CN112039838B - Secondary authentication method and system suitable for different application scenes of mobile communication - Google Patents


Info

Publication number: CN112039838B
Authority: CN (China)
Prior art keywords: authentication, secondary authentication, client, server, eap
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202010679582.6A
Other languages: Chinese (zh)
Other versions: CN112039838A
Inventors: 王俊, 杨信智, 田永春, 何明, 宋琪, 蒋曲明, 沙甲甲
Current assignee: Chutian Dragon Co ltd, CETC 30 Research Institute, China Mobile Chengdu ICT Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Chutian Dragon Co ltd, CETC 30 Research Institute, China Mobile Chengdu ICT Co Ltd
Application filed by Chutian Dragon Co ltd, CETC 30 Research Institute, China Mobile Chengdu ICT Co Ltd
Priority to CN202010679582.6A
Publication of CN112039838A
Application granted
Publication of CN112039838B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to the wireless communication field and discloses a secondary authentication method and system suitable for different application scenes of mobile communication. On the terminal side, the invention separates the secondary authentication carrier, the secondary authentication client and the EAP client from each other, decoupling authentication calculation, the authentication protocol and bearer overhead; on the network side, it separates the AAA server and the secondary authentication server from each other, decoupling the communication function from the authentication function. Through the cooperating flexibility of the terminal side and the network side, the secondary authentication architecture can meet various differentiated requirements while also allowing all functional entities to be deployed flexibly.

Description

Secondary authentication method and system suitable for different application scenes of mobile communication
Technical Field
The invention relates to the technical field of wireless communication, in particular to a secondary authentication method and a secondary authentication system suitable for different application scenes of mobile communication.
Background
Authentication is a basic security means in a mobile communication system and is mainly used to verify the validity of the identity of a functional entity. The 2G system provides only one-way authentication: the network authenticates the terminal, but the terminal does not authenticate the network, which leaves room for pseudo base station attacks. In the 3G and 4G era, 3GPP improved the authentication mechanism and provided bidirectional authentication, in which the network authenticates the terminal and the terminal authenticates the network at the same time; this authentication is best suited to the 2C mode, i.e. the operator providing services to public users. Later, as mobile communication was combined with industry, operators could provide private line services for industry users in addition to serving public users. In terms of security, in addition to the bidirectional main authentication provided by the operator, LNS + AAA authentication is provided for the private line, commonly called AAA authentication (AAA stands for Authentication, Authorization, Accounting). In this method, the industry user's user name and password are configured in the SIM card and carried to the PGW (PDN Gateway) network element in NAS (Non-Access Stratum) messages during main authentication; AAA authentication is then performed between the PGW and an AAA server deployed in the industry user's DN (Data Network) on the basis of the Radius or Diameter protocol, and after authentication passes, an LNS (L2TP Network Server) deployed in the industry user's DN allocates a private line IP address to the terminal and provides access control.
Entering the 5G era, 3GPP proposed a secondary authentication mechanism that better meets the needs of industry, marking a transition from 2C to 2B. Compared with the AAA authentication of 3G/4G, the secondary authentication of 5G is also an access authentication facing industry, but the 5G network only provides a secondary authentication channel uniformly carried over EAP (Extensible Authentication Protocol); the secondary authentication protocol itself is equivalent to an application layer protocol and is selected and determined entirely by the industry user. At the same time, the secondary authentication is end-to-end from the terminal to the AAA server, so the authentication capability is greatly improved.
However, both the AAA authentication that served as the prototype of secondary authentication in the 3G/4G era and the secondary authentication currently specified by 3GPP for 5G are still insufficient for different application scenarios:
1) The authentication protocol is limited to a single option: the AAA authentication of 3G/4G specifies only the two protocols Radius and Diameter, and the secondary authentication of 5G only defines EAP as the bottom-layer bearer protocol without specifying or describing the upper-layer authentication protocol, so the existing authentication protocols cannot adapt to the differentiated requirements of different application scenes on the authentication protocol;
2) the authentication algorithm is limited to a single option: whether in 3G/4G AAA authentication or 5G secondary authentication, the algorithm is not specified, but in practice a specific international public algorithm is used by default, which cannot adapt to the differentiated security requirements of different industries and scenes on the authentication algorithm;
3) the authentication method is limited to a single option: the AAA authentication of 3G/4G uses user name plus password as the authentication method, and the secondary authentication of 5G makes no clear provision for the authentication method but by convention still relies mainly on passwords, so the differentiated requirements of different application scenes on the authentication method cannot be met;
4) the entity boundary is unclear: although the AAA authentication of 3G/4G originates from the terminal and the AAA server, the two peers of the authentication protocol are actually the PGW and the AAA server, so it is not end-to-end authentication at the protocol level; the secondary authentication of 5G specifies that the peers of the authentication protocol are the terminal and the AAA server, but does not specify how work is divided and authentication capability provided inside the terminal, so the differentiated requirements placed on the carrier by the authentication protocol and the authentication calculation under different conditions cannot be met;
5) function deployment is rigid: in both the AAA authentication of 3G/4G and the secondary authentication of 5G, the authentication protocol and the authentication calculation are deployed as one integrated unit, and the AAA server is deployed in the user's DN, which cannot adapt to the differentiated deployment requirements of different scenes.
Therefore, taking the development opportunity of new-generation broadband mobile communication, and in order to better serve the development of intelligent manufacturing and Industry 4.0, a secondary authentication method and system suitable for different application scenes of mobile communication are urgently needed to solve the above five problems.
Disclosure of Invention
In order to solve the above problems, the present invention provides a secondary authentication method and system suitable for different application scenarios of mobile communication, which can be adapted to various typical application scenarios, can be adapted to different authentication carriers and credentials, can be adapted to differentiated requirements of different industries on authentication algorithms, and can be adapted to differentiated deployment modes of different AAA authentication services, so as to meet various differentiated and customized authentication requirements on the premise of meeting the 3GPP standard.
The invention relates to a secondary authentication system suitable for different application scenes of mobile communication, which comprises:
the secondary authentication carrier is used for authentication calculation processing;
the secondary authentication client is used for providing analysis and encapsulation of a terminal side authentication protocol;
the EAP client is used for realizing the analysis and encapsulation of an EAP bearer protocol;
AAA server, which is used to provide general functions except authentication function, including bottom layer communication and EAP bearing related function; the EAP client cooperates with the AAA server to provide peer-to-peer interaction of the bottom layer EAP;
the secondary authentication server is used for providing authentication calculation and protocol encapsulation and analysis; the secondary authentication carrier, the secondary authentication client and the secondary authentication server are matched to provide peer-to-peer interaction of upper-layer authentication;
the secondary authentication carrier, the secondary authentication client and the EAP client are arranged at a terminal side and are separated from each other to realize decoupling among authentication calculation, an authentication protocol and bearing overhead; the AAA server and the secondary authentication server are arranged on the network side and are separated from each other to realize decoupling between the communication function and the authentication function.
Further, on the premise of keeping the functions of the EAP client and the AAA server fixed, a differentiated authentication protocol is provided by the secondary authentication client and the secondary authentication server, so as to implement a secondary authentication function with differentiated capabilities:
for an eMBB scene with the characteristic of high bandwidth, the EAP client and the secondary authentication client are deployed together, and the secondary authentication client and the secondary authentication server implement a high-strength authentication protocol;
for an mMTC scene with the characteristics of low power consumption and narrow band, the EAP client is separated from the secondary authentication client and is deployed at the edge of a network or a non-3GPP access point, and the secondary authentication client and the secondary authentication server realize a lightweight authentication protocol so as to reduce the overhead brought to air interface resources by authentication;
for the uRLLC scene with the characteristic of low time delay, the secondary authentication client and the secondary authentication server realize a low time delay authentication protocol so as to reduce the time delay of authentication.
Further, on the premise of keeping the functions of the EAP client and the AAA server fixed, different secondary authentication bearers are attached as needed to support differentiated authentication capabilities, or different authentication credentials are adapted through the secondary authentication client to provide assistance:
for an eMBB scene with the characteristic of high bandwidth, a TF card with rich computing resources is attached separately to serve as the secondary authentication carrier and ensure the secondary authentication strength, or, on top of that measure, a secondary authentication client supporting biometric matching credentials is adopted to improve usability;
for an mMTC scene with the characteristic of low power consumption, the eSIM of the terminal of the Internet of things is reused as the secondary authentication carrier to reduce the power consumption of secondary authentication, or the EAP client is separated on the basis of the measures to further reduce the power consumption of the secondary authentication, or the secondary authentication client supporting the user name and the password is adopted to reduce the overhead of the carrier;
for the uRLLC scene with the characteristic of low time delay, a high-speed carrier with a high-speed interface is used as the secondary authentication carrier to reduce the time delay of authentication, or the AAA server is preposed on the basis of the measure to further reduce the time delay of authentication, or the secondary authentication client supporting passwords or certificates is adopted to reduce the participation of people in the authentication process.
Further, on the premise of keeping the functions of the EAP client and the AAA server fixed, for different industry users, the secondary authentication bearer and the secondary authentication server provide the qualification of the differential authentication algorithm, and the secondary authentication client and the secondary authentication server provide authentication protocols of different strengths:
for common public users, the virtual or common secondary authentication carrier is used, an international public authentication algorithm is loaded, and a universal secondary authentication function is provided by matching the secondary authentication client and the secondary authentication server which provide a standard authentication protocol;
for vertical industry users with high safety requirements, the secondary authentication carrier and the secondary authentication server qualified by a domestic authentication algorithm are used, and the secondary authentication client and the secondary authentication server which provide a standard authentication protocol are matched to provide a secondary authentication function of a domestic system;
for the key industry users, the secondary authentication carrier and the secondary authentication server qualified by a special authentication algorithm are used, and the secondary authentication client and the secondary authentication server providing a special authentication protocol are matched to provide the secondary authentication function of a special system.
Further, for different application modes, the AAA server and the secondary authentication server in different deployment modes are provided to provide a secondary authentication service function:
for a user in a private line application mode, the boundary between the user and a common operator is at a DN entrance, and in the mode, the AAA server and the secondary authentication server which are deployed at the DN are provided, and the AAA server is connected with the UPF through a private line;
for a user in a private network application mode, the boundary between the user and a common operator is at the boundary of a core network home network and a visited network, and in this mode, the AAA server and the secondary authentication server deployed in the core network home network are provided, and the AAA server can be directly called by the SMF.
The invention discloses a secondary authentication method applicable to different application scenes of mobile communication, which comprises the following steps:
setting a secondary authentication carrier, a secondary authentication client and an EAP client which are separated from each other on a terminal side to realize decoupling between authentication calculation, an authentication protocol and bearing overhead; the secondary authentication carrier is used for authentication calculation processing, the secondary authentication client is used for providing analysis and encapsulation of a terminal side authentication protocol, and the EAP client is used for realizing analysis and encapsulation of an EAP bearer protocol;
the AAA server and the secondary authentication server which are separated from each other are arranged on the network side to realize the decoupling between the communication function and the authentication function; the AAA server is used for providing general functions except authentication functions, including bottom layer communication and EAP bearing related functions; the secondary authentication server is used for providing authentication calculation and protocol encapsulation and analysis;
the EAP client cooperates with the AAA server to provide peer-to-peer interaction of the bottom layer EAP; the secondary authentication carrier, the secondary authentication client and the secondary authentication server are matched to provide peer-to-peer interaction of upper-layer authentication.
Further, on the premise of keeping the functions of the EAP client and the AAA server fixed, a differentiated authentication protocol is provided by the secondary authentication client and the secondary authentication server, so as to implement a secondary authentication function with differentiated capabilities:
for an eMBB scene with the characteristic of high bandwidth, the EAP client and the secondary authentication client are deployed together, and the secondary authentication client and the secondary authentication server implement a high-strength authentication protocol;
for an mMTC scene with the characteristics of low power consumption and narrow band, the EAP client is separated from the secondary authentication client and is deployed at the edge of a network or a non-3GPP access point, and the secondary authentication client and the secondary authentication server realize a lightweight authentication protocol so as to reduce the overhead brought to air interface resources by authentication;
for the uRLLC scene with the characteristic of low time delay, the secondary authentication client and the secondary authentication server realize a low time delay authentication protocol so as to reduce the time delay of authentication.
Further, on the premise of keeping the functions of the EAP client and the AAA server fixed, different secondary authentication bearers are attached as needed to support differentiated authentication capabilities, or different authentication credentials are adapted through the secondary authentication client to provide assistance:
for an eMBB scene with the characteristic of high bandwidth, a TF card with rich computing resources is attached separately to serve as the secondary authentication carrier and ensure the secondary authentication strength, or, on top of that measure, a secondary authentication client supporting biometric matching credentials is adopted to improve usability;
for an mMTC scene with the characteristic of low power consumption, the eSIM of the terminal of the Internet of things is reused as the secondary authentication carrier to reduce the power consumption of secondary authentication, or the EAP client is separated on the basis of the measures to further reduce the power consumption of the secondary authentication, or the secondary authentication client supporting the user name and the password is adopted to reduce the overhead of the carrier;
for the uRLLC scene with the characteristic of low time delay, a high-speed carrier with a high-speed interface is used as the secondary authentication carrier to reduce the time delay of authentication, or the AAA server is preposed on the basis of the measure to further reduce the time delay of authentication, or the secondary authentication client supporting passwords or certificates is adopted to reduce the participation of people in the authentication process.
Further, on the premise of keeping the functions of the EAP client and the AAA server fixed, for different industry users, the secondary authentication bearer and the secondary authentication server provide the qualification of the differential authentication algorithm, and the secondary authentication client and the secondary authentication server provide authentication protocols of different strengths:
for common public users, the virtual or common secondary authentication carrier is used, an international public authentication algorithm is loaded, and a universal secondary authentication function is provided by matching the secondary authentication client and the secondary authentication server which provide a standard authentication protocol;
for vertical industry users with high safety requirements, the secondary authentication carrier and the secondary authentication server qualified by a domestic authentication algorithm are used, and the secondary authentication client and the secondary authentication server which provide a standard authentication protocol are matched to provide a secondary authentication function of a domestic system;
for the key industry users, the secondary authentication carrier and the secondary authentication server qualified by a special authentication algorithm are used, and the secondary authentication client and the secondary authentication server providing a special authentication protocol are matched to provide the secondary authentication function of a special system.
Further, for different application modes, the AAA server and the secondary authentication server in different deployment modes are provided to provide a secondary authentication service function:
for a user in a private line application mode, the boundary between the user and a common operator is at a DN entrance, and in the mode, the AAA server and the secondary authentication server which are deployed at the DN are provided, and the AAA server is connected with the UPF through a private line;
for a user in a private network application mode, the boundary between the user and a common operator is at the boundary of a core network home network and a visited network, and in this mode, the AAA server and the secondary authentication server deployed in the core network home network are provided, and the AAA server can be directly called by the SMF.
The invention has the beneficial effects that:
the invention utilizes the characteristics of the 5G network and the secondary authentication mechanism specified by the current 3GPP standard, provides a flexible and customizable secondary authentication method and system which are applicable to different application scenes and are oriented to different industries, and compared with the traditional AAA authentication of 3G/4G and the secondary authentication specified by the current 5G 3GPP protocol, the invention has great improvement in the aspects of customizable protocol, customizable algorithm, flexibly customizable authentication carrier and certificate and the like, and can also be applicable to the deployment modes of mobile edge computing, non-3GPP access and private networks. The method has wide application range, and is not only suitable for a 5G mobile communication system, but also suitable for a future mobile communication system. Particularly, the method can provide powerful technical support for constructing a high-safety private network based on public network infrastructure and implementing the military and civil fusion strategy.
The invention sets the separated secondary authentication carrier, secondary authentication client and EAP client at the terminal side, which can realize the decoupling between the authentication calculation, authentication protocol and the load cost; the AAA server and the secondary authentication server which are separated from each other are arranged on the network side, so that the decoupling between the communication function and the authentication function can be realized. Through the cooperation of flexibility support of the terminal side and the network side, the secondary authentication can meet various differentiated requirements on the architecture, and meanwhile, the requirement of flexible deployment of all functional entities can be met.
The EAP client of the invention is matched with the AAA server, and can provide the peer-to-peer interaction of the bottom layer EAP; the secondary authentication carrier, the secondary authentication client and the secondary authentication server are matched, peer-to-peer interaction of upper-layer authentication can be provided, and through the matching of the two layers, a secondary authentication function with differentiation capability can be provided under the condition of not providing requirements for a mobile communication network.
Drawings
FIG. 1 is a schematic diagram of a secondary authentication system of the present invention;
FIG. 2 is a schematic diagram of a secondary authentication system according to embodiment 1;
FIG. 3 is a schematic diagram of the secondary authentication process in embodiment 1;
FIG. 4 is a schematic diagram of a secondary authentication system according to embodiment 2;
FIG. 5 is a schematic diagram of the secondary authentication process in embodiment 2;
FIG. 6 is a schematic diagram of a secondary authentication system according to embodiment 3;
FIG. 7 is a schematic diagram of the secondary authentication process in embodiment 3;
FIG. 8 is a schematic diagram of a secondary authentication system according to embodiment 4;
FIG. 9 is a schematic diagram of the secondary authentication process in embodiment 4;
FIG. 10 is a schematic view of a secondary authentication system according to embodiment 5;
FIG. 11 is a schematic diagram of the secondary authentication process in embodiment 5;
FIG. 12 is a schematic view of a secondary authentication system according to embodiment 6;
FIG. 13 is a schematic diagram of the secondary authentication process in embodiment 6;
FIG. 14 is a schematic view of a secondary authentication system according to embodiment 7;
FIG. 15 is a schematic diagram of the secondary authentication process in embodiment 7.
Detailed Description
In order to more clearly understand the technical features, objects, and effects of the present invention, specific embodiments of the present invention will now be described. It should be understood that the detailed description and specific examples, while indicating the preferred embodiment of the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it should be noted that "secondary authentication" refers specifically to a secondary authentication concept in a mobile communication system, and especially refers to a secondary authentication concept in a 5G mobile communication system, that is, "EAP based secondary authentication by an external DN-AAA server" described in the 3GPP standard.
As shown in fig. 1, the secondary authentication system applicable to different application scenarios of mobile communication provided by the present invention includes a secondary authentication bearer, a secondary authentication client, an EAP client, an AAA server, and a secondary authentication server, where the secondary authentication bearer is used for authentication calculation processing, the secondary authentication client is used for providing terminal-side authentication protocol analysis and encapsulation, the EAP client is used for implementing EAP bearer protocol analysis and encapsulation, the AAA server is used for providing general functions other than authentication functions, including underlying communication and EAP bearer related functions, and the secondary authentication server is used for providing authentication calculation and protocol encapsulation and analysis. The EAP client cooperates with the AAA server to provide peer-to-peer interaction of the bottom layer EAP; the secondary authentication carrier, the secondary authentication client and the secondary authentication server are matched, peer-to-peer interaction of upper-layer authentication can be provided, and through the matching of the two layers, a secondary authentication function with differentiation capability can be provided under the condition of not providing requirements for a mobile communication network.
In addition, in the secondary authentication method applicable to different application scenarios of mobile communication, the secondary authentication carrier, the secondary authentication client and the EAP client at the terminal side are separated from each other, so that the decoupling between authentication calculation, authentication protocol and bearing overhead is realized; the AAA server and the secondary authentication server at the network side are separated from each other to realize the decoupling between the communication function and the authentication function. Through the cooperation of flexibility support of the terminal side and the network side, the secondary authentication can meet various differentiated requirements on the architecture, and meanwhile, the requirement of flexible deployment of all functional entities can be met.
Example 1
For the eMBB (enhanced Mobile Broadband) private line scenario with a high security level, the secondary authentication system applicable to this application scenario includes a dedicated TF authentication card, a secondary authentication client, a 5G network, an AAA server and a dedicated secondary authentication server, as shown in fig. 2. The AAA server and the dedicated secondary authentication server are deployed in the core network home network and connected to the UPF (User Plane Function). The dedicated TF authentication card and the dedicated secondary authentication server use a dedicated authentication algorithm, and a dedicated high-strength authentication protocol based on a public key cryptosystem is used between the secondary authentication client and the dedicated secondary authentication server.
The specific secondary authentication process is shown in fig. 3, and includes the following steps:
S101, the UPF triggers the AAA server to start secondary authentication according to the 5G standard flow, and the AAA server and the EAP client establish an EAP exchange relationship.
S102, the AAA server obtains the authentication request from the dedicated secondary authentication server.
S103, the dedicated secondary authentication server generates a random number, encrypts the random number and IDDN (ID of Data Network, the DN identity identifier) with the public key PK_UE and the dedicated authentication algorithm to obtain M1, then signs M1 and the random number with the private key SK_DN and the dedicated authentication algorithm to obtain h1. (M1, h1) is sent to the secondary authentication client through the AAA server over EAP.
S104, the secondary authentication client first decrypts the received M1 with the private key SK_UE and the dedicated authentication algorithm to obtain the random number and IDDN, then verifies the received signature h1 with the public key PK_DN and the dedicated authentication algorithm; if the verification fails, authentication fails and the session is terminated. Otherwise, it acquires fingerprint information, generates an identity identification code with the dedicated authentication algorithm, computes the ciphertext M2 from the identification code and IDUE (User Equipment identity identifier) with the public key PK_DN and the dedicated authentication algorithm, then signs M2 and the identification code with the private key SK_UE and the dedicated authentication algorithm to obtain h2. (M2, h2) is sent to the dedicated secondary authentication server through EAP.
S105, the dedicated secondary authentication server first decrypts the received M2 with the private key SK_DN and the dedicated authentication algorithm to obtain the identification code and IDUE, verifies the identification code, then verifies the received signature h2 with the public key PK_UE and the dedicated authentication algorithm; if the verification fails, authentication fails. Otherwise, authentication succeeds, and the authentication result message is protected with the dedicated authentication algorithm and sent to the secondary authentication client through the AAA server over EAP.
Example 2
For the eMBB private network scenario with a high security level, the secondary authentication system applicable to this application scenario includes a dedicated SIM card, a secondary authentication client, a 5G access network, a core network visited network (a common operator network), a 5G dedicated home network, an AAA server and a dedicated secondary authentication server, as shown in fig. 4. The AAA server and the dedicated secondary authentication server are deployed in the core network home network and connected to the SMF. The dedicated SIM card and the dedicated secondary authentication server use a dedicated authentication algorithm, and a dedicated high-strength authentication protocol based on a public key cryptosystem is used between the secondary authentication client and the dedicated secondary authentication server.
The specific secondary authentication process is shown in fig. 5, and includes the following steps:
S201, the SMF (Session Management Function) of the 5G dedicated home network triggers the AAA server to start secondary authentication according to the 5G standard flow, and the AAA server establishes an EAP exchange relationship with the EAP client.
S202, the AAA server obtains an authentication request from the dedicated secondary authentication server.
S203, the dedicated secondary authentication server generates a random number, encrypts the random number and IDDN with the public key PK_UE and the dedicated authentication algorithm to obtain M1, then signs M1 and the random number with the private key SK_DN and the dedicated authentication algorithm to obtain h1. (M1, h1) is sent to the secondary authentication client through the AAA server over EAP.
S204, the secondary authentication client first decrypts the received M1 with the private key SK_UE and the dedicated authentication algorithm to obtain the random number and IDDN, then verifies the received signature h1 with the public key PK_DN and the dedicated authentication algorithm; if the verification fails, authentication fails and the session is terminated. Otherwise, it acquires fingerprint information, generates an identity identification code with the dedicated authentication algorithm, computes the ciphertext M2 from the identification code and IDUE with the public key PK_DN and the dedicated authentication algorithm, then signs M2 and the identification code with the private key SK_UE and the dedicated authentication algorithm to obtain h2. (M2, h2) is sent to the dedicated secondary authentication server through EAP.
S205, the dedicated secondary authentication server first decrypts the received M2 with the private key SK_DN and the dedicated authentication algorithm to obtain the identification code and IDUE, verifies the identification code, then verifies the received signature h2 with the public key PK_UE and the dedicated authentication algorithm; if the verification fails, authentication fails. Otherwise, authentication succeeds, and the authentication result message is protected with the dedicated authentication algorithm and sent to the secondary authentication client through the AAA server over EAP.
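The public-key exchange of steps S103-S105 and S203-S205, as an added example that is not part of the patent: both sides run in one process, RSA-OAEP and RSA-PSS stand in for the unspecified dedicated authentication algorithm, the identity code is a hash of a constructed fingerprint template, the server's enrolled-code lookup is an assumption, and the AAA server / EAP relay is omitted since it only forwards the messages. It also shows the order the protocol forces on the receiver: the signature covers the plaintext random number, so M1 must be decrypted before h1 can be checked.

```go
package main

// Added example, not the patent's code: the public-key exchange of S103-S105 (same as S203-S205) run in-process.
// RSA-OAEP and RSA-PSS stand in for the unspecified "dedicated authentication algorithm"; the AAA/EAP relay is omitted.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

const secretLen = 32 // the random number and the identity code are both 32 bytes
// party is the DN-side dedicated secondary authentication server or the UE-side secondary
// authentication client: own key pair (SK_DN / SK_UE) plus the peer's public key (PK_UE / PK_DN).
type party struct {
	id       []byte
	priv     *rsa.PrivateKey
	peer     *rsa.PublicKey
	enrolled map[string][]byte // DN only: expected identity code per IDUE (an assumption)
}

// pair builds a DN/UE pair with constructed identities and enrols the UE's fingerprint template.
func pair(fingerprint []byte) (dn, ue *party) {
	dn = &party{id: []byte("IDDN:constructed"), enrolled: map[string][]byte{}}
	ue = &party{id: []byte("IDUE:constructed")}
	for _, p := range []*party{dn, ue} {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			panic(err)
		}
		p.priv = k
	}
	dn.peer, ue.peer = &ue.priv.PublicKey, &dn.priv.PublicKey
	c := sha256.Sum256(fingerprint) // enrolment happens out of band in the patent
	dn.enrolled[string(ue.id)] = c[:]
	return dn, ue
}

// encryptSign is the sender half shared by S103 and S104:
// M = Enc_peerPK(secret || ownID), h = Sig_ownSK(M || secret).
func encryptSign(p *party, secret []byte) (m, h []byte, err error) {
	m, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, p.peer, append(append([]byte{}, secret...), p.id...), nil)
	if err != nil {
		return nil, nil, err
	}
	d := sha256.Sum256(append(append([]byte{}, m...), secret...))
	h, err = rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, d[:], nil)
	return m, h, err
}

// decryptVerify is the receiver half; decryption comes first because h covers the plaintext secret (S104/S105).
func decryptVerify(p *party, m, h []byte) (secret, peerID []byte, err error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, p.priv, m, nil)
	if err != nil || len(pt) < secretLen {
		return nil, nil, fmt.Errorf("decryption failed")
	}
	secret, peerID = pt[:secretLen], pt[secretLen:]
	d := sha256.Sum256(append(append([]byte{}, m...), secret...))
	if err := rsa.VerifyPSS(p.peer, crypto.SHA256, d[:], h, nil); err != nil {
		return nil, nil, fmt.Errorf("signature verification failed")
	}
	return secret, peerID, nil
}

// authenticate runs S103-S105 and returns nil only when both sides accept.
func authenticate(dn, ue *party, fingerprint []byte) error {
	r := make([]byte, secretLen) // S103: the DN draws a random number R
	if _, err := rand.Read(r); err != nil {
		return err
	}
	m1, h1, err := encryptSign(dn, r) // M1 = Enc_PK_UE(R || IDDN), h1 = Sig_SK_DN(M1 || R)
	if err != nil {
		return err
	}
	if _, _, err = decryptVerify(ue, m1, h1); err != nil { // S104: the UE checks the server
		return fmt.Errorf("S104, session terminated: %w", err)
	}
	code := sha256.Sum256(fingerprint) // identity code derived from the fingerprint template (stand-in)
	m2, h2, err := encryptSign(ue, code[:]) // M2 = Enc_PK_DN(code || IDUE), h2 = Sig_SK_UE(M2 || code)
	if err != nil {
		return err
	}
	got, idUE, err := decryptVerify(dn, m2, h2) // S105: the DN checks the client
	if err != nil {
		return fmt.Errorf("S105: %w", err)
	}
	if want, ok := dn.enrolled[string(idUE)]; !ok || subtle.ConstantTimeCompare(want, got) != 1 {
		return fmt.Errorf("S105: identity code verification failed")
	}
	return nil // the protected authentication result would now go back to the UE over EAP
}

func main() {
	dn, ue := pair([]byte("constructed fingerprint template"))
	fmt.Println("genuine:", authenticate(dn, ue, []byte("constructed fingerprint template")), "| wrong template:", authenticate(dn, ue, []byte("other")))
}
```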
Example 3
For the eMBB scenario with a common security level, the secondary authentication system applicable to this application scenario includes a virtual soft authentication card, a secondary authentication client, a 5G network, an AAA server and a common secondary authentication server, as shown in fig. 6. The virtual soft authentication card and the common secondary authentication server use a domestic authentication algorithm, and the general high-strength authentication protocol EAP-TTLS, based on a public key cryptosystem, is used between the secondary authentication client and the AAA server.
The specific secondary authentication process is shown in fig. 7, and includes the following steps:
S301, the UPF triggers the AAA server to start secondary authentication according to the 5G standard flow; the secondary authentication client (EAP client) sends an EAP Response/Identity to the AAA server to establish the EAP exchange relationship, and the AAA server obtains the authentication request from the common secondary authentication server (which contains the TTLS server).
S302, the common secondary authentication server sends an EAP request (TTLS/Start) through the AAA server to start the TLS handshake. The secondary authentication client replies with an EAP response carrying client_hello, and the common secondary authentication server sends, through the AAA server, an EAP request containing its authentication information and certificate, so that the secondary authentication client can perform one-way TLS authentication of the common secondary authentication server.
S303, the secondary authentication client authenticates the common secondary authentication server using the domestic authentication algorithm and the server's digital certificate. After the authentication passes, it continues exchanging handshake information with the common secondary authentication server and generates the shared key; once the parameters have been mutually confirmed (change_cipher_spec), the TLS record layer encryption mechanism is determined, the TLS handshake succeeds and the TLS tunnel is established.
S304, in the tunnel phase, the secondary authentication client acquires the password information, uses CHAP as the inner authentication mechanism after the tunnel has been established, generates the user authentication information with the domestic authentication algorithm, encapsulates it into an EAP response and forwards it to the common secondary authentication server through the AAA server.
S305, the common secondary authentication server completes the user authentication with the domestic authentication algorithm and sends the authentication result to the secondary authentication client through the AAA server.
Example 4
For the mMTC (massive Machine Type Communication, i.e. large-scale Internet of Things) scenario with a high security level, the secondary authentication system applicable to this application scenario includes a dedicated eSIM card (embedded SIM card), a dedicated password authentication client, a 5G network, an MEC (mobile edge computing) node, an N3IWF (Non-3GPP InterWorking Function) network element, an AAA server and a dedicated secondary authentication server, as shown in fig. 8. The dedicated eSIM card and the dedicated secondary authentication server use a dedicated low-power authentication algorithm, and the secondary authentication client and the dedicated secondary authentication server share a symmetric key and use a dedicated lightweight authentication protocol.
The specific secondary authentication process is shown in fig. 9, and includes the following steps:
S401, the UPF triggers the AAA server to start secondary authentication according to the 5G standard flow, and the AAA server and the EAP client establish an EAP exchange relationship.
S402, the AAA server obtains an authentication request from the dedicated secondary authentication server.
S403, the dedicated secondary authentication server generates a random number as challenge code_DN and sends challenge code_DN to the secondary authentication client through the AAA server over EAP.
S404, the secondary authentication client generates a random number as challenge code_UE, acquires the password information, generates an identity identification code with the dedicated low-power authentication algorithm, and encrypts challenge code_DN, challenge code_UE and the identity identification code with the shared symmetric key and the dedicated low-power authentication algorithm to obtain M1. M1 is sent to the dedicated secondary authentication server through EAP.
S405, the dedicated secondary authentication server decrypts M1 with the shared symmetric key and the dedicated low-power authentication algorithm to obtain challenge code_DN, challenge code_UE and the identity identification code, verifies the identity identification code, and compares the received challenge code_DN with the challenge code_DN it issued; if they are not equal, authentication fails. Otherwise, it encrypts challenge code_UE with the shared symmetric key and the dedicated low-power authentication algorithm to obtain M2, and sends M2 to the secondary authentication client through the AAA server over EAP.
S406, the secondary authentication client decrypts the received M2 with the shared symmetric key and the dedicated low-power authentication algorithm to obtain challenge code_UE, and compares the received challenge code_UE with the challenge code_UE it generated; if they are not equal, authentication fails. Otherwise, authentication succeeds, and the authentication result message is protected with the dedicated low-power authentication algorithm and sent to the dedicated secondary authentication server through EAP.
S407, the dedicated secondary authentication server sends the authentication result to the secondary authentication client through the AAA server and the EAP client.
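The shared-key challenge/response of steps S403-S406, as an added example that is not the patent's code: AES-256-GCM stands in for the dedicated low-power authentication algorithm, the identity code is a hash of constructed password information, the challenge lengths and the server-side enrolled code are assumptions, and the AAA server / EAP relay is omitted. The S405 checks are the ones a replayed M1 (stale challenge_DN), a wrong identity code or a message under a different key fails, and S406 is where the client rejects a server that could not echo challenge_UE.

```go
package main

// Added example, not the patent's code: the shared-symmetric-key challenge/response of S403-S406 run in-process.
// AES-256-GCM stands in for the unspecified "dedicated low-power authentication algorithm"; the AAA server / EAP
// relay is omitted because it only forwards M1 and M2 unchanged.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

const chalLen = 16 // byte length assumed for challenge_DN and challenge_UE
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds the AEAD both sides derive from the shared key K; NewGCM cannot fail for an AES block.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal prefixes a fresh nonce to the ciphertext; open reverses it, so a forged or corrupted message fails the tag check.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	iv := randomBytes(g.NonceSize())
	return g.Seal(iv, iv, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("message too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// server is the dedicated secondary authentication server and client the eSIM-backed secondary
// authentication client; the identity code is a hash of the password information (a stand-in).
type server struct{ key, challengeDN, enrolledCode []byte }
type client struct{ key, challengeUE, identityCode []byte }

// S403: the server draws challenge_DN and sends it in the clear.
func (s *server) challenge() []byte {
	s.challengeDN = randomBytes(chalLen)
	return s.challengeDN
}

// S404: the client draws challenge_UE and returns M1 = Enc_K(challenge_DN || challenge_UE || code).
func (c *client) respond(challengeDN []byte) []byte {
	c.challengeUE = randomBytes(chalLen)
	return seal(c.key, append(append(append([]byte{}, challengeDN...), c.challengeUE...), c.identityCode...))
}

// S405: the server decrypts M1, checks the identity code, then checks that the echoed challenge_DN
// is the one it issued; on success it returns M2 = Enc_K(challenge_UE).
func (s *server) verify(m1 []byte) ([]byte, error) {
	pt, err := open(s.key, m1)
	if err != nil || len(pt) != 2*chalLen+len(s.enrolledCode) {
		return nil, fmt.Errorf("S405: M1 rejected")
	}
	echoed, challengeUE, code := pt[:chalLen], pt[chalLen:2*chalLen], pt[2*chalLen:]
	if subtle.ConstantTimeCompare(code, s.enrolledCode) != 1 {
		return nil, fmt.Errorf("S405: identity code verification failed")
	}
	if subtle.ConstantTimeCompare(echoed, s.challengeDN) != 1 {
		return nil, fmt.Errorf("S405: challenge_DN mismatch, authentication failed")
	}
	return seal(s.key, challengeUE), nil
}

// S406: the client decrypts M2 and accepts only if it echoes its own challenge_UE.
func (c *client) confirm(m2 []byte) error {
	echoed, err := open(c.key, m2)
	if err != nil || subtle.ConstantTimeCompare(echoed, c.challengeUE) != 1 {
		return fmt.Errorf("S406: M2 rejected, authentication failed")
	}
	return nil
}

func main() {
	key, code := randomBytes(32), sha256.Sum256([]byte("constructed password")) // constructed values
	s, c := &server{key: key, enrolledCode: code[:]}, &client{key: key, identityCode: code[:]}
	m2, err := s.verify(c.respond(s.challenge())) // S403-S405
	fmt.Println("S405:", err, "| S406:", c.confirm(m2))
}
```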
Example 5
For the mMTC scenario with a common security level, the secondary authentication system applicable to this application scenario includes a virtual software authentication card, a secondary authentication client, a 5G network, an MEC node, an N3IWF network element, an AAA server and a common secondary authentication server, as shown in fig. 10. The virtual software authentication card and the common secondary authentication server use a general low-power authentication algorithm, and the general lightweight authentication protocol EAP-FAST, based on a symmetric key cryptosystem, is used between the secondary authentication client and the AAA server.
The specific secondary authentication process is shown in fig. 11, and includes the following steps:
S501, the UPF triggers the AAA server to start secondary authentication according to the 5G standard flow, and the AAA server establishes an EAP exchange relationship with the EAP client; the common secondary authentication server (which contains the TLS server) and the secondary authentication client complete PAC (Protected Access Credential) distribution; the AAA server receives the EAP response (user name) sent by the secondary authentication client through the EAP client, and then obtains an authentication request from the common secondary authentication server.
S502, the common secondary authentication server sends FAST/Start to the secondary authentication client through the AAA server and the EAP client, and the TLS tunnel establishment phase begins.
S503, the secondary authentication client generates the handshake message client_hello, containing its random number and the PAC-Opaque, forms an EAP response/client_hello and sends it to the common secondary authentication server through the EAP client and the AAA server.
S504, the common secondary authentication server decodes the PAC-Opaque to obtain the PAC-Key and the identity of the secondary authentication client, generates a server_hello containing its random number, and forms an EAP request/server_hello together with the completion message, which is sent to the secondary authentication client through the AAA server and the EAP client.
S505, the secondary authentication client uses the general low-power authentication algorithm to extract the random number of the common secondary authentication server from the received server_hello, verifies the common secondary authentication server, and sends an EAP response/completion message consisting of the ChangeCipherSpec and Finished messages to the common secondary authentication server through the EAP client and the AAA server.
S506, the common secondary authentication server verifies the completion message of the secondary authentication client and establishes the TLS tunnel with the general low-power authentication algorithm. It then sends an EAP request/GTC identity request to the secondary authentication client through the AAA server and the EAP client.
S507, the secondary authentication client acquires the password information, generates the user authentication information with the general low-power authentication algorithm, encapsulates it into an EAP response and sends it to the common secondary authentication server through the EAP client and the AAA server.
S508, the common secondary authentication server completes the user authentication with the general low-power authentication algorithm and sends the authentication result to the secondary authentication client through the AAA server and the EAP client.
Example 6
For the uRLLC (Ultra-Reliable and Low Latency Communications) scenario with a high security level, the secondary authentication system applicable to this application scenario includes a dedicated high-speed authentication card, a secondary authentication client, a 5G network, an MEC node, an AAA server and a dedicated secondary authentication server, as shown in fig. 12. The dedicated high-speed authentication card and the dedicated secondary authentication server use a dedicated low-delay authentication algorithm, and the secondary authentication client and the dedicated secondary authentication server share a symmetric key and use a dedicated low-delay authentication protocol.
The specific secondary authentication process is shown in fig. 13, and includes the following steps:
S601, the UPF triggers the AAA server to start secondary authentication according to the 5G standard flow, and the AAA server and the EAP client establish an EAP exchange relationship.
S602, the AAA server obtains the authentication request from the dedicated secondary authentication server.
S603, the dedicated secondary authentication server generates a random number, encrypts the random number and IDDN with the shared symmetric key and the dedicated low-delay authentication algorithm to obtain M1, and generates a message authentication code h1 over M1 and the random number with the dedicated low-delay authentication algorithm. (M1, h1) is sent to the secondary authentication client through the AAA server over EAP.
S604, the secondary authentication client first decrypts the received M1 with the shared symmetric key and the dedicated low-delay authentication algorithm to obtain the random number and IDDN, computes h1 by the same method as in S603 and compares it with the received h1; if they are not equal, authentication fails. Otherwise, it acquires the password information, generates an identity identification code with the dedicated low-delay authentication algorithm, encrypts the identity identification code and IDUE with the shared symmetric key and the dedicated low-delay authentication algorithm to obtain M2, and generates a message authentication code h2 from M2 and the identity identification code. (M2, h2) is sent to the dedicated secondary authentication server through EAP.
S605, the dedicated secondary authentication server first decrypts the received M2 with the shared symmetric key and the dedicated low-delay authentication algorithm to obtain the identity identification code and IDUE, verifies the identity identification code, computes h2 by the same method as in S604 and compares it with the received h2. If they are not equal, authentication fails. Otherwise, authentication succeeds, and the authentication result message is protected with the dedicated low-delay authentication algorithm and sent to the secondary authentication client through the AAA server over EAP.
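The encrypt-then-tag exchange of steps S603-S605, as an added example that is not the patent's code: AES-CTR and HMAC-SHA256 stand in for the encryption and message authentication code of the dedicated low-delay authentication algorithm, the identities, key and password information are constructed, and the server's enrolled-code lookup is an assumption. Because h is computed over M and the plaintext secret, the receiver has to decrypt before it can recompute and compare the tag, which is why the example keeps encryption and MAC as separate primitives rather than using an AEAD.

```go
package main

// Added example, not the patent's code: the shared-key exchange of S603-S605 run in-process. AES-256-CTR plus
// HMAC-SHA256 stand in for the unspecified "dedicated low-delay authentication algorithm"; the AAA/EAP relay is omitted.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const secretLen = 32 // the random number and the identity code are both 32 bytes
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// encrypt is AES-CTR under the shared key K with a fresh IV prefixed; CTR gives no integrity, hence the separate tag h.
func encrypt(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := randomBytes(aes.BlockSize + len(pt)) // first BlockSize bytes are the IV, the rest is overwritten
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], pt)
	return out
}

func decrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) < aes.BlockSize+secretLen {
		return nil, fmt.Errorf("undecryptable message")
	}
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCTR(block, ct[:aes.BlockSize]).XORKeyStream(pt, ct[aes.BlockSize:])
	return pt, nil
}

// tag computes h = HMAC_K(M || secret), binding the ciphertext to the plaintext secret it carries.
func tag(key, m, secret []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(append(append([]byte{}, m...), secret...))
	return mac.Sum(nil)
}

// party is the dedicated secondary authentication server (IDDN) or the secondary authentication client (IDUE).
type party struct {
	id, key  []byte
	enrolled map[string][]byte // DN only: expected identity code per IDUE (an assumption)
}

// protect is the sender pattern of S603 and S604: M = Enc_K(secret || ownID), h = MAC(M, secret).
func (p *party) protect(secret []byte) (m, h []byte) {
	m = encrypt(p.key, append(append([]byte{}, secret...), p.id...))
	return m, tag(p.key, m, secret)
}

// check is the receiver pattern of S604 and S605: decrypt M, recompute h "by the same method", compare in constant time.
func (p *party) check(m, h []byte) (secret, peerID []byte, err error) {
	pt, err := decrypt(p.key, m)
	if err != nil {
		return nil, nil, err
	}
	secret, peerID = pt[:secretLen], pt[secretLen:]
	if !hmac.Equal(tag(p.key, m, secret), h) {
		return nil, nil, fmt.Errorf("message authentication code mismatch")
	}
	return secret, peerID, nil
}

// authenticate runs S603-S605 and returns nil only when both sides accept.
func authenticate(dn, ue *party, password []byte) error {
	m1, h1 := dn.protect(randomBytes(secretLen)) // S603: R, M1 = Enc_K(R || IDDN), h1 = MAC(M1, R)
	if _, _, err := ue.check(m1, h1); err != nil { // S604: the UE recomputes h1 and compares
		return fmt.Errorf("S604: %w", err)
	}
	code := sha256.Sum256(password)    // identity code from the password information (a stand-in)
	m2, h2 := ue.protect(code[:])      // M2 = Enc_K(code || IDUE), h2 = MAC(M2, code)
	got, idUE, err := dn.check(m2, h2) // S605: the DN recomputes h2 and compares
	if err != nil {
		return fmt.Errorf("S605: %w", err)
	}
	if want, ok := dn.enrolled[string(idUE)]; !ok || !hmac.Equal(want, got) {
		return fmt.Errorf("S605: identity code verification failed")
	}
	return nil
}

func main() {
	key, code := randomBytes(32), sha256.Sum256([]byte("constructed password")) // constructed values
	dn := &party{id: []byte("IDDN:constructed"), key: key, enrolled: map[string][]byte{"IDUE:constructed": code[:]}}
	ue := &party{id: []byte("IDUE:constructed"), key: key}
	fmt.Println("result (nil = authenticated):", authenticate(dn, ue, []byte("constructed password")))
}
```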
Example 7
For the uRLLC scenario with a common security level, the secondary authentication system applicable to this application scenario includes a general high-speed authentication card, a secondary authentication client, a 5G network, an MEC node, an AAA server and a common secondary authentication server, as shown in fig. 14. The general high-speed authentication card and the common secondary authentication server use a general low-delay authentication algorithm, and the general low-delay authentication protocol EAP-FAST, based on a symmetric key cryptosystem, is used between the secondary authentication client and the AAA server.
The specific secondary authentication process is shown in fig. 15, and includes the following steps:
S701, the UPF triggers the AAA server to start secondary authentication according to the 5G standard flow, and the AAA server establishes an EAP exchange relationship with the EAP client; the common secondary authentication server (which contains the TLS server) and the secondary authentication client complete PAC (Protected Access Credential) distribution; the AAA server receives the EAP response (user name) sent by the secondary authentication client through the EAP client, and then obtains an authentication request from the common secondary authentication server.
S702, the common secondary authentication server sends FAST/Start to the secondary authentication client through the AAA server and the EAP client, and the TLS tunnel establishment phase begins.
S703, the secondary authentication client generates the handshake message client_hello, containing its random number and the PAC-Opaque, forms an EAP response/client_hello and sends it to the common secondary authentication server through the EAP client and the AAA server.
S704, the common secondary authentication server decodes the PAC-Opaque to obtain the PAC-Key and the identity of the secondary authentication client, generates a server_hello containing its random number, and forms an EAP request/server_hello together with the completion message, which is sent to the secondary authentication client through the AAA server and the EAP client.
S705, the secondary authentication client uses the general low-delay authentication algorithm to extract the random number of the common secondary authentication server from the received server_hello, verifies the common secondary authentication server, and sends an EAP response/completion message consisting of the ChangeCipherSpec and Finished messages to the common secondary authentication server through the EAP client and the AAA server.
S706, the common secondary authentication server verifies the completion message of the secondary authentication client and establishes the TLS tunnel with the general low-delay authentication algorithm. It then sends an EAP request/GTC identity request to the secondary authentication client through the AAA server and the EAP client.
S707, the secondary authentication client acquires the password information, generates the user authentication information with the general low-delay authentication algorithm, encapsulates it into an EAP response and sends it to the common secondary authentication server through the EAP client and the AAA server.
S708, the common secondary authentication server completes the user authentication with the general low-delay authentication algorithm and sends the authentication result to the secondary authentication client through the AAA server and the EAP client.
The foregoing is illustrative of the preferred embodiments of this invention. It is to be understood that the invention is not limited to the precise form disclosed herein, and that various other combinations, modifications and environments may be resorted to within the scope of the concept disclosed herein, either as described above or as apparent to those skilled in the relevant art; modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (4)

1. A secondary authentication system suitable for different application scenes of mobile communication is characterized by comprising the following components:
the secondary authentication carrier is used for authentication calculation processing;
the secondary authentication client is used for providing analysis and encapsulation of a terminal side authentication protocol;
the EAP client is used for realizing the analysis and encapsulation of an EAP bearer protocol;
AAA server, which is used to provide general functions except authentication function, including bottom layer communication and EAP bearing related function; the EAP client cooperates with the AAA server to provide peer-to-peer interaction of the bottom layer EAP;
the secondary authentication server is used for providing authentication calculation and protocol encapsulation and analysis; the secondary authentication carrier, the secondary authentication client and the secondary authentication server are matched to provide peer-to-peer interaction of upper-layer authentication;
the secondary authentication carrier, the secondary authentication client and the EAP client are arranged at a terminal side and are separated from each other to realize decoupling among authentication calculation, an authentication protocol and bearer overhead; the AAA server and the secondary authentication server are arranged on the network side and are separated from each other to realize decoupling between a communication function and an authentication function;
on the premise of keeping the functions of the EAP client and the AAA server fixed, the secondary authentication function with differentiation capability is realized by providing a differentiation authentication protocol by the secondary authentication client and the secondary authentication server: for an eMBB scene with the characteristic of high bandwidth, the EAP client and the secondary authentication client are combined and arranged, and the secondary authentication client and the secondary authentication server realize a high-strength authentication protocol; for an mMTC scene with the characteristics of low power consumption and narrow band, the EAP client is separated from the secondary authentication client and is deployed at the edge of a network or a non-3GPP access point, and the secondary authentication client and the secondary authentication server realize a lightweight authentication protocol so as to reduce the overhead brought to air interface resources by authentication; for the uRLLC scene with the characteristic of low time delay, the secondary authentication client and the secondary authentication server realize a low time delay authentication protocol so as to reduce the time delay of authentication;
on the premise of keeping the functions of the EAP client and the AAA server fixed, aiming at different industry users, providing the qualification of a differential authentication algorithm through the secondary authentication carrier and the secondary authentication server, and providing authentication protocols with different strengths through the secondary authentication client and the secondary authentication server: for common public users, the virtual or common secondary authentication carrier is used, an international public authentication algorithm is loaded, and a universal secondary authentication function is provided by matching the secondary authentication client and the secondary authentication server which provide a standard authentication protocol; for vertical industry users with high safety requirements, the secondary authentication carrier and the secondary authentication server qualified by a domestic authentication algorithm are used, and the secondary authentication client and the secondary authentication server which provide a standard authentication protocol are matched to provide a secondary authentication function of a domestic system; for the key industry users, the secondary authentication carrier and the secondary authentication server qualified by a special authentication algorithm are used, and the secondary authentication function of a special system is provided by matching the secondary authentication client and the secondary authentication server which provide a special authentication protocol;
for different application modes, the AAA server and the secondary authentication server in different deployment modes are provided to provide a secondary authentication service function: for a user in a private line application mode, the boundary between the user and a common operator is at a DN entrance, and in the mode, the AAA server and the secondary authentication server which are deployed at the DN are provided, and the AAA server is connected with the UPF through a private line; for a user in a private network application mode, the boundary between the user and a common operator is at the boundary of a core network home network and a visited network, and in this mode, the AAA server and the secondary authentication server deployed in the core network home network are provided, and the AAA server can be directly called by the SMF.
2. The system according to claim 1, wherein different secondary authentication carriers are attached to support differentiated authentication capabilities or different authentication credentials are adapted by the secondary authentication client to provide assistance on the premise of keeping the functions of the EAP client and the AAA server fixed:
for an eMBB scene with the characteristic of high bandwidth, a TF card with rich computing resources is independently attached to serve as the secondary authentication carrier to ensure the secondary authentication strength, or the secondary authentication client supporting the biological feature matching certificate is adopted on the basis of the measure to improve the usability;
for an mMTC scene with the characteristic of low power consumption, the eSIM of the terminal of the Internet of things is reused as the secondary authentication carrier to reduce the power consumption of secondary authentication, or the EAP client is separated on the basis of the measures to further reduce the power consumption of the secondary authentication, and the secondary authentication client supporting the user name and the password is adopted to reduce the overhead of the carrier;
for the uRLLC scene with the characteristic of low time delay, a high-speed carrier with a high-speed interface is used as the secondary authentication carrier to reduce the time delay of authentication, or the AAA server is preposed on the basis of the measure to further reduce the time delay of authentication, and the secondary authentication client supporting passwords or certificates is adopted to reduce the participation of people in the authentication process.
3. A secondary authentication method suitable for different application scenes of mobile communication is characterized in that:
setting a secondary authentication carrier, a secondary authentication client and an EAP client which are separated from each other on a terminal side to realize decoupling between authentication calculation, an authentication protocol and bearer overhead; the secondary authentication carrier is used for authentication calculation processing, the secondary authentication client is used for providing analysis and encapsulation of a terminal side authentication protocol, and the EAP client is used for realizing analysis and encapsulation of an EAP bearer protocol;
the AAA server and the secondary authentication server which are separated from each other are arranged on the network side to realize the decoupling between the communication function and the authentication function; the AAA server is used for providing general functions except authentication functions, including bottom layer communication and EAP bearing related functions; the secondary authentication server is used for providing authentication calculation and protocol encapsulation and analysis;
the EAP client cooperates with the AAA server to provide peer-to-peer interaction of the bottom layer EAP; the secondary authentication carrier, the secondary authentication client and the secondary authentication server are matched to provide peer-to-peer interaction of upper-layer authentication;
on the premise of keeping the functions of the EAP client and the AAA server fixed, the secondary authentication function with differentiation capability is realized by providing a differentiation authentication protocol by the secondary authentication client and the secondary authentication server: for an eMBB scene with the characteristic of high bandwidth, the EAP client and the secondary authentication client are combined and arranged, and the secondary authentication client and the secondary authentication server realize a high-strength authentication protocol; for an mMTC scene with the characteristics of low power consumption and narrow band, the EAP client is separated from the secondary authentication client and is deployed at the edge of a network or a non-3GPP access point, and the secondary authentication client and the secondary authentication server realize a lightweight authentication protocol so as to reduce the overhead brought to air interface resources by authentication; for the uRLLC scene with the characteristic of low time delay, the secondary authentication client and the secondary authentication server realize a low time delay authentication protocol so as to reduce the time delay of authentication;
on the premise of keeping the functions of the EAP client and the AAA server fixed, aiming at different industry users, providing the qualification of a differential authentication algorithm through the secondary authentication carrier and the secondary authentication server, and providing authentication protocols with different strengths through the secondary authentication client and the secondary authentication server: for common public users, the virtual or common secondary authentication carrier is used, an international public authentication algorithm is loaded, and a universal secondary authentication function is provided by matching the secondary authentication client and the secondary authentication server which provide a standard authentication protocol; for vertical industry users with high safety requirements, the secondary authentication carrier and the secondary authentication server qualified by a domestic authentication algorithm are used, and the secondary authentication client and the secondary authentication server which provide a standard authentication protocol are matched to provide a secondary authentication function of a domestic system; for the key industry users, the secondary authentication carrier and the secondary authentication server qualified by a special authentication algorithm are used, and the secondary authentication function of a special system is provided by matching the secondary authentication client and the secondary authentication server which provide a special authentication protocol;
for different application modes, the AAA server and the secondary authentication server in different deployment modes are provided to provide a secondary authentication service function: for a user in a private line application mode, the boundary between the user and a common operator is at a DN entrance, and in the mode, the AAA server and the secondary authentication server which are deployed at the DN are provided, and the AAA server is connected with the UPF through a private line; for a user in a private network application mode, the boundary between the user and a common operator is at the boundary of a core network home network and a visited network, and in this mode, the AAA server and the secondary authentication server deployed in the core network home network are provided, and the AAA server can be directly called by the SMF.
4. The secondary authentication method as claimed in claim 3, wherein, to help keep the functions of the EAP client and the AAA server fixed, different secondary authentication carriers are attached as required to support differentiated authentication capability, or the secondary authentication client adapts to different authentication credentials:
for the eMBB scenario, characterised by high bandwidth, a TF card with rich computing resources is attached as an independent secondary authentication carrier to guarantee the strength of secondary authentication, or, on top of that measure, a secondary authentication client supporting biometric-matched credentials is adopted to improve usability;
for the mMTC scenario, characterised by low power consumption, the eSIM of the IoT terminal is reused as the secondary authentication carrier to reduce the power consumption of secondary authentication, or, on top of that measure, the EAP client is separated out to reduce the power consumption of secondary authentication further, or a secondary authentication client supporting username and password is adopted to reduce the overhead on the carrier;
for the uRLLC scenario, characterised by low latency, a high-speed carrier with a high-speed interface is used as the secondary authentication carrier to reduce authentication latency, or, on top of that measure, the AAA server is forward-deployed to reduce authentication latency further, or a secondary authentication client supporting passwords or certificates is adopted to reduce human involvement in the authentication process.
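The layering of claim 3, as an added illustration that is not code from the patent or from any implementation it describes: the EAP client and AAA server only frame and relay packets, while a pluggable secondary authentication protocol (an HMAC-SHA256 challenge-response, assumed here in place of the patent's unspecified protocols) is sized per scenario. The method type 250, the eMBB/mMTC profile sizes and the keys are constructed values.

```python
import hashlib, hmac, os, struct

# EAP codes from RFC 3748; TYPE_SECONDARY (250) is a placeholder method type, not
# a value taken from the patent or from the IANA registry.
REQUEST, RESPONSE, SUCCESS, FAILURE, NAK_TYPE, TYPE_SECONDARY = 1, 2, 3, 4, 3, 250
# Assumed profiles (nonce bytes, tag bytes): only the secondary protocol shrinks for mMTC.
PROFILES = {"eMBB": (32, 32), "mMTC": (8, 8)}

def eap_pack(code, ident, payload=b"", etype=None):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) data]."""
    body = (bytes([etype]) if etype is not None else b"") + payload
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, ident, pkt[4:]

# Secondary authentication (pluggable): HMAC challenge-response on a shared secret
def sa_client_respond(profile, key, nonce):
    """Secondary authentication client on the carrier (TF card / eSIM)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()[:PROFILES[profile][1]]

def sa_server_verify(profile, key, nonce, tag):
    """Secondary authentication server: checks the tag, never sees EAP framing."""
    expected = hmac.new(key, nonce, hashlib.sha256).digest()[:PROFILES[profile][1]]
    return len(tag) == len(expected) and hmac.compare_digest(expected, tag)

# EAP bearer (fixed): the EAP client and AAA server only frame, relay and decide
def eap_client_handle(req, sa_respond):
    code, ident, body = eap_unpack(req)
    if code != REQUEST or body[:1] != bytes([TYPE_SECONDARY]):
        return eap_pack(RESPONSE, ident, b"\x00", NAK_TYPE)  # Nak: no alternative method
    return eap_pack(RESPONSE, ident, sa_respond(body[1:]), TYPE_SECONDARY)

def aaa_authenticate(profile, sa_verify, sa_respond):
    """AAA server side of one exchange; returns (final EAP code, air-interface bytes)."""
    nonce = os.urandom(PROFILES[profile][0])
    req = eap_pack(REQUEST, 7, nonce, TYPE_SECONDARY)
    resp = eap_client_handle(req, sa_respond)           # stands in for the radio link
    code, ident, body = eap_unpack(resp)
    ok = (code == RESPONSE and ident == 7 and body[:1] == bytes([TYPE_SECONDARY])
          and sa_verify(nonce, body[1:]))
    return (SUCCESS if ok else FAILURE), len(req) + len(resp)

def run_scenario(profile, client_key, server_key):
    """Wire client and server for one scenario; the keys are constructed test values."""
    return aaa_authenticate(profile, lambda n, t: sa_server_verify(profile, server_key, n, t),
                            lambda n: sa_client_respond(profile, client_key, n))
```

Switching the profile changes only the secondary protocol's sizes and therefore the air-interface bytes, while the EAP client and AAA code paths are untouched, which is the property the claim relies on.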
CN202010679582.6A 2020-07-15 2020-07-15 Secondary authentication method and system suitable for different application scenes of mobile communication Active CN112039838B (en)

Publications (2)

Publication Number Publication Date
CN112039838A CN112039838A (en) 2020-12-04
CN112039838B true CN112039838B (en) 2022-03-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant