CN204929264U - Base station, first network device, and authentication system for a base station - Google Patents
- Publication number
- CN204929264U
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Abstract
The utility model discloses a base station, a first network device, and an authentication system for a base station. The base station includes: a communication processor for acquiring authentication selection information of an operator from the first network device; and an authentication information selector, connected to the communication processor, for determining first authentication information matching the authentication selection information from at least two sets of pre-stored authentication information, or for downloading first authentication information matching the authentication selection information from a second network device, where the first authentication information is used by the first network device to authenticate the base station. The communication processor is further configured to send the first authentication information to the first network device, and the first network device authenticates the base station according to the first authentication information. The utility model solves the technical problem that a small base station has poor flexibility because it can usually access only one operator.
Description
Technical Field
The utility model relates to the field of communications, and in particular to a base station, a first network device, and an authentication system for a base station.
Background
In a conventional system, a macro base station (e.g., one covering an area with a radius of 1 km) is usually placed at a high position to facilitate the transmission of wireless signals and to extend wireless coverage. The macro base station and the core network connected to it are usually deployed by an operator, and the various functions of a mobile communication system, including providing communication services for a mobile terminal, charging the mobile terminal, authenticating the mobile terminal, and the like, are implemented jointly by servers and other devices in the core network. The connection between the macro base station and the core network is also deployed by the operator, for example by laying optical fiber, and that connection is controlled and managed only by the operator.
However, as the demand for mobile communications increases rapidly and the frequency spectrum available for mobile communications gradually shrinks, the disadvantages of the macro base station operating mode become more and more significant, and small base stations (including micro base stations, home base stations, etc.) become more and more important. The coverage area of each small base station is much smaller than that of a macro base station, so the same wireless spectrum can deliver greater value (for example, a 20 MHz bandwidth is shared by 1000 UEs in the coverage area of a macro base station but by only 10 UEs in the coverage area of a small base station, so the latter can give a single UE a faster transmission rate). Because of their small coverage area, small base stations far outnumber macro base stations, and operators use existing fixed broadband access as the connection for communicating with the core network. Information sent over this connection travels the same way as information sent by an ordinary user over home broadband, and is usually carried over a public network, for example the Internet.
The small base station is thus connected to the core network over a connection that is not deployed by the operator, and an authentication process takes place when the small base station connects to the core network. Through this process the core network confirms the legitimate identity, security and so on of the small base station, so that signaling and data related to mobile communication can be transmitted through the small base station; for example, the HSS/HLR of the core network sends user data used for authenticating users to the small base station only after the authentication has passed.
In the prior art, the core network devices and macro base station devices of different operators differ, as do the networks the operators own, so an operator usually issues technical specifications for the small base stations it requires. This makes it easier for the small base station to interconnect with the operator's core network and to cooperate with the macro base station to provide a better mobile communication service, and these technical specifications constrain the authentication mode of the small base station. Generally, an operator only considers the needs and scenarios of a purchased small base station accessing its own network, and, in order to compete with other operators, may also prevent the small base station from being able to access other operators. The small base station can therefore access only one operator, which makes its use inflexible.
In view of the above problems, no effective solution has been proposed.
Summary of the Utility Model
The embodiments of the utility model provide a base station, a first network device, and an authentication system for a base station, so as to at least solve the technical problem that a small base station has poor flexibility because it can usually access only one operator.
According to an aspect of the embodiments of the present invention, there is provided a base station, including: a communication processor for acquiring authentication selection information of an operator from a first network device; an authentication information selector, connected to the communication processor, for determining first authentication information matching the authentication selection information from at least two sets of pre-stored authentication information, or downloading the first authentication information matching the authentication selection information from a second network device, wherein the first authentication information is used for the first network device to authenticate the base station; the communication processor is further configured to send the first authentication information to the first network device, where the first network device authenticates the base station according to the first authentication information.
According to another aspect of the embodiments of the utility model, a first network device is further provided, including: a transmitter configured to transmit authentication selection information of an operator to a base station, wherein the base station determines first authentication information matching the authentication selection information from at least two sets of authentication information stored in advance, or the base station downloads the first authentication information matching the authentication selection information from a second network device, wherein the first authentication information is used for the first network device to authenticate the base station; a receiver, configured to receive the first authentication information returned by the base station; and an authentication information processor connected to the receiver, for authenticating the base station according to the first authentication information.
According to another aspect of the embodiments of the utility model, an authentication system for a base station is further provided, including: a base station having any of the above features, and a first network device having any of the above features that establishes a connection with the base station.
In the embodiments of the utility model, the base station obtains the authentication selection information of the operator from the first network device; the base station determines first authentication information matching the authentication selection information from at least two sets of pre-stored authentication information, or downloads the first authentication information matching the authentication selection information from a second network device, wherein the first authentication information is used for the first network device to authenticate the base station; and the base station sends the first authentication information to the first network device, which authenticates the base station according to the first authentication information. By pre-storing at least two sets of authentication information in the base station, or by downloading the authentication information from the second network device, different authentication information can be determined flexibly for different operators. This improves the flexibility of the base station in use and solves the technical problem that a small base station has poor flexibility because it can access only one operator.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without undue limitation to the invention. In the drawings:
Fig. 1 is a schematic flow chart illustrating an alternative authentication method of a base station according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an alternative network architecture for operating an authentication method of a base station according to an embodiment of the present invention;
Fig. 3 is an interaction diagram illustrating an alternative authentication method of a base station according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a network architecture for operating another alternative authentication method for a base station according to an embodiment of the present invention;
Fig. 5 is a schematic flowchart of an alternative authentication method of a base station according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an alternative base station according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of an alternative communication processor according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of an alternative communication processor according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an alternative first network device according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of an alternative authentication system of a base station according to an embodiment of the present invention.
Detailed Description
In order to make the technical solution of the present invention better understood, the technical solution of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments in the present invention, all other embodiments obtained by a person skilled in the art without creative efforts shall belong to the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
In accordance with an embodiment of the present invention, a method embodiment of a method for authenticating a base station is also provided. It should be noted that the steps illustrated in the flowcharts of the accompanying drawings may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order different from the one given here.
Under the above operating environment, the present application provides an authentication method of a base station as shown in fig. 1. Fig. 1 is a flowchart of an authentication method of a base station according to a first embodiment of the present invention.
As shown in fig. 1, the method for authenticating a base station may include the following implementation steps:
Step S102, the base station acquires authentication selection information of an operator from the first network device.
In the above step S102, the base station may be a small base station (including a micro base station, a pico base station, a home base station, etc.), and the first network device may be a core network. The base station is connected to the core network over a connection that is not deployed by the operator, and an authentication process takes place when the base station connects to the core network. Through this process the core network confirms the legitimate identity, security and so on of the small base station, so that signaling and data related to mobile communication can be transmitted through the small base station. The base station therefore first needs to acquire the authentication selection information of the operator.
Step S104, the base station determines first authentication information matched with the authentication selection information from at least two groups of pre-stored authentication information, or the base station downloads the first authentication information matched with the authentication selection information from the second network equipment, wherein the first authentication information is used for the first network equipment to authenticate the base station.
In the foregoing step S104, one implementation of the present invention is that the base station includes at least two sets of authentication information; for example, the small base station includes a plurality of SIM (subscriber identity module) cards (as when several SIM cards are installed in the same mobile phone), a plurality of certificates, or other identification information.
Another implementation of the foregoing step S104 is that the base station includes rewritable authentication information, and the base station downloads the first authentication information matching the authentication selection information from the second network device. The rewritable authentication information is, for example, a rewritable SIM card (each set of authentication information is generally small, so the card can generally hold several sets, for example ten), or an embedded UICC. There are two ways to implement the embedded UICC: one uses an SMD (surface mounted devices) chip packaging process, in which the SIM card chip is soldered directly onto the chip inside the base station; the other uses a SIP (system in package) process, in which the SIM card chip and the chip inside the base station are packaged together, so that from the outside there appears to be a single chip and no SIM card. Compared with the previous implementation, the advantage of rewritable authentication information is that only one 'soft' SIM card needs to be embedded in the base station, and rewriting it reduces the size and cost of the base station.
Step S106, the base station sends the first authentication information to the first network equipment, wherein the first network equipment authenticates the base station according to the first authentication information.
In step S106 of the present application, after determining the first authentication information, the base station may send it to the first network device so that the first network device authenticates the base station according to the first authentication information. Optionally, the first network device uses EAP-AKA (Extensible Authentication Protocol, Authentication and Key Agreement) to authenticate the base station based on the first authentication information. The authentication method is described in detail in the following embodiments and is not repeated here.
Therefore, the purpose of flexibly determining different authentication information according to different operators is achieved by pre-storing at least two groups of authentication information in the base station or downloading the authentication information from the second network equipment, the technical effect of improving the flexibility of the base station in use is achieved, and the technical problem of poor flexibility of the small base station caused by the fact that the small base station can only be accessed to one operator is solved.
Optionally, the downloading, by the base station, of the first authentication information matching the authentication selection information from the second network device includes: the base station sends the device ID of the base station to the second network device, and the base station receives the first authentication information returned by the second network device, wherein the second network device determines the first authentication information matching the authentication selection information according to the device ID; or the base station sends a first request to the second network device, wherein the base station generates the first request according to the authentication selection information and the first request includes an identifier of the first authentication information, and the base station receives the first authentication information returned by the second network device, wherein the second network device determines the first authentication information according to the identifier of the first authentication information.
In the embodiments of the utility model, which authentication information to download may be determined by the base station, or the second network device may determine which authentication information the base station needs according to the operator's authentication selection information. For example, the base station sends its device ID to the second network device, and the second network device determines the first authentication information according to the device ID and returns it to the base station. All of these fall within the protection scope of the utility model.
As an optional implementation manner, before the base station downloads the first authentication information matching the authentication selection information from the second network device, the method may further include:
Step S10, the base station checks whether first authentication information matching the authentication selection information exists in the at least two sets of authentication information stored in advance.
The base station downloads the first authentication information from the second network device if no first authentication information matching the authentication selection information exists in the at least two sets of pre-stored authentication information.
In the above step S10, the base station may include not only a fixed (non-writable) SIM card but also a rewritable SIM card, which supports writing of authentication information, so that the authentication information can be changed flexibly. For example, the base station is customized for China Mobile, and the fixed SIM card stores the authentication information of China Mobile. The rewritable SIM card offers a more flexible way to pass authentication by other operators, for example China Unicom and/or China Telecom, and can serve as a backup for the former authentication mode: authentication is performed preferentially with the China Mobile authentication information, and if the connection with the China Mobile core network is interrupted, the base station automatically switches to the rewritable SIM card and authenticates with China Unicom, so that communication is not interrupted.
Optionally, the authentication selection information includes one or a combination of several of the following: PLMN (public land mobile network) information, IP (internet protocol) address of the first network device, name of the operator.
Optionally, the first authentication information includes one or a combination of several of the following: a non-rewritable subscriber identity module (SIM) card, a rewritable SIM card, a certificate, and an embedded UICC.
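The selection logic of steps S102 to S106, including the S10 lookup and the device-ID download variant, can be sketched as follows. This is an added example, not code from the patent: the class names, the `second_network_device` function, the PLMN values, addresses and operator names are all constructed, and the check that a downloaded set really matches the requested operator is an added assumption.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class AuthSelection:
    """Authentication selection information received from the first network device."""
    plmn: Optional[str] = None
    core_ip: Optional[str] = None
    operator: Optional[str] = None


@dataclass(frozen=True)
class AuthInfo:
    """One set of authentication information and the operator it belongs to."""
    ident: str
    kind: str        # "fixed-sim", "rewritable-sim", "certificate" or "euicc"
    plmn: str
    core_ip: str
    operator: str

    def matches(self, sel: AuthSelection) -> bool:
        # Every field the network supplied must agree; an empty selection matches nothing.
        pairs = [(sel.plmn, self.plmn), (sel.core_ip, self.core_ip),
                 (sel.operator, self.operator)]
        supplied = [(want, have) for want, have in pairs if want is not None]
        return bool(supplied) and all(want == have for want, have in supplied)


Downloader = Callable[[str, AuthSelection], Optional[AuthInfo]]


class AuthInfoSelector:
    def __init__(self, device_id: str, stored: List[AuthInfo], download: Downloader):
        self.device_id = device_id
        self.stored = list(stored)      # pre-stored sets (fixed SIMs, certificates, ...)
        self.download = download        # channel to the second network device

    def select(self, sel: AuthSelection) -> Tuple[AuthInfo, str]:
        if sel == AuthSelection():
            raise ValueError("empty authentication selection information")
        # Step S10: look in the pre-stored sets first.
        hits = [info for info in self.stored if info.matches(sel)]
        if len(hits) > 1:
            raise ValueError("selection matches more than one stored set")
        if hits:
            return hits[0], "stored"
        # Otherwise download by device ID (first variant described in the text).
        info = self.download(self.device_id, sel)
        # Added assumption: refuse a set that does not match what was asked for.
        if info is None or not info.matches(sel):
            raise LookupError("no authentication information for this operator")
        self.stored.append(info)        # written to the rewritable SIM / embedded UICC
        return info, "downloaded"


# Constructed sample data (test PLMNs, documentation address range).
SIM_1 = AuthInfo("sim-1", "fixed-sim", "00101", "192.0.2.10", "Operator A")
CERT_2 = AuthInfo("cert-2", "certificate", "00102", "192.0.2.20", "Operator B")
EUICC_3 = AuthInfo("euicc-3", "euicc", "00103", "192.0.2.30", "Operator C")
PROVISIONED = {"bs-0001": [EUICC_3]}    # what the second network device holds per device ID


def second_network_device(device_id: str, sel: AuthSelection) -> Optional[AuthInfo]:
    """Simulated second network device: picks the set for this device ID and operator."""
    for info in PROVISIONED.get(device_id, []):
        if info.matches(sel):
            return info
    return None


if __name__ == "__main__":
    selector = AuthInfoSelector("bs-0001", [SIM_1, CERT_2], second_network_device)
    for sel in (AuthSelection(plmn="00101"), AuthSelection(operator="Operator B"),
                AuthSelection(plmn="00103"), AuthSelection(plmn="00103")):
        info, source = selector.select(sel)
        print(sel, "->", info.ident, source)
```
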
In the following, the authentication method for a base station provided by the embodiments of the present invention is described in detail, taking a small base station as the example of the above base station.
As a first implementation, at least two sets of authentication information may be stored in the small base station; for example, the small base station includes multiple SIM cards (as when several SIM cards are installed in the same mobile phone), multiple certificates, or other identification information.
Taking SIM cards as an example, the small base station includes a plurality of SIM cards, each used for authentication with one operator (for example, China Mobile), so that the small base station can be authenticated by the core networks (equivalent to the first network device) of a plurality of operators. For example, an operator sells the small base station to a user, who deploys it at home. After the user moves, the fixed broadband at the new home may not support connecting the small base station to the original operator's core network, so the user can switch operators (for example, to China Unicom) and continue to enjoy mobile communication services through the small base station (provided that the small base station meets the technical specifications of these operators, which will become easier as Long-Term Evolution (LTE) technology spreads and the standardization of LTE small base stations becomes more widely accepted). Or, when the user travels abroad, the second SIM card in the small base station can be used in this way to authenticate the small base station with the core network of an operator in the destination country (e.g., Sprint in the United States), so that the user continues to enjoy high-speed mobile communication services. In other scenarios, services provided by more than one operator may be obtained in this manner. Before and after the small base station changes operator, it uses different authentication information to pass authentication by the respective operator's core network. For example, the small base station accesses the user's home broadband network (e.g., broadband provided by a cell); before the user moves, the small base station uses SIM card 1 to authenticate with the core network of China Mobile, and after the user moves, it uses SIM card 2 to authenticate with the core network of China Unicom. The gateway connected to the small base station may be connected to the core networks of different operators, or the small base station may be directly connected to the core networks of different operators.
Further, the method can also obtain the benefits of RAN sharing (radio access network sharing) for the small base station. In existing systems, each operator deploys network devices (including base stations, core networks and the like) according to its own situation; these devices are the operator's assets and cannot be shared with other operators. However, small base stations are usually deployed in indoor environments such as hot spots, offices or homes, which are constrained in various ways and are not convenient for deploying the devices of multiple operators (for example, a home does not usually purchase multiple small base stations, and infrastructure such as a pole on which a small base station can be mounted at a hot spot is scarce). With the authentication method of the present invention, a small base station can be shared simply by changing the authentication information: the small base station can connect to the core networks of multiple operators, so that users of multiple operators can access their operators' networks through the same small base station, as shown in fig. 2.
In fig. 2, the small base station is connected to a gateway, which is in turn connected to the core networks of a plurality of operators, thereby implementing the method of the present invention. The connection is not limited and may be wired or wireless; for example, the small base station is deployed in a user's home and connected to the gateway through home broadband, and the gateway is connected to the core networks of multiple operators through a backbone network. The small base station includes a plurality of SIM card slots that can hold a plurality of SIM cards for authentication with different operators. It will be appreciated that the small base station may also be connected directly to different operators (i.e., there may be no security gateway between the small base station and the core network), for example via an Internet connection. To ensure security, a secure tunnel, such as IPSec (Internet protocol security), may also be established in advance.
In the utility model, the small base station also includes an authentication information selector. For example, the authentication selection information of the operator that a China Mobile network device sends to the small base station includes the PLMN (public land mobile network) information of China Mobile (for example, the PLMN ID), and the authentication information selector then selects SIM card 1 according to this PLMN information in order to pass authentication by the core network. The authentication selection information of the operator may also be other information, such as an IP address of the core network or the name of the operator; the present invention is not limited in this respect.
Optionally, the small base station communicates with the core network devices through a security gateway to complete authentication of the small base station by the core network. For example, the small base station is deployed by a user at home, which for the operator is an insecure area, while the security gateway and the core network devices are deployed by the operator and are in an area that is secure for the operator. The AAA server mainly performs authentication, authorization and accounting, that is, it verifies the authority of the user, authorizes the user to enjoy the corresponding services, and records the user's use of network resources. The HSS (home subscriber server)/HLR (home location register) is a server in the core network that stores user subscription information.
For example, authentication between the small base station and the security gateway may be performed based on information in the SIM card. An example of implementing EAP-AKA bidirectional authentication between the small base station and the core network using IKEv2 is given below, where the device identifier and the user identifier of the small base station (pre-stored, similar to a mobile phone number) are stored in a USIM (universal subscriber identity module) card built into the small base station. The USIM card can also authenticate the network, and can calculate an authentication result from the input parameters.
As shown in fig. 3, the procedure by which a first network device (e.g., an AAA server) authenticates the small base station using EAP-AKA is as follows:
Step a: The small base station sends an IKE_SA_INIT request to the security gateway.
Step b: The security gateway sends an IKE_SA_INIT response.
Step c: The small base station sends its equipment identity and user identity in the first authentication message, and the security gateway decides to use EAP authentication.
The equipment identity and the user identity of the small base station are both the IMSI of the USIM card built into the small base station.
Step d: The security gateway sends the AAA server an authentication request message with an empty EAP AVP, carrying the identity obtained in IKE_AUTH.
Step e: The AAA server obtains the device profile and the authentication vector from the HSS/HLR.
The device profile may include user information, subscription package information, and the like; the authentication vector is used to authenticate the terminal and to determine whether it is a legitimate terminal.
Step f: The AAA server initiates the authentication challenge.
Step g: The security gateway sends an IKE_AUTH response to the small base station.
The IKE_AUTH response may include the EAP-Request/AKA-Challenge received from the AAA server, and may further include the identity, certificate and AUTH parameter of the security gateway, so that the small base station can authenticate the security gateway.
Step h: The small base station sends the response to the authentication challenge.
The small base station can verify the certificate of the security gateway and calculate the EAP-AKA RES.
Step i: The security gateway sends the EAP-Response/AKA-Challenge to the AAA server.
Step j: When all authentications are successful, the AAA server sends the authentication result.
The authentication result contains EAP Success and the key material of the security gateway. The key material should contain the MSK generated during the authentication process. "All authentications" comprise the authentication of the security gateway by the small base station and the authentication, by the AAA server, of the messages sent by the security gateway.
Step k: The security gateway uses the MSK to generate the AUTH payload that authenticates IKE_SA_INIT.
That is, the security gateway generates an AUTH payload from the MSK, which is used to authenticate the previous IKE_SA_INIT.
Step l: The security gateway sends the EAP Success message to the small base station.
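The exchange in steps c to l can be traced in code. The following Python example is added here and is not part of the patent: it plays the HSS/HLR, the AAA server, the security gateway and the USIM in the small base station, with HMAC-SHA256 standing in for the operator's AKA functions and with a simplified AUTN layout and MSK derivation. The IMSI, the key and all class and function names are constructed for the illustration.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stand-in for the AKA f-functions and the IKEv2 prf (assumption)."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class HSS:
    """Step e: stores the subscription (IMSI -> K, SQN) and issues authentication vectors."""

    def __init__(self):
        self.subs = {}

    def provision(self, imsi: str, k: bytes) -> None:
        self.subs[imsi] = {"k": k, "sqn": 0}

    def vector(self, imsi: str) -> dict:
        sub = self.subs[imsi]                      # KeyError means unknown identity
        sub["sqn"] += 1
        rand = os.urandom(16)
        sqn = sub["sqn"].to_bytes(6, "big")
        mac = prf(sub["k"], b"f1", rand, sqn)[:8]  # lets the USIM authenticate the network
        return {"rand": rand,
                "autn": sqn + mac,                 # simplified: no AK concealment, no AMF
                "xres": prf(sub["k"], b"f2", rand)[:8],
                "msk": prf(sub["k"], b"msk", rand)}


class USIM:
    """USIM built into the small base station; its IMSI is the identity sent in step c."""

    def __init__(self, imsi: str, k: bytes):
        self.imsi, self._k, self._sqn = imsi, k, 0

    def challenge(self, rand: bytes, autn: bytes):
        """Step h: authenticate the network via AUTN, then return (RES, MSK)."""
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, prf(self._k, b"f1", rand, sqn)[:8]):
            raise ValueError("AUTN MAC mismatch: network not authenticated")
        if int.from_bytes(sqn, "big") <= self._sqn:
            raise ValueError("stale SQN: replayed challenge")
        self._sqn = int.from_bytes(sqn, "big")
        return prf(self._k, b"f2", rand)[:8], prf(self._k, b"msk", rand)


def aaa_verify(vec: dict, res: bytes):
    """Steps i-j: constant-time RES/XRES comparison; the MSK is released only on success."""
    if hmac.compare_digest(res, vec["xres"]):
        return "EAP-Success", vec["msk"]
    return "EAP-Failure", None


def ike_auth(msk: bytes, signed_octets: bytes) -> bytes:
    """Step k: AUTH = prf(prf(MSK, "Key Pad for IKEv2"), signed octets), as in RFC 7296."""
    return prf(prf(msk, b"Key Pad for IKEv2"), b"", signed_octets)


def authenticate(usim: USIM, hss: HSS,
                 sa_init=b"constructed IKE_SA_INIT octets"):
    """Run steps c-l once; returns (result, whether the base station verified AUTH)."""
    vec = hss.vector(usim.imsi)                                 # steps c-e
    try:
        res, msk_bs = usim.challenge(vec["rand"], vec["autn"])  # steps f-h
    except ValueError as err:
        return f"rejected by base station: {err}", False
    result, msk_gw = aaa_verify(vec, res)                       # steps i-j
    if msk_gw is None:
        return result, False
    auth = ike_auth(msk_gw, sa_init)                            # step k, gateway side
    # The base station recomputes AUTH with the MSK it derived itself.
    return result, hmac.compare_digest(auth, ike_auth(msk_bs, sa_init))


if __name__ == "__main__":
    imsi, k = "001010000000001", bytes(range(16))   # constructed test subscription
    hss = HSS()
    hss.provision(imsi, k)
    print(authenticate(USIM(imsi, k), hss))
```

A core network that does not hold the USIM's key fails the AUTN check on the base station side, and a replayed challenge fails the sequence-number check, which is what makes the exchange bidirectional.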
In the utility model, the core networks of different operators authenticate the small base station using different authentication information, while the authentication technology used is the same, for example the IKEv2 technology mentioned above, so that the small base station can adapt to the core networks of different operators.
Similarly, the small cell may also include multiple certificates, and the certificates are already stored in the small cell before the small cell leaves the factory, or are downloaded into the small cell manually after the small cell leaves the factory, so that the same effect is achieved, and details are not repeated here.
As a second implementation manner, the small cell includes rewritable authentication information, for example a rewritable SIM or an embedded UICC. For the latter there are two implementation manners: one adopts the SMD chip packaging process, in which the SIM card chip is soldered directly onto the terminal module chip (equivalent to the chip inside the base station); the other adopts the SIP packaging technology, in which the SIM card chip and the terminal module chip are packaged as a whole, so that the result looks like a single chip, as if there were no SIM card. The advantage of editable authentication information over the previous embodiment is that only one 'soft' SIM card needs to be embedded inside the small base station, and because it can be written repeatedly, the size and cost of the small base station are reduced.
The utility model innovatively applies a rewritable SIM or an embedded UICC to a base station, so that the authentication information stored on the base station side can be changed flexibly, which achieves the same effect as above.
Specifically, the user may connect the small cell to an authentication information input device, download the authentication information to the small cell, and use the authentication information for authentication by the core network. The downloading method is not limited; for example, the downloading may be performed over a wired connection or wirelessly, where the wireless methods include NFC (near field communication), Bluetooth, Wifi (Wireless-Fidelity), and the like. In particular, after the small cell is connected to the second network device, the authentication information may be acquired directly from the second network device, downloaded to the small cell, and then used for the authentication of the small cell by the core network.
The "core network" that authenticates the small cell, as mentioned in the utility model, generally refers to any network device capable of verifying the legitimacy or security of the small cell; the specific network element is not limited and may be, for example, the HSS/HLR or the security gateway.
As a third implementation manner, as shown in fig. 4, the small cell may further include two types of authentication information, one type is editable authentication information, and the other type is fixed authentication information.
In fig. 4, the small cell includes not only a fixed SIM card (non-programmable) but also a rewritable SIM card, which supports writing of authentication information so that the authentication information can be flexibly changed. The small base station thus obtains the benefits of both kinds of authentication information storage. For example, the small base station is customized for China Mobile, and the fixed SIM card stores the authentication information of China Mobile; the rewritable SIM card, as a more flexible mode, can pass authentication by other operators, for example China Unicom and/or China Telecom. It can also serve as a backup for the former authentication mode: authentication is preferentially performed with the China Mobile authentication information, and if the connection with the China Mobile core network is interrupted, the small base station automatically switches to the rewritable SIM card to authenticate with China Unicom, thereby ensuring that communication is not interrupted.
The terminal in the utility model may be a mobile phone or another device capable of sending or receiving wireless signals, including a PDA (personal digital assistant), a wireless modem, a wireless communication device, a handheld device, a laptop computer, a cordless phone, a WLL (wireless local loop) station, a CPE (customer premise equipment) or a Mifi (portable broadband wireless device) capable of converting mobile signals into Wifi signals, an intelligent appliance, or another device capable of communicating with a mobile communication network autonomously, without human operation.
The base station may be a macro base station, a micro base station (pico base station), a NodeB, an eNB (evolved NodeB), a home enhanced base station, a relay station, an access point, an RRU (remote radio unit), an RRH (remote radio head), or the like.
The air interface between the base station and the terminal is not limited, and may be CDMA (code division multiple access) 2000, WCDMA (wideband code division multiple access), WiMAX (Worldwide Interoperability for Microwave Access), LTE-Advanced, and the like.
The authentication method of the base station of the utility model has at least the following advantages:
1. It solves the prior-art problem that a small base station can only be connected to the core network of one operator, and for the first time makes the small base station portable (the operator changes in scenarios such as moving house or going abroad).
2. As a further, extended benefit, the small base station can be connected to the core networks of multiple operators, which improves the utilization efficiency of the small base station and promotes its adoption.
3. These benefits are obtained while keeping the size and cost of the small base station to a minimum.
In the embodiment of the utility model, the base station obtains the authentication selection information of the operator from the first network device; the base station determines, from at least two pre-stored sets of authentication information, first authentication information matching the authentication selection information, or downloads such first authentication information from the second network device, the first authentication information being used by the first network device to authenticate the base station; and the base station sends the first authentication information to the first network device, which authenticates the base station according to it. By pre-storing at least two sets of authentication information in the base station, or by downloading the authentication information from the second network device, different authentication information can be determined flexibly for different operators. This achieves the technical effect of improving the flexibility of the base station in use and solves the technical problem of poor flexibility caused by a small base station being able to access only one operator.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of action combinations, but those skilled in the art should understand that the present invention is not limited by the described action sequence, because some steps can be performed in other sequences or simultaneously according to the present invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solution of the present invention essentially or the portions contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk), and includes a plurality of instructions for enabling a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to execute the method of the embodiments of the present invention.
Example 2
According to an embodiment of the utility model, a method embodiment of an authentication method of a base station is also provided. It should be noted that the steps illustrated in the flowcharts of the drawings may be performed in a computer system, for example as a set of computer-executable instructions, and that, although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in a different order.
Under the above operating environment, the present application provides an authentication method of a base station as shown in fig. 5. Fig. 5 is a flowchart of an authentication method of a base station according to the second embodiment of the present invention.
Step S502, the first network device sends the authentication selection information of the operator to the base station, wherein the base station determines the first authentication information matched with the authentication selection information from at least two groups of pre-stored authentication information, or the base station downloads the first authentication information matched with the authentication selection information from the second network device, wherein the first authentication information is used for the first network device to authenticate the base station.
In step S502 above, the base station may be a small base station (including a micro base station, a pico base station, a home base station, and the like), and the first network device may be a core network. The base station is connected to the core network over a connection that is not deployed by the operator, so an authentication process takes place when the base station connects to the core network. Through this process the core network confirms the legitimate identity, security and so on of the small base station, after which signaling and data transmission related to mobile communication can be carried over the small base station. The base station therefore first needs to acquire the authentication selection information of the operator.
Optionally, one implementation manner is that the base station includes at least two sets of authentication information, for example, the small cell includes multiple SIM cards (for example, SIM cards installed on the same mobile phone), or includes multiple certificates, or other identification information. Another implementation manner is that the base station includes rewritable authentication information, the base station downloads the first authentication information matching the authentication selection information from the second network device, and the rewritable authentication information is, for example, a rewritable SIM card (the information amount of the authentication information is generally small, and generally can support more authentication information, such as dozens of them), or an embedded UICC. For the embedded UICC, two realization modes are provided, one is to adopt an SMD (surface mounted device) chip packaging process, namely a SIM card chip is directly welded on a chip in a base station; one is to adopt an SIP (system in package) process, i.e. a SIM card chip and a chip inside a base station are packaged together, and the appearance looks like a chip, as if there is no SIM card. The advantage of editable authentication information over the previous embodiment is that only one 'soft' SIM card needs to be embedded in the base station, and the size and cost of the base station can be reduced by means of repeated writing.
Wherein downloading, by the base station from the second network device, the first authentication information that matches the authentication selection information comprises: the base station sends the equipment identity ID of the base station to second network equipment; the base station receives first authentication information returned by the second network equipment, wherein the second network equipment determines the first authentication information matched with the authentication selection information according to the equipment ID; or the base station sends the first request to the second network equipment, wherein the base station generates the first request according to the authentication selection information, and the first request comprises an identifier of the first authentication information; and the base station receives first authentication information returned by the second network equipment, wherein the second network equipment determines the first authentication information according to the identifier of the first authentication information.
Optionally, the authentication selection information includes one or a combination of the following: public land mobile network (PLMN) information, an IP address of the first network device, and the name of an operator. The first authentication information includes one or a combination of the following: a non-writable subscriber identity module (SIM) card, a rewritable SIM card, a certificate, and an embedded UICC.
Step S504, the first network device receives the first authentication information returned by the base station.
In step S504, after determining the first authentication information, the base station may send the first authentication information to the first network device, so that the first network device authenticates the base station according to the first authentication information.
Step S506, the first network device authenticates the base station according to the first authentication information.
The authenticating, by the first network device, of the base station according to the first authentication information includes: the first network device authenticates the base station based on the first authentication information using the Extensible Authentication Protocol Authentication and Key Agreement (EAP-AKA) technology.
Example 3
According to the embodiment of the present invention, there is also provided an apparatus embodiment for implementing the above method embodiment, and the apparatus provided by the above embodiment of the present application can be operated on a base station.
Fig. 6 is a schematic structural diagram of a base station according to a third embodiment of the present application.
As shown in fig. 6, the base station may include a communication processor 602 and an authentication information selector 604.
Wherein, the communication processor 602 is configured to obtain authentication selection information of an operator from a first network device; an authentication information selector 604, connected to the communication processor 602, configured to determine, from at least two sets of pre-stored authentication information, first authentication information that matches the authentication selection information, or download, from a second network device, the first authentication information that matches the authentication selection information, where the first authentication information is used for the first network device to authenticate the base station; the communication processor 602 is further configured to send the first authentication information to the first network device, where the first network device authenticates the base station according to the first authentication information.
Optionally, the first authentication information includes one or a combination of the following: a non-writable subscriber identity module (SIM) card, a rewritable SIM card, a certificate, and an embedded universal integrated circuit card (UICC). In a case where the first authentication information includes the non-writable SIM card, the base station further includes at least two SIM card slots for accommodating the non-writable SIM cards.
In a case where the first authentication information includes the certificate, the base station further includes: at least two authentication information stores for storing the certificate.
In a case where the first authentication information includes the rewritable SIM card, the base station further includes: at least one SIM card slot for receiving the re-writable SIM card.
Optionally, the embedded UICC is obtained by directly soldering a SIM card chip to a chip inside the base station by using a surface mount technology SMD chip package process; or, the embedded UICC is obtained by integrally packaging a SIM card chip and a chip inside the base station by using a system in package SIP process.
Optionally, as shown in fig. 7, the communication processor 602 includes: a first transmitting circuit 702 and a first receiving circuit 704.
The first sending circuit 702 is configured to send the device identity ID of the base station to the second network device; a first receiving circuit 704, configured to receive the first authentication information returned by the second network device, where the first authentication information matching the authentication selection information is determined by the second network device according to the device ID.
Optionally, as shown in fig. 8, the communication processor 602 includes: a second transmitting circuit 802 and a second receiving circuit 804.
A second sending circuit 802, configured to send a first request to the second network device, where the first request is generated by the authentication selector according to the authentication selection information, and the first request includes an identifier of the first authentication information; a second receiving circuit 804, configured to receive the first authentication information returned by the second network device, where the second network device determines the first authentication information according to the identifier of the first authentication information.
Optionally, the authentication information selector 604 is further configured to, before downloading the first authentication information matching the authentication selection information from the second network device, search, in at least two sets of pre-stored authentication information, whether the first authentication information matching the authentication selection information exists; wherein the authentication information selector downloads the first authentication information from the second network device in a case where the first authentication information matching the authentication selection information does not exist in the at least two sets of authentication information stored in advance.
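One way to implement the search-then-download behaviour of the authentication information selector, covering both download variants (by device ID and by identifier of the first authentication information). This is an added example, not the patent's own code: the class names, the `plmn-<PLMN>` identifier scheme, the PLMN values and the addresses are constructed, and the check that a downloaded credential really matches the selection information before it is written to the rewritable slot is an assumption of the example.

```python
from dataclasses import dataclass

FIELDS = ("plmn", "core_ip", "operator")   # kinds of authentication selection information


@dataclass(frozen=True)
class Credential:
    cred_id: str     # identifier of the authentication information (constructed scheme)
    plmn: str
    operator: str
    core_ip: str
    kind: str        # "fixed-sim", "rewritable-sim", "certificate" or "euicc"


def matches(cred: Credential, selection: dict) -> bool:
    """True when every field supplied in the selection information agrees with the credential."""
    given = {f: selection[f] for f in FIELDS if selection.get(f)}
    return bool(given) and all(getattr(cred, f) == v for f, v in given.items())


class SecondNetworkDevice:
    """Hypothetical server from which authentication information can be downloaded."""

    def __init__(self, catalogue, device_map):
        self.by_id = {c.cred_id: c for c in catalogue}
        self.device_map = device_map            # device ID -> cred_id chosen by the server

    def by_device_id(self, device_id: str):
        return self.by_id.get(self.device_map.get(device_id))

    def by_cred_id(self, cred_id: str):
        return self.by_id.get(cred_id)


class AuthInfoSelector:
    """Authentication information selector with pre-stored sets and one rewritable slot."""

    def __init__(self, device_id: str, stored, server: SecondNetworkDevice):
        self.device_id, self.stored, self.server = device_id, list(stored), server
        self.rewritable = None                  # the single 'soft' SIM / eUICC profile

    def select(self, selection: dict):
        """Return (credential, source); download only if nothing pre-stored matches."""
        slots = self.stored + ([self.rewritable] if self.rewritable else [])
        for cred in slots:
            if matches(cred, selection):
                return cred, "pre-stored"
        plmn = selection.get("plmn")
        downloads = [
            ("download:device-id", lambda: self.server.by_device_id(self.device_id)),
            ("download:cred-id",
             lambda: self.server.by_cred_id("plmn-" + plmn) if plmn else None),
        ]
        for source, fetch in downloads:
            cred = fetch()
            # Added check (assumption): never write a credential that does not
            # match what the first network device asked for.
            if cred is not None and matches(cred, selection):
                self.rewritable = cred          # overwrite the rewritable slot
                return cred, source
        raise LookupError("no authentication information matches the selection information")


if __name__ == "__main__":
    fixed = Credential("plmn-00101", "00101", "operator-a", "192.0.2.10", "fixed-sim")
    extra = Credential("plmn-00102", "00102", "operator-b", "192.0.2.20", "rewritable-sim")
    sel = AuthInfoSelector("bs-0001", [fixed], SecondNetworkDevice([extra], {}))
    print(sel.select({"plmn": "00101"}), sel.select({"plmn": "00102"}))
```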
Example 4
According to the embodiment of the present invention, there is also provided an apparatus embodiment for implementing the above method embodiment, and the apparatus provided by the above embodiment of the present application can be operated on the first network device.
Fig. 9 is a schematic structural diagram of a first network device according to a fourth embodiment of the present application.
As shown in fig. 9, the first network device may include: a transmitter 902, a receiver 904, and an authentication information processor 906.
The transmitter 902 is configured to transmit authentication selection information of an operator to a base station, where the base station determines, from at least two sets of pre-stored authentication information, first authentication information matching the authentication selection information, or downloads, from a second network device, the first authentication information matching the authentication selection information, where the first authentication information is used for the first network device to authenticate the base station; a receiver 904, configured to receive the first authentication information returned by the base station; an authentication information processor 906, connected to the receiver 904, configured to authenticate the base station according to the first authentication information.
Optionally, the authentication information processor 906 is configured to perform the following step to authenticate the base station according to the first authentication information: authenticating the base station based on the first authentication information using the Extensible Authentication Protocol Authentication and Key Agreement (EAP-AKA) technology.
According to an embodiment of the utility model, an authentication system of a base station is also provided. Fig. 10 is a schematic structural diagram of the authentication system of a base station according to an embodiment of the utility model.
The system comprises: a base station 100 having any of the features described above and a first network device 102 having any of the features described above establishing a connection with said base station 100.
The serial numbers of the above embodiments of the utility model are for description only and do not indicate the relative merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to the related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the utility model may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the method according to the embodiments of the utility model. The aforementioned storage medium includes: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, a plurality of modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.
Claims (8)
1. A base station, comprising:
a communication processor for acquiring authentication selection information of an operator from a first network device;
an authentication information selector, connected to the communication processor, configured to determine, from at least two sets of pre-stored authentication information, first authentication information that matches the authentication selection information, or download, from a second network device, the first authentication information that matches the authentication selection information, where the first authentication information is used for the first network device to authenticate the base station;
the communication processor is further configured to send the first authentication information to the first network device, where the first network device authenticates the base station according to the first authentication information.
2. The base station of claim 1, wherein the first authentication information comprises one or a combination of the following: a non-writable subscriber identity module (SIM) card, a rewritable SIM card, a certificate, and an embedded universal integrated circuit card (UICC);
wherein, in a case where the first authentication information includes the non-writable SIM card, the base station further includes: at least two SIM card slots for receiving the non-writable SIM cards;
in a case where the first authentication information includes the certificate, the base station further includes: at least two authentication information stores for storing the certificate;
in a case where the first authentication information includes the rewritable SIM card, the base station further includes: at least one SIM card slot for receiving the rewritable SIM card.
3. The base station of claim 2, wherein
the embedded universal integrated circuit card UICC is obtained by soldering a SIM card chip directly onto a chip in the base station using a surface mount technology (SMD) chip mounting and packaging process; or,
the embedded universal integrated circuit card UICC is obtained by packaging a SIM card chip and a chip in the base station into a single unit using a system-in-package (SIP) process.
4. The base station of any of claims 1 to 3, wherein the communication processor comprises:
a first transmitting circuit, configured to transmit the device identity (ID) of the base station to the second network device; and
a first receiving circuit, configured to receive the first authentication information returned by the second network device, wherein the second network device determines the first authentication information matching the authentication selection information according to the device ID.
5. The base station of any of claims 1 to 3, wherein the communication processor comprises:
a second sending circuit, configured to send a first request to the second network device, where the first request is generated by the authentication information selector according to the authentication selection information, and the first request includes an identifier of the first authentication information; and
a second receiving circuit, configured to receive the first authentication information returned by the second network device, wherein the second network device determines the first authentication information according to the identifier of the first authentication information.
6. The base station of any of claims 1 to 3, wherein
the authentication information selector is further configured to check, before downloading the first authentication information matching the authentication selection information from the second network device, whether the first authentication information matching the authentication selection information exists in the at least two sets of pre-stored authentication information;
wherein the authentication information selector downloads the first authentication information from the second network device in a case where the first authentication information matching the authentication selection information does not exist in the at least two sets of authentication information stored in advance.
7. A first network device, comprising:
a transmitter, configured to transmit authentication selection information of an operator to a base station, where the base station determines, from at least two sets of pre-stored authentication information, first authentication information that matches the authentication selection information, or downloads, from a second network device, the first authentication information that matches the authentication selection information, where the first authentication information is used for the first network device to authenticate the base station;
a receiver, configured to receive the first authentication information returned by the base station; and
an authentication information processor, connected to the receiver and configured to authenticate the base station according to the first authentication information.
8. An authentication system of a base station, comprising: the base station according to any of claims 1 to 6, and the first network device according to claim 7 establishing a connection with the base station.
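The selection flow of claims 1 and 4 to 7, as an added example that is not part of the patent: the base station searches its pre-stored sets first and downloads by device ID only when none matches. The class names and sample values are constructed, and the HMAC challenge-response is an assumption, since the claims only state that the first network device authenticates the base station according to the first authentication information.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthInfo:
    ident: str      # identifier of the credential set (claim 5)
    operator: str   # operator the set belongs to
    key: bytes      # constructed secret standing in for SIM or certificate material

class SecondDevice:  # second network device: holds downloadable sets
    def __init__(self, records):
        self.records = records  # {(device_id, operator): AuthInfo}
    def download(self, device_id, operator):
        return self.records.get((device_id, operator))  # lookup by device ID (claim 4)

class BaseStation:
    def __init__(self, device_id, stored, second_device):
        self.device_id, self.stored, self.second = device_id, list(stored), second_device
        self.downloads = 0
    def select(self, operator):
        for info in self.stored:  # claim 6: search the pre-stored sets first
            if info.operator == operator:
                return info
        self.downloads += 1  # no local match: download instead
        info = self.second.download(self.device_id, operator)
        if info is None:
            raise LookupError(f"no authentication information for {operator!r}")
        return info
    def respond(self, operator, nonce):
        info = self.select(operator)
        return info.ident, hmac.new(info.key, nonce, hashlib.sha256).digest()

class FirstDevice:  # first network device: sends selection info, verifies the answer
    def __init__(self, operator, keys):
        self.operator, self.keys = operator, keys  # keys: {ident: key}
    def authenticate(self, station):
        nonce = secrets.token_bytes(16)  # assumption: fresh challenge per attempt
        ident, tag = station.respond(self.operator, nonce)
        key = self.keys.get(ident)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

# Constructed sample data: two pre-stored sets, a third available only by download.
STORED = [AuthInfo("set-a", "op-a", b"key-a"), AuthInfo("set-b", "op-b", b"key-b")]
REMOTE = {("bs-0001", "op-c"): AuthInfo("set-c", "op-c", b"key-c")}
STATION = BaseStation("bs-0001", STORED, SecondDevice(REMOTE))
```

Because the download path is keyed only by the device ID, the second network device has to trust that identifier; the `downloads` counter makes it easy to see when that path is taken.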
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201520416973.3U CN204929264U (en) | 2015-06-16 | 2015-06-16 | Certification system of basic station, first network equipment and basic station |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201520416973.3U CN204929264U (en) | 2015-06-16 | 2015-06-16 | Certification system of basic station, first network equipment and basic station |
Publications (1)
Publication Number | Publication Date |
---|---|
CN204929264U (en) | 2015-12-30 |
Family
ID=54978356
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201520416973.3U Active CN204929264U (en) | 2015-06-16 | 2015-06-16 | Certification system of basic station, first network equipment and basic station |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN204929264U (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106257945A (en) * | 2015-06-16 | 2016-12-28 | 北京佰才邦技术有限公司 | The authentication method of base station, Apparatus and system |
CN112788782A (en) * | 2020-12-31 | 2021-05-11 | 瑞斯康达科技发展股份有限公司 | Small base station, small base station system and small base station system opening method |
CN114039815A (en) * | 2021-12-07 | 2022-02-11 | 中国电信股份有限公司 | Method and system for realizing sharing of small base station |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106257945A (en) * | 2015-06-16 | 2016-12-28 | 北京佰才邦技术有限公司 | The authentication method of base station, Apparatus and system |
CN106257945B (en) * | 2015-06-16 | 2024-04-09 | 北京佰才邦技术股份有限公司 | Authentication method, device and system of base station |
CN112788782A (en) * | 2020-12-31 | 2021-05-11 | 瑞斯康达科技发展股份有限公司 | Small base station, small base station system and small base station system opening method |
CN112788782B (en) * | 2020-12-31 | 2023-08-22 | 瑞斯康达科技发展股份有限公司 | Small base station, small base station system and opening method of small base station system |
CN114039815A (en) * | 2021-12-07 | 2022-02-11 | 中国电信股份有限公司 | Method and system for realizing sharing of small base station |
CN114039815B (en) * | 2021-12-07 | 2022-12-20 | 中国电信股份有限公司 | Method and system for realizing sharing of small base station |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9648019B2 (en) | Wi-Fi integration for non-SIM devices | |
CN111726804B (en) | Unified authentication for integrating small cells and Wi-Fi networks | |
JP5992554B2 (en) | System and method for authenticating a second client station using first client station credentials | |
KR101800659B1 (en) | Method and apparatus for setting terminal in mobile telecommunication system | |
EP2583481B1 (en) | Method and apparatus for relay node management and authorization | |
CN101610241B (en) | Method, system and device for authenticating binding | |
CN109964498A (en) | The method and apparatus that remote unit is attached to mobile core network via independent insincere non-3GPP access network | |
CN107529160B (en) | VoWiFi network access method and system, terminal and wireless access point equipment | |
CN104378751B (en) | Remotely access the method, equipment and system of cellular mobile network | |
EP2521387A2 (en) | Method and system for supporting security in a mobile communication system | |
CN106537944A (en) | Associating a device with another device's network subscription | |
CN102209324A (en) | Mobile terminal and method for accessing mobile terminal into wireless local area network (WLAN) hotspot | |
CN104170416A (en) | Online subscription data configuration method, device, and system | |
CN103828413A (en) | Automatic configuration of a wireless device | |
CN103297968B (en) | A kind of method, equipment and the system of wireless terminal certification | |
US20230209340A1 (en) | Method and apparatus for transferring network access information between terminals in mobile communication system | |
CN102204306A (en) | Method, device and system for machine type communication (mtc) terminal communicating with network through gateway | |
CN105530589A (en) | Bluetooth beacon device, wireless LAN terminal authentication access system and wireless LAN terminal authentication access method | |
CN106664558B (en) | Method and device for establishing a connection | |
CN204929264U (en) | Certification system of basic station, first network equipment and basic station | |
CN102026163A (en) | Method and device for selecting access to Internet through wireless fidelity access network | |
CN106257945B (en) | Authentication method, device and system of base station | |
CN103379490A (en) | Authentication method, device and system of user equipment | |
US9641531B2 (en) | Node and a method for enabling network access authorization | |
CN106921967A (en) | Data service handling method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | ||
CP03 | Change of name, title or address |
Address after: 100080 9th and 10th floors, building 1, zone 1, No. 81, Beiqing Road, Haidian District, Beijing Patentee after: Beijing baicaibang Technology Co.,Ltd. Address before: 100080 10-006 block B, building 3, Haidian street, Haidian District, Beijing. Patentee before: Beijing Bai Caibang Technology Co.,Ltd. |