WO2008110099A1 - Method, system and associated device for authenticating apparatus access to a communication network - Google Patents


Info

Publication number
WO2008110099A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
node
request
message
management node
Application number
PCT/CN2008/070435
Other languages
French (fr)
Chinese (zh)
Inventor
Ling Zhang
Zhihui Gu
Original Assignee
Huawei Technologies Co., Ltd.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates to the field of communications, and in particular, to an authentication technology for a device to access a communication network.
  • WPAN: wireless personal area network
  • WWAN: wireless wide area network
  • WMAN: wireless metropolitan area network
  • WLAN: wireless local area network
  • the network structure of WPAN is relatively complex, including various network structures such as star, tree and mesh. Multi-hop and self-organization are the main features of WPAN.
  • a coordinator is the central manager in the WPAN, and its functions include the establishment of the WPAN, inter-device communication and security management; it has strong storage capacity and information processing capability;
  • the functions of the routing node include establishing routing and forwarding data;
  • the end node is typically a user equipment and is the destination for the arrival of information and services.
  • the WPAN includes the parent node and the child node:
  • the first node that establishes a connection with the device is the parent node of the device, and the device is the corresponding child node;
  • the parent node assigns a network address to the child node,
  • the node saves the network address of the parent node;
  • a parent node in the WPAN can have multiple child nodes, but a child node can only have one parent node.
  • Both the parent node and the child node are relative concepts. The same device can be the parent node of one device and the child node of another device.
  • a basic service is authentication, that is, the process by which the mobile communication network verifies the legitimacy of the user's identity when the user accesses the mobile communication network through these wireless access networks. After the authentication is completed, the mobile communication network can authorize the user to access network resources and perform billing management.
  • the authentication system mainly consists of three functional entities: an authentication server, usually an AAA server (authentication, authorization, and accounting server), which performs the authentication function and is generally located in the mobile communication network; an authenticator, which forwards authentication requests and authentication messages, is a client of the authentication server, and is generally a gateway or a network access point; and a requester (supplicant), i.e., the device requesting access to the mobile communication network.
  • AAA server: authentication, authorization, and accounting server
  • authenticator: forwards authentication requests and authentication messages; a client of the authentication server, generally a gateway or a network access point
  • requester (supplicant): the device requesting access to the mobile communication network
  • the authentication process of the authentication system is usually: a) the requester issues an authentication request, and the authentication process begins; b) the authenticator forwards the authentication request to the authentication server; c) the authenticator passes an authentication message from the authentication server to the requester, such as an identity request message; d) the requester issues the corresponding response message; e) the authenticator passes the response message from the requester to the authentication server; f) the authentication server verifies the identity of the requester based on the response message; g) the authentication server issues the authentication result; h) the authenticator forwards the authentication result to the requester.
  • the c to f steps generally involve the interaction of multiple authentication messages.
  • in the authentication framework, Diameter or RADIUS (remote user dial-in authentication service) is combined with EAP (extensible authentication protocol). Diameter and RADIUS are the core protocols of the authentication system: they define the basic message format and provide a mechanism for reliable transmission. EAP provides a standard mechanism to support multiple authentication methods, and its application as an extension on the Diameter or RADIUS protocol can enhance the security of the authentication system. EAP only represents a protocol framework and does not itself define any authentication method; in practice, EAP-based authentication algorithms such as EAP-SIM and EAP-AKA are used to complete the authentication. EAP-SIM is an authentication algorithm based on the GSM SIM (Subscriber Identity Module) card, and EAP-AKA is an authentication algorithm based on 3G Authentication and Key Agreement.
  • GSM SIM: Subscriber Identity Module
  • EAP-AKA: an authentication algorithm based on 3G Authentication and Key Agreement
  • the authentication framework includes an authentication message interaction between the requester and the authenticator, and an authentication message interaction between the authenticator and the authentication server.
  • between the authenticator and the authentication server, the EAP data packet is carried by the Diameter or RADIUS protocol; between the requester and the authenticator, the EAP data packet may be carried by a secure transport protocol defined by the access network, such as the EAPOL protocol used in WLAN.
  • the authentication server and the authenticator need to support the Diameter or RADIUS protocol, and the authentication server and the requester need to support the EAP algorithm.
  • in WLAN, the requester is the WLAN terminal;
  • the authenticator is the 802.1X AP, i.e., the WLAN access point;
  • the EAPOL protocol based on the 802.1X framework is used between the WLAN terminal and the WLAN access point;
  • the RADIUS protocol is used between the WLAN access point and the authentication server;
  • the EAP data packet is carried by these two protocols.
  • the 802.1X framework is only applicable to point-to-point connections between terminal devices and access points.
  • WLAN terminal devices to WLAN access points are usually star networks and therefore meet point-to-point connection requirements.
  • WPAN often has multiple topologies.
  • the terminal equipment and the access point are often multi-hop, so the above WLAN authentication system cannot be directly applied to WPAN.
  • the authentication system includes a requester, an authenticator, a primary authenticator, and an authentication server.
  • the authentication process is: the authenticator receives the requester's authentication request; the authenticator creates a state according to the authentication request (i.e., saves the last-hop address and records the address of the authentication requester); the authenticator forwards the authentication request to the primary authenticator, and the primary authenticator forwards the authentication request to the authentication server; the authentication server generates the authentication information and forwards it to the authenticator through the primary authenticator; the authenticator performs authentication according to the authentication information. Further information relating to the above technical solution can be found in U.S. Patent Application Serial No. US20060236377, issued Oct. 19, 2006.
  • in this solution, the devices acting as authenticators are all WLAN terminal devices, and the premise of acting as the authenticator or the primary authenticator is that the device has passed the authentication of the authentication server.
  • devices other than the terminal device generally do not have an identity (such as the UMTS subscriber identity card, USIM) that the mobile communication network can recognize, and thus cannot be authenticated by the mobile communication network. Therefore, in the process of integrating WPAN and mobile communication networks, a new set of authentication mechanisms needs to be established.
  • Embodiments of the present invention provide an authentication method, system, and device for a device accessing a communication network, to solve the problem of authentication when the terminal device requesting authentication and the authenticator are multiple hops apart.
  • An embodiment of the present invention provides an authentication method for a device to access a communication network, including: an authentication management node receiving an authentication request; the authentication management node transmitting the authentication request to an authentication node; and the authentication node and the requesting node exchanging authentication messages through the authentication management node.
  • An embodiment of the present invention further provides an authentication system for a device to access a communication network, including a requesting node, an authentication management node, and an authentication node, where the requesting node is configured to send an authentication request and authentication messages; the authentication management node is configured to receive the authentication request, transmit it to the authentication node, and transmit the authentication messages exchanged between the requesting node and the authentication node; and the authentication node is configured to interact with the authentication server and transmit authentication messages between the authentication management node and the authentication server.
  • the embodiment of the present invention further provides a communication device, configured to manage the authentication process of nodes in a radio access network, including: a receiving unit, configured to receive authentication messages; an encapsulating unit, configured to encapsulate authentication messages from the authentication node; a decapsulating unit, configured to decapsulate authentication messages from the requesting node; and a sending unit, configured to send encapsulated authentication messages to the requesting node and decapsulated authentication messages to the authentication node.
  • the requesting node and the authentication node exchange messages through the authentication management node, so the authentication management node can process the authentication of every node uniformly, which benefits the management of the authentication process and solves the authentication problem when the requesting node and the authentication management node are multiple hops apart. Moreover, the architecture formed by the authentication management node, the authentication node, and the authentication server in the embodiment is consistent with the traditional authentication architecture and can fully support the existing mature authentication mechanisms.
  • FIG. 1 is a simplified diagram of an authentication system in accordance with one embodiment of the present invention.
  • FIG. 2 is a schematic diagram of an authentication process of the authentication system shown in FIG. 1.
  • FIG. 3 is a schematic diagram of the requesting node transmitting an authentication request to the authentication management node in FIG. 2.
  • FIG. 4 is a schematic diagram of an authentication message interaction process between a requesting node and an authentication server.
  • FIG. 5 is a simplified diagram of a structure of a communication device according to an embodiment of the present invention.
  • the embodiment of the present invention provides an authentication system for the device to access the communication network, including the requesting node, the authentication management node, and the authentication node.
  • the requesting node is configured to send an authentication request and an authentication message
  • the authentication management node is configured to receive the authentication request and deliver it to the authentication node, and to deliver the authentication messages during the authentication message interaction between the requesting node and the authentication node;
  • the authentication node is configured to interact with an authentication server to transmit an authentication message between the authentication management node and the authentication server.
  • FIG. 1 is a simplified diagram of an authentication system including a requesting node, a relay node 1, a relay node 2, an authentication management node, an authentication node, and an authentication server, in accordance with an embodiment of the present invention.
  • the requesting node is the initiator of the authentication request, and is generally a terminal device that the mobile communication network can recognize, such as a UE (User Equipment); the requesting node supports the related authentication protocols, such as EAP-SIM and EAP-AKA.
  • the authentication management node is responsible for encapsulating or decapsulating the authentication message, transmitting the processed authentication message, and formulating and managing the security policy of the authentication channel; it also records the authentication result of all requesting nodes in the WPAN, so as to facilitate centralized monitoring of each node in the wireless access network. Considering the powerful processing capability of the coordinator within the WPAN and its status as the central manager, the coordinator is preferred as the authentication management node.
  • the relay node may be one or more relay nodes between the requesting node and the authentication management node, which are determined by the specific network topology.
  • the relay node is usually a routing node within the WPAN and is used to forward the authentication message.
  • the authentication message is transparent to the relay node, so the relay node only needs to pass the intra-network authentication of the WPAN to ensure security.
  • the relay node supports the existing point-to-point authentication mechanism in the WPAN, such as the entity authentication mechanism.
  • the authentication node acts as a client of the authentication server and processes and forwards the authentication message.
  • the authentication node supports the authentication protocol used by the authentication server, such as the Diameter protocol or the RADIUS protocol, also supports the authentication protocol used by the authentication management node, and supports the conversion between the two protocols.
  • the authentication node can be the gateway of the WPAN.
  • the authentication server is located in the mobile communication network and is used to perform the authentication algorithm and verify the identity of the requesting node.
  • the authentication server can be a Diameter server or a RADIUS server.
  • the relationship between the authentication management node, the authentication node, and the authentication server conforms to the authentication framework consisting of the requester, the authenticator, and the authentication server in the existing authentication system. That is to say, the authentication node is equivalent to the authenticator, and from the perspective of the authentication node, the authentication request is sent from the authentication management node, and the authentication management node is equivalent to the requester in the existing authentication system.
  • the embodiment of the invention further provides an authentication method for a device to access a communication network, comprising: the authentication management node receiving an authentication request;
  • the authentication management node transmits the authentication request to the authentication node
  • the authentication node interacts with the requesting node through the authentication management node.
  • FIG. 2 is a schematic diagram of an authentication process of the authentication system shown in FIG. 1, specifically:
  • 201. the requesting node sends an authentication request to the authentication management node along the preset authentication channel.
  • 202. the authentication management node sends the authentication request to the authentication node.
  • 203. the authentication management node, the authentication node, and the authentication server exchange authentication messages according to a certain protocol, such as the EAP-SIM protocol or the EAP-AKA protocol. Meanwhile, the authentication management node and the requesting node exchange authentication messages, including those relayed from the authentication server, through the preset authentication channel.
  • 204. the authentication management node records the authentication result.
  • 205. the authentication management node notifies the requesting node of the authentication result.
  • Step 201 further includes several steps as shown in FIG. 3:
  • 301. the requesting node sends an authentication request to the relay node 1, where the authentication request is carried by a protocol packet defined by the WPAN; the packet includes the authentication packet identifier (indicating that the packet is used for authentication), the requesting node address, and an identifier representing the current authentication process.
  • 302. the relay node 1 identifies the authentication request, enters the authentication state, and records the addresses of the requesting node and the last-hop node. This record can be kept by establishing an authentication routing table. Since the requesting node and the last-hop node are the same in this step, only the requesting node address needs to be recorded.
  • when a relay node in this embodiment is in the authentication state, it pauses the processing of other services and receives and processes only the authentication messages related to the current authentication process.
  • 303. the relay node 1 forwards the authentication request to the relay node 2; if the next-hop node of the relay node 1 is the authentication management node, there is no relay node 2;
  • 304. the relay node 2 identifies the authentication request, enters the authentication state, and records the addresses of the requesting node and the last-hop node, for example by establishing an authentication routing table including the requesting node address and the relay node 1 address;
  • 305. the relay node 2 forwards the authentication request to the authentication management node.
  • 306. the authentication management node identifies the authentication request, records the addresses of the requesting node and the last-hop node (for example, by establishing an authentication routing table including the requesting node address and the address of the relay node 2), and creates an authentication information storage space for the requesting node; the storage space is used to save the requesting node address, the authentication result (authentication success or authentication failure), and the authorization information;
  • 307. the authentication management node formulates a security policy, such as a preset key algorithm.
  • the neighboring nodes on the authentication channel have a parent-child relationship, that is, in the direction from the requesting node to the authentication management node, the next-hop node is the parent node of the previous-hop node.
  • the relay node 1 is the parent node of the request node
  • the relay node 2 is the parent node of the relay node 1
  • the authentication management node is the parent node of the relay node 2. Since the child node stores the address of the parent node and the parent node is unique, no route needs to be established when the child node delivers a message to the parent node, which benefits the fast delivery of the message compared with an arbitrarily chosen authentication channel.
  • otherwise the requesting node needs to look up the routing table before issuing the authentication request. If no routing table entry for the authentication management node is found, the requesting node needs to establish a route to the authentication management node; during route establishment, each previous-hop node needs to select the next-hop node and record its address, so that the same path can be followed during the subsequent authentication message interaction.
  • both the relay node 1 and the relay node 2 are nodes that have been authenticated by the authentication management node.
  • the requesting node and the authentication management node may also have no relay node, and the requesting node directly sends an authentication request to the authentication management node, and steps 302, 303, 304, and 305 are not required.
  • The detailed steps of step 203 are as shown in FIG. 4:
  • the EAP-AKA authentication protocol is used among the authentication management node, the authentication node, and the authentication server.
  • 401. the authentication node sends an EAP request to the authentication management node, requesting the identity identifier.
  • 402. the authentication management node encapsulates the EAP request packet into a WPAN authentication packet and encrypts it according to the security policy.
  • 403. the authentication management node delivers the encapsulated WPAN authentication packet to the requesting node through the preset authentication channel; relay nodes may forward it in the middle;
  • 404. after receiving the WPAN authentication packet, the requesting node decrypts and decapsulates it, identifies the EAP request packet, encapsulates an EAP response packet containing the identity information into a WPAN authentication packet according to the EAP request, and encrypts it according to the security policy;
  • 405. the requesting node delivers the WPAN authentication packet to the authentication management node through the preset authentication channel; relay nodes may forward it in the middle;
  • 406. the authentication management node decrypts and decapsulates the received WPAN authentication packet and extracts the identity information.
  • 407. the authentication management node transmits an EAP response (authentication information response) containing the identity information to the authentication node.
  • 408. the authentication node forwards the EAP response to the authentication server.
  • 409. the authentication server sends an EAP request (authentication information request) containing the AKA challenge information to the authentication node.
  • 410. the authentication node forwards the EAP request to the authentication management node.
  • 411. the authentication management node encapsulates the EAP request packet into a WPAN authentication packet and encrypts it according to the security policy.
  • 412. the authentication management node delivers the encapsulated WPAN authentication packet to the requesting node through the preset authentication channel; relay nodes may forward it in the middle;
  • 413. after receiving the WPAN authentication packet, the requesting node decrypts and decapsulates it, identifies the EAP request packet, encapsulates an EAP response packet containing the AKA response information into a WPAN authentication packet according to the EAP request, and encrypts it according to the security policy;
  • 414. the requesting node delivers the WPAN authentication packet to the authentication management node through the preset authentication channel; relay nodes may forward it in the middle;
  • 415. the authentication management node decrypts and decapsulates the received WPAN authentication packet and extracts the AKA response information.
  • 416. the authentication management node passes the EAP response including the AKA response information to the authentication node.
  • 417. the authentication node forwards the EAP response to the authentication server.
  • 418. the authentication server sends the authentication result. For example, when the authentication succeeds, the EAP Success message is returned and is transmitted to the authentication management node by the authentication node.
  • the information contained in each authentication message that the authentication node passes to the authentication management node may be collectively referred to as request information, such as the information in the EAP request and the AKA challenge information; the information contained in each authentication message that the requesting node transmits to the authentication management node may be collectively referred to as response information, such as the identity information and the AKA response information.
  • the embodiment of the invention further provides a communication device for managing the authentication process of each node in the radio access network, including encapsulating and decapsulating the authentication message, and transmitting the authentication message, and may also include formulating and managing the security policy of the authentication channel.
  • the communication device includes a transmitting unit 501, a packaging unit 502, a receiving unit 503, and a decapsulation unit 504.
  • the sending unit 501 passes the authentication request to the authentication server through the authentication node. After receiving the authentication request, the authentication server generates an authentication message containing the request information of the authentication server, which is transmitted to the receiving unit 503 of the authentication management node through the authentication node.
  • the encapsulating unit 502 encapsulates the authentication message, and the sending unit 501 then sends it to the requesting node. The requesting node returns an encapsulated authentication message to the communication device, containing the response information of the requesting node; the message is received by the receiving unit 503 of the communication device and then decapsulated by the decapsulation unit 504.
  • the communication device further includes an authentication result storage unit 505, which stores the authentication result after the receiving unit 503 receives the authentication result sent by the authentication server through the authentication node.
  • a fixed node, the authentication management node, is selected as the communication device to centrally process and manage the authentication of all requesting nodes in the WPAN, which benefits the management and monitoring of the authentication status.
  • the authentication system structure formed by the authentication management node, the authentication node, and the authentication server is consistent with the traditional authentication architecture, can fully support the existing mature authentication mechanisms, requires only small changes to the mobile communication network, and has relatively strong portability and scalability.
  • the authentication channel between the requesting node and the authentication management node simplifies the process of establishing a route between the requesting node and the authentication management node.
  • the authentication channel formed by the node of the preferred parent-child relationship is more beneficial to ensure network security and stability.
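The FIG. 3 procedure above (request carried up the parent chain, relays entering the authentication state and recording requester and last hop, the management node opening a per-requester store) is easier to reason about when run. The following is an added simulation, not the patent's or Huawei's code; the node addresses, the value of the authentication packet identifier and the registry used to walk the path back down are all constructed. The reverse walk at the end is what the later FIG. 4 messages rely on: with the last-hop entries in place, no route discovery is needed in either direction, and the no-relay case (steps 302 to 305 skipped) falls out of the same code.

```python
"""Constructed simulation of the FIG. 3 request path (not the patent's own code).
A requesting node sends a WPAN authentication packet up the parent chain; each relay
enters the authentication state and records (requester, last hop) in an authentication
routing table, and the authentication management node (AMN) records the same entry and
opens an authentication information store. The reverse walk shows why those tables let
later messages reach the requester without any route discovery. Addresses and the
packet-identifier value are made up."""

AUTH_PACKET_ID = 0x7A   # assumed value for the WPAN "authentication packet identifier"
NODES = {}              # constructed registry: address -> node, used for the reverse walk


class WpanAuthPacket:
    """WPAN protocol packet carrying an authentication request."""
    def __init__(self, requester, process_id, payload=b""):
        self.packet_id = AUTH_PACKET_ID   # marks the packet as an authentication packet
        self.requester = requester        # address of the requesting node
        self.process_id = process_id      # identifies this authentication process
        self.payload = payload            # authentication data, opaque to relays


class Node:
    def __init__(self, addr, parent=None):
        self.addr = addr
        self.parent = parent      # a child node has exactly one parent
        self.auth_routes = {}     # process_id -> (requester addr, last-hop addr)
        NODES[addr] = self


class RelayNode(Node):
    def __init__(self, addr, parent=None):
        super().__init__(addr, parent)
        self.in_auth_state = False

    def receive_upstream(self, pkt, last_hop):
        if pkt.packet_id != AUTH_PACKET_ID:
            return []        # ordinary traffic is not part of the authentication channel
        # steps 302/304: enter the authentication state, record requester and last hop
        self.in_auth_state = True
        self.auth_routes[pkt.process_id] = (pkt.requester, last_hop)
        # steps 303/305: forward to the parent; it is unique, so no route lookup is needed
        return [self.addr] + self.parent.receive_upstream(pkt, self.addr)


class AuthManagementNode(Node):
    def __init__(self, addr):
        super().__init__(addr)
        self.auth_info = {}   # requester addr -> {"result": ..., "authorization": ...}

    def receive_upstream(self, pkt, last_hop):
        if pkt.packet_id != AUTH_PACKET_ID:
            return []
        # record the route and create the per-requester authentication information store
        self.auth_routes[pkt.process_id] = (pkt.requester, last_hop)
        self.auth_info.setdefault(pkt.requester, {"result": None, "authorization": None})
        return [self.addr]


def send_auth_request(requester, process_id):
    """The requesting node hands the packet to its parent; returns the upstream path."""
    pkt = WpanAuthPacket(requester.addr, process_id)
    return [requester.addr] + requester.parent.receive_upstream(pkt, requester.addr)


def downstream_path(amn, process_id):
    """Follow the recorded last-hop entries from the AMN back to the requesting node."""
    requester, _ = amn.auth_routes[process_id]
    path, node = [amn.addr], amn
    while node.addr != requester:
        _, last_hop = node.auth_routes[process_id]
        path.append(last_hop)
        node = NODES[last_hop]
    return path


def build_chain(n_relays):
    """Construct requester -> R1 .. Rn -> AMN; n_relays = 0 is the no-relay case."""
    parent = AuthManagementNode("AMN")
    amn = parent
    for i in range(n_relays, 0, -1):
        parent = RelayNode(f"R{i}", parent)
    return Node(f"UE-{n_relays}", parent), amn


if __name__ == "__main__":
    ue, amn = build_chain(2)
    print(send_auth_request(ue, 1))   # ['UE-2', 'R1', 'R2', 'AMN']
    print(downstream_path(amn, 1))    # ['AMN', 'R2', 'R1', 'UE-2']
```

The relays never inspect the payload, which matches the statement that the authentication message is transparent to them; what they do need is to be already authenticated within the WPAN, since a relay that has entered the authentication state is trusted to forward the exchange faithfully. Two things worth checking in a real implementation that this toy version omits: an entry in the authentication routing table should be bounded by a timeout so that an abandoned process does not leave the relay parked in the authentication state, and the process identifier should be unique per requester so that concurrent authentications through the same relay do not overwrite each other's entries.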


Abstract

A method and system for authenticating apparatus access to a communication network are provided. According to the method and system, an authentication management node receives an authentication request from a request node, then the authentication management node sends the authentication request to an authentication node acting as client of an authentication server; after initiating the authentication process, an authentication message communication between the authentication node and the request node is performed through the authentication management node. Additionally, a communication device for managing an authentication process of all nodes in a radio access network is also provided.
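The message flow of FIG. 4, in which every EAP packet crosses the WPAN inside an encrypted WPAN authentication packet built by the authentication management node while the authentication node talks the AAA protocol to the server, can be exercised end to end with the added example below. It is not the patent's or Huawei's code. Two stand-ins are used so that it runs on the Python standard library and both are labelled in the code: the "preset key algorithm" of the security policy is modelled as a SHA-256 keystream with an HMAC-SHA256 integrity tag, and the AKA challenge/response is modelled as an HMAC over RAND rather than the real AKA functions. The channel key, identities and long-term keys are constructed values. Relay nodes are left out because the packet is opaque to them.

```python
"""Constructed walk-through of the FIG. 4 exchange (not the patent's or Huawei's code).
The authentication node starts EAP, the server issues an AKA-style challenge, and every EAP
packet crosses the WPAN inside a WPAN authentication packet that the authentication management
node (AMN) encrypts under the preset security policy. Stand-ins used so it runs on the standard
library: a SHA-256 keystream with an HMAC-SHA256 tag for the "preset key algorithm", and an
HMAC over RAND for the AKA challenge/response instead of the real AKA functions."""
import hashlib, hmac, json, os

CHANNEL_KEY = b"constructed-preset-channel-key"   # assumed key shared by AMN and requester


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key, data):
    """Stand-in for the security policy: keystream XOR plus an HMAC-SHA256 integrity tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("WPAN authentication packet failed the integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def encapsulate(eap, requester_addr, process_id):
    """Wrap an EAP packet (dict) into an encrypted WPAN authentication packet."""
    return {"auth_pkt": True, "requester": requester_addr, "process_id": process_id,
            "payload": encrypt(CHANNEL_KEY, json.dumps(eap).encode()).hex()}


def decapsulate(wpan_pkt):
    """Verify, decrypt and unwrap the carried EAP packet; raises ValueError on tampering."""
    if not wpan_pkt.get("auth_pkt"):
        raise ValueError("not an authentication packet")
    return json.loads(decrypt(CHANNEL_KEY, bytes.fromhex(wpan_pkt["payload"])))


def integrity_ok(wpan_pkt):
    try:
        decapsulate(wpan_pkt)
        return True
    except ValueError:
        return False


class AuthServer:
    """Constructed AAA server holding each subscriber's long-term key K."""
    def __init__(self, subscribers):
        self.subscribers, self.pending = subscribers, {}

    def handle(self, eap):
        if eap["subtype"] == "Identity":        # issue the AKA challenge as an EAP request
            rand = os.urandom(16)
            k = self.subscribers.get(eap["identity"], b"")
            self.pending[eap["identity"]] = hmac.new(k, rand, hashlib.sha256).digest()[:8]
            return {"code": "Request", "subtype": "Challenge", "identity": eap["identity"], "rand": rand.hex()}
        expected = self.pending.pop(eap["identity"], None)   # verify the AKA response
        ok = expected is not None and hmac.compare_digest(expected, bytes.fromhex(eap["res"]))
        return {"code": "Success" if ok else "Failure", "subtype": "Result"}


class AuthNode:
    """Client of the authentication server: converts the EAP carrier to AAA-style attributes and back."""
    def __init__(self, server):
        self.server = server

    def start(self):
        return {"code": "Request", "subtype": "Identity"}   # first message: ask for the identity

    def forward(self, eap):
        aaa_request = {"User-Name": eap["identity"], "EAP-Message": json.dumps(eap)}  # RADIUS/Diameter-like
        return self.server.handle(json.loads(aaa_request["EAP-Message"]))


class RequestingNode:
    def __init__(self, addr, identity, k):
        self.addr, self.identity, self.k = addr, identity, k

    def handle(self, eap):
        if eap["subtype"] == "Identity":
            return {"code": "Response", "subtype": "Identity", "identity": self.identity}
        res = hmac.new(self.k, bytes.fromhex(eap["rand"]), hashlib.sha256).digest()[:8]
        return {"code": "Response", "subtype": "Challenge", "identity": self.identity, "res": res.hex()}


def run_authentication(requester, auth_node, process_id=1):
    """The AMN's view of the exchange: returns the recorded result and a per-hop transcript."""
    transcript, eap = [], auth_node.start()
    while eap["code"] == "Request":
        wpan = encapsulate(eap, requester.addr, process_id)          # AMN -> (relays) -> requester
        transcript.append(("AMN->UE", eap["subtype"]))
        reply = requester.handle(decapsulate(wpan))                  # requester decrypts and answers
        eap = decapsulate(encapsulate(reply, requester.addr, process_id))   # requester -> (relays) -> AMN
        transcript.append(("UE->AMN", eap["subtype"]))
        eap = auth_node.forward(eap)                                  # AMN -> auth node -> AAA server
        transcript.append(("AAA->AMN", eap["code"]))
    auth_info = {requester.addr: {"result": eap["code"]}}            # AMN records the result
    return auth_info[requester.addr]["result"], transcript
```

The transcript makes the division of labour visible: the management node only ever encapsulates, decapsulates and records, the authentication node only converts carriers, and the secret-bearing computation happens at the two ends. The integrity tag on the WPAN packet is the part the patent's "security policy" leaves to the implementer; without it a modified challenge would be decrypted and answered, so `integrity_ok` is the check a deployment should keep even if a different cipher is chosen.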

Description

设备接入通信网络的认证方法、 系统及设备  Authentication method, system and device for device accessing communication network
技术领域 Technical field
本发明涉及通信领域, 尤其涉及设备接入通信网络的认证技术。  The present invention relates to the field of communications, and in particular, to an authentication technology for a device to access a communication network.
背景技术 Background technique
WPAN ( wi re les s per sona l area ne twork , 无线个人域网络) , 是相对 于无线广域网 (WWAN ) 、 无线城域网 (WMAN ) 、 无线局域网 (WLAN )等无线 网络而言的一个概念, 指由近距离范围内的设备组成的网络, 典型的通信距 离为 10米。 WP AN内的设备可以使用蓝牙(Blue tooth )、超宽带(而 B )或 Z i gBee 等技术进行通信。  WPAN (Wi re les s per sona l area ne twork , wireless personal area network) is a concept compared to wireless networks such as wireless wide area network (WWAN), wireless metropolitan area network (WMAN), and wireless local area network (WLAN). Refers to a network of devices in close range, with a typical communication distance of 10 meters. Devices within the WP AN can communicate using technologies such as Bluetooth (Blue tooth), Ultra Wide Band (and B) or Z i gBee.
WP AN的网络结构相对复杂, 包括星形、 树形和网状(me sh )等多种网络 结构。 多跳、 自组织是 WPAN的主要特征。 WPAN内的设备包括三种: 协调者、 路由节点和末端节点。其中, 协调者是 WP AN内的中心管理者, 其功能包括 WPAN 的建立、 设备间通信以及安全的管理, 具有较强的存储能力和信息处理能力; 路由节点的功能包括建立路由和转发数据; 末端节点一般为用户设备, 是信 息和业务到达的终点。  The network structure of WP AN is relatively complex, including various network structures such as star, tree and mesh. Multi-hop and self-organization are the main features of WPAN. There are three types of devices in a WPAN: a coordinator, a routing node, and an end node. Among them, the coordinator is the central manager in the WP AN, and its functions include the establishment of WPAN, inter-device communication and security management, with strong storage capacity and information processing capability; the functions of the routing node include establishing routing and forwarding data; The end node is typically a user equipment and is the destination for the arrival of information and services.
WPAN中包括父节点和子节点: 设备加入 WPAN时, 第一个与该设备建立连 接的节点就是该设备的父节点, 该设备就是相应的子节点; 父节点会为子节 点分配一个网络地址, 子节点会保存父节点的网络地址; WPAN中一个父节点 可以拥有多个子节点, 但一个子节点只能拥有一个父节点。 父节点和子节点 都是相对的概念, 同一设备可以是某一设备的父节点同时又是另一设备的子 节点。  The WPAN includes the parent node and the child node: When the device joins the WPAN, the first node that establishes a connection with the device is the parent node of the device, and the device is the corresponding child node; the parent node assigns a network address to the child node, The node saves the network address of the parent node; a parent node in the WPAN can have multiple child nodes, but a child node can only have one parent node. Both the parent node and the child node are relative concepts. The same device can be the parent node of one device and the child node of another device.
In the convergence of wireless access networks such as WPAN and WLAN with mobile communication networks, one basic service is authentication, that is, the process by which the mobile communication network verifies the legitimacy of a user's identity when the user accesses the mobile network through one of these wireless access networks. Only after authentication is complete can the mobile communication network authorize the user to access network resources and perform accounting. An authentication system mainly comprises three functional entities: the authentication server, usually an AAA server (authentication, authorization and accounting server), which performs the authentication function and is generally located in the mobile communication network; the authenticator, which relays authentication requests and authentication messages, is a client of the authentication server, and is generally a gateway or a network access point; and the supplicant, i.e. the device requesting access to the mobile communication network.

The authentication process of this system is usually: a) the supplicant sends an authentication request and the authentication process begins; b) the authenticator forwards the authentication request to the authentication server; c) the authenticator relays an authentication message from the authentication server, for example an identity request, to the supplicant; d) the supplicant sends the corresponding response; e) the authenticator relays the supplicant's response to the authentication server; f) the authentication server verifies the supplicant's identity on the basis of the response; g) the authentication server issues the authentication result; h) the authenticator forwards the authentication result to the supplicant. In this process, steps c to f generally involve several rounds of authentication message exchange.
As the authentication framework, a combination of Diameter or RADIUS (Remote Authentication Dial-In User Service) with EAP (Extensible Authentication Protocol) is usually adopted. Diameter and RADIUS are the core protocols of the authentication system; they define the basic message formats and provide a mechanism for reliable transport. EAP provides a standard mechanism for supporting multiple authentication methods, and applying it as an extension over Diameter or RADIUS strengthens the security of the authentication system. EAP is only a protocol framework and does not itself define any authentication method; in practice an EAP-based authentication algorithm such as EAP-SIM or EAP-AKA is used to complete authentication. EAP-SIM is an authentication algorithm based on the GSM SIM (Subscriber Identity Module) card, and EAP-AKA is an authentication algorithm based on 3G AKA (Authentication and Key Agreement).
A single authentication procedure includes authentication message exchange between the supplicant and the authenticator as well as between the authenticator and the authentication server. Specifically, between the authentication server and the authenticator the EAP packets are carried by the Diameter or RADIUS protocol; between the supplicant and the authenticator the EAP packets may be carried by a secure transport protocol defined by the access network, such as the EAPOL protocol used in WLANs. In terms of entity requirements, the authentication server and the authenticator must support Diameter or RADIUS, and the authentication server and the supplicant must support the EAP algorithm.

Take the authentication system for WLAN and 3G network interworking as an example. It comprises the supplicant (the WLAN terminal), the authenticator, i.e. the 802.1X AP (the WLAN access point), and the authentication server. The EAPOL protocol based on the 802.1X framework is used between the WLAN terminal and the WLAN access point, the RADIUS protocol is used between the WLAN access point and the authentication server, and EAP packets are carried by these two protocols.
The 802.1X framework applies only to point-to-point connections between a terminal device and an access point. WLAN terminals and WLAN access points usually form a star network, which satisfies the point-to-point requirement. A WPAN, however, often has a variety of topologies, and there are often multiple hops between a terminal device and the access point, so the WLAN authentication system described above cannot be applied directly to a WPAN.
Simple authentication mechanisms do exist within a WPAN. For example, in the entity authentication mechanism of a ZigBee network, two devices in the WPAN can authenticate each other using information such as addresses and keys, but this mechanism too applies only to point-to-point message authentication.
The prior art also includes an authentication method and system for a device accessing a mobile communication network in a multi-hop manner. That authentication system comprises a supplicant, an authenticator, a primary authenticator and an authentication server. The authentication process is: the authenticator receives the supplicant's authentication request; the authenticator creates a state for the request (i.e. stores the previous-hop address and records the address of the requesting supplicant); the authenticator forwards the authentication request to the primary authenticator, and the primary authenticator forwards it to the authentication server; the authentication server generates authentication information and forwards it to the authenticator via the primary authenticator; the authenticator performs authentication according to the authentication information. Further information related to this technical solution can be found in US patent application publication No. US20060236377 (published 19 October 2006).
In the above solution, the devices acting as authenticators are all WLAN terminal devices, and the precondition for acting as an authenticator or primary authenticator is having already been authenticated by the authentication server. In a WPAN, however, devices other than terminal devices generally do not possess an identity that the mobile communication network can recognize (such as a UMTS subscriber identity module, USIM), and so cannot be authenticated by the mobile communication network. Therefore a new authentication mechanism needs to be established for the convergence of WPAN and mobile communication networks.
Summary of the Invention
Embodiments of the present invention provide an authentication method, system and device for a device accessing a communication network, in order to solve the authentication problem when there are multiple hops between the terminal device requesting authentication and the authenticator.
An embodiment of the present invention provides an authentication method for a device accessing a communication network, comprising: an authentication management node receives an authentication request; the authentication management node passes the authentication request to an authentication node; and the authentication node and the requesting node exchange authentication messages via the authentication management node.
An embodiment of the present invention further provides an authentication system for a device accessing a communication network, comprising a requesting node, an authentication management node and an authentication node. The requesting node is configured to send an authentication request and authentication messages; the authentication management node is configured to receive the authentication request, pass it to the authentication node, and relay authentication messages during the message exchange between the requesting node and the authentication node; the authentication node is configured to interact with the authentication server and relay authentication messages between the authentication management node and the authentication server.
An embodiment of the present invention further provides a communication device for managing the authentication process of nodes in a wireless access network, comprising: a receiving unit for receiving authentication messages; an encapsulation unit for encapsulating authentication messages from the authentication node; a decapsulation unit for decapsulating authentication messages from the requesting node; and a sending unit for sending the authentication messages encapsulated by the encapsulation unit to the requesting node and sending the authentication messages decapsulated by the decapsulation unit to the authentication node.
According to the embodiments of the present invention, the requesting node exchanges messages with the authentication node through the authentication management node, so the authentication management node can handle the authentication of every node in a unified way. This facilitates management of the authentication process and solves the authentication problem when the requesting node and the authentication management node are multiple hops apart. Moreover, the architecture formed by the authentication management node, the authentication node and the authentication server is consistent with the conventional authentication architecture and can fully support existing, mature authentication mechanisms.
Brief Description of the Drawings
Fig. 1 is a simplified diagram of an authentication system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the authentication flow of the authentication system shown in Fig. 1;
Fig. 3 is a schematic diagram of the requesting node passing an authentication request to the authentication management node in Fig. 2;
Fig. 4 is a schematic diagram of the authentication message exchange between the requesting node and the authentication server;

Fig. 5 is a simplified structural diagram of a communication device according to an embodiment of the present invention.
Detailed Description

In order to solve the authentication problem when there are multiple hops between the terminal device requesting authentication and the authenticator, an embodiment of the present invention provides an authentication system for a device accessing a communication network, comprising a requesting node, an authentication management node and an authentication node, wherein:
the requesting node is configured to send an authentication request and authentication messages;
the authentication management node is configured to receive the authentication request, pass it to the authentication node, and relay authentication messages during the message exchange between the requesting node and the authentication node;
the authentication node is configured to interact with the authentication server and relay authentication messages between the authentication management node and the authentication server.
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below, taking a WPAN as an example and with reference to the drawings.
Fig. 1 is a simplified diagram of an authentication system according to an embodiment of the present invention, comprising a requesting node, relay node 1, relay node 2, an authentication management node, an authentication node and an authentication server.
The requesting node is the initiator of the authentication request and is generally a terminal device that the mobile communication network can recognize, for example a UE (user equipment); the requesting node supports the relevant authentication protocols, such as EAP-SIM and EAP-AKA. The authentication management node is responsible for encapsulating and decapsulating authentication messages and relaying the processed messages; it may also define and manage the security policy of the authentication channel, and may record the authentication results of all requesting nodes in the WPAN so that every node in the wireless access network can be monitored centrally. Given the coordinator's strong processing capability and its role as the central manager of the WPAN, the coordinator is preferably chosen as the authentication management node.
There may be one or more relay nodes between the requesting node and the authentication management node, depending on the specific network topology. A relay node is usually a routing node of the WPAN and forwards authentication messages. Authentication messages are transparent to relay nodes, so a relay node only needs to pass the WPAN's own intra-network authentication to guarantee security. Relay nodes support the point-to-point authentication mechanisms that already exist in the WPAN, such as entity authentication.
The authentication node acts as the client of the authentication server and processes and forwards authentication messages. It supports the authentication protocol used by the authentication server, such as Diameter or RADIUS, as well as the authentication protocol used by the authentication management node, and supports message conversion between the two. The authentication node may be the gateway of the WPAN.
The authentication server is located in the mobile communication network; it executes the authentication algorithm and verifies the identity of the requesting node. The authentication server may be a Diameter server or a RADIUS server.
The relationship among the authentication management node, the authentication node and the authentication server conforms to the supplicant/authenticator/authentication server framework of existing authentication systems. That is, the authentication node corresponds to the authenticator, and from the authentication node's point of view the authentication request originates from the authentication management node, so the authentication management node corresponds to the supplicant of the existing authentication system.
An embodiment of the present invention further provides an authentication method for a device accessing a communication network, comprising:

the authentication management node receives an authentication request;
the authentication management node passes the authentication request to the authentication node;
the authentication node and the requesting node exchange authentication messages via the authentication management node.
Embodiments of the present invention are described in further detail below, taking a WPAN as an example and with reference to the drawings.

Fig. 2 is a schematic diagram of the authentication flow of the authentication system shown in Fig. 1, specifically:
201. The requesting node passes an authentication request to the authentication management node along a preset authentication channel;
202. On receiving the authentication request, the authentication management node passes it to the authentication node;
203. The authentication management node, the authentication node and the authentication server exchange authentication messages according to a given protocol, for example EAP-SIM or EAP-AKA; at the same time, the authentication management node and the requesting node exchange authentication messages over the preset authentication channel, including the authentication server
204. The authentication management node records the authentication result;
205. The authentication management node notifies the requesting node of the authentication result.
Step 201 in turn comprises the steps shown in Fig. 3:
301. The requesting node sends an authentication request to relay node 1. The request is carried in a protocol message defined by the WPAN; the message contains an authentication message identifier (indicating that the message is used for authentication), the address of the requesting node, and an identifier representing this authentication procedure.

302. Relay node 1 recognizes the authentication request, enters the authentication state, and records the addresses of the requesting node and of the previous-hop node. This record can be implemented by building an authentication routing table. Since the requesting node and the previous-hop node are the same here, only the requesting node's address needs to be recorded in this step. While a relay node of this embodiment is in the authentication state it suspends the processing of other services and receives and processes the authentication messages related to this authentication procedure.
303. Relay node 1 forwards the authentication request to relay node 2; if the next hop of relay node 1 is the authentication management node, there is no relay node 2;
304. Relay node 2 recognizes the authentication request, enters the authentication state, and records the addresses of the requesting node and the previous-hop node, for example by building an authentication routing table containing the requesting node's address and the address of relay node 1;
305. Relay node 2 forwards the authentication request to the authentication management node;
306. The authentication management node recognizes the authentication request, records the addresses of the requesting node and the previous-hop node, for example by building an authentication routing table containing the requesting node's address and the address of relay node 2, and creates an authentication information store for the requesting node; this store holds the requesting node's address, the authentication result (authentication success or failure) and authorization information;
307. The authentication management node defines the security policy, for example a preset key algorithm.
It should be noted that when the authentication channel is preset, adjacent nodes are preferably in a parent-child relationship, i.e. in the direction from the requesting node to the authentication management node each next-hop node is the parent of the previous-hop node. For example, relay node 1 is the parent of the requesting node, relay node 2 is the parent of relay node 1, and the authentication management node is the parent of relay node 2. Because a child node stores its parent's address and the parent is unique, a child node needs no route-establishment procedure to pass a message to its parent; compared with an arbitrary authentication channel this favours fast message delivery and gives good security and stability. When adjacent nodes are not in a parent-child relationship, the requesting node must consult its routing table before sending the authentication request; if there is no routing entry for the authentication management node, the requesting node must establish a route to it, and during route establishment each previous-hop node selects a next-hop node and records its address, so that the subsequent authentication message exchange can follow the same path.

In addition, relay node 1 and relay node 2 are both nodes that have already been authenticated by the authentication management node. There may also be no relay node between the requesting node and the authentication management node, in which case the requesting node sends the authentication request directly to the authentication management node and steps 302, 303, 304 and 305 are not needed.
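The following is an added simulation of the preset authentication channel of Fig. 3 (steps 301 to 306); it is illustrative code written for this page, not the patent's own. It shows how each hop records the requester and the previous hop in an authentication routing table while forwarding toward its parent, so that downlink messages can retrace the same path without any route discovery, and it also covers the no-relay case where the requester's parent is the authentication management node itself. The node addresses, the topology and the marker value are assumptions.

```python
"""Preset authentication channel of Fig. 3 (steps 301 to 306), added illustration.
Not the patent's code; node addresses, topology and the marker value are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

AUTH_MARKER = 0x41  # assumed value of the "authentication message" identifier


@dataclass
class AuthRequest:
    marker: int       # marks the frame as an authentication frame
    requester: str    # address of the node that initiated authentication
    session_id: int   # identifier of this authentication procedure


@dataclass
class Node:
    addr: str
    parent: Optional["Node"] = None      # unique parent; the child stores its address
    is_manager: bool = False             # True for the authentication management node
    in_auth_state: bool = False          # relay nodes only (steps 302/304)
    auth_routes: Dict[str, str] = field(default_factory=dict)  # requester -> previous hop
    auth_store: Dict[str, dict] = field(default_factory=dict)  # manager only (step 306)

    def handle_uplink(self, req: AuthRequest, prev_hop: str, path: List[str]) -> None:
        """Recognise the request, record the previous hop, forward to the parent."""
        if req.marker != AUTH_MARKER:
            raise ValueError(f"{self.addr}: not an authentication frame")
        path.append(self.addr)
        self.auth_routes[req.requester] = prev_hop        # authentication routing table entry
        if self.is_manager:
            self.auth_store[req.requester] = {            # step 306: per-requester store
                "session_id": req.session_id, "result": None, "authz": None}
            return
        self.in_auth_state = True                         # steps 302/304
        if self.parent is None:
            raise RuntimeError(f"{self.addr}: no parent, authentication channel is broken")
        self.parent.handle_uplink(req, self.addr, path)   # steps 303/305: forward to parent


def send_auth_request(nodes: Dict[str, Node], requester: str, session_id: int) -> List[str]:
    """Step 301: the requester hands the request to its parent. Returns the hops
    visited, up to and including the authentication management node."""
    path: List[str] = []
    req = AuthRequest(AUTH_MARKER, requester, session_id)
    nodes[requester].parent.handle_uplink(req, requester, path)
    return path


def downlink_path(nodes: Dict[str, Node], manager: str, requester: str) -> List[str]:
    """Retrace the recorded previous-hop entries from the manager back to the requester."""
    path, cur = [manager], manager
    while cur != requester:
        cur = nodes[cur].auth_routes[requester]
        path.append(cur)
    return path


def build_demo_wpan() -> Dict[str, Node]:
    """Constructed topology: R1 -> RN1 -> RN2 -> AMN, and R2 attached directly to AMN."""
    amn = Node("AMN", is_manager=True)
    rn2 = Node("RN2", parent=amn)
    rn1 = Node("RN1", parent=rn2)
    r1 = Node("R1", parent=rn1)
    r2 = Node("R2", parent=amn)
    return {n.addr: n for n in (amn, rn2, rn1, r1, r2)}


if __name__ == "__main__":
    wpan = build_demo_wpan()
    print("uplink  :", send_auth_request(wpan, "R1", 1))
    print("downlink:", downlink_path(wpan, "AMN", "R1"))
    print("no relay:", send_auth_request(wpan, "R2", 2))
```

The routing table each hop keeps is deliberately keyed by requester address only, as in step 302: the previous-hop address is the only state needed to return a message, because the uplink direction is fixed by the parent pointer.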
The detailed steps of step 203 are shown in Fig. 4:
In this embodiment the EAP-AKA authentication protocol is used among the authentication management node, the authentication node and the authentication server.
401. The authentication node sends an EAP request to the authentication management node, requesting an identity;
402. The authentication management node encapsulates the EAP request packet in a WPAN authentication message and encrypts it according to the security policy;
403. The authentication management node passes the encapsulated WPAN authentication message to the requesting node over the preset authentication channel, possibly via relay-node forwarding;
404. On receiving the WPAN authentication message, the requesting node decrypts and decapsulates it, recognizes the EAP request packet, and, in accordance with the EAP request, encapsulates an EAP response packet containing its identity information in a WPAN authentication message encrypted according to the security policy; the message travels back to the authentication management node, possibly via relay-node forwarding;
406. The authentication management node decrypts and decapsulates the received WPAN authentication message and extracts the identity information;
407. The authentication management node passes the EAP response (authentication information response) containing the identity information to the authentication node;
408. The authentication node forwards the EAP response to the authentication server;
409. The authentication server sends an EAP request (authentication information request) containing the AKA challenge to the authentication node;
410. The authentication node forwards the EAP request to the authentication management node;
411. The authentication management node encapsulates the EAP request packet in a WPAN authentication message and encrypts it according to the security policy;

412. The authentication management node passes the encapsulated WPAN authentication message to the requesting node over the preset authentication channel, possibly via relay-node forwarding;
413. On receiving the WPAN authentication message, the requesting node decrypts and decapsulates it, recognizes the EAP request packet, and, in accordance with the EAP request, encapsulates an EAP response packet containing the AKA response in a WPAN authentication message encrypted according to the security policy; the message travels back to the authentication management node, possibly via relay-node forwarding;
415. The authentication management node decrypts and decapsulates the received WPAN authentication message and extracts the AKA response;
416. The authentication management node passes the EAP response containing the AKA response to the authentication node;
417. The authentication node forwards the EAP response to the authentication server;
418 and 419. The authentication server sends the authentication result, for example an EAP Success message when authentication succeeds, and the EAP Success message is passed to the authentication management node via the authentication node.
In steps 401 to 417, the information contained in the authentication messages passed from the authentication node to the authentication management node may collectively be called request information, for example the contents of the EAP requests and the AKA challenge; the information contained in the authentication messages passed from the requesting node to the authentication management node may collectively be called response information, for example the identity information and the AKA response.
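The exchange of steps 401 to 419 at message level, as an added illustration that is not the patent's or any product's code: EAP packets (RFC 3748 framing, with the Identity and EAP-AKA type codes) are carried inside WPAN authentication frames that the authentication management node encrypts under the security policy of step 307 and decrypts on the way back, while the EAP packets themselves travel unchanged toward the authentication node. The WPAN frame layout, the keystream cipher standing in for the "preset key algorithm", and the modelling of AKA as RES = HMAC(secret, RAND) are all assumptions chosen for the demo; the subscriber database is constructed.

```python
"""EAP-in-WPAN exchange of Fig. 4 (steps 401 to 419), added illustration.
Not the patent's code: frame layout, cipher and AKA stand-in are assumptions."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_AKA = 1, 23   # RFC 3748 Identity, RFC 4187 EAP-AKA
WPAN_AUTH_MARKER = 0x41                   # assumed authentication-frame identifier


def eap_pack(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code | Identifier | Length | [Type | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        return code, ident, pkt[4], pkt[5:]
    return code, ident, None, b""          # Success/Failure carry no Type


class SecurityPolicy:
    """Stand-in for the preset key algorithm of step 307: encrypt-then-MAC using an
    HMAC-SHA256 keystream. Illustrative only; a deployment would use a standard AEAD."""
    def __init__(self, key):
        self.enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce, n):
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self.enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, plaintext):
        nonce = os.urandom(12)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()

    def decrypt(self, blob):
        nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("WPAN authentication frame failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def encapsulate(policy, requester_addr, session_id, eap_pkt):
    """Steps 402/411 (and 404/413 at the requester): marker | requester address |
    session id | encrypted EAP packet. Relay nodes forward this frame unchanged."""
    return struct.pack("!BHH", WPAN_AUTH_MARKER, requester_addr, session_id) + policy.encrypt(eap_pkt)


def decapsulate(policy, frame):
    """Steps 404/413 at the requester, 406/415 at the authentication management node."""
    marker, requester_addr, session_id = struct.unpack("!BHH", frame[:5])
    if marker != WPAN_AUTH_MARKER:
        raise ValueError("not a WPAN authentication frame")
    return requester_addr, session_id, policy.decrypt(frame[5:])


def run_exchange(subscribers, identity, secret, channel_key=b"demo-channel-key"):
    """Drive steps 401 to 419 for one requester and return what the management node
    records in step 204. `subscribers` is the server's constructed identity -> secret map."""
    policy = SecurityPolicy(channel_key)
    requester_addr, session_id = 0x0102, 7

    def requester_side(frame):             # steps 404 and 413
        _, _, pkt = decapsulate(policy, frame)
        code, ident, etype, data = eap_unpack(pkt)
        if code != EAP_REQUEST:
            raise ValueError("requester expected an EAP Request")
        if etype == EAP_TYPE_IDENTITY:
            reply = eap_pack(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())
        else:                               # AKA stand-in: RES = HMAC(secret, RAND)
            reply = eap_pack(EAP_RESPONSE, ident, EAP_TYPE_AKA,
                             hmac.new(secret, data, hashlib.sha256).digest()[:16])
        return encapsulate(policy, requester_addr, session_id, reply)

    # 401-407: identity request from the authentication node, tunnelled to the requester
    frame = requester_side(encapsulate(policy, requester_addr, session_id,
                                       eap_pack(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))
    claimed = eap_unpack(decapsulate(policy, frame)[2])[3].decode()
    # 408-416: the server's challenge (RAND stand-in) tunnelled the same way
    rand = os.urandom(16)
    frame = requester_side(encapsulate(policy, requester_addr, session_id,
                                       eap_pack(EAP_REQUEST, 2, EAP_TYPE_AKA, rand)))
    res = eap_unpack(decapsulate(policy, frame)[2])[3]
    # 417-418: the server recomputes RES for the claimed identity and compares
    expected = subscribers.get(claimed)
    ok = expected is not None and hmac.compare_digest(
        res, hmac.new(expected, rand, hashlib.sha256).digest()[:16])
    result = eap_pack(EAP_SUCCESS if ok else EAP_FAILURE, 2)
    # 419 / 204: the management node stores the result for this requester
    return {"addr": requester_addr, "identity": claimed, "authz": None,
            "result": "success" if eap_unpack(result)[0] == EAP_SUCCESS else "failure"}
```

Two points the code makes concrete: the management node never interprets the EAP-AKA payload, it only strips and re-applies the WPAN framing and the channel protection, which is what lets it play the supplicant toward the authentication node; and an integrity failure on the WPAN frame is rejected at decapsulation before any EAP parsing takes place.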
An embodiment of the present invention further provides a communication device for managing the authentication process of the nodes in a wireless access network; this includes encapsulating and decapsulating authentication messages and relaying them, and may also include defining and managing the security policy of the authentication channel. As shown in Fig. 5, the communication device comprises a sending unit 501, an encapsulation unit 502, a receiving unit 503 and a decapsulation unit 504.
During authentication, after the receiving unit 503 receives an authentication request from the requesting node, the sending unit 501 passes the request to the authentication server via the authentication node. On receiving the request, the authentication server generates an authentication message containing the server's request information, which is passed via the authentication node to the receiving unit 503 of the authentication management node; once the message is received, the encapsulation unit 502 encapsulates it and the sending unit 501 sends it to the requesting node. On receiving this message, the requesting node returns an encapsulated authentication message to the communication device containing the requesting node's response information; after this message is received by the receiving unit 503, it is decapsulated by the decapsulation unit.

The communication device further comprises an authentication result storage unit 505, which stores the authentication result after the receiving unit 503 receives it from the authentication server via the authentication node.
在本发明实施例中, 选取一个固定的节点作为上述通信设备, 选取认证 管理节点作为上述通信设备对 WP AN内所有请求节点的认证进行集中处理和管 理, 有利于对认证情况的管理和监控; 并且, 认证管理节点、 认证节点和认 证服务器构成的认证系统架构与传统的认证架构一致, 可以充分支持现有的 成熟认证机制, 对移动通信网络的改动较小, 可移植性和可扩展性较强。 另 外, 预设请求节点与认证管理节点之间的认证通道, 简化了请求节点和认证 管理节点之间建立路由的过程, 优选的父子关系的节点形成的认证通道更有 利于保障网络的安全性和稳定性。  In the embodiment of the present invention, a fixed node is selected as the communication device, and the authentication management node is selected as the communication device to centrally process and manage the authentication of all request nodes in the WP AN, which is beneficial to the management and monitoring of the authentication situation; Moreover, the authentication system structure formed by the authentication management node, the authentication node, and the authentication server is consistent with the traditional authentication architecture, and can fully support the existing mature authentication mechanism, and the changes to the mobile communication network are small, and the portability and scalability are relatively good. Strong. In addition, the authentication channel between the requesting node and the authentication management node simplifies the process of establishing a route between the requesting node and the authentication management node. The authentication channel formed by the node of the preferred parent-child relationship is more beneficial to ensure network security and stability.
附图和相关描述只是为了说明本发明的原理, 并非用于限定本发明的保 护范围, 例如, 本发明也可以适用于与 WPAN具有类似拓朴结构的无线网络。 因此, 凡在本发明的精神和原则之内所作的任何修改、 等同替换、 改进等, 均包含在本发明的保护范围内。  The drawings and the related description are merely illustrative of the principles of the invention and are not intended to limit the scope of the invention. For example, the invention may also be applied to a wireless network having a similar topology to WPAN. Therefore, any modifications, equivalents, improvements, etc. made within the spirit and scope of the invention are intended to be included within the scope of the invention.

Claims

1. An authentication method for a device accessing a communication network, characterized in that it comprises:
an authentication management node receiving an authentication request;
the authentication management node passing the authentication request to an authentication node;
the authentication node and a requesting node exchanging authentication messages through the authentication management node.
2. The authentication method for a device accessing a communication network according to claim 1, characterized in that the authentication request is passed by the requesting node to the authentication management node through a preset authentication channel; and, in the exchange of authentication messages, the requesting node and the authentication management node pass the authentication messages through the preset authentication channel.
3. The authentication method for a device accessing a communication network according to claim 2, characterized in that the authentication channel is a wireless link comprising the requesting node, a relay node and the authentication management node.
4. The authentication method for a device accessing a communication network according to claim 2, characterized in that, within the authentication channel, each previous-hop node stores the address of its next-hop node.
5. The authentication method for a device accessing a communication network according to claim 1, characterized in that the authentication management node is a coordinator within a wireless personal area network.
6. The authentication method for a device accessing a communication network according to claim 2, characterized in that the authentication messages comprise encapsulated request information;
after receiving the encapsulated request information, the requesting node decapsulates the information, encapsulates response information and passes it along the authentication channel to the authentication management node.
7. The authentication method for a device accessing a communication network according to any one of claims 1 to 6, characterized in that the exchange of authentication messages comprises the authentication node passing an authentication result to the authentication management node, the authentication result being generated by an authentication server; and the authentication method further comprises:
the authentication management node recording the authentication result and notifying the requesting node of the authentication result.
8. An authentication system for a device accessing a communication network, characterized in that it comprises a requesting node, an authentication management node and an authentication node, wherein
the requesting node is configured to send an authentication request and authentication messages; the authentication management node is configured to receive the authentication request and pass it to the authentication node, and to relay authentication messages during the exchange of authentication messages between the requesting node and the authentication node;
the authentication node is configured to interact with an authentication server and to relay authentication messages between the authentication management node and the authentication server.
9. The authentication system for a device accessing a communication network according to claim 8, characterized in that it further comprises a relay node configured to pass the authentication request from the requesting node to the authentication management node and to relay the authentication messages between the authentication management node and the requesting node.
10. The authentication system for a device accessing a communication network according to claim 8, characterized in that the requesting node and the authentication management node pass the authentication request and the authentication messages through a preset authentication channel.
11. The authentication system for a device accessing a communication network according to claim 8, characterized in that the authentication messages comprise an authentication result generated by an authentication server, and the authentication management node is further configured to record the authentication result.
12. A communication device for managing the authentication process of nodes in a wireless access network, characterized in that it comprises:
a receiving unit, configured to receive authentication messages;
an encapsulation unit, configured to encapsulate authentication messages from an authentication node;
a decapsulation unit, configured to decapsulate authentication messages from a requesting node;
a sending unit, configured to send the authentication messages encapsulated by the encapsulation unit to the requesting node, and to send the authentication messages decapsulated by the decapsulation unit to the authentication node.
13. The communication device according to claim 12, characterized in that the receiving unit is further configured to receive an authentication result from the authentication node, and the communication device further comprises:
an authentication result storage unit, configured to store the authentication result.
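The message flow of claims 1 to 13 and of the FIG. 5 device, as an added Python simulation that is not part of the patent: a requesting node reaches the authentication management node (the WPAN coordinator) over a preset channel whose hops store only next-hop addresses; the management node decapsulates the request, passes it on towards the authentication server, encapsulates the server's request information for the requesting node, decapsulates the reply and records the server's result. The HMAC challenge-response payload, the node names and the shared key are constructed assumptions standing in for whatever existing authentication mechanism the channel carries, and the authentication node is modelled as a pass-through to the server.

```python
import hashlib
import hmac
import os

# Constructed demo data: a key shared by requesting node and server, and the preset
# authentication channel node-7 -> relay-3 -> coordinator held as next-hop addresses.
SHARED_KEYS = {"node-7": b"constructed-demo-key"}
UPLINK = {"node-7": "relay-3", "relay-3": "coordinator"}
DOWNLINK = {"coordinator": "relay-3", "relay-3": "node-7"}

def frame(src, dst, payload):
    return {"src": src, "dst": dst, "hops": [], "payload": payload}

def relay(f, next_hop):
    """Forward hop by hop along the preset channel; each hop knows only its next hop."""
    node = f["src"]
    while node != f["dst"]:
        node = next_hop[node]
        f["hops"].append(node)
    return f

class AuthServer:
    """Issues the request information (a challenge) and produces the authentication result."""
    def __init__(self):
        self.pending = {}

    def request_info(self, node_id):
        self.pending[node_id] = os.urandom(16)
        return self.pending[node_id]

    def verify(self, node_id, response):
        key, nonce = SHARED_KEYS[node_id], self.pending.pop(node_id)
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return "accept" if hmac.compare_digest(expected, response) else "reject"

def requesting_node(node_id, key, challenge):
    """Requesting node: decapsulate the challenge, answer it, encapsulate the reply."""
    response = hmac.new(key, challenge["payload"], hashlib.sha256).digest()
    return frame(node_id, "coordinator", response)

class ManagementNode:
    """FIG. 5 device; the authentication node is modelled as a pass-through to the server."""
    def __init__(self, server):
        self.auth_node, self.results = server, {}   # results dict is storage unit 505

    def authenticate(self, request, node_key):
        node_id = relay(request, UPLINK)["payload"]                       # 503 receive, 504 decapsulate
        challenge = frame("coordinator", node_id, self.auth_node.request_info(node_id))  # 502 encapsulate
        reply = requesting_node(node_id, node_key, relay(challenge, DOWNLINK))           # 501 send
        result = self.auth_node.verify(node_id, relay(reply, UPLINK)["payload"])          # 504 decapsulate
        self.results[node_id] = result                                    # 505 store, then notify node
        return result
```

A node holding a key the server does not recognise for it is rejected, and the management node keeps the recorded outcome either way.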
PCT/CN2008/070435 2007-03-14 2008-03-07 Method, system and associated device for authenticating apparatus access to a communication network WO2008110099A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007100735135A CN101267365B (en) 2007-03-14 2007-03-14 Authentication method, system and device for communication network access of device
CN200710073513.5 2007-03-14

Publications (1)

Publication Number Publication Date
WO2008110099A1 true WO2008110099A1 (en) 2008-09-18

Family

ID=39759016

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070435 WO2008110099A1 (en) 2007-03-14 2008-03-07 Method, system and associated device for authenticating apparatus access to a communication network

Country Status (2)

Country Link
CN (1) CN101267365B (en)
WO (1) WO2008110099A1 (en)


Also Published As

Publication number Publication date
CN101267365B (en) 2011-08-03
CN101267365A (en) 2008-09-17

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08715171; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08715171; Country of ref document: EP; Kind code of ref document: A1)