access network device, so as to ensure that the terminal can successfully perform validity verification with the second node after being switched to the second access network device.
Example five
This embodiment provides a verification method in which the procedure for verifying the validity of the terminal is the same as in the second embodiment. The verification of the validity of the first node differs from the first, second and third embodiments in that the terminal in those embodiments needs to generate a verification code, whereas the terminal in this embodiment does not: it can directly verify the validity of the first node using the verification codes sent by the access network device and by the first node.
As shown in fig. 7, the authentication method includes:
701. The access network device sends the identifier of the first node, the first verification code and the third verification code to the terminal.
The first verification code is used for verifying the validity of the first node, and the third verification code is used for verifying the validity of the terminal. Both the first and second verification codes may be generated according to the second root key, which is described in the second embodiment.
Optionally, the first node is a node responsible for allocating transmission resources of the sidelink, that is, the first node is an LRC node.
702. The terminal sends a first request message to the first node.
Accordingly, the first node receives a first request message from the terminal.
Wherein the first request message is for requesting association to the first node. The first request message includes a third authentication code.
Optionally, the first request message may further include an identifier of the terminal on the sidelink.
Optionally, the terminal and the first node communicate via a sidelink. The first node is a termination point of the application layer data of the terminal, that is, the application layer data of the terminal is terminated at the first node.
The scenario in which the terminal determines to execute step 702 may also be scenario 1 or scenario 2 in the first embodiment, which is not described herein again.
703. The first node verifies the validity of the terminal according to the second root key and the third verification code.
Prior to step 703, the method may further comprise: the access network device sends the second root key to the first node, and correspondingly, the first node receives the second root key from the access network device.
For the description of step 703, reference may be made to the description related to step 403 in embodiment two, which is not described herein again.
704. The first node sends a first response message to the terminal.
Accordingly, the terminal receives the first response message from the first node.
The first response message is used to indicate the association result, and the specific implementation can be seen in step 404 in the second embodiment. The first response message includes the second verification code. The second verification code is generated by the first node, and a method for generating the second verification code by the first node is the same as the method for generating the first verification code by the access network device, which may specifically refer to the description of the relevant part in embodiment two, and is not described herein again.
705. The terminal verifies the validity of the first node according to the first verification code and the second verification code.
For the description of step 705, reference may be made to the description related to step 407 in embodiment two, and details are not repeated here.
After step 705, the first node and the terminal may also generate a security protection key for communication between the first node and the terminal based on the second root key. For details, reference may be made to the description of the relevant parts in the second embodiment, which is not described herein again.
In the fifth embodiment, when verifying the validity of the terminal and the first node, either the validity of the terminal may be verified first, or the validity of the first node may be verified first (in the latter case, steps 704 and 705 may be executed before step 702). The embodiment of the present application is not particularly limited in this respect.
It should be noted that fig. 7 is drawn to verify the validity of both the first node and the terminal. In actual implementation, only the validity of the terminal may be verified, in which case, steps 704 and 705 are optional steps, or only the validity of the first node may be verified, in which case, steps 702 and 703 are optional steps.
It should be noted that, in addition to generating the first verification code and the third verification code by using the method in the second embodiment, the first verification code and the third verification code may also be generated according to a root key used for communication between the first node and the access network device, at this time, a method for generating the verification codes is similar to the method for generating the verification codes in the first embodiment or the second embodiment, and the only difference is that the first root key or the second root key is replaced by the root key used for communication between the first node and the access network device, which is not described herein again.
In the prior art, the server is located in the DN, so it takes a long time for the terminal to acquire the shared key from the server. In the method provided in the fifth embodiment, mutual validity verification between the first node and the terminal can be performed directly based on the verification codes sent by the access network device, without acquiring a shared key from the server, so the time for validity verification of the first node and the terminal can be shortened. In addition, the terminal does not need to generate a verification code, which avoids increasing the implementation complexity of the terminal and, in turn, its power consumption.
Example six
The sixth embodiment provides a verification method. Like the fifth embodiment, the terminal does not need to generate a verification code; the difference is that in the fifth embodiment the first node needs to generate a verification code, whereas in this embodiment the first node does not. The verification codes held by the terminal and the first node can both be sent by the access network device, and the terminal and the first node can verify each other's validity based on the verification codes sent by the access network device.
As shown in fig. 8, the authentication method includes:
801. The access network device sends the first verification code and the third verification code to the terminal. Accordingly, the terminal receives the first verification code and the third verification code from the access network device.
The first verification code is used for verifying the validity of the first node, and the third verification code is used for verifying the validity of the terminal.
The first verification code may be generated according to the first root key or the second root key; for details, refer to the description of the first embodiment or the second embodiment.
The third verification code may be an identifier (e.g., a local identifier) assigned to the terminal by the access network device and used for identifying the terminal between the access network device and the first node. Alternatively, the third verification code may be an identifier assigned to the terminal by the first node and used for identifying the terminal between the access network device and the first node. Alternatively, the third verification code is generated by the access network device according to the first root key or the second root key; for details, refer to the description of the first embodiment or the second embodiment.
Optionally, the terminal may first send a request for the first verification code and the third verification code to the first node, and then the first node sends a verification code request message 2 to the access network device to request the first verification code and the third verification code, where the verification code request message 2 includes the identifier of the terminal on the sidelink (or the identifier of the terminal on the cellular network). The access network device finds the terminal according to the identifier of the terminal on the sidelink (or the identifier of the terminal on the cellular network), and sends the first verification code and the third verification code to the terminal through a Uu-RRC_UE message. When the first node has assigned an identifier to the terminal, the verification code request message 2 may include the identifier assigned to the terminal by the first node; when the first node has not assigned an identifier to the terminal, the verification code request message 2 does not include one.
Optionally, the access network device further sends the identifier of the first node to the terminal, so that the terminal determines the node that needs to be associated.
802. The access network device sends the first authentication code and the third authentication code to the first node. Accordingly, the first node receives the first authentication code and the third authentication code from the access network device.
Optionally, the first node is a node responsible for allocating transmission resources of the sidelink, that is, the first node is an LRC node.
Step 801 and step 802 may be executed in either order.
803. The terminal sends the third verification code to the first node. Accordingly, the first node receives the third authentication code from the terminal.
The third verification code may be carried in a first request message, where the first request message is used to request association to the first node.
Optionally, the terminal and the first node communicate via a sidelink. The first node is a termination point of the application layer data of the terminal, that is, the application layer data of the terminal is terminated at the first node.
The scenario in which the terminal determines to execute step 803 may also be scenario 1 or scenario 2 in the first embodiment, which is not described herein again.
804. The first node determines whether the third verification code received from the access network device is the same as the third verification code received from the terminal, if so, the first node determines that the terminal is legal, otherwise, the first node determines that the terminal is illegal.
805. The first node sends a first verification code to the terminal. Accordingly, the terminal receives the first authentication code from the first node.
Optionally, the first verification code may be carried in a reply message of the first request message sent by the first node to the terminal.
806. The terminal determines whether the first verification code received from the access network device is the same as the first verification code received from the first node, if so, the terminal determines that the first node is legal, otherwise, the terminal determines that the first node is illegal.
In the sixth embodiment, when verifying the validity of the terminal and the first node, the validity of the terminal may be verified first, or the validity of the first node may be verified first (in the latter case, step 805 and step 806 may be executed before step 803). This is not specifically limited in this embodiment of the present application.
It should be noted that fig. 8 is drawn to verify the validity of both the first node and the terminal. In actual implementation, only the validity of the terminal may be verified, in which case steps 805 and 806 are optional steps. It is also possible to verify only the validity of the first node, in which case steps 803 to 804 are optional steps.
In the prior art, the server is located in the DN. Therefore, it takes a long time for the terminal to acquire the shared key from the server. In the method provided in the sixth embodiment, mutual validity verification can be performed between the first node and the terminal directly based on the verification codes sent by the access network device, and a shared key does not need to be acquired from the server, so the time for validity verification of the first node and the terminal can be shortened. In addition, the terminal and the first node do not need to generate verification codes, which avoids increasing the implementation complexity of the terminal and the first node, and in turn avoids increasing the power consumption of the terminal.
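As an added example (not the patent's own code), the following Python simulation plays through steps 801 to 806 with an access network device, a first node and a terminal; deriving the verification codes with HMAC-SHA256 over a constructed root key, and all class, method and field names, are assumptions. It also runs the two failure cases a defender cares about: a terminal holding a code the access network device never issued, and a node the access network device never provisioned.

```python
import hashlib
import hmac

# Added example for Example six (not the patent's own code). Deriving the codes with
# HMAC-SHA256 over a constructed root key, and the class and field names, are assumptions;
# the patent only says the codes "may be generated according to the first root key or
# the second root key".


class AccessNetworkDevice:
    """Derives the verification codes and hands them to both sides (steps 801/802)."""

    def __init__(self, root_key: bytes):
        self.root_key = root_key  # first (or second) root key, constructed here

    def _code(self, label: bytes, ident: str) -> bytes:
        # Each code is bound to the identity it is meant to verify
        return hmac.new(self.root_key, label + ident.encode(), hashlib.sha256).digest()[:16]

    def issue_codes(self, terminal: "Terminal", node: "FirstNode") -> None:
        first_code = self._code(b"first|", node.node_id)          # verifies the first node
        third_code = self._code(b"third|", terminal.sidelink_id)  # verifies the terminal
        # Step 801: Uu-RRC_UE message to the terminal, together with the node identifier
        terminal.receive_from_access_network(first_code, third_code, node.node_id)
        # Step 802: the same codes to the first node
        node.receive_from_access_network(terminal.sidelink_id, first_code, third_code)


class FirstNode:
    """The node the terminal wants to associate to (e.g. the LRC node)."""

    def __init__(self, node_id: str):
        self.node_id = node_id
        self.expected = {}  # sidelink_id -> (first_code, third_code) from the access network
        self.verified_terminals = set()

    def receive_from_access_network(self, sidelink_id: str, first_code: bytes, third_code: bytes) -> None:
        self.expected[sidelink_id] = (first_code, third_code)

    def handle_first_request(self, sidelink_id: str, third_code: bytes):
        """Step 804: compare the terminal's third code with the access network's copy.
        Step 805: reply with the first code only when the terminal is legal."""
        entry = self.expected.get(sidelink_id)
        if entry is None or not hmac.compare_digest(entry[1], third_code):
            return None  # terminal illegal: association refused, first code not disclosed
        self.verified_terminals.add(sidelink_id)
        return entry[0]


class RogueNode(FirstNode):
    """A node the access network device never provisioned: it cannot know the first code."""

    def handle_first_request(self, sidelink_id: str, third_code: bytes):
        return bytes(16)  # the best it can do is guess


class Terminal:
    def __init__(self, sidelink_id: str):
        self.sidelink_id = sidelink_id
        self.first_code = self.third_code = self.target_node = None

    def receive_from_access_network(self, first_code: bytes, third_code: bytes, node_id: str) -> None:
        self.first_code, self.third_code, self.target_node = first_code, third_code, node_id

    def associate(self, node: FirstNode) -> bool:
        """Step 803: send the third code in the first request message.
        Step 806: the first node is legal only if its reply matches the stored first code."""
        if node.node_id != self.target_node:
            return False
        reply = node.handle_first_request(self.sidelink_id, self.third_code)
        if reply is None:
            return False
        return hmac.compare_digest(reply, self.first_code)


def run_embodiment_six(unprovisioned_terminal: bool = False, rogue_node: bool = False):
    """Returns (first node's verdict on the terminal, terminal's verdict on the first node)."""
    anc = AccessNetworkDevice(root_key=b"constructed-root-key-for-the-example")
    node = FirstNode("node-A")
    term = Terminal("ue-sidelink-17")
    anc.issue_codes(term, node)
    if unprovisioned_terminal:
        term.third_code = bytes(16)  # a terminal holding a code the access network never issued
    responder = RogueNode("node-A") if rogue_node else node
    node_legal = term.associate(responder)
    return term.sidelink_id in node.verified_terminals, node_legal


if __name__ == "__main__":
    print(run_embodiment_six())                             # (True, True)
    print(run_embodiment_six(unprovisioned_terminal=True))  # (False, False)
    print(run_embodiment_six(rogue_node=True))              # (False, False)
```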
Example seven
This embodiment provides a verification method. It is the same as the sixth embodiment in that the terminal and the first node do not need to generate verification codes; the difference from the sixth embodiment is that the first node and the terminal do not need to acquire verification codes either. Instead, trust is transferred between the terminal and the first node through the transfer of information, and the legitimacy of the first node and the terminal is verified on that basis. As shown in fig. 9, the authentication method includes:
901. the terminal sends a first request message to the first node.
Accordingly, the first node receives a first request message from the terminal.
The first request message is used for requesting association to the first node, and the first request message includes a first Uu-RRC_UE (Uu radio resource control) message from the terminal to the access network device.
The scenario in which the terminal determines to execute step 901 may also be scenario 1 or scenario 2 in the first embodiment, which is not described herein again.
902. The first node sends the first Uu-RRC_UE message in the first request message to the access network device.
Correspondingly, the access network device receives, from the first node, the first Uu-RRC_UE message sent by the terminal.
Illustratively, the first Uu-RRC_UE message may be carried in a second request message.
903. The access network device verifies the validity of the terminal according to the first Uu-RRC_UE message transmitted by the first node.
In a specific implementation of step 903, the method for verifying the validity of the terminal may refer to the related description of implementation manner 1 in the first embodiment, and is not described herein again.
904. If the terminal is legal, the access network device sends the second root key to the first node, or sends the second root key and the identifier of the terminal on the sidelink.
Accordingly, the first node receives the second root key from the access network device, or receives the second root key and the identity of the terminal on the sidelink.
For example, the second root key, or the second root key and the identifier of the terminal on the sidelink, may be carried in a second response message, where the second response message is a response message of the second request message.
905. The first node determines that the terminal is legal according to the second root key, or according to the second root key and the identifier of the terminal on the sidelink.
It should be noted that, after the access network device verifies that the terminal is legal, it sends the second root key, or the second root key and the identifier of the terminal on the sidelink, to the first node, which is equivalent to transferring trust in the terminal to the first node; the first node recognizes the legality of the terminal as soon as it receives the second root key, or the second root key and the identifier of the terminal on the sidelink.
After step 905, the first node may send the association result to the terminal. Accordingly, the terminal receives the association result from the first node, and the terminal may determine whether to associate with the first node successfully according to the association result. Specifically, if the association result is successful, the terminal determines that the association is successful with the first node according to the association result, otherwise, the terminal determines that the association is not successful with the first node. For the description of the association result, reference may be made to the related description in the first embodiment, and details are not repeated here.
906. If the terminal is legal, the access network device sends a second Uu-RRC_UE message to the terminal through the first node. Correspondingly, the terminal receives, through the first node, the second Uu-RRC_UE message sent by the access network device.
The second Uu-RRC_UE message is a reply message to the first Uu-RRC_UE message. The second Uu-RRC_UE message may contain the identifier of the first node.
The information sent by the access network device to the first node in step 904 (the second root key, or the second root key and the identifier of the terminal on the sidelink) and the information sent by the access network device to the first node in step 906 (the second Uu-RRC_UE message) may be carried in the same message or in different messages, which is not specifically limited in this embodiment of the present application. For example, both may be carried in the second response message, where the second response message is a response message of the second request message.
The association result and the second Uu-RRC_UE message sent by the first node to the terminal may be carried in the same message or in different messages. For example, both may be carried in a first response message, where the first response message is a response message of the first request message.
907. The terminal determines the validity of the first node according to the second Uu-RRC_UE message received from the access network device.
It should be noted that the access network device sends the second Uu-RRC_UE message to the terminal through the first node, which is equivalent to transferring trust in the first node to the terminal: after the terminal successfully parses the second Uu-RRC_UE message forwarded by the first node, it determines that the first node is legal; otherwise, it determines that the first node is illegal.
In the seventh embodiment, it should be noted that the first request message may not be a request for association to the first node; in this case, the terminal may send a request for association to the first node after step 905. When the first node then receives the request for association from the terminal over the sidelink, the first node recognizes the validity of the terminal.
In the seventh embodiment, when verifying the validity of the terminal and the first node, the validity of the terminal may be verified first, or the validity of the first node may be verified first (in the latter case, step 906 and step 907 may be executed before step 901). This is not specifically limited in this embodiment of the present application.
It should be noted that fig. 9 is drawn to verify the validity of both the first node and the terminal. In actual implementation, only the validity of the terminal may be verified, in which case, steps 906 and 907 are optional steps, or only the validity of the first node may be verified, in which case, steps 901 to 905 are optional steps.
In the prior art, the server is located in the DN. Therefore, it takes a long time for the terminal to acquire the shared key from the server. In the method provided in the seventh embodiment, mutual validity verification can be performed between the first node and the terminal directly based on the information sent by the access network device, and a shared key does not need to be acquired from the server, so the time for validity verification of the first node and the terminal can be shortened. In addition, the terminal and the first node do not need to generate verification codes, which avoids increasing the implementation complexity of the terminal and the first node, and in turn avoids increasing the power consumption of the terminal.
Example eight
This embodiment provides an authentication method in which the process of verifying the validity of the terminal by the access network device and the process of verifying the validity of the first node by the terminal are the same as those in the seventh embodiment. The difference from the seventh embodiment is that the first node does not verify the validity of the terminal based on the second root key, or the second root key and the identifier of the terminal on the sidelink, but based on the association result or the verification result sent by the access network device. As shown in fig. 10, the authentication method includes:
1001. The same as step 901.
1002. The first node sends a second request message to the access network device, where the second request message includes the first Uu-RRC_UE message.
Accordingly, the access network device receives the second request message from the first node.
Optionally, the second request message further includes node association information, and the access network device may determine that there is a terminal requesting to associate to the first node according to the node association information. For the description of the node association information, reference may be made to the related description of the first embodiment, and details are not repeated here.
1003. The same as step 903.
1004. The access network device sends the association result (or authentication result) to the first node. Accordingly, the first node receives the association result (or authentication result) from the access network device.
For the description of the association result and the verification result, reference may be made to the related description in the first embodiment, and details are not repeated here.
1005. The first node determines whether the terminal is legal according to the association result (or the verification result).
In step 1005, in a specific implementation, if the association result is allowed to associate (or the verification result is successful), the first node determines that the terminal is legal, otherwise, the first node determines that the terminal is illegal.
After step 1005, the first node may send the association result to the terminal. Accordingly, the terminal receives the association result from the first node, and the terminal may determine whether to associate with the first node successfully according to the association result. Specifically, if the association result is successful, the terminal determines that the association is successful with the first node according to the association result, otherwise, the terminal determines that the association is not successful with the first node. For the description of the association result, reference may be made to the related description in the first embodiment, and details are not repeated here.
1006. If the terminal is legal, the access network device sends a second Uu-RRC_UE message to the terminal through the first node. Correspondingly, the terminal receives, through the first node, the second Uu-RRC_UE message sent by the access network device.
The second Uu-RRC_UE message is a reply message to the first Uu-RRC_UE message. The second Uu-RRC_UE message may contain the identifier of the first node.
The information (association result or verification result) sent by the access network device to the first node in step 1004 and the information (the second Uu-RRC_UE message) sent by the access network device to the first node in step 1006 may be carried in the same message or in different messages, which is not specifically limited in this embodiment of the present application. For example, both may be carried in a second response message, where the second response message is a response message of the second request message.
The association result and the second Uu-RRC_UE message sent by the first node to the terminal may be carried in the same message or in different messages. For example, both may be carried in a first response message, where the first response message is a response message of the first request message.
1007. The same as step 907.
In the eighth embodiment, it should be noted that the first request message may not be a request for association to the first node; in this case, the terminal may send a request for association to the first node after step 1005. When the first node then receives the request for association from the terminal over the sidelink, the first node recognizes the validity of the terminal.
In the eighth embodiment, when verifying the validity of the terminal and the first node, the validity of the terminal may be verified first, or the validity of the first node may be verified first (in the latter case, step 1006 and step 1007 may be executed before step 1001). This is not specifically limited in this embodiment of the present application.
It should be noted that fig. 10 is drawn to verify the validity of both the first node and the terminal. In actual implementation, only the validity of the terminal may be verified, in which case, steps 1006 and 1007 are optional steps, or only the validity of the first node may be verified, and in which case, steps 1001 to 1005 are optional steps.
In the prior art, the server is located in the DN. Therefore, it takes a long time for the terminal to acquire the shared key from the server. In the method provided in the eighth embodiment, mutual validity verification can be performed between the first node and the terminal directly based on the information sent by the access network device, and a shared key does not need to be acquired from the server, so the time for validity verification of the first node and the terminal can be shortened. In addition, the terminal and the first node do not need to generate verification codes, which avoids increasing the implementation complexity of the terminal and the first node, and in turn avoids increasing the power consumption of the terminal.
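As an added example covering both the seventh and the eighth embodiment (not the patent's own code), the following Python simulation forwards the first Uu-RRC_UE message through the first node and lets the first node judge the terminal only from what the access network device returns: the second root key in mode "seven" (step 905), the association result in mode "eight" (step 1005). The terminal judges the first node by whether the forwarded second Uu-RRC_UE message parses under its key (steps 907/1007). Protecting the Uu-RRC_UE messages with HMAC-SHA256 under the first root key, the JSON message layout and all class and field names are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets

# Added example for Examples seven and eight (not the patent's own code). The Uu-RRC_UE
# messages are modelled as JSON payloads integrity-protected by HMAC-SHA256 under the
# first root key shared by the terminal and the access network device; that protection,
# the field names and the class names are assumptions made for this example.

def _tag(key: bytes, payload: dict) -> str:
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def protect(key: bytes, payload: dict) -> dict:
    return {"payload": payload, "mac": _tag(key, payload)}

def check(key: bytes, msg: dict) -> bool:
    return hmac.compare_digest(_tag(key, msg["payload"]), msg.get("mac", ""))

class AccessNetworkDevice:
    def __init__(self):
        self.first_root_keys = {}   # sidelink_id -> first root key (shared with the terminal)
        self.second_root_keys = {}  # sidelink_id -> second root key (handed to the first node)

    def register_terminal(self, sidelink_id: str) -> bytes:
        self.first_root_keys[sidelink_id] = secrets.token_bytes(32)
        self.second_root_keys[sidelink_id] = secrets.token_bytes(32)
        return self.first_root_keys[sidelink_id]

    def handle_second_request(self, node_id: str, req: dict, mode: str) -> dict:
        """Steps 903/904/906 (1003/1004/1006): verify the forwarded first Uu-RRC_UE message
        and build the second response message."""
        first_msg = req["first_uu_rrc_ue"]
        sid = first_msg["payload"].get("sidelink_id")
        key = self.first_root_keys.get(sid)
        legal = key is not None and check(key, first_msg)                   # step 903
        resp = {}
        if mode == "eight":
            resp["association_result"] = "allowed" if legal else "rejected"  # step 1004
        if legal:
            if mode == "seven":                                              # step 904
                resp["second_root_key"] = self.second_root_keys[sid].hex()
                resp["sidelink_id"] = sid
            # Second Uu-RRC_UE message: reply to the first one, carrying the first node's identifier
            resp["second_uu_rrc_ue"] = protect(key, {"reply_to": first_msg["payload"]["seq"],
                                                     "node_id": node_id})
        return resp

class FirstNode:
    def __init__(self, node_id: str, anc: AccessNetworkDevice):
        self.node_id, self.anc, self.terminal_legal = node_id, anc, False

    def handle_first_request(self, req: dict, mode: str) -> dict:
        """Steps 902/905 (1002/1005): forward the message, then judge the terminal only from
        what the access network device returns, never from the message itself."""
        second_req = {"first_uu_rrc_ue": req["first_uu_rrc_ue"], "node_association_info": self.node_id}
        resp = self.anc.handle_second_request(self.node_id, second_req, mode)
        if mode == "seven":
            self.terminal_legal = "second_root_key" in resp   # receiving the key transfers trust
        else:
            self.terminal_legal = resp.get("association_result") == "allowed"
        return {"association_result": "success" if self.terminal_legal else "failure",
                "second_uu_rrc_ue": resp.get("second_uu_rrc_ue")}   # first response message

class RogueNode:
    """Never reaches the access network device, so it must fabricate the second message."""
    node_id, terminal_legal = "node-A", True

    def handle_first_request(self, req: dict, mode: str) -> dict:
        seq = req["first_uu_rrc_ue"]["payload"]["seq"]
        fake = protect(b"guessed-key", {"reply_to": seq, "node_id": self.node_id})
        return {"association_result": "success", "second_uu_rrc_ue": fake}

class Terminal:
    def __init__(self, sidelink_id: str, first_root_key: bytes):
        self.sidelink_id, self.key, self.seq = sidelink_id, first_root_key, 0

    def associate(self, node, mode: str) -> bool:
        """Steps 901 and 907 (1001 and 1007): the first node is legal only if the forwarded
        second Uu-RRC_UE message parses under the shared key and names the node that forwarded it."""
        self.seq += 1
        first_msg = protect(self.key, {"sidelink_id": self.sidelink_id, "seq": self.seq})
        resp = node.handle_first_request({"first_uu_rrc_ue": first_msg}, mode)
        second = resp.get("second_uu_rrc_ue")
        if second is None or not check(self.key, second):
            return False
        return second["payload"] == {"reply_to": self.seq, "node_id": node.node_id}

def run_trust_transfer(mode: str = "seven", provisioned: bool = True, rogue: bool = False):
    """Returns (first node's verdict on the terminal, terminal's verdict on the first node)."""
    anc = AccessNetworkDevice()
    key = anc.register_terminal("ue-sidelink-17")
    term = Terminal("ue-sidelink-17", key if provisioned else secrets.token_bytes(32))
    node = RogueNode() if rogue else FirstNode("node-A", anc)
    node_legal = term.associate(node, mode)
    return node.terminal_legal, node_legal
```

A terminal without the shared first root key is rejected by the access network device, so the first node receives neither the second root key nor an "allowed" result; a node that never contacted the access network device cannot produce a second Uu-RRC_UE message the terminal accepts.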
It should be noted that, all the schemes or technical features shown in the embodiments of the present application can be combined without contradiction.
The above-mentioned scheme of the embodiment of the present application is introduced mainly from the perspective of interaction between network elements. It will be appreciated that the various network elements, e.g. the access network device, the first node and the terminal, comprise at least one of corresponding hardware structures and software modules for performing the above-described functions. Those of skill in the art would readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or as combinations of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends upon the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, the access network device, the first node, and the terminal may be divided according to the above method examples, for example, each functional unit may be divided corresponding to each function, or two or more functions may be integrated into one processing unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit. It should be noted that the division of the unit in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
In the case of using an integrated unit, fig. 11 shows a schematic diagram of a possible structure of the authentication apparatus (denoted as the authentication apparatus 110) in the above embodiment, where the authentication apparatus 110 includes a processing unit 1101, a communication unit 1102, and a storage unit 1103. The structure diagram shown in fig. 11 may be used to illustrate the structures of the access network device, the first node and the terminal involved in the above embodiments.
When the schematic configuration diagram shown in fig. 11 is used to illustrate the configuration of the terminal in the above-described embodiment, the processing unit 1101 is configured to control and manage the actions of the terminal, for example, the processing unit 1101 is configured to execute actions performed by the terminal in 301, 305, 307, and 308 in fig. 3, 401, 402, 404, 406, and 407 in fig. 4, 501, 502, 506, 509, and 510 in fig. 5, 603 in fig. 6, 701, 702, 704, and 705 in fig. 7, 801, 803, 805, and 806 in fig. 8, 901, 906, and 907 in fig. 9, 1001, 1006, and 1007 in fig. 10, and/or other processes described in this embodiment of the present application. The processing unit 1101 may communicate with other network entities, e.g. with the first node shown in fig. 3, through the communication unit 1102. The storage unit 1103 is used to store program codes and data of the terminal.
When the schematic configuration shown in fig. 11 is used to illustrate the configuration of the terminal in the above embodiment, the verification device 110 may be a terminal or a chip in the terminal.
When the structure diagram shown in fig. 11 is used to illustrate the structure of the access network device in the above embodiment, the processing unit 1101 is configured to control and manage the actions of the access network device, for example, the processing unit 1101 is configured to execute 302-. The processing unit 1101 may communicate with other network entities, e.g. with the first node shown in fig. 3, through the communication unit 1102. The storage unit 1103 is used to store program codes and data of the access network devices.
When the schematic structure diagram shown in fig. 11 is used to illustrate the structure of the access network device in the foregoing embodiment, the verification apparatus 110 may be an access network device, or may be a chip in the access network device.
When the schematic structure diagram shown in fig. 11 is used to illustrate the structure of the first node in the above embodiment, the processing unit 1101 is used to control and manage the actions of the first node, for example, the processing unit 1101 is used to execute 301-. The processing unit 1101 may communicate with other network entities, e.g. with the terminal shown in fig. 3, through the communication unit 1102. The storage unit 1103 is used to store program codes and data of the first node.
When the schematic structure diagram shown in fig. 11 is used to illustrate the structure of the first node in the above embodiment, the verification apparatus 110 may be the first node, or may be a chip in the first node.
When the authentication apparatus 110 is a terminal, a first node or an access network device, the processing unit 1101 may be a processor or a controller, and the communication unit 1102 may be a communication interface, a transceiver circuit, a transceiver apparatus, etc. The communication interface is a generic term and may include one or more interfaces. The storage unit 1103 may be a memory. When the authentication apparatus 110 is a chip within a terminal, a first node or an access network device, the processing unit 1101 may be a processor or a controller, and the communication unit 1102 may be an input/output interface, a pin or a circuit, etc. The storage unit 1103 may be a storage unit (e.g., a register, a cache, etc.) in the chip, or may be a storage unit (e.g., a read-only memory (ROM), a random access memory (RAM), etc.) located outside the chip in the terminal or the access network device.
The communication unit may also be referred to as a transceiver unit. The antenna and the control circuit having the transmitting and receiving functions in the authentication apparatus 110 may be regarded as the communication unit 1102 of the authentication apparatus 110, and the processor having the processing function may be regarded as the processing unit 1101 of the authentication apparatus 110. Alternatively, a device in the communication unit 1102 for implementing a receiving function may be regarded as a receiving unit, where the receiving unit is configured to perform the receiving step in the embodiment of the present application, and the receiving unit may be a receiver, a receiving circuit, and the like. The device for realizing the transmission function in the communication unit 1102 may be regarded as a transmission unit for performing the steps of transmission in the embodiment of the present application, and the transmission unit may be a transmitter, a transmission circuit, or the like.
The integrated unit in fig. 11, if implemented in the form of a software functional module and sold or used as a separate product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or an access network device) or a processor to execute all or part of the steps of the method described in the embodiments of the present application. The storage medium storing the computer software product includes: a USB flash drive, a removable hard disk, a read-only memory, a random access memory, a magnetic disk, an optical disk, or any other medium that can store program code.
The elements of FIG. 11 may also be referred to as modules, and the processing elements may be referred to as processing modules, for example.
The embodiment of the present application further provides a schematic diagram of a hardware structure of an authentication apparatus (denoted as authentication apparatus 120), referring to fig. 12 or fig. 13, where the authentication apparatus 120 includes a processor 1201, and optionally further includes a memory 1202 connected to the processor 1201.
The processor 1201 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of programs according to the present disclosure. The processor 1201 may also include a plurality of CPUs, and the processor 1201 may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, or processing cores that process data (e.g., computer program instructions).
The memory 1202 may be a ROM or other type of static storage device that can store static information and instructions, a RAM or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, and is not limited in this respect. The memory 1202 may be separate or integrated with the processor 1201. The memory 1202 may include, among other things, computer program code. The processor 1201 is configured to execute the computer program code stored in the memory 1202, thereby implementing the methods provided by the embodiments of the present application.
In a first possible implementation, referring to fig. 12, the verification apparatus 120 further includes a transceiver 1203. The processor 1201, the memory 1202, and the transceiver 1203 are connected by a bus. The transceiver 1203 is used for communication with other devices or communication networks. Optionally, the transceiver 1203 may include a transmitter and a receiver. The means for performing the receiving function in the transceiver 1203 may be regarded as a receiver for performing the receiving step in the embodiment of the present application. The means for implementing the transmitting function in the transceiver 1203 may be regarded as a transmitter for performing the steps of transmitting in the embodiments of the present application.
Based on the first possible implementation manner, the structure diagram shown in fig. 12 may be used to illustrate the structure of the access network device, the first node, or the terminal involved in the foregoing embodiments.
When the schematic structure diagram shown in fig. 12 is used to illustrate the structure of the terminal in the above embodiment, the processor 1201 is configured to control and manage the actions of the terminal, for example, the processor 1201 is configured to support the terminal to execute actions performed by the terminal in 301, 305, 307, and 308 in fig. 3, 401, 402, 404, 406, and 407 in fig. 4, 501, 502, 506, 509, and 510 in fig. 5, 603 in fig. 6, 701, 702, 704, and 705 in fig. 7, 801, 803, 805, and 806 in fig. 8, 901, 906, and 907 in fig. 9, 1001, 1006, and 1007 in fig. 10, and/or other processes described in this embodiment. The processor 1201 may communicate with other network entities, e.g. the first node shown in fig. 3, via the transceiver 1203. The memory 1202 is used for storing program codes and data of the terminal.
When the structure diagram shown in fig. 12 is used to illustrate the structure of the access network device in the foregoing embodiment, the processor 1201 is configured to control and manage the actions of the access network device, for example, the processor 1201 is configured to support the access network device to execute 302-304 and 306 in fig. 3, 400-401 in fig. 4, 501, 503-505 and 507 in fig. 5, 601-602 in fig. 6, 701 in fig. 7, 801-802 in fig. 8, 902-904 and 906 in fig. 9, 1002-1004 and 1006 in fig. 10, and/or the actions executed by the access network device in other processes described in this embodiment. The processor 1201 may communicate with other network entities, e.g. the first node shown in fig. 3, via the transceiver 1203. Memory 1202 is used for storing program codes and data for access network equipment.
When the structure diagram shown in fig. 12 is used to illustrate the structure of the first node in the above embodiment, the processor 1201 is used to control and manage the actions of the first node, for example, the processor 1201 is used to support the first node to execute the actions of 301-. The processor 1201 may communicate with other network entities, e.g., the terminal shown in fig. 3, through the transceiver 1203. The memory 1202 is used for storing program codes and data of the first node.
In a second possible implementation, the processor 1201 includes logic circuitry and at least one of an input interface and an output interface. Wherein the output interface is used for executing the sent action in the corresponding method, and the input interface is used for executing the received action in the corresponding method.
Based on the second possible implementation manner, referring to fig. 13, the structure diagram shown in fig. 13 may be used to illustrate the structure of the access network device, the first node, or the terminal involved in the foregoing embodiments.
When the schematic structure diagram shown in fig. 13 is used to illustrate the structure of the terminal in the above embodiment, the processor 1201 is configured to control and manage the actions of the terminal, for example, the processor 1201 is configured to support the terminal to execute actions performed by the terminal in 301, 305, 307, and 308 in fig. 3, 401, 402, 404, 406, and 407 in fig. 4, 501, 502, 506, 509, and 510 in fig. 5, 603 in fig. 6, 701, 702, 704, and 705 in fig. 7, 801, 803, 805, and 806 in fig. 8, 901, 906, and 907 in fig. 9, 1001, 1006, and 1007 in fig. 10, and/or other processes described in this embodiment. The processor 1201 may communicate with other network entities, e.g. the first node shown in fig. 3, through at least one of the input interface and the output interface. The memory 1202 is used for storing program codes and data of the terminal.
When the structure diagram shown in fig. 13 is used to illustrate the structure of the access network device in the foregoing embodiment, the processor 1201 is configured to control and manage the actions of the access network device, for example, the processor 1201 is configured to support the access network device to execute 302-304 and 306 in fig. 3, 400-401 in fig. 4, 501, 503-505 and 507 in fig. 5, 601-602 in fig. 6, 701 in fig. 7, 801-802 in fig. 8, 902-904 and 906 in fig. 9, 1002-1004 and 1006 in fig. 10, and/or the actions executed by the access network device in other processes described in this embodiment. The processor 1201 may communicate with other network entities, e.g. the first node shown in fig. 3, through at least one of the input interface and the output interface. The memory 1202 is used for storing program codes and data of the access network device.
When the structure diagram shown in fig. 13 is used to illustrate the structure of the first node in the above embodiment, the processor 1201 is used to control and manage the actions of the first node, for example, the processor 1201 is used to support the first node to execute the actions of 301-. The processor 1201 may communicate with other network entities, e.g. with the terminal shown in fig. 3, through at least one of the input interface and the output interface. The memory 1202 is used for storing program codes and data of the first node.
Fig. 12 and 13 may also illustrate a system chip in the access network device. In this case, the action executed by the access network device may be implemented by the system chip, and the specific executed action may be referred to above and is not described herein again. Fig. 12 and 13 may also illustrate a system chip in the terminal. In this case, the actions executed by the terminal may be implemented by the system chip, and the specific actions executed may be referred to above and are not described herein again. Fig. 12 and 13 may also illustrate a system chip in the first node. In this case, the action executed by the first node may be implemented by the system chip, and the specific executed action may be referred to above and is not described herein again.
In addition, the embodiment of the present application further provides a schematic diagram of a hardware structure of a terminal (denoted as terminal 140) and a network device (denoted as network device 150), which may specifically refer to fig. 14 and fig. 15, respectively.
Fig. 14 is a schematic diagram of the hardware structure of the terminal 140. For convenience of explanation, fig. 14 shows only main components of the terminal. As shown in fig. 14, the terminal 140 includes a processor, a memory, a control circuit, an antenna, and an input-output device.
The processor is mainly configured to process the communication protocol and the communication data, to control the entire terminal, to execute a software program, and to process the data of the software program, for example, to control the terminal to execute the actions performed by the terminal in 301, 305, 307, and 308 in fig. 3, 401, 402, 404, 406, and 407 in fig. 4, 501, 502, 506, 509, and 510 in fig. 5, 603 in fig. 6, 701, 702, 704, and 705 in fig. 7, 801, 803, 805, and 806 in fig. 8, 901, 906, and 907 in fig. 9, 1001, 1006, and 1007 in fig. 10, and/or other processes described in this embodiment. The memory is used primarily for storing software programs and data. The control circuit (also referred to as a radio frequency circuit) is mainly used for converting between baseband signals and radio frequency signals and for processing the radio frequency signals. The control circuit together with the antenna, which may also be called a transceiver, is mainly used for transceiving radio frequency signals in the form of electromagnetic waves. Input and output devices, such as touch screens, display screens, keyboards, etc., are used primarily for receiving data input by a user and for outputting data to the user.
When the terminal is started, the processor can read the software program in the memory, interpret and execute the instructions of the software program, and process the data of the software program. When data needs to be sent through the antenna, the processor performs baseband processing on the data to be sent and then outputs the baseband signal to the control circuit; the control circuit performs radio frequency processing on the baseband signal and then sends the radio frequency signal to the outside through the antenna in the form of electromagnetic waves. When data is sent to the terminal, the control circuit receives the radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal and outputs the baseband signal to the processor, and the processor converts the baseband signal into the data and processes the data.
Those skilled in the art will appreciate that fig. 14 shows only one memory and processor for ease of illustration. In an actual terminal, there may be multiple processors and memories. The memory may also be referred to as a storage medium or a storage device, and the like, which is not limited in this application.
As an alternative implementation manner, the processor may include a baseband processor and a central processing unit, where the baseband processor is mainly used to process a communication protocol and communication data, and the central processing unit is mainly used to control the whole terminal, execute a software program, and process data of the software program. The processor in fig. 14 integrates the functions of the baseband processor and the central processing unit, and those skilled in the art will understand that the baseband processor and the central processing unit may also be independent processors, and are interconnected through a bus or the like. Those skilled in the art will appreciate that the terminal may include a plurality of baseband processors to accommodate different network formats, a plurality of central processors to enhance its processing capability, and various components of the terminal may be connected by various buses. The baseband processor may also be expressed as a baseband processing circuit or a baseband processing chip. The central processing unit may also be expressed as a central processing circuit or a central processing chip. The function of processing the communication protocol and the communication data may be built in the processor, or may be stored in the memory in the form of a software program, and the processor executes the software program to realize the baseband processing function.
Fig. 15 is a schematic diagram of a hardware structure of the network device 150. The network device 150 may be the access network device or the first node described above. The network device 150 may include one or more radio frequency units, such as a Remote Radio Unit (RRU) 1501 and one or more baseband units (BBUs) (also referred to as Digital Units (DUs)) 1502.
The RRU 1501, which may be referred to as a transceiver unit, transceiver circuitry, or transceiver, etc., may include at least one antenna 1511 and a radio frequency unit 1512. The RRU 1501 is mainly used for transceiving radio frequency signals and for converting between radio frequency signals and baseband signals. The RRU 1501 and the BBU 1502 may be physically located together or physically separated, as in a distributed base station.
The BBU1502 is a control center of a network device, and may also be referred to as a processing unit, and is mainly used for performing baseband processing functions, such as channel coding, multiplexing, modulation, spreading, and the like.
In an embodiment, the BBU 1502 may be formed by one or more boards, and the boards may jointly support a radio access network of a single access system (e.g., an LTE network), or may respectively support radio access networks of different access systems (e.g., an LTE network, a 5G network, or other networks). The BBU 1502 further includes a memory 1521 and a processor 1522, the memory 1521 being used for storing necessary instructions and data. The processor 1522 is used for controlling the network device to perform necessary actions. The memory 1521 and the processor 1522 may serve one or more boards. That is, a memory and a processor may be provided separately on each board, or multiple boards may share the same memory and processor. In addition, each single board can be provided with the necessary circuits.
It should be understood that when the network device 150 is the access network device in the above embodiments, the network device 150 can perform the actions performed by the access network device in 302-304 and 306 in fig. 3, 400-401 in fig. 4, 501, 503-505 and 507 in fig. 5, 601-602 in fig. 6, 701 in fig. 7, 801-802 in fig. 8, 902-904 and 906 in fig. 9, 1002-1004 and 1006 in fig. 10, and/or other processes described in the embodiments of the present application. When the network device 150 is the first node in the above embodiments, the network device 150 can perform the actions performed by the first node in 301-302-304-307 in fig. 3, 400-402-406 in fig. 4, 502-503-505-509 in fig. 5, 601-603 in fig. 6, 702-704 in fig. 7, 802-805 in fig. 8, 901-902-904-906 in fig. 9, 1001-1002-1004-1006 in fig. 10, and/or other processes described in this embodiment. The operations and functions of the modules in the network device 150 are respectively configured to implement the corresponding flows in the above method embodiments. For details, reference may be made to the description of the above method embodiments, which is not repeated here to avoid redundancy.
In implementation, the steps of the method provided by this embodiment may be implemented by hardware integrated logic circuits in a processor or instructions in the form of software. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor. The other descriptions of the processor in fig. 14 and 15 can refer to the descriptions related to the processor in fig. 12 and 13, and are not repeated.
Embodiments of the present application also provide a computer-readable storage medium, which includes instructions that, when executed on a computer, cause the computer to perform any of the above methods.
Embodiments of the present application also provide a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the methods described above.
An embodiment of the present application further provides a communication system, including: a first node and a terminal. Optionally, the system further comprises an access network device.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented using a software program, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions described in accordance with the embodiments of the present application are generated in whole or in part when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
While the present application has been described in connection with various embodiments, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed application, from a review of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the word "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Although the present application has been described in conjunction with specific features and embodiments thereof, it will be evident that various modifications and combinations can be made thereto without departing from the spirit and scope of the application. Accordingly, the specification and figures are merely exemplary of the present application as defined in the appended claims and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of the present application. It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (14)

1. A method of authentication, comprising:
a terminal receives a first verification code and an identifier of a first node from the first node, wherein the first verification code is generated according to a first root key and the identifier of the first node, and the first root key is a root key used for communication between the terminal and access network equipment;
the terminal verifies the validity of the first node according to the identifier of the first node, the first root key and the first verification code;
the terminal sends a first request message to the first node, wherein the first request message is used for requesting to be associated to the first node, and the first request message comprises a Radio Resource Control (RRC) message sent by the terminal to the access network equipment.
2. The method of claim 1, wherein the terminal and the first node communicate via a sidelink.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
the terminal sends a first request message to the first node, wherein the first request message is used for requesting to be associated to the first node, the first request message comprises a third verification code, the third verification code is generated according to the identifier of the first node and the first root key, and the third verification code is used for verifying the validity of the terminal.
4. The method of claim 1, wherein the terminal sends a first request message to the first node, comprising:
the terminal receives a notification message broadcasted by the first node in a side link, wherein the notification message comprises indication information, and the indication information is used for indicating that the first node is a node responsible for allocating transmission resources of the side link;
and the terminal sends the first request message to the first node according to the notification message.
5. The method according to any of claims 1-2 and 4, wherein the terminal verifies the validity of the first node according to the identifier of the first node, the first root key and the first verification code, and comprises:
the terminal generates a second verification code according to the identifier of the first node and the first root key;
and the terminal verifies the validity of the first node according to the second verification code and the first verification code.
6. A method of authentication, comprising:
a first node receives a first verification code from access network equipment, wherein the first verification code is generated according to a first root key and an identifier of the first node, and the first root key is a root key used for communication between a terminal and the access network equipment;
the first node sends the first verification code and the identifier of the first node to the terminal, and the identifier of the first node and the first verification code are used for verifying the validity of the first node;
the first node receives a first request message from the terminal, wherein the first request message is used for requesting to be associated to the first node, and the first request message comprises a Radio Resource Control (RRC) message sent by the terminal to the access network equipment;
and the first node sends a second request message to the access network equipment according to the first request message, wherein the second request message comprises the RRC message, and the RRC message is used for verifying the legality of the terminal by the access network equipment.
7. The method of claim 6, wherein the terminal and the first node communicate via a sidelink.
8. The method according to claim 6 or 7, characterized in that the method further comprises:
the first node receives a first request message from the terminal, wherein the first request message is used for requesting to be associated to the first node, the first request message comprises a third verification code, the third verification code is generated according to the identifier of the first node and the first root key, and the third verification code is used for verifying the validity of the terminal;
and the first node sends a second request message to the access network equipment according to the first request message, wherein the second request message comprises the third verification code.
9. The method according to claim 6 or 7, characterized in that the method further comprises:
the first node broadcasts a notification message in a side link, wherein the notification message comprises indication information, and the indication information is used for indicating that the first node is a node responsible for allocating transmission resources of the side link.
10. A method of authentication, comprising:
the access network equipment receives a second request message from the first node, wherein the second request message comprises a Radio Resource Control (RRC) message sent to the access network equipment by a terminal;
the access network device decodes the RRC message;
if the decoding is successful, the access network equipment determines that the terminal is legal;
if the decoding is unsuccessful, the access network equipment determines that the terminal is illegal;
and the access network equipment sends a first verification code to the first node, wherein the first verification code is generated according to the first root key and the identifier of the first node, and the first verification code is used for verifying the validity of the first node.
11. A method of authentication, comprising:
the access network equipment receives a second request message from a first node, wherein the second request message comprises a third verification code, the third verification code is used for verifying the validity of a terminal, the third verification code is generated according to the identifier of the first node and a first root key, and the first root key is a root key used for communication between the terminal and the access network equipment;
the access network equipment verifies the validity of the terminal according to the identifier of the first node, the first root key and the third verification code;
and the access network equipment sends a first verification code to the first node, wherein the first verification code is generated according to the first root key and the identifier of the first node, and the first verification code is used for verifying the validity of the first node.
12. The method of claim 11, wherein the access network device verifies the validity of the terminal according to the identifier of the first node, the first root key, and the third verification code, and comprises:
the access network equipment generates a fourth verification code according to the identifier of the first node and the first root key;
and the access network equipment verifies the validity of the first node according to the fourth verification code and the third verification code.
13. An authentication apparatus, comprising: a processor coupled with a memory for storing a computer program or instructions, the processor for executing the computer program or instructions stored in the memory to cause the authentication apparatus to perform the method of any of claims 1 to 5, or to cause the authentication apparatus to perform the method of any of claims 6 to 9, or to cause the authentication apparatus to perform the method of claim 10, or to cause the authentication apparatus to perform the method of any of claims 11 to 12.
14. A computer-readable storage medium for storing a computer program or instructions which, when executed, cause the computer to perform the method of any of claims 1 to 5, or cause the computer to perform the method of any of claims 6 to 9, or cause the computer to perform the method of claim 10, or cause the computer to perform the method of any of claims 11 to 12.
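The exchange described in claims 1, 5, 6, 8, 11 and 12 above, written out as an added example for this page (it is not code from the patent or from its assignee). The patent does not name the function that derives a verification code from the first root key and the identifier of the first node; this example assumes HMAC-SHA256, and additionally assumes a direction label in the derivation so that the code the node presents to the terminal (the first verification code) is distinct from the code the terminal returns in its request (the third verification code). The root key, node identifiers and message dictionaries are constructed sample values.

```python
"""Added example (not code from the patent or its assignee): the node and
terminal verification exchange of claims 1, 5, 6, 8, 11 and 12.  HMAC-SHA256
and the direction labels are assumptions of this example; the patent does not
specify how a verification code is derived from the root key and node id."""

import hashlib
import hmac
from dataclasses import dataclass

# Direction labels are an assumption of this example, not part of the patent.
LABEL_NODE_TO_TERMINAL = b"first-code"
LABEL_TERMINAL_TO_NODE = b"third-code"


def verification_code(root_key: bytes, node_id: bytes, label: bytes) -> bytes:
    """Derive a verification code from the first root key and the node identifier."""
    return hmac.new(root_key, label + b"\x00" + node_id, hashlib.sha256).digest()


@dataclass
class AccessNetwork:
    """Holds the first root key shared with the terminal; issues and checks codes."""
    root_key: bytes

    def issue_first_code(self, node_id: bytes) -> bytes:
        return verification_code(self.root_key, node_id, LABEL_NODE_TO_TERMINAL)

    def verify_terminal(self, node_id: bytes, third_code: bytes) -> bool:
        # Claim 12: regenerate a fourth code and compare it with the third code.
        fourth = verification_code(self.root_key, node_id, LABEL_TERMINAL_TO_NODE)
        return hmac.compare_digest(fourth, third_code)


@dataclass
class FirstNode:
    """Relay node: it never holds the root key, it only forwards codes (claims 6, 8)."""
    node_id: bytes
    first_code: bytes = b""
    advertised_id: bytes = b""  # identifier announced on the sidelink

    def __post_init__(self) -> None:
        if not self.advertised_id:
            self.advertised_id = self.node_id

    def send_first_code_and_id(self) -> tuple:
        return self.first_code, self.advertised_id

    def forward_request(self, first_request: dict) -> dict:
        # Claim 8: the second request to the access network carries the third code.
        return {"node_id": self.node_id, "third_code": first_request["third_code"]}


@dataclass
class Terminal:
    root_key: bytes

    def verify_node(self, first_code: bytes, node_id: bytes) -> bool:
        # Claim 5: generate a second code and compare it with the first code.
        second = verification_code(self.root_key, node_id, LABEL_NODE_TO_TERMINAL)
        return hmac.compare_digest(second, first_code)

    def first_request(self, node_id: bytes) -> dict:
        # Claim 3: the association request carries the third verification code.
        return {"third_code": verification_code(self.root_key, node_id, LABEL_TERMINAL_TO_NODE)}


def run_exchange(network: AccessNetwork, node: FirstNode, terminal: Terminal) -> tuple:
    """Run the full exchange; returns (terminal accepts node, network accepts terminal)."""
    node.first_code = network.issue_first_code(node.node_id)   # claim 6, first step
    first_code, node_id = node.send_first_code_and_id()         # claim 6, second step
    node_ok = terminal.verify_node(first_code, node_id)         # claim 1
    if not node_ok:
        return False, False          # the terminal does not associate to an unverified node
    second_request = node.forward_request(terminal.first_request(node_id))
    terminal_ok = network.verify_terminal(second_request["node_id"], second_request["third_code"])
    return node_ok, terminal_ok


ROOT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample root key


def honest_exchange() -> tuple:
    return run_exchange(AccessNetwork(ROOT_KEY), FirstNode(b"node-A"), Terminal(ROOT_KEY))


def mismatched_identifier() -> tuple:
    """Node announces an identifier other than the one its code was issued for."""
    node = FirstNode(b"node-A", advertised_id=b"node-B")
    return run_exchange(AccessNetwork(ROOT_KEY), node, Terminal(ROOT_KEY))


def first_code_reused_as_third() -> bool:
    """With direction labels, a first code does not pass as a terminal's third code."""
    network = AccessNetwork(ROOT_KEY)
    return network.verify_terminal(b"node-A", network.issue_first_code(b"node-A"))


if __name__ == "__main__":
    print(honest_exchange(), mismatched_identifier(), first_code_reused_as_third())
```

The node never sees the root key, which is the point of the scheme: the terminal checks that the code it received was produced by the access network for exactly the identifier the node announces, and the access network checks the terminal's code the same way, both using constant-time comparison. The mismatched-identifier case shows the terminal rejecting a node whose announced identifier differs from the one its code was issued for, and the last function shows why the example separates the two code directions.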

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910472664.0A CN112019489B (en) 2019-05-31 2019-05-31 Verification method and device
PCT/CN2020/092605 WO2020238957A1 (en) 2019-05-31 2020-05-27 Verification method and apparatus


Publications (2)

Publication Number Publication Date
CN112019489A CN112019489A (en) 2020-12-01
CN112019489B true CN112019489B (en) 2022-03-04

Family

ID=73506233


Country Status (2)

Country Link
CN (1) CN112019489B (en)
WO (1) WO2020238957A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023059960A1 (en) * 2021-10-04 2023-04-13 Qualcomm Incorporated Techniques for on-demand secret key requesting and sharing
CN117296294A (en) * 2022-04-24 2023-12-26 北京小米移动软件有限公司 Method, device, equipment and storage medium for generating key of proximity communication service
CN115643557B (en) * 2022-12-26 2023-04-18 深圳市鑫宇鹏电子科技有限公司 Toy equipment team communication method and system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102711105A (en) * 2012-05-18 2012-10-03 华为技术有限公司 Method, device and system for communication through mobile communication network
CN103415010A (en) * 2013-07-18 2013-11-27 中国联合网络通信集团有限公司 D2D network authentication method and system
WO2014056449A1 (en) * 2012-10-12 2014-04-17 中兴通讯股份有限公司 Method, device, and system for management and verification of device-to-device communication
CN104902443A (en) * 2014-03-05 2015-09-09 华为终端有限公司 Communication method and equipment
CN104902469A (en) * 2015-04-17 2015-09-09 国家电网公司 Secure communication method facing wireless communication network of power transmission lines
CN105873039A (en) * 2015-01-19 2016-08-17 普天信息技术有限公司 MANET session key generating method and user equipment
CN108400964A (en) * 2017-12-26 2018-08-14 聚光科技(杭州)股份有限公司 Equipment room encryption connection method
CN109428875A (en) * 2017-08-31 2019-03-05 华为技术有限公司 Discovery method and device based on serviceization framework

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB9416595D0 (en) * 1994-08-17 1994-10-12 British Telecomm User authentication in a communications network
CN101835152A (en) * 2010-04-16 2010-09-15 中兴通讯股份有限公司 Method and system for establishing reinforced secret key when terminal moves to reinforced UTRAN (Universal Terrestrial Radio Access Network)
CN102625306A (en) * 2011-01-31 2012-08-01 电信科学技术研究院 Method, system and equipment for authentication
US9883388B2 (en) * 2012-12-12 2018-01-30 Intel Corporation Ephemeral identity for device and service discovery
CN103825733A (en) * 2014-02-28 2014-05-28 华为技术有限公司 Communication method, device and system based on combined public key cryptography system
EP3143785B1 (en) * 2014-05-12 2018-10-24 Nokia Technologies Oy Securing device-to-device communication in a wireless network
CN106162618A (en) * 2015-04-23 2016-11-23 中兴通讯股份有限公司 Authentication method, device and the system of a kind of D2D business multicast
CN106470420A (en) * 2015-08-17 2017-03-01 中兴通讯股份有限公司 Method for processing business and device
CN105635168B (en) * 2016-01-25 2019-01-22 恒宝股份有限公司 A kind of application method of offline transaction device and its security key
WO2018004600A1 (en) * 2016-06-30 2018-01-04 Sophos Limited Proactive network security using a health heartbeat
US10694382B2 (en) * 2017-06-27 2020-06-23 Here Global B.V. Authentication of satellite navigation system receiver
CN109756336B (en) * 2017-11-03 2021-09-10 中国移动通信有限公司研究院 Authentication method, V2X computing system and V2X computing node


Also Published As

Publication number Publication date
WO2020238957A1 (en) 2020-12-03
CN112019489A (en) 2020-12-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant