WO2009155812A1 - Terminal access method, access management method, network equipment and communication system - Google Patents


Info

Publication number: WO2009155812A1
Application number: PCT/CN2009/071856
Authority: WO (WIPO, PCT)
Prior art keywords: access, user terminal, user, identifier, user identifier
Other languages: French (fr), Chinese (zh)
Inventors: 王绍斌, 张宁, 位继伟, 尹瀚
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L 63/00 (Network architectures or network communication protocols for network security)
        • H04L 63/08: for authentication of entities
        • H04L 63/04: for providing a confidential data exchange among entities communicating through data packet networks
            • H04L 63/0428: wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • Terminal access method, access management method, network device, and communication system. This application claims priority to Chinese Patent Application No. 200810029121.3, filed with the Chinese Patent Office on June 23, 2008 and titled "Terminal access method, access management method, network device, and communication system", which is incorporated herein by reference in its entirety.
  • The present invention relates to the field of communications, and in particular to a user terminal access method, an access management method, a communication system, an access device, and a network device.
  • Background
  • A Home NodeB (HNB) is a home-oriented micro base station. Users can deploy such base stations in hotspot coverage areas such as homes and offices and connect them to the mobile communication network over the Internet, so that indoors they obtain higher bandwidth, more reliable quality and more economical wireless communication services than the macro network provides.
  • The introduction of the Home NodeB relieves the bottleneck at the radio interface of wireless data services, allowing users to enjoy high-speed, high-bandwidth network services.
  • For a traditional macro base station with a large coverage area (hereinafter the macro NodeB), the placement of network nodes is generally planned by the operator in advance and the network is built out according to that plan. The time, location and configuration of a macro NodeB's access are therefore already known to the wireless network, so when a macro NodeB requests access it only needs to be configured with the access parameters specified by the network, and no special control mechanism is required. For network nodes of the same operator, any mobile subscriber registered in the network can establish a radio link through the base station, and access control of the user equipment (UE) is needed only on the core network side.
  • In the course of the invention the inventors found that the prior art has at least the following drawbacks. Since HNB service is generally a personal application of a home or business user, from the user's point of view the HNB is a private device that its owner does not want used by others. From the operator's point of view, HNB coverage is usually offered on more favourable terms than the macro network, so the operator also wants to decide and limit who may use an HNB. In the prior art the admission decision for a UE is made by a core network element, which adds to the processing burden of that element and leaves open the possibility that an illegitimate UE attacks the core network by means of access requests.
  • Embodiments of the present invention provide a user terminal access method, an access management method, an access device and a network device that verify, at the access device, the legitimacy of a user accessing the core network through that device, protecting the interests of both the user and the operator.
  • An embodiment of the present invention provides a method for accessing a user terminal. The access device obtains the user identifier of the user terminal and determines from it whether the terminal is legitimate; if not, the user terminal is denied access; if so, an access authentication request carrying the device identifier and the encrypted data of the user identifier is sent to the core network element. The access device then receives a message from the core network element, which includes the access admission message or access rejection message generated by the core network element by performing access authentication on the user terminal according to the identifier of the local device and the encrypted data of the user identifier.
  • An embodiment of the invention further provides an access management method for a user terminal. The core network element receives from the access device a user terminal access authentication request carrying the device identifier of the access device and the encrypted data of the user identifier of the user terminal, obtains the corresponding decryption key according to the device identifier, and decrypts the encrypted data of the user identifier with that key; if the decryption fails, the access authentication fails.
  • An embodiment of the present invention provides an access device, including: a storage unit, configured to store the user identifiers of user terminals configured as permitted to access; a user identifier obtaining unit, configured to obtain the user identifier from the user terminal; a determining unit, configured to determine whether the storage unit holds the user identifier of the user terminal; an authentication processing unit, configured to deny the user terminal access when the determining unit determines no and, when it determines yes, to send the core network element an access authentication request carrying the device identifier and the encrypted data of the user identifier; and a receiving unit, configured to receive from the core network element a message including the access admission message or access rejection message that the core network element generated by performing access authentication on the user terminal according to the local device identifier and the encrypted data of the user identifier.
  • An embodiment further provides a network device, including: an authentication request receiving unit, configured to receive from the access device a user terminal access authentication request carrying the device identifier of the access device and the encrypted data of the user identifier of the user terminal; and an authentication unit, configured to obtain the corresponding decryption key according to the device identifier of the access device and to decrypt the encrypted data of the user identifier with that key, the access authentication failing if the decryption fails.
  • An embodiment of the present invention further provides a communication system including an access device and a network device. The access device is configured to obtain the user identifier from the user terminal, determine according to the user identifier whether the user terminal is legitimate, deny the user terminal access if not and, if so, send the network device an access authentication request carrying the device identifier and the encrypted data of the user identifier, and then receive from the network device a message including the access admission message or access rejection message that the network device generated by performing access authentication on the user terminal according to the device identifier and the encrypted data of the user identifier. The network device is configured to receive that request, obtain the corresponding decryption key according to the device identifier of the access device, and decrypt the encrypted data of the user identifier with the decryption key; if the decryption fails, the access authentication fails.
  • In the embodiments, the access device obtains the user identifier of the user terminal and determines from it whether the user terminal is legitimate. If not, the user terminal is denied access. If so, the access device sends the core network element (for example the HLR) an access authentication request carrying the device identifier and the encrypted data of the user identifier. On receiving the request, the core network element performs access authentication on the user terminal according to the access device identifier and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through this access device, and returns the resulting access admission or access rejection message to the access device. The access device thereby verifies and manages the identity of the user terminals it admits, protecting the interests of the access device owner and of the operator.
  • FIG. 1 is a schematic flowchart of a method for accessing a user terminal according to an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a method for access management of a user terminal according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of the admission control interaction of a user terminal according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of the composition of a communication system according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of an access device according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of the composition of a network device according to an embodiment of the present invention.
  • Detailed description
  • The access device may be a base station, a home base station, a digital subscriber line access multiplexer (DSLAM), a set-top box (STB), a modem, a home gateway, customer premises equipment, a user terminal such as a mobile phone or a personal computer, and the like.
  • The following embodiments take the case in which the access device is a Home NodeB (HNB).
  • The core network element may be a home location register (HLR) or an access device home register (AHR).
  • FIG. 1 is a schematic flowchart of a method for accessing a user terminal according to an embodiment of the present invention, including:
  • 101. Obtain the user identifier of the user terminal. This may proceed as follows: when the user terminal is handed over from the macro base station into the coverage area of the HNB of this embodiment, or is powered on within the HNB's coverage area, the user terminal sends a camping request to the HNB; after receiving the camping request, the HNB sends a user identity acquisition request to the user terminal; after receiving the acquisition request, the user terminal sends its own user identifier to the HNB.
  • The user identifier of the user terminal is a unique identifier of the user terminal's identity and may be an IMSI (International Mobile Subscriber Identity) or an MSISDN (Mobile Station International ISDN Number).
  • 102. Determine, according to the user identifier, whether the user terminal is legitimate. If not, the user terminal is denied access. If so, send the core network element an access authentication request carrying the device identifier and the encrypted data of the user identifier.
  • The TPM (Trusted Platform Module) is a microcontroller based on the TCG (Trusted Computing Group) industry standard specification. As defined in the TCG Trusted Platform Module Specification, it stores keys, passwords and digital certificates, provides strong cryptographic functions, and can be integrated on the HNB device board. The TPM contains cryptographic and storage components embedded in the computing platform, similar to a smart card chip; as components of the trusted platform, the components of the TPM are trusted to work correctly. The TCG Software Stack specification is the standard API specification for accessing the TPM. A trusted computing platform has three main characteristics: protected capabilities, attestation, and integrity measurement, logging and reporting.
  • Determining whether the user terminal is legitimate according to the user identifier means determining whether the user identifier exists in the user terminal admission list that the device stores under the protection of the trusted platform module; if it does not, the user terminal is illegitimate.
  • Encrypting the user identifier to generate the encrypted data of the user identifier may be implemented as follows. Under an asymmetric mechanism, the access device signs the user identifier with the platform identity authentication key maintained by the trusted platform module of the device, generating user identifier signature data. Under a symmetric mechanism, the access device encrypts the user identifier with a key shared with the core network element and maintained by the trusted platform module of the device, generating user identifier encrypted data. In either case the key is stored and maintained by the TPM, to ensure its integrity and secrecy.
  • A user terminal admission list storing the user identifiers of the user terminals permitted to access is configured in the HNB, and the access authentication network element in the core network that corresponds to the HNB stores a copy of the same list. The list holds the user identifiers of the user terminals allowed to use the HNB to access the core network, and the user can manage it through the operator's customer service. The user identifiers in the list can be modified by adding, replacing or deleting entries: the user can log in to the customer service website with a user name and password to modify the list, or likewise modify it through the customer service telephone line or through a password or key-protected access mechanism on the HNB device itself.
  • Sending the core network element a user terminal access authentication request carrying the device identifier and the encrypted data of the user identifier may proceed as follows: the HNB signs the user identifier with the platform identity authentication key pair held by the HNB device, generating user identifier signature data, and sends the core network element a user terminal access authentication request carrying the device identifier and the user identifier signature data.
  • When the core network element's access authentication of the user terminal, performed according to the device's serial number (the device identifier) and the user identifier of the user terminal, succeeds, the core network element sends an access admission message to the HNB, notifying it that the user terminal is a legitimate user and access is allowed. Optionally, the HNB may further send an access admission message to the user terminal, notifying the user that the terminal may access the core network through the HNB.
  • When that access authentication fails, the core network element sends an access rejection message to the HNB, notifying it that the user terminal belongs to an illegitimate user, has no access rights and is refused access. Optionally, the HNB may further send an access rejection message to the user terminal, informing the user that the terminal is denied access to the core network through the HNB.
  • In this embodiment, the access device obtains the user identifier of the user terminal and determines from it whether the user terminal is legitimate; if not, the user terminal is denied access; if so, the access device sends the core network element (the HLR) an access authentication request carrying the device identifier and the encrypted data of the user identifier. On receiving the request, the core network element performs access authentication on the user terminal according to the access device identifier and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device (HNB), and returns the resulting access admission or access rejection message to the access device. The access device (HNB) thereby verifies and manages the identity of the user terminals it admits, protecting the interests of the HNB owner and of the operator.
  • FIG. 2 is a schematic flowchart of a method for access management of a user terminal according to an embodiment of the present invention, including:
  • 201. Receive from the access device a user terminal access authentication request carrying the device identifier of the access device and the encrypted data of the user identifier of the user terminal.
  • The encrypted data of the user identifier may have been generated as follows. Under an asymmetric mechanism, the access device signs the user identifier with the platform identity authentication key maintained by the trusted platform module of the device, generating user identifier signature data. Under a symmetric mechanism, the access device encrypts the user identifier with the key shared with the core network element and maintained by the trusted platform module of the device, generating user identifier encrypted data.
  • 202. Obtain the corresponding decryption key according to the device identifier of the access device and decrypt the encrypted data of the user identifier with it. If the decryption fails, the key under which the user identifier was encrypted does not match the decryption key, that is, the identity of the HNB is not trusted, and the access authentication fails. If the decryption succeeds, the identity of the HNB is trusted and the access authentication may be considered passed. To further ensure the reliability of the authentication, after a successful decryption the device identifier of the access device may be used to look up the user terminal admission list corresponding to that access device and determine whether the user identifier is stored in it; if so, the access authentication of the user terminal passes, otherwise the user terminal is denied access.
  • Under the asymmetric mechanism, obtaining the corresponding decryption key according to the device identifier of the access device and decrypting the encrypted data of the user identifier with it includes: using the device identifier of the access device as an index, retrieving the public key corresponding to the platform identity authentication key; then verifying the user identifier signature data with that public key and thereby recovering the user identifier.
  • Under the symmetric mechanism, it includes: obtaining the key shared between the access device and the core network element, and decrypting the encrypted data of the user identifier of the user terminal with the shared key.
  • The core network element may be a network device such as a home location register (HLR).
  • In this embodiment the core network element receives from the access device the user terminal access authentication request carrying the device identifier of the access device and the encrypted data of the user identifier, performs access authentication on the user terminal according to that device identifier and encrypted data, determines whether the user terminal is permitted to access through the access device (HNB), and returns the resulting access admission or access rejection message to the access device. The access device (HNB) thereby verifies and controls the identity of the user terminals it admits, protecting the interests of the HNB owner and of the operator.
  • FIG. 3 is a schematic diagram of the admission control interaction of a user terminal according to an embodiment of the present invention. In this embodiment a UE serves as the user terminal, an HNB as the access device, and the HLR as the core network element that authenticates the authentication request from the HNB (any other network element with similar capabilities could serve instead). The method includes:
  • 301. The UE sends a camping request to the HNB, either when the UE is handed over from the macro base station into the HNB coverage area or when the UE is powered on within the HNB coverage area.
  • 302. After receiving the camping request, the HNB sends a user identity acquisition request to the UE.
  • 303. The UE sends its user identifier to the HNB. The user identifier is a unique identifier of the user terminal's identity and may be an IMSI (International Mobile Subscriber Identity) or an MSISDN (Mobile Station International ISDN Number).
  • 304. The HNB obtains the user identifier and, using it as an index, queries the UE admission list held in the HNB's secure storage to determine whether the user identifier exists in the list. If it does, the HNB signs the user identifier to generate user identifier signature data and proceeds to 305; otherwise it proceeds to 306.
  • The user terminal admission list storing the user identifiers of the user terminals permitted to access is configured on the HNB, and the access authentication network element in the core network that corresponds to the HNB also stores a copy of the list for that HNB. The list holds the user identifiers of the user terminals allowed to use the HNB device to access the core network, and the user can manage it through the operator's customer service. The user identifiers in the list can be modified by adding, replacing or deleting entries: the user can log in to the customer service website with a user name and password to modify the list, or likewise modify it through the customer service telephone line or through a password or key-protected access mechanism on the HNB device itself.
  • On the security platform provided by the TPM, the HNB signs the user identifier with the platform identity authentication key stored in the TPM to generate the user identifier signature data. If the user identifier does not exist in the admission list, the user corresponding to it is not permitted to access, and 306 is performed.
  • 305. The HNB sends the HLR an access authentication request carrying the HNB device identifier and the user identifier signature data.
  • 306. The HNB sends an access prohibition message to the UE.
  • 307. The HLR obtains the HNB device identifier and the user identifier signature data, uses the HNB device identifier as an index to search its database for the corresponding public key, and verifies the user identifier signature data with that public key. If the verification succeeds, the user identifier is recovered; the HLR then uses the HNB device identifier as an index to retrieve the user terminal admission list it stores for that HNB and determines whether the user identifier exists in it. If so, authentication passes, access is granted and an access admission message is sent; otherwise authentication fails, access is refused and an access rejection message is sent.
  • 308. The HLR sends the access admission message or access rejection message to the HNB.
  • 309. The HNB sends the access admission message or access rejection message to the UE.
  • In this embodiment the access device obtains the user identifier of the user terminal, determines whether that identifier is stored, and denies the user terminal access when it is not. Otherwise it sends the core network element a user terminal access authentication request carrying the device identifier and the user identifier of the user terminal (as signature data). On receiving the request, the core network element performs access authentication on the user terminal according to the access device identifier and the user identifier, determines whether the user terminal is permitted to access through the access device, and returns the resulting access admission or access rejection message to the access device. The access device thereby verifies and manages the identity of the user terminals it admits, protecting the interests of the access device owner and of the operator.
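  • The exchange of FIG. 3, which is the same flow described for FIG. 1 (HNB side) and FIG. 2 (HLR side), as an added, self-contained simulation that is not part of the patent and is not Huawei's code. It models the symmetric variant: the "encrypted data of the user identifier" is an HMAC-SHA256 tag over the IMSI under a per-HNB key that the HLR looks up by the HNB's device identifier, and the IMSI travels beside the tag in the clear (assumptions; the patent's asymmetric variant recovers the identifier from a signature, and TPM key storage and IMSI confidentiality are not modelled). An HMAC stands in for "encrypt, and fail if decryption fails" because with an unauthenticated cipher decryption under the wrong key does not fail, it yields garbage, so the HLR needs an integrity check to detect an untrusted HNB at all. All serial numbers, IMSIs and keys are constructed test data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ADMIT = "ACCESS_ADMISSION"       # HLR -> HNB -> UE, steps 308/309
REJECT = "ACCESS_REJECT"         # HLR -> HNB -> UE, steps 308/309
PROHIBIT = "ACCESS_PROHIBITION"  # HNB -> UE without contacting the HLR, step 306


def mac_identifier(key: bytes, user_id: str) -> bytes:
    """Stand-in for the 'encrypted data of the user identifier' (assumption:
    HMAC-SHA256 rather than a cipher, so that a key mismatch is detectable)."""
    return hmac.new(key, user_id.encode("ascii"), hashlib.sha256).digest()


@dataclass
class HLR:
    """Core network element: per HNB device identifier it holds the shared key
    and its own copy of that HNB's user terminal admission list (step 307)."""
    keys: dict = field(default_factory=dict)       # device_id -> shared key
    admission: dict = field(default_factory=dict)  # device_id -> set of IMSIs

    def provision(self, device_id: str, key: bytes, imsis: set) -> None:
        self.keys[device_id] = key
        self.admission[device_id] = set(imsis)

    def authenticate(self, device_id: str, user_id: str, tag: bytes) -> str:
        key = self.keys.get(device_id)          # key lookup indexed by device id
        if key is None:
            return REJECT                       # unknown HNB
        if not hmac.compare_digest(mac_identifier(key, user_id), tag):
            return REJECT                       # key mismatch: HNB identity not trusted
        if user_id in self.admission.get(device_id, set()):
            return ADMIT                        # IMSI is in the HLR's copy of the list
        return REJECT


@dataclass
class UE:
    imsi: str

    def user_identifier(self) -> str:
        return self.imsi                        # reply to the identity request (303)


@dataclass
class HNB:
    """Access device. In a real HNB `key` and `admission` would sit in
    TPM-protected storage; here they are plain in-memory values (assumption)."""
    device_id: str
    key: bytes
    admission: set
    hlr: HLR
    log: list = field(default_factory=list)     # (where decided, IMSI, outcome)

    def handle_camping(self, ue: UE) -> str:
        user_id = ue.user_identifier()          # 301-303
        if user_id not in self.admission:       # 304: local admission list check
            self.log.append(("local", user_id, PROHIBIT))
            return PROHIBIT                     # 306: refused without an HLR round trip
        tag = mac_identifier(self.key, user_id) # 304: keyed tag over the IMSI
        outcome = self.hlr.authenticate(self.device_id, user_id, tag)  # 305, 307, 308
        self.log.append(("hlr", user_id, outcome))
        return outcome                          # 309: relayed to the UE


def demo() -> dict:
    """Run four scenarios on constructed data and return the outcomes."""
    key = secrets.token_bytes(32)
    hlr = HLR()
    hlr.provision("HNB-SN-0001", key, {"460001234567890"})
    hnb = HNB("HNB-SN-0001", key, {"460001234567890", "460009999999999"}, hlr)
    # same serial number as the genuine HNB, but without its key
    clone = HNB("HNB-SN-0001", secrets.token_bytes(32), {"460001234567890"}, hlr)
    return {
        "listed_both": hnb.handle_camping(UE("460001234567890")),
        "not_listed_locally": hnb.handle_camping(UE("460005555555555")),
        "listed_locally_only": hnb.handle_camping(UE("460009999999999")),
        "cloned_device_id": clone.handle_camping(UE("460001234567890")),
        "hlr_contacted": [where for where, _, _ in hnb.log],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

  • The four scenarios in `demo()` show the two layers of the scheme: an IMSI missing from the HNB's own list is refused locally with no round trip to the HLR (the load-shedding point from the background section); an IMSI present in the HNB's list but absent from the HLR's copy is still refused by the HLR, so a tampered local list does not grant access; and a device presenting a valid HNB serial number with the wrong key fails the tag check and is rejected regardless of any list. If the asymmetric variant is implemented instead, the HLR's check becomes a signature verification under the public key indexed by the device identifier, and the IMSI must either be sent alongside the signature or be recovered from a signature scheme with message recovery.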
  • FIG. 4 is a schematic diagram of the composition of a communication system according to an embodiment of the present invention. The communication system includes an access device 1 and a network device 2. The access device 1 is configured to obtain a user identifier from a user terminal, determine according to the user identifier whether the user terminal is legitimate, deny the user terminal access if not and, if so, send the network device 2 an access authentication request carrying the device identifier and the encrypted data of the user identifier.
  • FIG. 5 is a schematic diagram of the configuration of an access device 1 according to an embodiment of the present invention. The access device 1 of this example may be used to perform the user terminal access method of the embodiments above. The access device 1 includes a storage unit 13, a user identifier obtaining unit 11, a determining unit 12, an authentication processing unit 15, and a receiving unit 16.
  • The storage unit 13 is configured to store the user identifiers of the user terminals configured as permitted to access. The storage unit 13 may include: a user identifier storage unit 131, configured to store, in a manner trusted by the core network element, the user identifiers of the user terminals allowed to access; and a key storage unit 132, configured to store, in a manner trusted by the core network element, the platform identity authentication key provisioned with the core network element or the key shared with the core network element.
  • The user identifier storage unit 131 and the key storage unit 132 are maintained on the basis of the TPM (Trusted Platform Module) specification. Because the secure storage and key storage mechanisms defined by the TPM specification are used, the configured user identifiers of permitted user terminals held in the user identifier storage unit 131 and the platform identity authentication key or shared key held in the key storage unit 132 may be regarded as trusted by the core network element.
  • The user identifier obtaining unit 11 is configured to obtain the user identifier from the user terminal. It may include: a camping request receiving unit 111, configured to receive a camping request from the user terminal; a user identifier request sending unit 112, configured to send a user identifier acquisition request to the user terminal; and a user identifier receiving unit 113, configured to receive the user identifier from the user terminal.
  • The determining unit 12 is configured to determine whether the storage unit 13 holds the user identifier of the user terminal.
  • The authentication processing unit 15 is configured to deny the user terminal access when the determining unit 12 determines no and, when it determines yes, to send the core network element an access authentication request carrying the device identifier and the encrypted data of the user identifier. The authentication processing unit 15 may include: a rejecting unit 151, configured to deny the user terminal access when the determining unit 12 determines no; an encryption unit 152, configured to sign the user identifier with the platform identity authentication key stored in the key storage unit 132, generating user identifier signature data, or to encrypt the user identifier with the key shared with the core network element stored in the key storage unit 132, generating user identifier encrypted data; and an authentication request sending unit 153, configured to send the core network element a user terminal access authentication request carrying the device identifier and the user identifier signature data or user identifier encrypted data.
  • The receiving unit 16 is configured to receive from the core network element a message including the access admission message or access rejection message that the core network element generated by performing access authentication on the user terminal according to the local device identifier and the encrypted data of the user identifier.
  • The access device 1 of this embodiment may further include an access prohibition message sending unit 14, configured to send an access prohibition message to the user terminal when the determining unit 12 determines no.
  • The access device 1 of this embodiment may further include an access admission message sending unit 17, configured to send an access admission message to the user terminal when the receiving unit 16 receives an access admission message from the core network element, and an access rejection message sending unit 18, configured to send an access rejection message to the user terminal when the receiving unit 16 receives an access rejection message from the core network element.
  • In this embodiment, the access device obtains the user identifier of the user terminal and determines according to it whether the user terminal is legitimate. If the determination is no, the user terminal is refused access. If the determination is yes, an access authentication request carrying the identifier of the present device and the encrypted data of the user identifier is sent to the core network element (HLR). After receiving the access request message, the core network element performs access authentication on the user terminal according to the device identifier of the access device and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device (HNB), and returns the resulting access admission or access rejection message to the access device. The access device (HNB) thereby gains effective verification and management control over the identity of the user terminals it admits, protecting the interests of the access device (HNB) owner and the operator.
  • the network device 2 is configured to receive, from the access device 1, a user terminal access authentication request carrying the device identifier of the access device and the encrypted data of the user identifier of the user terminal; obtain a corresponding decryption key according to the device identifier of the access device; and decrypt the encrypted data of the user identifier of the user terminal with that decryption key, the access authentication failing if the decryption fails.
  • FIG. 6 is a schematic diagram of the composition of the network device 2 according to the embodiment of the present invention.
  • the network device 2 in the embodiment of the present invention may be a home location register (HLR) or the like.
  • the network device 2 in this embodiment may be used to perform the user terminal access management method of the embodiment of the present invention.
  • the network device 2 includes an authentication request receiving unit 21, a storage unit 22, an authentication unit 23 and a sending unit 24.
  • the authentication request receiving unit 21 is configured to receive a user terminal access authentication request from the access device 1 that carries the device identifier of the access device and the encrypted data of the user identifier of the user terminal;
  • the storage unit 22 is configured to store the user terminal access list corresponding to the access device.
  • the authentication unit 23 is configured to obtain a corresponding decryption key according to the device identifier of the access device 1 and to decrypt the encrypted data of the user identifier of the user terminal with that decryption key, the access authentication failing if the decryption fails.
  • the authentication unit 23 may include:
  • the key obtaining unit 231, configured to retrieve the corresponding decryption public key, or the key shared with the access device 1, using the device identifier of the access device 1 as an index;
  • the decryption unit 232, configured to decrypt the encrypted data of the user identifier of the user terminal with the decryption public key, or the shared key of the access device, obtained by the key obtaining unit 231;
  • the authentication execution unit 233, configured to determine that the access authentication fails when the decryption unit 232 fails to decrypt, and, when the decryption unit 232 decrypts successfully, either to determine directly that the access authentication passes, or to look up, by the device identifier of the access device, the user terminal access list corresponding to the access device that is stored in the storage unit 22 and determine whether it holds the user identifier; if so, the access authentication of the user terminal passes, otherwise the user terminal is refused access.
  • the sending unit 24 is configured to send an access admission message or an access rejection message to the access device.
  • The core network element receives, from the access device, a user terminal access authentication request carrying the device identifier of the access device and the encrypted data of the user identifier of the user terminal, performs access authentication on the user terminal according to the device identifier of the access device and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device (HNB), and returns the resulting access admission or access rejection message to the access device.
  • This gives the access device (HNB) effective verification and management control over the identity of the user terminals it admits, protecting the interests of the access device (HNB) owner and the operator.
  • In summary, the access device obtains the user identifier of the user terminal and determines according to it whether the user terminal is legitimate; if the determination is no, the user terminal is refused access, and if it is yes, an access authentication request carrying the identifier of the present device and the encrypted data of the user identifier is sent to the core network element. After receiving the access request message, the core network element performs access authentication on the user terminal according to the device identifier of the access device and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device (HNB), and returns the resulting access admission or access rejection message to the access device. The access device (HNB) can thus effectively verify and manage the identity of the user terminals it admits, protecting the interests of the access device (HNB) owner and the operator.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).

Abstract

An embodiment of the present invention provides a user terminal access method, including: obtaining a user identifier from the user terminal; determining, according to the user identifier, whether the user terminal is legitimate, refusing access to the user terminal if not, and otherwise sending to a core network element an access authentication request carrying the device identifier and encrypted data of the user identifier; and receiving a message from the core network element, the message including an access admission message or an access rejection message generated by the core network element by performing access authentication on the user terminal according to the device identifier and the encrypted data of the user identifier.

Description

Terminal access method, access management method, network device and communication system. This application claims priority to Chinese Patent Application No. 200810029121.3, filed with the Chinese Patent Office on June 23, 2008 and entitled "Terminal access method, access management method, network device and communication system", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communications, and in particular to a user terminal access method, an access management method, a communication system, an access device and a network device.
Background
In wireless network communication systems, with the development of the Internet and the wide application of various wireless services, users on the one hand place higher demands on the bandwidth, convenience and cost of wireless networks. On the other hand, from the operator's perspective, the resources of the existing network must be fully utilised to expand capacity, reduce cost and serve users better.
To meet these demands and the development needs of the network, the home base station (Home NodeB, HNB) has been proposed. A Home NodeB is a miniature base station for home use; users can deploy such base stations in hotspot coverage areas such as homes and offices and connect them to the mobile communication network through the Internet, so that users obtain indoor wireless communication services with higher bandwidth, more reliable quality and lower cost than outdoors. The introduction of the Home NodeB solves the air-interface resource bottleneck of wireless data services, allowing users to enjoy high-rate, high-bandwidth network services.
For a conventional macro base station with a large coverage area (hereinafter the macro Node B), the placement of network nodes is mostly planned by the operator in advance, and the network is deployed according to that plan. The time and place at which a macro Node B is connected, and its configuration at connection time, are therefore already known to the wireless network; when a macro Node B requests access, the corresponding access parameters only need to be configured according to the data specified by the network, and the access of the macro Node B is completed without a dedicated control mechanism. For network nodes of the same operator, any mobile subscriber registered in that network can establish a radio link through this base station; access control of the user equipment (UE) is performed only on the core network side.
In implementing the present invention, the inventors found that the prior art has at least the following drawbacks. Since HNB service is generally applied for individually by a home or enterprise user, from the user's perspective the HNB is generally a private device that should not be used by others without the owner's permission. From the operator's perspective, tariffs under HNB coverage are generally lower than in the macro network, so the operator wishes to judge and restrict who may use the HNB. In the prior art, the admission decision for a UE is made by the core network element, which increases the processing burden on the core network element and leaves open the possibility that an illegitimate UE attacks the core network through access requests.
Summary of the invention
Embodiments of the present invention provide a user terminal access method, an access management method, an access device and a network device, which effectively verify the legitimacy of a user accessing the core network through an access device and effectively protect the interests of users and operators.
An embodiment of the present invention provides a user terminal access method, including:
obtaining a user identifier from a user terminal; determining, according to the user identifier, whether the user terminal is legitimate; if the determination is no, refusing access to the user terminal; if the determination is yes, sending to a core network element an access authentication request carrying the identifier of the present device and encrypted data of the user identifier;
receiving a message from the core network element, the message including an access admission message or an access rejection message generated by the core network element by performing access authentication on the user terminal according to the identifier of the present device and the encrypted data of the user identifier.
An embodiment of the present invention further provides a user terminal access management method, including:
receiving, from an access device, a user terminal access authentication request carrying the device identifier of the access device and encrypted data of the user identifier of a user terminal;
obtaining a corresponding decryption key according to the device identifier of the access device, and decrypting the encrypted data of the user identifier of the user terminal with that decryption key; if the decryption fails, the access authentication fails.
Correspondingly, an embodiment of the present invention provides an access device, including: a storage unit, configured to store the user identifiers of user terminals configured as permitted to access; a user identifier obtaining unit, configured to obtain a user identifier from a user terminal;
a determining unit, configured to determine whether the storage unit holds the user identifier of the user terminal; an authentication processing unit, configured to refuse access to the user terminal when the determining unit determines no, and to send to a core network element an access authentication request carrying the identifier of the present device and encrypted data of the user identifier when the determining unit determines yes;
a receiving unit, configured to receive a message from the core network element, the message including an access admission message or an access rejection message generated by the core network element by performing access authentication on the user terminal according to the identifier of the present device and the encrypted data of the user identifier.
And a network device, including:
an authentication request receiving unit, configured to receive, from an access device, a user terminal access authentication request carrying the device identifier of the access device and encrypted data of the user identifier of a user terminal;
an authentication unit, configured to obtain a corresponding decryption key according to the device identifier of the access device and to decrypt the encrypted data of the user identifier of the user terminal with that decryption key, the access authentication failing if the decryption fails. An embodiment of the present invention further provides a communication system, including an access device and a network device, where:
the access device is configured to obtain a user identifier from a user terminal; determine, according to the user identifier, whether the user terminal is legitimate; if the determination is no, refuse access to the user terminal; if the determination is yes, send to the network device an access authentication request carrying the identifier of the present device and encrypted data of the user identifier; and receive a message from the core network element, the message including an access admission message or an access rejection message generated by the network device by performing access authentication on the user terminal according to the identifier of the present device and the encrypted data of the user identifier.
the network device is configured to receive, from the access device, a user terminal access authentication request carrying the device identifier of the access device and encrypted data of the user identifier of the user terminal; obtain a corresponding decryption key according to the device identifier of the access device; and decrypt the encrypted data of the user identifier of the user terminal with that decryption key, the access authentication failing if the decryption fails. In the embodiments of the present invention, the access device obtains the user identifier of the user terminal and determines according to it whether the user terminal is legitimate; if not, the user terminal is refused access; if so, an access authentication request carrying the identifier of the present device and the encrypted data of the user identifier is sent to a core network element (such as an HLR). After receiving the access request message, the core network element performs access authentication on the user terminal according to the device identifier of the access device and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device, and returns the resulting access admission or access rejection message to the access device. This gives the access device effective verification and management control over the identity of the user terminals it admits, protecting the interests of the access device owner and the operator.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are merely some embodiments of the present invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a user terminal access method according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a user terminal access management method according to an embodiment of the present invention; FIG. 3 is a schematic diagram of the interaction flow of user terminal admission control according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the composition of a communication system according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the composition of an access device according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the composition of a network device according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention. To make the objects, technical solutions and advantages of the present invention clearer, the present invention is further described in detail below with reference to the accompanying drawings.
In the following embodiments, the access device may be a base station, a home base station, a digital subscriber line access multiplexer (DSLAM), a set-top box (STB), a modem, a home gateway, customer premises equipment, a user terminal such as a mobile phone or a personal computer, and so on. The following embodiments take the case in which the access device is a Home NodeB (HNB) as an example.
In the following embodiments, the core network element may be a home location register (HLR), an access point home register (AP Home Register, AHR), or the like.
Referring to FIG. 1, a user terminal access method according to an embodiment of the present invention includes:
101. Obtain a user identifier from the user terminal. Specifically, when the user terminal is handed over from a macro base station into the coverage area of the HNB of this embodiment, or is powered on within the coverage area of the HNB, it sends a camping request to the HNB; on receiving the camping request, the HNB sends a user identifier acquisition request to the user terminal; on receiving the acquisition request, the user terminal sends its own user identifier to the HNB. The user identifier of the user terminal uniquely identifies the user terminal; in practice it may be an IMSI (International Mobile Subscriber Identity) or an MSISDN (Mobile Station International ISDN Number).
102. Determine, according to the user identifier, whether the user terminal is legitimate; if the determination is no, refuse access to the user terminal; if the determination is yes, send to the core network element an access authentication request carrying the identifier of the present device and encrypted data of the user identifier.
In this embodiment a TPM (Trusted Platform Module) is provided on the HNB. A TPM is a microcontroller based on the industry standard specification of the TCG (Trusted Computing Group). The TPM defined in the TCG Trusted Platform Module specification is a microcontroller that stores keys, passwords and digital certificates, provides strong cryptographic operations, and can be integrated on the main board of the HNB device. The TPM contains cryptographic processing and storage components embedded in the computing platform, similar to a smart card chip. As components of a trusted platform, the components of the TPM are trusted to work correctly. The TCG Software Stack specification is the standard API specification for accessing the TPM. A trusted computing platform has three main characteristics: protected capabilities, attestation, and integrity measurement logging and reporting. Determining whether the user terminal is legitimate according to the user identifier means determining whether the user identifier is present in the user terminal access list that the present device stores under the configuration of the trusted platform module; if not, the user terminal is illegitimate. In this embodiment, the encrypted data of the user identifier may be generated in either of the following ways: based on an asymmetric cryptographic mechanism, the access device signs the user identifier with the platform identity authentication key maintained for the device by the trusted platform module, generating user identifier signature data; or, based on a symmetric cryptographic mechanism, the access device encrypts the user identifier with the key it shares with the core network element, maintained for the device by the trusted platform module, generating user identifier encrypted data. Whether the symmetric or the asymmetric mechanism is used, the storage and maintenance of the key are handled by the TPM to ensure the integrity and security of the data.
In this embodiment, the HNB is configured with a user terminal access list holding the user identifiers of the user terminals permitted to access, and the access authentication network element in the core network corresponding to the HNB simultaneously stores a user identifier list for that HNB. The user terminal access list stores the user identifiers of the user terminals that are allowed to access the core network through the HNB device. The user can add, replace or delete user identifiers in the user terminal access list through the operator's customer service, can log in to the customer service website with a user name and password to modify the list, and can similarly modify it through a customer service telephone line or through a key-based access mechanism provided on the HNB device. Based on the secure platform provided by the TPM, sending to the core network element the user terminal access authentication request carrying the identifier of the present device and the encrypted data of the user identifier may specifically be: signing the user identifier with the platform identity authentication key held by the HNB device to generate user identifier signature data, and sending to the core network element a user terminal access authentication request carrying the identifier of the present device and the user identifier signature data.
103. Receive a message from the core network element, the message including an access admission message or an access rejection message generated by the core network element by performing access authentication on the user terminal according to the identifier of the present device and the encrypted data of the user identifier.
When the core network element's access authentication of the user terminal, based on the serial number of the present device and the user identifier of the user terminal, succeeds, the core network element sends an access admission message to the HNB, notifying the HNB that the user terminal is a legitimate user and is allowed access; optionally, the HNB may further send an access admission message to the user terminal, telling it that it may access the core network through the HNB. When that access authentication fails, the core network element sends an access rejection message to the HNB, notifying the HNB that the user terminal is an illegitimate user without access rights and that access is refused; optionally, the HNB may further send an access rejection message to the user terminal, telling it that it has been refused access to the core network through the HNB.
In this embodiment, the access device (HNB) obtains the user identifier of the user terminal and determines according to it whether the user terminal is legitimate; if not, the user terminal is refused access; if so, an access authentication request carrying the identifier of the present device and the encrypted data of the user identifier is sent to the core network element (HLR). After receiving the access request message, the core network element performs access authentication on the user terminal according to the device identifier of the access device and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device (HNB), and returns the resulting access admission or access rejection message to the access device. This gives the access device (HNB) effective verification and management control over the identity of the user terminals it admits, protecting the interests of the access device (HNB) owner and the operator.
Referring to FIG. 2, a schematic flowchart of a user terminal access method according to an embodiment of the present invention, the method includes:
201. Receive from an access device a user terminal access authentication request carrying the access device's device identifier and the encrypted data of the user terminal's user identifier. In a specific implementation, the encrypted data of the user identifier may be generated in either of two ways. Under an asymmetric mechanism, the access device signs the user identifier with the platform identity authentication key maintained by its trusted platform module, producing user identifier signature data. Under a symmetric mechanism, the access device encrypts the user identifier with the key it shares with the core network element, likewise maintained by its trusted platform module, producing user identifier encrypted data.
202. Obtain the corresponding decryption key according to the access device's device identifier and use it to decrypt the encrypted data of the user terminal's user identifier; if decryption fails, access authentication fails.
In step 202, a decryption failure means that the key used to encrypt the user identifier does not match the decryption key, that is, the HNB's identity cannot be trusted, so access authentication fails. If decryption succeeds, the HNB's identity is trusted, and access authentication may be treated as passed. To further strengthen the authentication, the core network element may, after a successful decryption, use the access device's device identifier to look up the user terminal admission list associated with that access device and check whether the user identifier is stored in it; if so, the user terminal's access authentication passes, otherwise the user terminal is refused access. Under the asymmetric mechanism, obtaining the decryption key by the access device's device identifier and decrypting the encrypted data consists of: using the access device's device identifier as an index, retrieving the public key corresponding to the platform identity authentication key; and verifying the user identifier signature data with that public key, thereby recovering the user identifier. Under the symmetric mechanism it consists of: obtaining the key shared between the access device and the core network element, and decrypting the encrypted data of the user identifier with that shared key. With the symmetric mechanism a mismatched key is only detectable as a decryption failure if the encrypted data carries an integrity check (an authenticated encryption mode or a message authentication code); an unauthenticated cipher decrypted with the wrong key yields garbage rather than an error. The core network element may be a network device such as a Home Location Register (HLR).
203. Send an access admission message or an access reject message to the access device.
In this embodiment, the core network element receives from the access device a user terminal access authentication request carrying the access device's device identifier and the encrypted data of the user identifier, performs access authentication of the user terminal according to that device identifier and encrypted data, determines whether the user terminal is permitted to access through the access device (HNB), and returns the resulting access admission message or access reject message to the access device. The access device (HNB) thereby obtains effective verification and management control over the identity of the user terminals it serves, protecting the interests of the HNB owner and of the operator.
Referring to FIG. 3, a schematic diagram of the interaction flow of user terminal admission control according to an embodiment of the present invention. In this example UE denotes the user terminal, HNB the access device, and HLR the core network element that authenticates requests coming from the HNB (any other network element with equivalent capability could take this role). In a specific implementation the method includes:
301. The UE sends a camping request to the HNB. When the UE is handed over from a macro base station into the HNB coverage area, or powers on within the HNB coverage area, it sends a camping request to the HNB.
302. After receiving the camping request, the HNB sends a user identifier request to the UE.
303. The UE sends its user identifier to the HNB. The user identifier uniquely identifies the user terminal; in a specific implementation it may be an IMSI (International Mobile Subscriber Identity) or an MSISDN (Mobile Station International ISDN Number).
304. The HNB obtains the user identifier and, using it as an index, queries the UE admission list held in the HNB's secure storage to determine whether the user identifier is present. If it is, the HNB signs the user identifier to produce user identifier signature data and proceeds to 305; otherwise it proceeds to 306.
In this embodiment of the invention the HNB is configured with a user terminal admission list holding the user identifiers of the user terminals permitted to access, and the access authentication network element in the core network that corresponds to the HNB also holds a user terminal admission list for that HNB, storing the user identifiers of the user terminals allowed to access the core network through the HNB device. The user can have identifiers in the list added, replaced or deleted through the operator's customer service, can log in to the customer service website with a user name and password to modify the list, or, similarly, can modify it by customer service telephone or through a key-based access mechanism provided on the HNB device. On the secure platform provided by the TPM, the HNB signs the user identifier with the platform identity authentication key held in the TPM, producing user identifier signature data. If the user identifier is not present in the HNB's list, the terminal with that identifier is a user not permitted to access, and 306 is executed.
305. The HNB sends the HLR an access authentication request carrying the HNB device identifier and the user identifier signature data.
306. The HNB sends an access prohibition message to the UE.
307. The HLR obtains the HNB device identifier and the user identifier signature data, searches its database with the HNB device identifier as the index to find the corresponding public key, and uses that public key to verify (decrypt) the user identifier signature data. If verification succeeds, it recovers the user identifier, uses the HNB device identifier as an index to fetch the user terminal admission list it holds for that HNB device, and checks whether the user identifier is in that list. If so, authentication passes, access is permitted and an access admission message is sent; otherwise authentication fails, access is refused and an access reject message is sent.
308. The HLR sends an access admission message or an access reject message to the HNB.
309. The HNB sends an access admission message or an access reject message to the UE.
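The FIG. 3 exchange (steps 304 to 309) together with the HLR-side decision of FIG. 2 (steps 201 to 203), as an added example in Go that is not code from the patent or from its assignee. It uses only the Go standard library and rests on assumptions the page does not fix: Ed25519 stands in for the platform identity authentication key (the page keeps that key inside the HNB's TPM, here it is an ordinary Go value), the request layout, the device identifier HNB-0001 and the IMSIs are constructed sample data, and the "decryption with the public key" of step 307 is implemented as what it is, a signature verification. Only the signature mechanism that FIG. 3 actually uses is shown; if the shared-key variant is implemented instead, use an authenticated encryption mode (for example AES-GCM) so that a wrong key surfaces as the decryption failure step 202 relies on, rather than as garbage plaintext. The page specifies no freshness or anti-replay mechanism and none is added here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Outcome is the message the HNB finally sends to the UE (step 306 or step 309).
type Outcome string

const (
	AccessProhibited Outcome = "ACCESS_PROHIBIT" // step 306: not in the HNB's own list
	AccessAdmitted   Outcome = "ACCESS_ADMIT"    // step 309 after an HLR admission message
	AccessRejected   Outcome = "ACCESS_REJECT"   // step 309 after an HLR rejection message
)

// AccessAuthRequest is the step-305 message. The page fixes no wire format; this layout is the
// example's: Signed is imsi || Ed25519 signature over imsi, so the HLR recovers the IMSI on verification.
type AccessAuthRequest struct {
	HNBID  string // HNB device identifier, the HLR's index for both key and admission-list lookup
	Signed []byte // user identifier signature data
}

// HNB models the access device. SignKey stands in for the platform identity authentication key,
// which the page keeps inside the HNB's TPM; here it is an ordinary Go value.
type HNB struct {
	ID       string
	Admitted map[string]bool // HNB-side user terminal admission list (IMSI -> permitted)
	SignKey  ed25519.PrivateKey
}

// HLR models the core network element: per-HNB public keys and per-HNB admission lists.
type HLR struct {
	PubKeys  map[string]ed25519.PublicKey
	Admitted map[string]map[string]bool // HNB ID -> permitted IMSIs
}

var ErrForbidden = errors.New("user identifier not in HNB admission list")

// BuildRequest is steps 304-305: consult the local list, then sign the identifier with the platform key.
func (h *HNB) BuildRequest(imsi string) (*AccessAuthRequest, error) {
	if !h.Admitted[imsi] {
		return nil, ErrForbidden
	}
	msg := []byte(imsi)
	return &AccessAuthRequest{HNBID: h.ID, Signed: append(msg, ed25519.Sign(h.SignKey, msg)...)}, nil
}

// Authenticate is steps 202 and 307. A failed verification (unknown HNB, wrong key, altered data)
// is returned as err, because the HNB's identity is then not trusted; a miss in the HLR-side
// admission list is reported as admitted=false with the recovered IMSI.
func (s *HLR) Authenticate(req *AccessAuthRequest) (imsi string, admitted bool, err error) {
	pub, ok := s.PubKeys[req.HNBID]
	n := len(req.Signed) - ed25519.SignatureSize
	if !ok || n < 0 {
		return "", false, errors.New("unknown HNB device identifier or malformed request")
	}
	if !ed25519.Verify(pub, req.Signed[:n], req.Signed[n:]) {
		return "", false, errors.New("signature invalid: HNB identity not trusted")
	}
	imsi = string(req.Signed[:n])
	return imsi, s.Admitted[req.HNBID][imsi], nil
}

// Exchange runs steps 304-309 for one camping UE and returns what the HNB sends back to it.
// A verification error at the HLR becomes a rejection (step 308), as the page requires.
func Exchange(hnb *HNB, hlr *HLR, imsi string) Outcome {
	req, err := hnb.BuildRequest(imsi)
	if err != nil {
		return AccessProhibited
	}
	if _, admitted, err := hlr.Authenticate(req); err == nil && admitted {
		return AccessAdmitted
	}
	return AccessRejected
}

// NewTestbed builds one HNB and an HLR that knows its public key, with constructed sample lists:
// IMSI ...890 is permitted on both sides, ...999 only on the HNB (lists out of sync), ...555 on neither.
func NewTestbed() (*HNB, *HLR) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	hnb := &HNB{ID: "HNB-0001", SignKey: priv,
		Admitted: map[string]bool{"460001234567890": true, "460009999999999": true}}
	hlr := &HLR{PubKeys: map[string]ed25519.PublicKey{hnb.ID: pub},
		Admitted: map[string]map[string]bool{hnb.ID: {"460001234567890": true}}}
	return hnb, hlr
}

func main() {
	hnb, hlr := NewTestbed()
	for _, imsi := range []string{"460001234567890", "460009999999999", "460005555555555"} {
		fmt.Printf("UE %s -> %s\n", imsi, Exchange(hnb, hlr, imsi))
	}
}
```

Running it prints one decision per UE: the first IMSI is admitted, the second passes the HNB's own list but is rejected by the HLR's list (the case the HLR-side copy exists to catch, for instance a tampered HNB), and the third never leaves the HNB (step 306). The HLR indexes both the public key and the admission list by the device identifier in the request, so a request under an unknown identifier, or signed under another HNB's key, fails verification before any list is consulted.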
In this embodiment, the access device obtains the user identifier of the user terminal and checks whether it holds that identifier itself. If not, it refuses the user terminal access; if so, it sends the core network element a user terminal access authentication request carrying its own device identifier and the user identifier of the user terminal. After receiving the access request, the core network element performs access authentication of the user terminal according to the access device's device identifier and the user terminal's user identifier, determines whether the user terminal is permitted to access through the access device, and returns the resulting access admission message or access reject message to the access device. The access device thereby obtains effective verification and management control over the identity of the user terminals it serves, protecting the interests of the access device owner and of the operator.
Referring to FIG. 4, a schematic diagram of the composition of a communication system according to an embodiment of the present invention. The communication system includes an access device 1 and a network device 2. The access device 1 is configured to obtain the user identifier from a user terminal; to judge from the user identifier whether the user terminal is legitimate; if not, to refuse the user terminal access; if so, to send the network device an access authentication request carrying its own device identifier and the encrypted data of the user identifier; and to receive from the network device 2 a message containing the access admission message or access reject message that the network device generated by authenticating the user terminal according to the device identifier and the encrypted data of the user identifier. Referring to FIG. 5, a schematic diagram of the composition of the access device 1 according to an embodiment of the present invention; the access device 1 of this example may be used to carry out the user terminal access method of the embodiment. In a specific implementation, the access device 1 includes: a storage unit 13, a user identifier obtaining unit 11, a judging unit 12, an authentication processing unit 15 and a receiving unit 16.
The storage unit 13 is configured to store the user identifiers of the user terminals configured as permitted to access; the storage unit 13 may include:
a user identifier storage unit 131, configured to store, in a manner the core network element can trust, the user identifiers of the user terminals configured as permitted to access;
a key storage unit 132, configured to store, in a manner the core network element can trust, the platform identity authentication key used for data transmission with the core network element, or the key shared with the core network element.
In this embodiment a TPM (Trusted Platform Module) may be configured on the access device, and the user identifier storage unit 131 and the key storage unit 132 set up and maintained according to the specification the TPM defines. Because they rest on the secure storage and key storage mechanisms defined by the TPM specification, the user identifiers of permitted user terminals stored in the user identifier storage unit 131, and the platform identity authentication key or shared key stored in the key storage unit 132, can be regarded as trustworthy by the core network element.
The user identifier obtaining unit 11 is configured to obtain the user identifier from the user terminal; in a specific embodiment, the user identifier obtaining unit 11 may include:
a camping request receiving unit 111, configured to receive a camping request from the user terminal;
a user identifier request sending unit 112, configured to send a user identifier request to the user terminal; and a user identifier receiving unit 113, configured to receive the user identifier from the user terminal.
The judging unit 12 is configured to judge whether the storage unit 13 holds the user identifier of the user terminal.
The authentication processing unit 15 is configured to refuse the user terminal access when the judging unit 12 judges no, and, when the judging unit 12 judges yes, to send the core network element an access authentication request carrying the device identifier and the encrypted data of the user identifier. In a specific embodiment, the authentication processing unit 15 may include:
a rejecting unit 151, configured to refuse the user terminal access when the judging unit 12 judges no;
an encryption unit 152, configured to sign the user identifier with the platform identity authentication key stored in the key storage unit 132, producing user identifier signature data, or to encrypt the user identifier with the shared key with the core network element stored in the key storage unit 132, producing user identifier encrypted data;
an authentication request sending unit 153, configured to send the core network element a user terminal access authentication request carrying the device identifier together with the user identifier signature data or the user identifier encrypted data.
The receiving unit 16 is configured to receive from the core network element a message containing the access admission message or access reject message that the core network element generated by authenticating the user terminal according to the device identifier and the encrypted data of the user identifier.
Optionally, the access device 1 of this embodiment may further include:
an access prohibition message sending unit 14, configured to send an access prohibition message to the user terminal when the judging unit 12 judges no.
Optionally, the access device 1 of this embodiment may further include:
an access admission message sending unit 17, configured to send an access admission message to the user terminal when the receiving unit 16 receives an access admission message from the core network element;
an access reject message sending unit 18, configured to send an access reject message to the user terminal when the receiving unit 16 receives an access reject message from the core network element.
In this embodiment, the access device (HNB) obtains the user identifier of the user terminal and judges from that identifier whether the user terminal is legitimate. If not, it refuses the user terminal access; if so, it sends the core network element (HLR) an access authentication request carrying its own device identifier and the encrypted data of the user identifier. After receiving the access request, the core network element performs access authentication of the user terminal according to the access device's device identifier and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device (HNB), and returns the resulting access admission message or access reject message to the access device. The access device (HNB) thereby obtains effective verification and management control over the identity of the user terminals it serves, protecting the interests of the HNB owner and of the operator.
The network device 2 is configured to receive from the access device 1 a user terminal access authentication request carrying the access device's device identifier and the encrypted data of the user terminal's user identifier; to obtain the corresponding decryption key according to the access device's device identifier and decrypt the encrypted data of the user identifier with it; and, if decryption fails, to treat access authentication as failed. Referring to FIG. 6, a schematic diagram of the composition of the network device 2 according to an embodiment of the present invention; the network device 2 may be a Home Location Register (HLR) or the like. The network device 2 of this example may be used to carry out the user terminal access management method of the embodiment. In a specific implementation, the network device 2 includes: an authentication request receiving unit 21, a storage unit 22, an authentication unit 23 and a sending unit 24.
The authentication request receiving unit 21 is configured to receive from the access device 1 a user terminal access authentication request carrying the access device's device identifier and the encrypted data of the user terminal's user identifier.
The storage unit 22 is configured to hold the user terminal admission list corresponding to each access device.
The authentication unit 23 is configured to obtain the corresponding decryption key according to the device identifier of the access device 1, decrypt the encrypted data of the user terminal's user identifier with that key and, if decryption fails, treat access authentication as failed. In a specific implementation, the authentication unit 23 may include:
a key obtaining unit 231, configured to use the device identifier of the access device 1 as an index to retrieve the corresponding public key, or the key shared with the access device 1;
a decryption unit 232, configured to decrypt the encrypted data of the user terminal's user identifier with the public key, or the key shared with the access device, obtained by the key obtaining unit 231;
an authentication executing unit 233, configured to determine that access authentication has failed when the decryption unit 232 fails to decrypt and, when the decryption unit 232 decrypts successfully, either to determine directly that access authentication has passed or to use the access device's device identifier to look up the user terminal admission list for that access device held in the storage unit 22 and check whether the user identifier is stored in it; if so, the user terminal's access authentication passes, otherwise the user terminal is refused access.
The sending unit 24 is configured to send an access admission message or an access reject message to the access device.
In this embodiment, the core network element receives from the access device a user terminal access authentication request carrying the access device's device identifier and the encrypted data of the user terminal's user identifier, performs access authentication of the user terminal according to that device identifier and encrypted data, determines whether the user terminal is permitted to access through the access device (HNB), and returns the resulting access admission message or access reject message to the access device. The access device (HNB) thereby obtains effective verification and management control over the identity of the user terminals it serves, protecting the interests of the HNB owner and of the operator.
In summary, in the embodiments of the present invention the access device (HNB) obtains the user identifier of the user terminal and judges from that identifier whether the user terminal is legitimate. If not, it refuses the user terminal access; if so, it sends the core network element (HLR) an access authentication request carrying its own device identifier and the encrypted data of the user identifier. After receiving the access request, the core network element performs access authentication of the user terminal according to the access device's device identifier and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device (HNB), and returns the resulting access admission or access reject message to the access device. The access device (HNB) thereby obtains effective verification and management control over the identity of the user terminals it serves, protecting the interests of the HNB owner and of the operator.
A person of ordinary skill in the art will understand that all or part of the procedures of the method embodiments above can be carried out by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the procedures of the method embodiments above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
The above discloses only preferred embodiments of the present invention and of course does not limit the scope of its claims; equivalent changes made in accordance with the claims of the present invention therefore still fall within the scope of the present invention.

Claims

1. A user terminal access method, comprising:
obtaining a user identifier from a user terminal;
judging from the user identifier whether the user terminal is legitimate and, if so, sending a core network element an access authentication request carrying the device identifier of the present device and encrypted data of the user identifier;
receiving a message from the core network element, the message comprising an access admission message or an access reject message generated by the core network element by performing access authentication of the user terminal according to the device identifier and the encrypted data of the user identifier.
2. The method of claim 1, wherein judging from the user identifier whether the user terminal is legitimate comprises:
judging whether the user identifier is present in a user terminal admission list stored on the present device under the configuration of a trusted platform module; if not, the user terminal is illegitimate, and if so, the user terminal is legitimate.
3. The method of claim 1, wherein sending the core network element an access authentication request carrying the device identifier of the present device and encrypted data of the user identifier comprises:
signing the user identifier with a platform identity authentication key maintained by a trusted platform module corresponding to the present device to generate user identifier signature data, and sending the core network element a user terminal access authentication request carrying the device identifier of the present device and the user identifier signature data.
4. The method of claim 1, wherein sending the core network element an access authentication request carrying the device identifier of the present device and encrypted data of the user identifier comprises:
encrypting the user identifier with a key shared with the core network element and maintained by a trusted platform module corresponding to the present device to generate user identifier encrypted data, and sending the core network element a user terminal access authentication request carrying the device identifier of the present device and the user identifier encrypted data.
5. The method of claim 2, further comprising, before obtaining the user identifier from the user terminal:
storing, under the configuration of a trusted platform module, a user terminal admission list holding the user identifiers of user terminals permitted to access.
6. The method of claim 1, wherein obtaining the user identifier from the user terminal comprises:
receiving a camping request from the user terminal;
sending a user terminal identifier request to the user terminal;
receiving the user identifier from the user terminal.
7. The method of claim 1, further comprising, after receiving the message from the core network element:
sending an access admission message or an access reject message to the user terminal.
8. The method of any one of claims 1 to 7, wherein the type of the user identifier of the user terminal comprises:
an International Mobile Subscriber Identity or a Mobile Station International ISDN Number.
9. The method of any one of claims 1 to 7, wherein the type of the core network element comprises:
a home location register or an access device home register.
10、 一种用户终端的接入管理方法, 其特征在于, 包括:  A method for access management of a user terminal, comprising:
接收来自接入设备的用户终端接入认证请求, 该请求携带有接入设备的设 备标识, 以及用户终端的用户标识的加密数据;  Receiving a user terminal access authentication request from the access device, where the request carries the device identifier of the access device and the encrypted data of the user identifier of the user terminal;
根据所述接入设备的设备标识, 获取相应的解密密钥, 以该解密密钥解密 所述用户终端的用户标识的加密数据, 若解密失败, 则接入认证失败。  Obtaining a corresponding decryption key according to the device identifier of the access device, and decrypting the encrypted data of the user identifier of the user terminal by using the decryption key. If the decryption fails, the access authentication fails.
11、 如权利要求 10所述的方法, 其特征在于, 若解密成功, 则根据所述接 入设备的设备标识查找并判断与所述接入设备对应的用户终端准入列表中是否 保存了所述用户标识, 当判断为是, 则对所述用户终端的接入认证通过。  The method of claim 10, wherein if the decryption is successful, searching for and determining whether the user terminal access list corresponding to the access device is saved according to the device identifier of the access device The user identifier is determined. If the determination is yes, the access authentication to the user terminal is passed.
12、 如权利要求 10所述的方法, 其特征在于, 所述用户终端的用户标识的 加密数据为接入设备基于可信平台模块维护的平台身份认证密钥对所述用户标 识进行签名, 生成的用户标识签名数据; 所述根据所述接入设备的设备标识, 获取相应的解密密钥, 以该解密密钥解密所述用户终端的用户标识的加密数据 包括: The method according to claim 10, wherein the encrypted data of the user identifier of the user terminal is used by the access device to sign the user identifier based on the platform identity authentication key maintained by the trusted platform module, and generate User identification signature data; the device identifier according to the access device, Obtaining a corresponding decryption key, and decrypting the encrypted data of the user identifier of the user terminal by using the decryption key includes:
以所述接入设备的设备标识为索引, 检索并获取与所述平台身份认证密钥 对应的解密公钥;  Retrieving and acquiring a decryption public key corresponding to the platform identity authentication key by using the device identifier of the access device as an index;
以所述解密公钥对所述用户标识签名数据进行验证, 解密获取所述用户标 识。  The user identification signature data is verified by the decryption public key, and the user identification is decrypted.
13、 如权利要求 10所述的方法, 其特征在于, 所述用户终端的用户标识的 加密数据为接入设备基于可信平台模块维护的与核心网网元的共享密钥对所述 用户标识进行加密, 生成的用户标识加密数据; 所述根据所述接入设备的设备 标识, 获取相应的解密密钥, 并以该解密密钥解密所述用户终端的用户标识的 加密数据的步骤包括:  The method according to claim 10, wherein the encrypted data of the user identifier of the user terminal is a shared key of the access device and the core network element maintained by the trusted platform module, and the user identifier is And performing the encryption, the generated user identifier is encrypted data; the step of acquiring the corresponding decryption key according to the device identifier of the access device, and decrypting the encrypted data of the user identifier of the user terminal by using the decryption key comprises:
获取所述接入设备与所述核心网网元的共享密钥, 以该共享密钥解密所述 用户标识加密数据, 获取所述用户标识。  Obtaining a shared key of the access device and the core network element, decrypting the user identifier encrypted data by using the shared key, and acquiring the user identifier.
14、 一种接入设备, 其特征在于, 包括:  14. An access device, comprising:
存储单元, 用于存储配置准许接入的用户终端的用户标识;  a storage unit, configured to store a user identifier of a user terminal configured to permit access;
用户标识获取单元, 用于获取来自用户终端的用户标识;  a user identifier obtaining unit, configured to acquire a user identifier from the user terminal;
判断单元, 用于判断所述存储单元是否保存了所述用户终端的用户标识; 认证处理单元, 用于当所述判断单元判断为是时, 向核心网网元发送携带 有本设备标识及所述用户标识的加密数据的接入认证请求;  a determining unit, configured to determine whether the storage unit stores the user identifier of the user terminal, and the authentication processing unit is configured to send, when the determining unit determines that the device identifier is An access authentication request for the encrypted data of the user identifier;
接收单元, 用于接收来自所述核心网网元的消息, 该消息包括所述核心网 网元根据所述本设备标识及所述所述用户标识的加密数据对用户终端进行接入 认证, 生成的接入准入消息或接入拒绝消息。  a receiving unit, configured to receive a message from the core network element, where the message includes: the core network element performs access authentication on the user terminal according to the local device identifier and the encrypted data of the user identifier, and generates Access access message or access reject message.
15、 如权利要求 14所述的接入设备, 其特征在于, 所述存储单元包括: 用户标识存储单元, 用于以所述核心网网元可信任的方式存储配置准许接 入的用户终端的用户标识;  The access device according to claim 14, wherein the storage unit comprises: a user identifier storage unit, configured to store, in a trusted manner of the core network element, a user terminal configured to permit access User ID;
密钥存储单元, 用于以所述核心网网元可信任的方式存储与所述核心网网 元数据传输的平台身份认证密钥或与核心网网元的共享密钥。 a key storage unit, configured to store and communicate with the core network network in a trusted manner by the core network element The platform identity authentication key for metadata transmission or the shared key with the core network element.
16、如权利要求 15所述的接入设备, 其特征在于, 所述认证处理单元包括: 加密单元, 用于以所述密钥存储单元中存储的所述平台身份认证密钥对所 述用户标识进行签名, 生成用户标识签名数据, 或以所述密钥存储单元中存储 的所述与核心网网元的共享密钥加密所述用户标识, 生成用户标识加密数据; 认证请求发送单元, 用于向核心网网元发送携带有本设备标识以及所述用 户标识签名数据或用户标识加密数据的用户终端接入认证请求。  The access device according to claim 15, wherein the authentication processing unit comprises: an encryption unit, configured to pair the user with the platform identity authentication key stored in the key storage unit The identifier is signed, the user identifier signature data is generated, or the user identifier is encrypted by using the shared key with the core network element stored in the key storage unit, and the user identifier encrypted data is generated; the authentication request sending unit uses The user terminal accessing the authentication request carrying the device identifier and the user identifier signature data or the user identifier encrypted data is sent to the core network element.
17、 如权利要求 16所述的接入设备, 其特征在于, 所述用户标识获取单元 包括:  The access device according to claim 16, wherein the user identifier obtaining unit comprises:
驻留请求接收单元, 用于接收来自用户终端的驻留请求;  a resident request receiving unit, configured to receive a resident request from the user terminal;
用户标识获取请求, 用于向所述用户终端发送用户标识获取请求; 用户标识接收单元, 用于接收来自用户终端的用户标识。  a user identifier obtaining request, configured to send a user identifier obtaining request to the user terminal, and a user identifier receiving unit, configured to receive a user identifier from the user terminal.
18、 如权利要求 14所述的接入设备, 其特征在于, 还包括:  The access device of claim 14, further comprising:
接入禁止消息发送单元, 用于在所述判断单元判断为否时, 向用户终端发 送接入禁止消息。  The access prohibition message sending unit is configured to send an access prohibition message to the user terminal when the determining unit determines to be no.
19、 如权利要求 14所述的接入设备, 其特征在于, 还包括:  The access device of claim 14, further comprising:
接入准入消息发送单元, 用于在所述接收单元接收到来自所述核心网网元 的接入准入消息时, 向用户终端发送接入准入消息;  An access admission message sending unit, configured to send an access admission message to the user terminal when the receiving unit receives an access admission message from the core network element;
接入拒绝消息发送单元, 用于在所述接收单元接收到来自所述核心网网元 的接入拒绝消息时向用户终端发送接入拒绝消息。  And an access reject message sending unit, configured to send an access reject message to the user terminal when the receiving unit receives the access reject message from the core network element.
20、 一种网络设备, 其特征在于, 包括:  20. A network device, comprising:
认证请求接收单元, 用于接收来自接入设备的携带有接入设备的设备标识 及用户终端的用户标识的加密数据的用户终端接入认证请求;  An authentication request receiving unit, configured to receive a user terminal accessing an authentication request from the access device that carries the device identifier of the access device and the encrypted data of the user identifier of the user terminal;
认证单元, 用于根据所述接入设备的设备标识, 获取相应的解密密钥, 并 以该解密密钥解密所述用户终端的用户标识的加密数据, 若解密失败, 则接入 认证失败。 The authentication unit is configured to obtain a corresponding decryption key according to the device identifier of the access device, and decrypt the encrypted data of the user identifier of the user terminal by using the decryption key. If the decryption fails, the access authentication fails.
21、 如权利要求 20所述的设备, 其特征在于, 所述认证单元包括: 密钥获取单元, 用于以所述接入设备的设备标识为索引, 检索并获取相应 的解密公钥或与接入设备的共享密钥; The device according to claim 20, wherein the authentication unit comprises: a key obtaining unit, configured to retrieve and acquire a corresponding decryption public key or with the device identifier of the access device as an index The shared key of the access device;
解密单元, 用于根据所述密钥获取单元所获取的所述解密公钥或与所述接 入设备的共享密钥解密所述用户终端的用户标识的加密数据;  a decrypting unit, configured to decrypt the encrypted data of the user identifier of the user terminal according to the decrypted public key acquired by the key obtaining unit or the shared key with the access device;
认证执行单元, 用于在所述解密单元解密失败时, 确定接入认证失败, 在 所述解密单元解密成功时, 直接确定接入认证通过或根据所述接入设备的设备 标识查找并判断与所述接入设备对应的用户终端准入列表中是否保存了所述用 户标识, 当判断为是, 则对所述用户终端的接入认证通过。  The authentication execution unit is configured to: when the decryption unit fails to decrypt, determine that the access authentication fails, and when the decryption unit decrypts successfully, directly determine whether the access authentication passes or according to the device identifier of the access device, finds and determines Whether the user identifier is saved in the user terminal access list corresponding to the access device, and if the determination is yes, the access authentication of the user terminal is passed.
22、 如权利要求 20或 21所述的设备, 其特征在于, 还包括:  The device according to claim 20 or 21, further comprising:
发送单元, 用于向接入设备发送接入准入消息或接入拒绝消息。  And a sending unit, configured to send an access admission message or an access rejection message to the access device.
23、 一种通信系统, 其特征在于, 包括接入设备和网络设备, 其中: 所述接入设备, 用于获取来自用户终端的用户标识; 根据所述用户标识判 断该用户终端是否合法, 若判断为是, 则向所述网络设备发送携带有本设备标 识及所述用户标识的加密数据的接入认证请求; 接收来自所述核心网网元的消 息, 该消息包括所述网络设备根据所述本设备标识及所述所述用户标识的加密 数据对用户终端进行接入认证生成的接入准入消息或接入拒绝消息。  A communication system, comprising: an access device and a network device, wherein: the access device is configured to acquire a user identifier from the user terminal; and determine, according to the user identifier, whether the user terminal is legal, if If the determination is yes, the device sends an access authentication request carrying the encrypted data of the device identifier and the user identifier to the network device, and receives a message from the core network element, where the message includes the network device according to the An access admission message or an access rejection message generated by the user equipment performing the access authentication by using the device identifier and the encrypted data of the user identifier.
所述网络设备, 用于接收来自接入设备的携带有接入设备的设备标识及用 户终端的用户标识的加密数据的用户终端接入认证请求; 根据所述接入设备的 设备标识, 获取相应的解密密钥, 以该解密密钥解密所述用户终端的用户标识 的加密数据, 若解密失败, 则接入认证失败。  The network device is configured to receive a user terminal access authentication request from the access device that carries the device identifier of the access device and the encrypted data of the user identifier of the user terminal; and obtain the corresponding according to the device identifier of the access device The decryption key decrypts the encrypted data of the user identifier of the user terminal with the decryption key, and if the decryption fails, the access authentication fails.
24、 如权利要求 23所述的通信系统, 其特征在于, 所述接入设备的类型包 括: 基站、 家用基站、数字用户接入复用器 DLSAM、机顶盒 STB、调制解调器、 家庭网关、 用户驻地设备、 手机或个人电脑。  The communication system according to claim 23, wherein the type of the access device comprises: a base station, a home base station, a digital user access multiplexer DLSAM, a set top box STB, a modem, a home gateway, and a user premises equipment. , cell phone or personal computer.
25、 如权利要求 23所述的通信系统, 其特征在于, 所述网络设备的类型包 括: 归属位置寄存器或接入设备归属地寄存器。  The communication system according to claim 23, wherein the type of the network device comprises: a home location register or an access device home location register.
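The following is an added illustration of the exchange the claims describe, written for this page and not taken from the patent or from any Huawei code. It models the shared-key variant (claims 4 and 13) and the core-network decision logic (claims 10, 11 and 21): the access device checks its local admission list, protects the user identifier under the key it shares with the core network, and sends the request with its device identifier; the core network looks the key up by that identifier and treats a failed check as "decryption failed". Everything concrete is an assumption: the shared key is a 32-byte secret provisioned out of band (TPM protection of that key, claim 15, is not modelled); "encryption" is realised with stdlib-only HMAC-SHA256 in counter mode plus an HMAC tag, encrypt-then-MAC, so that a wrong key, a spoofed device identifier or tampering all surface as a tag failure; device identifiers and IMSIs are constructed. The claims say nothing about freshness, so the per-request nonce and the replay check are additions made to show why a practitioner would want them. The signature variant (claims 3 and 12) differs only in the primitive: the core network would index a public key by device identifier and verify a signature instead.

```python
"""Simulation of the access-device <-> core-network authentication of WO2009155812A1 (shared-key variant).
Added example; identifiers, keys and the HMAC-based construction are assumptions, not the patent's design."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

ADMIT = "ACCESS_ADMIT"      # access admission message (claims 7, 22)
REJECT = "ACCESS_REJECT"    # access rejection message
BARRED = "ACCESS_BARRED"    # access prohibition message sent locally by the access device (claim 18)


def _subkey(shared_key: bytes, label: bytes) -> bytes:
    """Per-purpose key from the device's shared key (assumption: HMAC as a simple KDF)."""
    return hmac.new(shared_key, label, hashlib.sha256).digest()


def _xor_keystream(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stream cipher; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(k_enc, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def protect_user_id(shared_key: bytes, device_id: bytes, user_id: bytes, nonce: bytes) -> tuple[bytes, bytes]:
    """Access-device side of claim 4: encrypt-then-MAC the user identifier.
    The tag also covers device_id and nonce, so the ciphertext is bound to the claimed device."""
    ct = _xor_keystream(_subkey(shared_key, b"enc"), nonce, user_id)
    tag = hmac.new(_subkey(shared_key, b"mac"), device_id + nonce + ct, hashlib.sha256).digest()
    return ct, tag


def unprotect_user_id(shared_key: bytes, device_id: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes | None:
    """Core-network side of claim 13. None means 'decryption failed': the tag does not verify
    under the key indexed by device_id (wrong key, spoofed identifier, or tampered data)."""
    expected = hmac.new(_subkey(shared_key, b"mac"), device_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor_keystream(_subkey(shared_key, b"enc"), nonce, ct)


@dataclass
class CoreNetwork:
    """HLR / access device home location register of claims 10, 11 and 20 to 22."""
    device_keys: dict[bytes, bytes]                 # device identifier -> shared key
    device_admission: dict[bytes, set[bytes]]        # device identifier -> core-side admission list (claim 11)
    seen_nonces: set[bytes] = field(default_factory=set)

    def authenticate(self, req: dict) -> str:
        key = self.device_keys.get(req["device_id"])
        if key is None:
            return REJECT                            # no key indexed by this device identifier
        if req["nonce"] in self.seen_nonces:
            return REJECT                            # replay of a captured request (assumption: nonce tracking)
        user_id = unprotect_user_id(key, req["device_id"], req["nonce"], req["ct"], req["tag"])
        if user_id is None:
            return REJECT                            # claim 10: decryption failed -> authentication failed
        self.seen_nonces.add(req["nonce"])
        allowed = self.device_admission.get(req["device_id"])
        if allowed is not None and user_id not in allowed:
            return REJECT                            # claim 11: identifier not in this device's admission list
        return ADMIT


@dataclass
class AccessDevice:
    """Home base station / gateway of claims 1, 4 and 14 to 19."""
    device_id: bytes
    shared_key: bytes                                # TPM-protected in claim 15; plain bytes in this model
    admission_list: set[bytes]                       # claim 5: locally configured user terminal admission list

    def build_request(self, user_id: bytes, nonce: bytes | None = None) -> dict:
        nonce = nonce or os.urandom(16)
        ct, tag = protect_user_id(self.shared_key, self.device_id, user_id, nonce)
        return {"device_id": self.device_id, "nonce": nonce, "ct": ct, "tag": tag}

    def handle_camping_request(self, user_id: bytes, core: CoreNetwork) -> str:
        """Claims 6, 7, 18: identifier obtained from the terminal, local list check, then the core's verdict."""
        if user_id not in self.admission_list:
            return BARRED                            # refused locally; nothing is sent to the core network
        return core.authenticate(self.build_request(user_id))


def run_scenarios() -> dict[str, str]:
    """Constructed sample data: the device identifiers, IMSIs and keys below are made up."""
    imsi_ok, imsi_other, imsi_unlisted = b"460001234567890", b"460009876543210", b"460005555555555"
    hnb_key = os.urandom(32)
    core = CoreNetwork(device_keys={b"HNB-0001": hnb_key},
                       device_admission={b"HNB-0001": {imsi_ok}})   # core list narrower than the device's
    hnb = AccessDevice(b"HNB-0001", hnb_key, {imsi_ok, imsi_other})
    rogue = AccessDevice(b"HNB-0001", os.urandom(32), {imsi_ok})     # spoofs the identifier, lacks the key
    unknown = AccessDevice(b"HNB-9999", os.urandom(32), {imsi_ok})   # never registered with the core
    results = {
        "listed user, genuine device": hnb.handle_camping_request(imsi_ok, core),
        "user not on device list": hnb.handle_camping_request(imsi_unlisted, core),
        "user on device list but not core list": hnb.handle_camping_request(imsi_other, core),
        "spoofed device id, wrong key": rogue.handle_camping_request(imsi_ok, core),
        "unregistered device id": unknown.handle_camping_request(imsi_ok, core),
    }
    captured = hnb.build_request(imsi_ok)
    results["first use of captured request"] = core.authenticate(captured)
    results["replay of captured request"] = core.authenticate(captured)
    tampered = dict(captured, nonce=os.urandom(16), ct=bytes(b ^ 0x01 for b in captured["ct"]))
    results["tampered ciphertext"] = core.authenticate(tampered)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:42s} -> {outcome}")
```

The scenarios make the claims' split of responsibility visible: a terminal missing from the access device's own list is barred locally and never reaches the core network, while every request that does reach the core is accepted only if the key indexed by the claimed device identifier verifies it, so a device that merely copies another device's identifier gets the same rejection as tampered data. The core-side list of claim 11 is the second, independent check that stops a compromised access device from admitting terminals the operator never provisioned for it.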
PCT/CN2009/071856 2008-06-23 2009-05-19 Terminal access method, access management method, network equipment and communication system WO2009155812A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810029121 2008-06-23
CN200810029121.3 2008-06-23

Publications (1)

Publication Number Publication Date
WO2009155812A1 true WO2009155812A1 (en) 2009-12-30

Family

ID=41444004

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/071856 WO2009155812A1 (en) 2008-06-23 2009-05-19 Terminal access method, access management method, network equipment and communication system

Country Status (1)

Country Link
WO (1) WO2009155812A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6275941B1 (en) * 1997-03-28 2001-08-14 Hitachi, Ltd. Security management method for network system
CN1444362A (en) * 2002-03-08 2003-09-24 华为技术有限公司 Distribution method of wireless local area network encrypted keys
CN1725687A (en) * 2005-01-26 2006-01-25 杭州华为三康技术有限公司 Security identification method
CN101048972A (en) * 2004-10-29 2007-10-03 韩国电子通信研究院 Method and system for user authentication in home network system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102158394A (en) * 2011-01-30 2011-08-17 福建星网锐捷网络有限公司 Attack prevention method for virtual router redundancy protocol router and access equipment
CN102158394B (en) * 2011-01-30 2013-11-20 福建星网锐捷网络有限公司 Attack prevention method for virtual router redundancy protocol router and access equipment
CN111770087A (en) * 2020-06-29 2020-10-13 深圳市网心科技有限公司 Service node verification method and related equipment
CN111918292A (en) * 2020-09-02 2020-11-10 中国联合网络通信集团有限公司 Access method and device

Similar Documents

Publication Publication Date Title
US10638321B2 (en) Wireless network connection method and apparatus, and storage medium
JP3869392B2 (en) User authentication method in public wireless LAN service system and recording medium storing program for causing computer to execute the method
KR100832893B1 (en) A method for the access of the mobile terminal to the WLAN and for the data communication via the wireless link securely
US8411562B2 (en) Network system and method for providing an ad-hoc access environment
CN103596173B (en) Wireless network authentication method, client and service end wireless network authentication device
CN102111766B (en) Network accessing method, device and system
JP4170912B2 (en) Use of public key pairs at terminals to authenticate and authorize telecommunications subscribers to network providers and business partners
EP2879421B1 (en) Terminal identity verification and service authentication method, system, and terminal
DK2924944T3 (en) Presence authentication
WO2003088571A1 (en) System and method for secure wireless communications using pki
WO2009074082A1 (en) Access controlling method?system and device
JP3973961B2 (en) Wireless network connection system, terminal device, remote access server, and authentication function device
CN106559785B (en) Authentication method, device and system, access device and terminal
CN111885604B (en) Authentication method, device and system based on heaven and earth integrated network
WO2011022950A1 (en) Service access method, system and device based on wlan access authentication
KR20150053912A (en) Method and devices for registering a client to a server
CN112566119A (en) Terminal authentication method and device, computer equipment and storage medium
WO2007104248A1 (en) Method, system, apparatus and bsf entity for preventing bsf entity from attack
JP2007506329A (en) Method for improving WLAN security
WO2013149426A1 (en) Method, device and system for authenticating access for application to smart card
JP3964338B2 (en) Communication network system, communication terminal, authentication device, authentication server, and electronic authentication method
JP2024501326A (en) Access control methods, devices, network equipment, terminals and blockchain nodes
WO2009155812A1 (en) Terminal access method, access management method, network equipment and communication system
JP7312279B2 (en) MOBILE NETWORK ACCESS SYSTEM, METHOD, STORAGE MEDIUM AND ELECTRONIC DEVICE
WO2008148348A1 (en) Communication method, system, and home bs

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 09768737; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 09768737; Country of ref document: EP; Kind code of ref document: A1)