TWI641271B - Access authentication method, UE and access equipment - Google Patents


Info

Publication number
TWI641271B
Authority
TW
Taiwan
Prior art keywords
user terminal
network function
network
access
temporary identification
Prior art date
Application number
TW106126677A
Other languages
Chinese (zh)
Other versions
TW201808028A (en
Inventor
侯雲靜
Original Assignee
電信科學技術研究院
Priority date
Filing date
Publication date
Application filed by 電信科學技術研究院 filed Critical 電信科學技術研究院
Publication of TW201808028A publication Critical patent/TW201808028A/en
Application granted granted Critical
Publication of TWI641271B publication Critical patent/TWI641271B/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/06 Authentication
    • H04W12/08 Access security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention provides an access authentication method, a user terminal and an access device. The method may include: a user terminal sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines from the temporary identifier whether the UE has already been authenticated.

Description

Access authentication method, UE and access equipment

The present invention belongs to the field of communication technology, and in particular relates to an access authentication method, a user terminal (User Equipment, UE) and an access device.

In a communication system, a UE often needs to connect to the core network through different access networks, for example at different locations or in different scenarios: after connecting to the core network through one access network, the UE connects to the core network again through another access network. In current communication systems, however, the UE must perform an authentication process every time it connects to the core network through an access network. Every authentication process involves a signaling exchange, so signaling is wasted.

An object of the present invention is to provide an access authentication method, a UE and an access device that solve the problem of wasted signaling.

To achieve the above object, an embodiment of the present invention provides an access authentication method, including: a UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines from the temporary identifier whether the UE has already been authenticated.

Optionally, the temporary identifier is the temporary identifier that the network function assigned to the UE when the UE connected to the core network through another access network.

Optionally, the method further includes: if the UE is not authenticated, the UE performs an authentication process initiated by the network function, where the UE being not authenticated means that the network function did not find a context for the UE using the temporary identifier.

Optionally, the UE also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function judges the legitimacy of the UE from the security verification information.

Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.

Optionally, the method further includes: if the verification fails, the UE performs an authentication process initiated by the network function; or, if the verification fails, the UE receives a new identifier that the network function sends through the access network to which the UE is already connected; or, if the verification fails, the user terminal receives a reject message returned by the network function.

An embodiment of the present invention further provides an access authentication method, including: an access device receives a temporary identifier sent by a UE; the access device sends the temporary identifier to a network function, so that the network function determines from the temporary identifier whether the UE has already been authenticated.

Optionally, the temporary identifier is the temporary identifier that the network function assigned to the UE when the UE connected to the core network through another access network, where the other access network does not include the access device.

Optionally, the method further includes: if the network function finds the UE's context using the temporary identifier, which indicates that the UE is authenticated, the access device receives an indication, sent by the network function, that the UE is already authenticated.

Optionally, the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function authenticates the UE according to the security verification information.

Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.

An embodiment of the present invention further provides a UE, including: a sending module, configured to send a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines from the temporary identifier whether the UE has already been authenticated.

Optionally, the temporary identifier is the temporary identifier that the network function assigned to the UE when the UE connected to the core network through another access network.

Optionally, the UE further includes: a first execution module, configured to perform an authentication process initiated by the network function if the UE is not authenticated, where the UE being not authenticated means that the network function did not find a context for the UE using the temporary identifier.

Optionally, the UE also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function judges the legitimacy of the UE from the security verification information.

Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.

Optionally, the UE further includes: a second execution module, configured to perform an authentication process initiated by the network function if the verification fails; or a first receiving module, configured to receive, if the verification fails, a new identifier that the network function sends through the access network to which the UE is already connected; or a second receiving module, configured to receive, if the verification fails, a reject message returned by the network function.

An embodiment of the present invention further provides an access device, including: a first receiving module, configured to receive a temporary identifier sent by a UE; and a sending module, configured to send the temporary identifier to a network function, so that the network function determines from the temporary identifier whether the UE has already been authenticated.

Optionally, the temporary identifier is the temporary identifier that the network function assigned to the UE when the UE connected to the core network through another access network, where the other access network does not include the access device.

Optionally, the access device further includes: a second receiving module, configured to receive, if the network function finds the UE's context using the temporary identifier (which indicates that the UE is authenticated), an indication sent by the network function that the UE is already authenticated.

Optionally, the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function authenticates the UE according to the security verification information.

Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.

An embodiment of the present invention further provides a user terminal, including a processor, a transceiver, a memory, a user interface and a bus interface, where: the processor is configured to read a program in the memory and execute the following process: send a temporary identifier to an access network through the transceiver, so that the access network sends the temporary identifier to a network function, and the network function determines from the temporary identifier whether the user terminal has already been authenticated; and the transceiver is configured to receive and send data under the control of the processor.

An embodiment of the present invention further provides an access device, including a processor, a transceiver, a memory, a user interface and a bus interface, where: the processor is configured to read a program in the memory and execute the following process: receive, through the transceiver, a temporary identifier sent by a UE; and send the temporary identifier to a network function through the transceiver, so that the network function determines from the temporary identifier whether the user terminal has already been authenticated; and the transceiver is configured to receive and send data under the control of the processor.

The above technical solution of the present invention has at least the following beneficial effects. In the embodiments of the present invention, the UE sends a temporary identifier to the access network, so that the access network sends the temporary identifier to a network function, and the network function determines from the temporary identifier whether the UE has already been authenticated. The UE therefore only needs to send a temporary identifier to the access network for the network function to determine whether the UE is authenticated, which avoids the UE having to perform an authentication process every time it connects to the core network through an access network and so reduces wasted signaling.

201, 701-702: steps
800: UE
801: sending module
802: first execution module
803: second execution module
804: first receiving module
805: second receiving module
1100: access device
1101: first receiving module
1102: sending module
1103: second receiving module
1300, 1400: processor
1310, 1410: transceiver
1320, 1420: memory
1330, 1430: user interface

FIG. 1 is a schematic diagram of a network structure to which embodiments of the present invention can be applied;
FIG. 2 is a schematic flowchart of an access authentication method provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of another access authentication method provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of another access authentication method provided by an embodiment of the present invention;
FIG. 5 is a schematic diagram of another access authentication method provided by an embodiment of the present invention;
FIG. 6 is a schematic diagram of another access authentication method provided by an embodiment of the present invention;
FIG. 7 is a schematic flowchart of another access authentication method provided by an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a UE provided by an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of another UE provided by an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of another UE provided by an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of an access device provided by an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of another access device provided by an embodiment of the present invention;
FIG. 13 is a schematic structural diagram of another UE provided by an embodiment of the present invention; and
FIG. 14 is a schematic structural diagram of another access device provided by an embodiment of the present invention.

To make the technical problems to be solved, the technical solutions and the advantages of the present invention clearer, a detailed description follows with reference to the accompanying drawings and specific embodiments.

Referring to FIG. 1, FIG. 1 is a schematic diagram of a network structure to which embodiments of the present invention can be applied. As shown in FIG. 1, it includes a UE, a non-3GPP access network entity, a Non-3GPP Access Stratum Function (N3ASF), control plane functions (CP functions), user plane functions (UP functions), an Application Function (AF) and a Data Network (DN). Y1 denotes the interface between the UE and the non-3GPP access network (for example, WLAN) entity; Y2 denotes the interface between the UE and the N3ASF entity; Y4 denotes the interface between the N3ASF entity and the non-3GPP access network entity; NG1 denotes the interface between the UE and the control plane functions; NG2 denotes the interface between the N3ASF and the control plane functions, which can also be understood as the interface between the Radio Access Network (RAN) and the control plane functions; NG3 denotes the interface between the N3ASF and the user plane functions, which can also be understood as the interface between the RAN and the user plane functions; NG4 denotes the interface between the control plane functions and the user plane functions; NG5 denotes the interface between the control plane functions and the AF; and NG6 denotes the interface between the user plane functions and the DN.

In addition, the N3ASF is a logical component of the access network and terminates the NG2 or NG3 interface. The protocol used between the UE and the N3ASF is N3-AS, which can be used to transparently carry NAS messages, user plane bearer information and security information between the UE and the core network. The above network structure may of course also include other access network entities, such as a 3GPP access network entity, which the embodiments of the present invention do not limit. Note that the embodiments of the present invention are not restricted to this network structure, which is only an example.

In addition, the UE may be a terminal-side device such as a mobile phone, a tablet personal computer, a laptop computer, a personal digital assistant (PDA), a Mobile Internet Device (MID) or a wearable device. Note that the embodiments of the present invention do not limit the specific type of UE.

Referring to FIG. 2, an embodiment of the present invention provides an access authentication method. As shown in FIG. 2, it includes the following step:

201. The UE sends a temporary identifier to the access network, so that the access network sends the temporary identifier to a network function, and the network function determines from the temporary identifier whether the UE has already been authenticated.

In this embodiment of the present invention, through the above step the UE sends the temporary identifier to the access network, and the network function can then determine from the temporary identifier whether the UE has already been authenticated. For example, if the network function can find the UE's context using the temporary identifier, the UE has already been authenticated, which means the UE is already connected to the core network through another access network. Once the network function determines that the UE is authenticated, it does not need to initiate an authentication process toward the UE. The above step therefore avoids running the authentication process multiple times when the UE connects to the core network through different access networks, which reduces wasted signaling.

In the embodiments of the present invention, the network function may be a control plane function.

Optionally, the temporary identifier is the temporary identifier that the network function assigned to the UE when the UE connected to the core network through another access network.

In this implementation, the temporary identifier is the one the network function assigned to the UE when the UE connected to the core network through another access network. That other access network may use an access technology different from that of the access network in step 201. For example, if the access network in step 201 is a 3GPP access network, the other access network may be an access network other than a 3GPP access network, such as a non-3GPP access network.

Optionally, the method further includes: if the UE is not authenticated, the UE performs an authentication process initiated by the network function, where the UE being not authenticated means that the network function did not find a context for the UE using the temporary identifier.

In this implementation, if the network function determines from the temporary identifier that the UE is not authenticated (for example, the UE had not connected to the core network through another access network before performing step 201), the network function can initiate an authentication process toward the UE, that is, the UE performs the authentication process initiated by the network function.

Optionally, the UE also sends security verification information to the access network, and the access network (the access network in step 201) also sends the security verification information to the network function, so that the network function judges the legitimacy of the UE from the security verification information.

The security verification information may be sent together with the temporary identifier, for example in a single message to the access network that carries both. After the access network receives the security verification information, it forwards it to the network function, which can then judge the legitimacy of the UE from it. This prevents a malicious terminal that has intercepted the UE's identifier from impersonating the UE to connect to the core network. The security verification information may be negotiated in advance between the UE and the network function, or specified in advance by the network function, and so on.

Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.

The request message may be an attach request or a request to connect to the core network. If the security verification information includes the request message, the network function may use the integrity key in the UE's context to check the integrity of the request message and use the key in that context to decrypt the request message; if decryption succeeds, verification passes, that is, the UE is determined to be legitimate.

The identifier may be an International Mobile Subscriber Identification Number (IMSI), an International Mobile Equipment Identity (IMEI), or the like. If the security verification information includes the identifier, the network function may use the security information in the UE's context to decrypt the identifier; if decryption succeeds, verification passes, that is, the UE is determined to be legitimate.

The signature may be a digital signature. The network function may match the signature in the UE's context against the signature in the security verification information; if they match, verification passes, that is, the UE is determined to be legitimate.

Optionally, the method further includes: if the verification fails, the UE performs an authentication process initiated by the network function; or, if the verification fails, the UE receives a new identifier that the network function sends through the access network to which the UE is already connected; or, if the verification fails, the UE receives a reject message returned by the network function.

In this implementation, if verification fails, the UE performs an authentication process initiated by the network function. Alternatively, if verification fails, the UE receives a new identifier that the network function sends through the access network to which the UE is already connected, and the UE can then use the new identifier for authentication. Alternatively, if verification fails, the UE receives a reject message returned by the network function, which means the network function refuses to let the UE connect to the core network through the above access network; this prevents a malicious terminal that has intercepted the UE's identifier from impersonating the UE to connect to the core network.

Optionally, the UE may send the temporary identifier to the access network in an RRC message that also includes an attach request. For example, if the access network in step 201 is a 3GPP access network and the UE has already connected to the core network through a non-3GPP access network, the procedure may be as shown in FIG. 3 and include the following steps:

Step 1. The UE sends an RRC message to the 3GPP access network. The RRC message includes an attach request and the temporary identifier; the attach request may be encrypted.
Step 2. The 3GPP access network uses the temporary identifier to determine the network function that assigned it, and sends that network function an NG2 interface message containing the attach request and the temporary identifier.
Step 3. The network function finds the UE's context using the temporary identifier and uses the security information in the context to judge whether the attach request is secure. If it is (for example, the integrity key verifies the integrity of the message and the key successfully decrypts the attach request), the network function stores the information of the new access network (that is, the 3GPP access network to which the above 3GPP access network entity belongs) in the UE's context, and then returns an NG2 interface message containing an attach accept message to the 3GPP access network.
Step 4. The 3GPP access network returns an RRC message containing the attach accept message to the UE.

In addition, the UE may send the temporary identifier to the access network in a connection establishment message, for example as one of the message's parameters. For example, if the access network in step 201 is a non-3GPP access network and the UE has already connected to the core network through a 3GPP access network, the procedure may be as shown in FIG. 4 and include the following steps:

Step 1. The UE sends a connection establishment message to the non-3GPP access network. The message parameters include the temporary identifier that the network function assigned to the UE when it connected to the core network through 3GPP access.
Step 2. The non-3GPP access network sends a connection request message to the N3ASF, with the temporary identifier provided by the UE as the message parameter. This step is not performed if the N3ASF and the non-3GPP access network are co-located.
Step 3. The N3ASF sends an NG2 interface message to the network function. The message parameters include the access technology and the temporary identifier provided by the UE.
Step 4. The network function finds the UE's context using the UE's temporary identifier and discovers that the UE is already connected to the core network through the 3GPP access network. The network function sends the N3ASF an NG2 interface message carrying an indication that the UE is already authenticated.
Step 5. The N3ASF sends the non-3GPP access network a connection reply message carrying the indication that the UE is already authenticated. This step is not performed if the N3ASF and the non-3GPP access network are co-located.
Step 6. The non-3GPP access network sends a connection establishment complete message to the UE.

In addition, in this embodiment, the connection establishment message may further include an encrypted identifier or a signature. For example, the UE may use the security context to encrypt the UE's IMSI or IMEI and send the encrypted IMSI or IMEI to the non-3GPP access network entity in step 1. That is, in the foregoing embodiment, the messages in steps 1, 2 and 3 also carry the encrypted IMSI or IMEI, or a signature. In step 3, the network function uses the temporary identifier to find the context of the UE, and then uses the security information in the context to decrypt the IMSI and IMEI, or to verify the signature. If the UE's IMSI and IMEI can be decrypted, or the signature is correct, the UE is the correct UE. If the decrypted identifier differs from the IMSI or IMEI in the UE context, or the signature is incorrect, the UE is being impersonated by a malicious terminal.
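The network-function check described in this embodiment, as an added Python example that is not part of the patent text: it looks up the UE context by temporary identifier, verifies the accompanying proof, and applies one of the outcomes the description lists when verification fails. HMAC-SHA256 over the temporary identifier and access technology stands in for the unspecified "signature"; the class, function and field names and the sample IMSI are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALREADY_AUTHENTICATED = "already-authenticated indication"
    START_AUTHENTICATION = "network function initiates authentication"
    REISSUE_IDENTIFIER = "new identifier sent over the already-connected access"
    REJECT = "reject message"


@dataclass
class UEContext:
    imsi: str
    integrity_key: bytes                 # security context from the 3GPP attach
    access_networks: set = field(default_factory=set)


def ue_proof(key: bytes, temp_id: str, access_technology: str) -> bytes:
    """UE side: the proof carried next to the temporary identifier.

    Assumption: HMAC-SHA256 over identifier and access technology. The page
    names neither an algorithm nor the signed fields.
    """
    msg = temp_id.encode() + b"|" + access_technology.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class NetworkFunction:
    def __init__(self, require_proof: bool = True,
                 on_failure: Decision = Decision.REJECT):
        self.contexts: dict[str, UEContext] = {}   # temporary identifier -> context
        self.require_proof = require_proof
        self.on_failure = on_failure

    def attach_via_3gpp(self, imsi: str) -> tuple[str, bytes]:
        """Stand-in for the full authentication run over 3GPP access."""
        temp_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.contexts[temp_id] = UEContext(imsi, key, {"3GPP"})
        return temp_id, key

    def handle_ng2(self, temp_id: str, access_technology: str,
                   proof: Optional[bytes] = None) -> tuple[Decision, Optional[str]]:
        ctx = self.contexts.get(temp_id)
        if ctx is None:
            # No context for this identifier: the UE is not authenticated.
            return Decision.START_AUTHENTICATION, None
        if proof is None and not self.require_proof:
            # Base variant: the temporary identifier alone is accepted.
            ctx.access_networks.add(access_technology)
            return Decision.ALREADY_AUTHENTICATED, None
        expected = ue_proof(ctx.integrity_key, temp_id, access_technology)
        if proof is not None and hmac.compare_digest(proof, expected):
            ctx.access_networks.add(access_technology)
            return Decision.ALREADY_AUTHENTICATED, None
        # Verification failed: the sender does not hold the UE's security context.
        if self.on_failure is Decision.REISSUE_IDENTIFIER:
            new_id = secrets.token_hex(8)
            self.contexts[new_id] = self.contexts.pop(temp_id)
            return Decision.REISSUE_IDENTIFIER, new_id   # delivered via 3GPP access
        return self.on_failure, None


if __name__ == "__main__":
    nf = NetworkFunction()
    tid, k = nf.attach_via_3gpp("001010123456789")   # constructed test IMSI
    print(nf.handle_ng2(tid, "non-3GPP", ue_proof(k, tid, "non-3GPP")))
    print(nf.handle_ng2(tid, "non-3GPP", b"\x00" * 32))
```

With `require_proof=False` the temporary identifier behaves as a bearer token, which is the case the encrypted identifier or signature is there to close.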

In addition, in this embodiment, because a connection establishment message and a connection complete message are transmitted between the UE and the access network, the protocol between the UE and the non-3GPP access network can be extended.

In addition, the UE may also send the temporary identifier to the access network through an Extensible Authentication Protocol (EAP) response message. For example, the access network in step 201 may be a non-3GPP access network and the UE has already connected to the core network through a 3GPP access network; as shown in FIG. 5, the procedure may include the following steps: Step 1: a connection is established between the UE and the non-3GPP access network; Step 2: the non-3GPP access network sends an EAP-REQ/Identity message to the UE to initiate the EAP authentication process; Step 3: the UE returns an EAP-RSP/Identity message to the non-3GPP access network, the message carrying the UE's temporary identifier; Step 4: the non-3GPP access network sends the EAP-RSP/Identity message to the N3ASF; it should be noted that this step is not performed if the N3ASF and the non-3GPP access network are co-located; Step 5: the N3ASF sends the EAP-RSP/Identity message to the network function; Step 6: the network function finds that the UE has already connected to the core network through 3GPP access, so the network function does not perform the authentication process on the UE again and returns an EAP-Success message to the N3ASF; Step 7: the N3ASF returns the EAP-Success message to the non-3GPP access network; it should be noted that this step is not performed if the N3ASF and the non-3GPP access network are co-located; Step 8: the non-3GPP access network returns the EAP-Success message to the UE.

To ensure that the UE is a legitimate UE, the UE may also carry the encrypted IMSI, IMEI or a signature in the EAP-RSP/Identity message.

In addition, in this embodiment, there is no need to extend the protocol between the UE and the non-3GPP access network.

The UE may also send the temporary identifier to the access network through a protocol request message. For example, the access network in step 201 may be an access network that includes the N3ASF, and the UE has already connected to the core network through a 3GPP access network; as shown in FIG. 6, the procedure may include the following steps: Step 1: the UE sends an N3-AS request message to the N3ASF, the message including the temporary identifier that the network function assigned to the UE when the UE accessed the core network through 3GPP; Step 2: the N3ASF determines, from the temporary identifier, the network function that assigned it, and then sends an NG2 interface message to that network function, the message including the access technology and the temporary identifier; Step 3: the network function finds the context of the UE according to the temporary identifier, which shows that the UE has already performed the authentication process through 3GPP access, and returns an NG2 interface message to the N3ASF, the message including the already-authenticated indication; Step 4: the N3ASF returns an N3-AS reply message to the UE, the message including the already-authenticated indication. In addition, to ensure that the UE is a legitimate UE, the messages in steps 1 and 2 may also include the encrypted IMSI, IMEI or a signature.

It should be noted that the various optional implementations described in the embodiments of the present invention may be implemented in combination with one another or separately, which is not limited in the embodiments of the present invention.

In this embodiment of the present invention, the UE sends a temporary identifier to the access network, so that the access network sends the temporary identifier to the network function, and the network function determines, according to the temporary identifier, whether the UE has been authenticated. In this way, the UE only needs to send a temporary identifier to the access network, and the network function can determine from the temporary identifier whether the UE has been authenticated. This avoids the UE having to perform the authentication process each time it connects to the core network through an access network, and so reduces signaling waste.

Please refer to FIG. 7, which shows another access authentication method provided by an embodiment of the present invention. As shown in FIG. 7, the method includes the following steps: 701: an access device receives a temporary identifier sent by a UE; 702: the access device sends the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the UE has been authenticated.

It should be noted that the access device may be an access device in the access network of step 201 in the embodiment shown in FIG. 2; any implementation of the access network in step 201 of the embodiment shown in FIG. 2 can implement the access device entity, and details are not repeated here.

Optionally, the temporary identifier is the temporary identifier that the network function assigned to the UE when the UE connected to the core network through another access network, where the other access network does not include the access device.

Optionally, the method further includes: if the network function finds the context of the UE according to the temporary identifier, which indicates that the UE has been authenticated, the access device receives, from the network function, an indication that the UE has been authenticated.

Optionally, the access device further receives security verification information sent by the UE, and the access network further sends the security verification information to the network function, so that the network function authenticates the UE according to the security verification information.

Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.

It should be noted that this embodiment is an implementation of the access network (the access network in step 201) corresponding to the embodiments shown in FIGS. 2 to 6. For its specific implementation, refer to the related descriptions of the embodiments shown in FIGS. 2 to 6; to avoid repetition, details are not repeated in this embodiment. This embodiment likewise reduces signaling waste.

Please refer to FIG. 8, which shows a UE structure. As shown in FIG. 8, the UE 800 includes the following module: a sending module 801, configured to send a temporary identifier to the access network, so that the access network sends the temporary identifier to the network function, and the network function determines, according to the temporary identifier, whether the UE has been authenticated.

Optionally, the temporary identifier is the temporary identifier that the network function assigned to the UE when the UE connected to the core network through another access network.

Optionally, as shown in FIG. 9, the UE 800 further includes: a first execution module 802, configured to perform, if the UE is not authenticated, the authentication process initiated by the network function, where the UE being not authenticated means that the network function did not find the context of the UE according to the temporary identifier.

Optionally, the UE further sends security verification information to the access network, and the access network further sends the security verification information to the network function, so that the network function judges the legitimacy of the UE according to the security verification information.

Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.

Optionally, as shown in FIG. 10, the UE 800 further includes: a second execution module 803, configured to perform, if the verification fails, the authentication process initiated by the network function; or a first receiving module 804, configured to receive, if the verification fails, a new identifier sent by the network function through the access network to which the UE is already connected; or a second receiving module 805, configured to receive, if the verification fails, a reject message returned by the network function.

It should be noted that the UE 800 in this embodiment may be the UE of any implementation in the method embodiments of the present invention; any implementation of the UE in the method embodiments can be realized by the UE 800 in this embodiment with the same beneficial effects, and details are not repeated here.

Referring to FIG. 11, an embodiment of the present invention provides an access device. As shown in FIG. 11, the access device 1100 includes the following modules: a first receiving module 1101, configured to receive a temporary identifier sent by a UE; and a sending module 1102, configured to send the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the UE has been authenticated.

Optionally, the temporary identifier is the temporary identifier that the network function assigned to the UE when the UE connected to the core network through another access network, where the other access network does not include the access device.

Optionally, as shown in FIG. 12, the access device 1100 further includes: a second receiving module 1103, configured to receive, if the network function finds the context of the UE according to the temporary identifier, which indicates that the UE has been authenticated, an indication sent by the network function that the UE has been authenticated.

Optionally, the access device further receives security verification information sent by the UE, and the access network further sends the security verification information to the network function, so that the network function authenticates the UE according to the security verification information.

Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.

It should be noted that the access device 1100 in this embodiment may be the access device of any implementation in the method embodiments of the present invention; any implementation of the access device in the method embodiments can be realized by the access device 1100 in this embodiment with the same beneficial effects, and details are not repeated here.

Referring to FIG. 13, the structure of a UE is shown. The UE includes a processor 1300, a transceiver 1310, a memory 1320, a user interface 1330 and a bus interface, where the processor 1300 is configured to read a program in the memory 1320 and execute the following process: sending a temporary identifier to the access network through the transceiver 1310, so that the access network sends the temporary identifier to the network function, and the network function determines, according to the temporary identifier, whether the UE has been authenticated. The transceiver 1310 is configured to receive and send data under the control of the processor 1300.

In FIG. 13, the bus architecture may include any number of interconnected buses and bridges; specifically, various circuits of one or more processors represented by the processor 1300 and of the memory represented by the memory 1320 are linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, all of which are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 1310 may be a plurality of elements, that is, it includes a transmitter and a receiver, and provides a unit for communicating with various other devices over a transmission medium. For different user equipment, the user interface 1330 may also be an interface capable of externally or internally connecting required devices; the connected devices include, but are not limited to, a keypad, a display, a speaker, a microphone and a joystick.

The processor 1300 is responsible for managing the bus architecture and general processing, and the memory 1320 can store data used by the processor 1300 when performing operations.

Optionally, the temporary identifier is the temporary identifier that the network function assigned to the UE when the UE connected to the core network through another access network.

Optionally, the processor 1300 is further configured to: if the UE is not authenticated, perform the authentication process initiated by the network function, where the UE being not authenticated means that the network function did not find the context of the UE according to the temporary identifier.

Optionally, the processor 1300 further sends security verification information to the access network through the transceiver 1310, and the access network further sends the security verification information to the network function, so that the network function judges the legitimacy of the UE according to the security verification information.

Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.

Optionally, the processor 1300 is further configured to: if the verification fails, perform the authentication process initiated by the network function; or, if the verification fails, receive a new identifier sent by the network function through the access network to which the UE is already connected; or, if the verification fails, the UE's request to connect to the core network through the access network is rejected by the network function.

It should be noted that the UE in this embodiment may be the UE of any implementation in the method embodiments of the present invention; any implementation of the UE in the method embodiments can be realized by the UE in this embodiment with the same beneficial effects, and details are not repeated here.

Referring to FIG. 14, the structure of an access device is shown. The access device includes a processor 1400, a transceiver 1410, a memory 1420, a user interface 1430 and a bus interface, where the processor 1400 is configured to read a program in the memory 1420 and execute the following process: receiving, through the transceiver 1410, a temporary identifier sent by a UE; and sending the temporary identifier to a network function through the transceiver 1410, so that the network function determines, according to the temporary identifier, whether the UE has been authenticated. The transceiver 1410 is configured to receive and send data under the control of the processor 1400.

In FIG. 14, the bus architecture may include any number of interconnected buses and bridges; specifically, various circuits of one or more processors represented by the processor 1400 and of the memory represented by the memory 1420 are linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, all of which are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 1410 may be a plurality of elements, that is, it includes a transmitter and a receiver, and provides a unit for communicating with various other devices over a transmission medium. For different user equipment, the user interface 1430 may also be an interface capable of externally or internally connecting required devices; the connected devices include, but are not limited to, a keypad, a display, a speaker, a microphone and a joystick.

The processor 1400 is responsible for managing the bus architecture and general processing, and the memory 1420 can store data used by the processor 1400 when performing operations.

Optionally, the temporary identifier is the temporary identifier that the network function assigned to the UE when the UE connected to the core network through another access network, where the other access network does not include the access device.

Optionally, the processor 1400 is further configured to: if the network function finds the context of the UE according to the temporary identifier, which indicates that the UE has been authenticated, receive an indication sent by the network function that the UE has been authenticated.

Optionally, the processor 1400 further receives, through the transceiver 1410, security verification information sent by the UE, and further sends the security verification information to the network function through the transceiver 1410, so that the network function authenticates the UE according to the security verification information.

Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.

It should be noted that the access device in this embodiment may be the access device of any implementation in the method embodiments of the present invention; any implementation of the access device in the method embodiments can be realized by the access device in this embodiment with the same beneficial effects, and details are not repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed methods and devices may be implemented in other ways. For example, the device embodiments described above are only illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or elements may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.

In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may be physically included on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.

The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform some of the steps of the transceiving method of the embodiments of the present invention. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, and other media that can store program code.

The above are preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements shall also be regarded as falling within the scope of protection of the present invention.

Claims (22)

1. An access authentication method, comprising: a user terminal sending a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the user terminal has been authenticated; and if the network function finds the context of the user terminal according to the temporary identifier, this indicates that the user terminal has been authenticated, and the network function does not initiate an authentication process toward the user terminal.
2. The access authentication method according to claim 1, wherein the temporary identifier is the temporary identifier that the network function assigned to the user terminal when the user terminal connected to the core network through another access network.
3. The access authentication method according to claim 1, wherein the method further comprises: if the network function does not find the context of the user terminal according to the temporary identifier, this indicates that the user terminal is not authenticated, and the user terminal performs the authentication process initiated by the network function.
4. The access authentication method according to any one of claims 1 to 3, wherein the user terminal further sends security verification information to the access network, and the access network further sends the security verification information to the network function, so that the network function judges the legitimacy of the user terminal according to the security verification information.
5. The access authentication method according to claim 4, wherein the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
6. The access authentication method according to claim 4, wherein the method further comprises: if the verification fails, the user terminal performs the authentication process initiated by the network function; or, if the verification fails, the user terminal receives a new identifier sent by the network function through the access network to which the user terminal is already connected; or, if the verification fails, the user terminal receives a reject message returned by the network function.
7. An access authentication method, comprising: an access device receiving a temporary identifier sent by a user terminal; the access device sending the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the user terminal has been authenticated; and if the network function finds the context of the user terminal according to the temporary identifier, this indicates that the user terminal has been authenticated, and the access device receives an indication sent by the network function that the user terminal has been authenticated.
8. The access authentication method according to claim 7, wherein the temporary identifier is the temporary identifier that the network function assigned to the user terminal when the user terminal connected to the core network through another access network, and the other access network does not include the access device.
9. The access authentication method according to claim 7 or 8, wherein the access device further receives security verification information sent by the user terminal, and the access network further sends the security verification information to the network function, so that the network function authenticates the user terminal according to the security verification information.
10. The access authentication method according to claim 9, wherein the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
11. A user terminal, comprising: a sending module, configured to send a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the user terminal has been authenticated; wherein, if the network function finds the context of the user terminal according to the temporary identifier, this indicates that the user terminal has been authenticated, and the network function does not initiate an authentication process toward the user terminal.
The user terminal according to claim 11, wherein the temporary identification is a temporary identification assigned to the user terminal by the network function when the user terminal connects to the core network through another access network.
The user terminal according to claim 11, wherein the user terminal further comprises: a first execution module, configured so that, if the network function does not find the context of the user terminal according to the temporary identification, which indicates that the user terminal is not authenticated, the user terminal executes the authentication process initiated by the network function.
The user terminal according to any one of claims 11 to 13, wherein the user terminal further sends security verification information to the access network, and the access network further sends the security verification information to the network function, so that the network function judges the legitimacy of the user terminal according to the security verification information.
The user terminal according to claim 14, wherein the security verification information includes one or more of the following: an encrypted identification, an encrypted request message, or a signature.
The user terminal according to claim 14, wherein the user terminal further comprises: a second execution module, configured to execute the authentication process initiated by the network function if the verification fails; or a first receiving module, configured to receive, if the verification fails, a new identification sent by the network function through an access network to which the user terminal is already connected; or a second receiving module, configured to receive, if the verification fails, a rejection message returned by the network function.
An access device, comprising: a first receiving module, configured to receive a temporary identification sent by a user terminal; a sending module, configured to send the temporary identification to a network function, so that the network function determines, according to the temporary identification, whether the user terminal is authenticated; and a second receiving module, configured to receive, if the network function finds the context of the user terminal according to the temporary identification, which indicates that the user terminal is authenticated, prompt information sent by the network function that the user terminal is authenticated.
The access device according to claim 17, wherein the temporary identification is a temporary identification assigned to the user terminal by the network function when the user terminal connects to the core network through another access network, wherein the other access network does not include the access device.
The access device according to claim 17 or 18, wherein the access device further receives security verification information sent by the user terminal, and the access network further sends the security verification information to the network function, so that the network function authenticates the user terminal according to the security verification information.
The access device according to claim 19, wherein the security verification information includes one or more of the following: an encrypted identification, an encrypted request message, or a signature.
A user terminal, comprising: a processor, a transceiver, a memory, a user interface, and a bus interface, wherein: the processor is configured to read a program in the memory and execute the following process: sending a temporary identification to an access network through the transceiver, so that the access network sends the temporary identification to a network function, and the network function determines, according to the temporary identification, whether the user terminal is authenticated; and if the network function finds the context of the user terminal according to the temporary identification, this indicates that the user terminal is authenticated, and the network function does not initiate an authentication process toward the user terminal; and the transceiver is configured to receive and send data under the control of the processor.
An access device, comprising: a processor, a transceiver, a memory, a user interface, and a bus interface, wherein: the processor is configured to read a program in the memory and execute the following process: receiving, through the transceiver, a temporary identification sent by the UE; sending the temporary identification to a network function through the transceiver, so that the network function determines, according to the temporary identification, whether the user terminal is authenticated; and if the network function finds the context of the user terminal according to the temporary identification, this indicates that the user terminal is authenticated, and the access device receives prompt information, sent by the network function, that the user terminal is authenticated; and the transceiver is configured to receive and send data under the control of the processor.
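The network-function decision described in the claims above (context lookup by temporary identification, then a check of the security verification information, then one of the three failure options) can be sketched as follows. This is an added illustration, not code from the patent: the claims do not name an algorithm, so the "signature" is assumed to be an HMAC-SHA256 under a key held in the user terminal's context, and all class, function and access-network names are hypothetical.

```python
import hashlib
import hmac
import secrets
from enum import Enum


class Outcome(Enum):
    ALREADY_AUTHENTICATED = 1   # context found and proof valid: no new authentication
    RUN_AUTHENTICATION = 2      # network function initiates the authentication process
    NEW_ID_SENT = 3             # new identification sent over the already-connected access network
    REJECTED = 4                # rejection message returned


def make_proof(key: bytes, temp_id: str, request: bytes) -> bytes:
    """UE side. Assumption: the 'signature' is HMAC-SHA256 keyed with the context key."""
    return hmac.new(key, temp_id.encode() + b"|" + request, hashlib.sha256).digest()


class NetworkFunction:
    def __init__(self, on_failure: Outcome = Outcome.RUN_AUTHENTICATION):
        self.contexts = {}      # temp_id -> {"key": bytes, "access": str}
        self.sent_over = []     # (access network, new temp_id): constructed stand-in for signalling
        self.on_failure = on_failure

    def attach_after_authentication(self, key: bytes, access: str) -> str:
        """First access: authentication already ran, so store a context and allocate a temporary ID."""
        temp_id = secrets.token_hex(8)
        self.contexts[temp_id] = {"key": key, "access": access}
        return temp_id

    def handle_second_access(self, temp_id: str, request: bytes, proof: bytes) -> Outcome:
        """Request forwarded by a different access network, carrying the temporary ID."""
        ctx = self.contexts.get(temp_id)
        if ctx is None:                      # no context: the user terminal is not authenticated
            return Outcome.RUN_AUTHENTICATION
        if hmac.compare_digest(make_proof(ctx["key"], temp_id, request), proof):
            return Outcome.ALREADY_AUTHENTICATED
        if self.on_failure is Outcome.NEW_ID_SENT:
            # Assumption: the old ID is retired, and the fresh one is delivered over the
            # access network the genuine user terminal is already connected to.
            new_id = secrets.token_hex(8)
            self.contexts[new_id] = self.contexts.pop(temp_id)
            self.sent_over.append((ctx["access"], new_id))
        return self.on_failure
```

A bare temporary identification only selects a context; the outcome depends on the proof, so a party that has merely observed the identification does not inherit the authenticated state.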
TW106126677A 2016-08-16 2017-08-08 Access authentication method, UE and access equipment TWI641271B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610676117.0A CN107770770A (en) 2016-08-16 2016-08-16 A kind of access authentication method, UE and access device

Publications (2)

Publication Number Publication Date
TW201808028A TW201808028A (en) 2018-03-01
TWI641271B TWI641271B (en) 2018-11-11

Family

ID=61196332

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106126677A TWI641271B (en) 2016-08-16 2017-08-08 Access authentication method, UE and access equipment

Country Status (3)

Country Link
CN (1) CN107770770A (en)
TW (1) TWI641271B (en)
WO (1) WO2018032984A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110798833B (en) * 2018-08-03 2023-10-24 华为技术有限公司 Method and device for verifying user equipment identification in authentication process

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101835155A (en) * 2010-03-31 2010-09-15 中兴通讯股份有限公司 Method and system for accessing terminal to fusion network
CN103067337A (en) * 2011-10-19 2013-04-24 中兴通讯股份有限公司 Identity federation method, identity federation intrusion detection & prevention system (IdP), identity federation service provider (SP) and identity federation system
CN104871511A (en) * 2012-12-19 2015-08-26 瑞典爱立信有限公司 Device authentication by tagging
WO2016004822A1 (en) * 2014-07-10 2016-01-14 华为技术有限公司 Method and apparatus for network switching

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808321B (en) * 2009-02-16 2014-03-12 中兴通讯股份有限公司 Security authentication method
CN104506406B (en) * 2011-11-03 2018-10-30 华为技术有限公司 A kind of authentication equipment
CN104902473A (en) * 2014-04-21 2015-09-09 孟俊 Wireless network access authentication method and device based on CPK (Combined Public Key Cryptosystem) identity authentication

Also Published As

Publication number Publication date
CN107770770A (en) 2018-03-06
TW201808028A (en) 2018-03-01
WO2018032984A1 (en) 2018-02-22
