WO2009155812A1 - Terminal access method, access management method, network device and communication system - Google Patents


Info

Publication number
WO2009155812A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
user terminal
user
identifier
user identifier
Prior art date
Application number
PCT/CN2009/071856
Other languages
English (en)
Chinese (zh)
Inventor
王绍斌
张宁
位继伟
尹瀚
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2009155812A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • Terminal access method, access management method, network device, and communication system. This application claims priority to Chinese Patent Application No. 200810029121.3, filed with the Chinese Patent Office on June 23, 2008 and entitled "Terminal access method, access management method, network device, and communication system", which is incorporated herein by reference in its entirety.
  • The present invention relates to the field of communications, and in particular to a user terminal access method, an access management method, a communication system, an access device, and a network device.
  • Background:
  • A Home NodeB (HNB) is a home-based micro base station. Users can deploy such base stations in hotspot coverage areas such as homes and offices and access the mobile communication network through the Internet, obtaining higher bandwidth, more reliable quality and more economical wireless communication services indoors.
  • The introduction of the Home NodeB removes the bottleneck at the wireless interface for wireless data services, enabling users to enjoy high-speed, high-bandwidth network services.
  • For a traditional macro base station with a large coverage area (hereinafter the macro Node B), the placement of network nodes is mostly planned by the operator in advance and the network is deployed according to that plan. The time, location and configuration of a macro Node B's access are therefore already known to the wireless network, so when a macro Node B requests access it only needs to be configured with the access parameters specified by the network, and its access is completed without any special control mechanism. For a network node of the same carrier, any mobile user registered in the network can establish a wireless link through the base station, and access control of the user equipment (UE) only needs to be performed on the core network side.
  • The inventor has found that the prior art has at least the following drawbacks. Since the HNB service is generally a personal application of a home or business user, from the user's perspective the HNB is a private device that its owner does not wish to be used by others. From the operator's perspective, HNB coverage is normally more favorable than macro-network coverage, so the operator wants to decide and limit who may use the HNB. In the prior art, the admission decision for a UE is made by a core network element, which increases the processing burden of that element and leaves open the possibility that an illegal UE attacks the core network through access requests.
  • The embodiments of the present invention provide an access method, an access management method, an access device and a network device for a user terminal, which effectively verify the legitimacy of a user accessing the core network through the access device and protect the interests of both the user and the operator.
  • An embodiment of the present invention provides a method for accessing a user terminal, including:
  • The message includes the access admission message or access reject message generated by the core network element performing access authentication on the user terminal according to the identifier of the local device and the encrypted data of the user identifier.
  • the embodiment of the invention further provides an access management method for a user terminal, including:
  • An embodiment of the present invention provides an access device, including: a storage unit, configured to store the user identifiers of user terminals that are configured as permitted to access; a user identifier obtaining unit, configured to acquire a user identifier from the user terminal;
  • a determining unit, configured to determine whether the storage unit stores the user identifier of the user terminal;
  • an authentication processing unit, configured to deny the access of the user terminal when the determining unit determines no, and to send an access authentication request carrying the device identifier and the encrypted data of the user identifier to the core network element when the determining unit determines yes;
  • a receiving unit, configured to receive a message from the core network element, where the message includes the access admission message or access reject message generated by the core network element performing access authentication on the user terminal according to the local device identifier and the encrypted data of the user identifier.
  • An embodiment of the present invention further provides a network device, including:
  • an authentication request receiving unit, configured to receive from the access device a user terminal access authentication request that carries the device identifier of the access device and the encrypted data of the user identifier of the user terminal;
  • an authentication unit, configured to obtain the corresponding decryption key according to the device identifier of the access device and to decrypt the encrypted data of the user identifier of the user terminal with that key; if the decryption fails, the access authentication fails.
  • The embodiment of the present invention further provides a communication system, including an access device and a network device, where:
  • the access device is configured to obtain a user identifier from the user terminal and determine, according to the user identifier, whether the user terminal is legal; if the determination is no, the user terminal is denied access, and if the determination is yes, the access device sends to the network device an access authentication request carrying the device identifier and the encrypted data of the user identifier, and receives a message from the network device, where the message includes the access admission message or access reject message generated by the network device performing access authentication on the user terminal according to the device identifier and the encrypted data of the user identifier;
  • the network device is configured to receive from the access device a user terminal access authentication request carrying the device identifier of the access device and the encrypted data of the user identifier of the user terminal, obtain the corresponding decryption key according to the device identifier of the access device, and decrypt the encrypted data of the user identifier with that key; if the decryption fails, the access authentication fails.
  • The access device obtains the user identifier of the user terminal and determines whether the user terminal is legal according to that identifier. If the determination is no, the user terminal is denied access. If the determination is yes, an access authentication request carrying the device identifier and the encrypted data of the user identifier is sent to the core network element (e.g., the HLR). After receiving the access request message, the core network element performs access authentication on the user terminal according to the access device identifier and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device, and returns the resulting access admission or access reject message to the access device. The access device thereby effectively verifies and manages the identity of the accessing user terminal, protecting the interests of the access device owner and the operator.
  • FIG. 1 is a schematic flowchart of a method for accessing a user terminal according to an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a method for access management of a user terminal according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of an interaction process of admission control of a user terminal according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of the composition of a communication system according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of an access device according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of the composition of a network device according to an embodiment of the present invention.
  • Detailed description:
  • The access device may be a base station, a home base station, a digital subscriber line access multiplexer (DSLAM), a set-top box (STB), a modem, a home gateway, a customer premises equipment, a user terminal such as a mobile phone or a personal computer, and the like.
  • The following embodiment uses an access device that is a Home NodeB (HNB) as an example.
  • The core network element may be a home location register (HLR) or an access device home register (AHR).
  • FIG. 1 is a schematic flowchart of a method for accessing a user terminal according to an embodiment of the present invention, including:
  • Obtaining the user identifier of the user terminal, which may proceed as follows: when the user terminal is handed over from the macro base station into the coverage area of the HNB, or is powered on within the coverage area of the HNB, the user terminal sends a camping request to the HNB; after receiving the camping request, the HNB sends a user identifier acquisition request to the user terminal; after receiving the acquisition request, the user terminal sends its own user identifier to the HNB.
  • The user identifier of the user terminal uniquely identifies the identity of the user terminal and may be an IMSI (International Mobile Subscriber Identification Number) or an MSISDN (Mobile Station International ISDN Number).
  • 102. Determine, according to the user identifier, whether the user terminal is legal. If the determination is no, the user terminal is denied access. If the determination is yes, send an access authentication request carrying the device identifier and the encrypted data of the user identifier.
  • The TPM (Trusted Platform Module) is a microcontroller based on the industry standard specification of the TCG (Trusted Computing Group).
  • The TPM defined in the TCG Trusted Platform Module Specification is a microcontroller that stores keys, passwords and digital certificates and provides strong cryptographic functions; it can be integrated on the HNB device board.
  • The TPM contains cryptographic and storage components embedded in the computing platform, similar to a smart card chip. As components of the trusted platform, the components of the TPM are trusted to work properly.
  • The TCG Software Stack specification is the standard API specification for accessing the TPM.
  • The trusted computing platform has three main characteristics: protected capabilities, attestation, and integrity measurement, logging and reporting.
  • Determining whether the user terminal is legal according to the user identifier means determining whether the user identifier exists in the user terminal access list that the device stores on the basis of the trusted platform module; if the determination is no, the user terminal is illegal.
  • Encrypting the user identifier to generate the encrypted data of the user identifier may be implemented as follows. Under an asymmetric mechanism, the access device signs the user identifier with the platform identity authentication key maintained by the trusted platform module of the device, generating user identifier signature data. Under a symmetric mechanism, the access device encrypts the user identifier with the key it shares with the core network element, maintained by the trusted platform module of the device, generating user identifier encrypted data. In either case the storage and maintenance of the key are handled by the TPM to ensure data integrity and security.
  • The user terminal access list storing the user identifiers of the user terminals permitted to access is configured in the HNB, and the access authentication network element in the core network that corresponds to the HNB also saves a user terminal access list corresponding to that HNB. The user terminal access list stores the user identifiers of the user terminals that are allowed to use the HNB device to access the core network, and the user can maintain it through the customer service channel. The user identifiers saved in the list can be modified by adding, replacing or deleting. The user terminal access list can also be modified by logging in to the customer service website with a user name and password, through the customer service phone, or on the HNB device through a password or key access mechanism.
  • Sending the user terminal access authentication request carrying the device identifier and the encrypted data of the user identifier to the core network element may be done as follows: the HNB signs the user identifier with the platform identity authentication key pair it stores, generating user identifier signature data, and sends the user terminal access authentication request carrying the device identifier and the user identifier signature data to the core network element.
  • When the core network element's access authentication of the user terminal according to the device serial number and the user identifier succeeds, the core network element sends an access admission message to the HNB, notifying it that the user terminal is a legal user and access is allowed; optionally, the HNB further sends an access admission message to the user terminal, informing it that it can access the core network through the HNB.
  • When the core network element's access authentication of the user terminal according to the device serial number and the user identifier fails, the core network element sends an access reject message to the HNB, notifying it that the user terminal belongs to an illegal user, has no access rights and is refused access.
  • The HNB may further send an access reject message to the user terminal, informing it that it is denied access to the core network through the HNB.
  • In this way, the access device obtains the user identifier of the user terminal and determines whether the user terminal is legal according to that identifier. If the determination is no, the user terminal is denied access. If the determination is yes, an access authentication request carrying the device identifier and the encrypted data of the user identifier is sent to the core network element (HLR). After receiving the access request message, the core network element performs access authentication on the user terminal according to the access device identifier and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device (HNB), and returns the resulting access admission or access reject message to the access device. The access device (HNB) thereby effectively verifies and manages the identity of the accessing user terminal, protecting the interests of the access device (HNB) owner and the operator.
  • FIG. 2 is a schematic flowchart of a method for access management of a user terminal according to an embodiment of the present invention, including:
  • 201. Receive from an access device a user terminal access authentication request that carries the device identifier of the access device and the encrypted data of the user identifier of the user terminal.
  • Encrypting the user identifier to generate the encrypted data of the user identifier may be implemented as follows. Under an asymmetric mechanism, the access device signs the user identifier with the platform identity authentication key maintained by the trusted platform module of the device, generating user identifier signature data. Under a symmetric mechanism, the access device encrypts the user identifier with the key it shares with the core network element, maintained by the trusted platform module of the device, generating user identifier encrypted data.
  • If decrypting the encrypted data with the decryption key obtained for the device identifier fails, the key with which the user identifier was encrypted does not match the decryption key, that is, the identity of the HNB is not trusted, and the access authentication fails. If the decryption succeeds, the identity of the HNB is trusted, and the access authentication can be considered passed. To further ensure the reliability of the authentication, when the decryption succeeds the device identifier of the access device may be used to look up the user terminal access list corresponding to the access device and determine whether the user identifier is saved in it; if yes, the access authentication of the user terminal passes, otherwise the user terminal is denied access.
  • Under the asymmetric mode, obtaining the corresponding decryption key according to the device identifier of the access device and decrypting the encrypted data of the user identifier with it includes: using the device identifier of the access device as an index, retrieving the decryption public key corresponding to the platform identity authentication key; and verifying the user identifier signature data with that public key, thereby recovering the user identifier.
  • Under the symmetric mode, obtaining the corresponding decryption key according to the device identifier of the access device and decrypting the encrypted data of the user identifier with it includes: obtaining the key shared between the access device and the core network element, and decrypting the encrypted data of the user identifier with that shared key.
  • The core network element may be a network device such as the home location register (HLR).
  • The core network element receives from the access device the user terminal access authentication request carrying the device identifier of the access device and the encrypted data of the user identifier, performs access authentication on the user terminal according to the device identifier and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device (HNB), and returns the resulting access admission or access reject message to the access device. This implements effective verification and management control by the access device (HNB) of the identity of the accessing user terminal, and protects the interests of the access device (HNB) owner and the operator.
  • FIG. 3 is a schematic diagram of an interaction process of user terminal admission control according to an embodiment of the present invention. A UE is the user terminal, an HNB is the access device, and the HLR is the core network element that authenticates the authentication request from the HNB (it may of course also be another network element device with similar capabilities). The method includes:
  • The UE sends a camping request to the HNB, either when the UE is handed over from the macro base station into the HNB coverage area or when the UE is powered on within the HNB coverage area.
  • After receiving the camping request, the HNB sends a user identifier obtaining request to the UE.
  • The UE sends its user identifier to the HNB. The user identifier uniquely identifies the user terminal and may be an IMSI (International Mobile Subscriber Identification Number) or an MSISDN (Mobile Station International ISDN Number).
  • The HNB obtains the user identifier and, using it as an index, queries the UE admission list held in the HNB's secure storage to determine whether the user identifier exists in the admission list. If it exists, the HNB signs the user identifier to generate user identifier signature data and executes 305; otherwise it executes 306.
  • The user terminal access list storing the user identifiers of the user terminals permitted to access is configured on the HNB, and the access authentication network element in the core network that corresponds to the HNB also saves a user terminal access list corresponding to that HNB. The user terminal access list stores the user identifiers of the user terminals that are allowed to use the HNB device to access the core network, and the user can maintain it through the customer service channel. The user identifiers saved in the list can be modified by adding, replacing or deleting. The user terminal access list can also be modified by logging in to the customer service website with a user name and password, through the customer service phone, or on the HNB device through a password or key access mechanism.
  • Based on the secure platform provided by the TPM, the HNB signs the user identifier with the platform identity authentication key stored in the TPM to generate user identifier signature data.
  • If the user identifier does not exist in the user terminal access list, the user corresponding to the user identifier is not allowed to access, and 306 is performed.
  • 305. The HNB sends an access authentication request carrying the HNB device identifier and the user identifier signature data to the HLR.
  • 306. The HNB sends an access prohibition message to the UE.
  • The HLR obtains the HNB device identifier and the user identifier signature data, uses the HNB device identifier as an index to search its database for the corresponding decryption public key, and verifies the user identifier signature data with that public key. If the verification succeeds, the user identifier is recovered; the HLR then uses the HNB device identifier as an index to fetch the user terminal access list it holds for that HNB and determines whether the user identifier exists in the list. If yes, the authentication passes and access is granted with an access admission message; otherwise the authentication fails, access is refused and an access reject message is sent.
  • The HLR sends the access admission message or the access reject message to the HNB.
  • The HNB sends the access admission message or the access reject message to the UE.
  • In this way the access device obtains the user identifier of the user terminal, determines whether that identifier is saved, and denies the access of the user terminal when it is not. When it is saved, the access device sends to the core network element a user terminal access authentication request carrying the device identifier and the user identifier of the user terminal; after receiving the access request message, the core network element performs access authentication on the user terminal according to the access device identifier and the user identifier, determines whether the user terminal is permitted to access through the access device, and returns the resulting access admission or access reject message to the access device. The access device thereby effectively verifies and manages the identity of the accessing user terminal, protecting the interests of the access device owner and the operator.
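The admission flow of FIG. 3 as an added example (not code from the patent or its assignee): the HNB checks its own admission list before anything reaches the core network, then the HLR looks up the key for the device identifier, verifies the signed identifier, and checks its own per-HNB list. HMAC-SHA256 over a key shared between HNB and HLR stands in for the TPM-held platform identity key (the page's symmetric variant, with the identifier sent alongside its tag), and all identifiers, keys and list contents are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample values (not from the patent): IMSI-like user identifiers.
ALICE = "460001234567890"    # in both the HNB list and the HLR list
BOB = "460009876543210"      # added locally on the HNB, not yet in the HLR list
MALLORY = "460005555555555"  # in neither list


def tag(key: bytes, device_id: str, user_id: str) -> str:
    """Keyed integrity tag binding the user identifier to the device identifier.
    Stands in for the signature made with the TPM-held platform identity key."""
    return hmac.new(key, f"{device_id}|{user_id}".encode(), hashlib.sha256).hexdigest()


@dataclass
class HomeLocationRegister:
    """Core network element. Holds, per registered HNB, the verification key
    (indexed by device identifier) and that HNB's user terminal access list."""
    device_keys: dict = field(default_factory=dict)
    device_lists: dict = field(default_factory=dict)
    requests_seen: int = 0

    def authenticate(self, request: dict) -> str:
        # 307: look up the key by device identifier, verify, then check the list.
        self.requests_seen += 1
        dev, uid = request["device_id"], request["user_id"]
        key = self.device_keys.get(dev)
        if key is None:
            return "REJECT:unknown-device"
        if not hmac.compare_digest(tag(key, dev, uid), request["signature"]):
            # The page's "decryption fails" case: the HNB's identity is not trusted.
            return "REJECT:signature-invalid"
        if uid not in self.device_lists.get(dev, set()):
            return "REJECT:not-in-core-list"
        return "ADMIT"


@dataclass
class HomeNodeB:
    """Access device. admission_list and platform_key are the values the patent
    keeps in TPM-protected storage; they are ordinary fields in this example."""
    device_id: str
    platform_key: bytes
    admission_list: set = field(default_factory=set)

    def handle_camping_request(self, user_id: str, hlr: HomeLocationRegister) -> str:
        # 304: local check first, so unknown users never reach the core network.
        if user_id not in self.admission_list:
            return "REJECT:not-in-hnb-list"          # 306: access prohibition to the UE
        request = {                                  # 305: request to the HLR
            "device_id": self.device_id,
            "user_id": user_id,
            "signature": tag(self.platform_key, self.device_id, user_id),
        }
        return hlr.authenticate(request)             # 308/309: verdict forwarded to the UE


def run_scenario() -> dict:
    """Four admission attempts against one HLR; returns the verdict per case plus
    how many requests actually reached the core network element."""
    hlr = HomeLocationRegister(
        device_keys={"HNB-001": b"constructed-shared-key-001"},
        device_lists={"HNB-001": {ALICE}},
    )
    genuine = HomeNodeB("HNB-001", b"constructed-shared-key-001", {ALICE, BOB})
    # An HNB presenting the same device identifier but not holding the registered key.
    impostor = HomeNodeB("HNB-001", b"some-other-key", {ALICE})
    verdicts = {
        "alice@genuine": genuine.handle_camping_request(ALICE, hlr),
        "bob@genuine": genuine.handle_camping_request(BOB, hlr),
        "mallory@genuine": genuine.handle_camping_request(MALLORY, hlr),
        "alice@impostor": impostor.handle_camping_request(ALICE, hlr),
    }
    verdicts["hlr_requests_seen"] = hlr.requests_seen
    return verdicts


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case}: {verdict}")
```

Only three of the four attempts reach the HLR: the identifier absent from the HNB's own list is refused locally, which is the offloading and core-network protection the background section argues for.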
  • FIG. 4 is a schematic diagram of the composition of a communication system according to an embodiment of the present invention.
  • The communication system includes an access device 1 and a network device 2. The access device 1 is configured to acquire a user identifier from a user terminal and determine, according to the user identifier, whether the user terminal is legal. If the determination is no, the user terminal is denied access; if the determination is yes, the access device 1 sends an access authentication request carrying the device identifier and the encrypted data of the user identifier.
  • FIG. 5 is a schematic diagram of the configuration of an access device 1 according to an embodiment of the present invention.
  • The access device 1 in this example may be used to perform the method for accessing a user terminal according to the embodiment of the present invention.
  • The access device 1 includes: a storage unit 13, a user identifier obtaining unit 11, a determining unit 12, an authentication processing unit 15 and a receiving unit 16.
  • The storage unit 13 is configured to store the user identifiers of the user terminals that are configured as permitted to access; the storage unit 13 may include:
  • a user identifier storage unit 131, configured to store, in a manner trusted by the core network element, the user identifiers of the user terminals that are allowed to access;
  • a key storage unit 132, configured to store, in a manner trusted by the core network element, the platform identity authentication key exchanged with the core network element or the key shared with the core network element.
  • The user identifier storage unit 131 and the key storage unit 132 are maintained according to the secure storage mechanism and key storage mechanism defined by the TPM specification. Because of this, the configured user identifiers of permitted user terminals stored in the user identifier storage unit 131 of the access device, and the platform identity authentication key or shared key stored in the key storage unit 132, may be considered trusted by the core network element.
  • The user identifier obtaining unit 11 is configured to obtain the user identifier from the user terminal, and may include:
  • a camping request receiving unit 111, configured to receive a camping request from the user terminal;
  • a user identifier obtaining request sending unit 112, configured to send a user identifier obtaining request to the user terminal; and
  • a user identifier receiving unit 113, configured to receive the user identifier from the user terminal.
  • The determining unit 12 is configured to determine whether the storage unit 13 saves the user identifier of the user terminal.
  • The authentication processing unit 15 is configured to reject the access of the user terminal when the determining unit 12 determines no, and to send an access authentication request carrying the device identifier and the encrypted data of the user identifier to the core network element when the determining unit 12 determines yes.
  • The authentication processing unit 15 may include:
  • a rejecting unit 151, configured to reject the access of the user terminal when the determining unit 12 determines no;
  • an encryption unit 152, configured to sign the user identifier with the platform identity authentication key stored in the key storage unit 132, generating user identifier signature data, or to encrypt the user identifier with the key shared with the core network element stored in the key storage unit 132, generating user identifier encrypted data; and
  • an authentication request sending unit 153, configured to send to the core network element a user terminal access authentication request carrying the device identifier and the user identifier signature data or the user identifier encrypted data.
  • The receiving unit 16 is configured to receive a message from the core network element, where the message includes the access admission message or access reject message generated by the core network element performing access authentication on the user terminal according to the local device identifier and the encrypted data of the user identifier.
  • The access device 1 in this embodiment may further include:
  • an access prohibition message sending unit 14, configured to send an access prohibition message to the user terminal when the determining unit 12 determines no.
  • The access device 1 in this embodiment may further include:
  • an access admission message sending unit 17, configured to send an access admission message to the user terminal when the receiving unit 16 receives the access admission message from the core network element;
  • an access reject message sending unit 18, configured to send an access reject message to the user terminal when the receiving unit 16 receives the access reject message from the core network element.
  • In summary, the access device obtains the user identifier of the user terminal and determines, according to the user identifier, whether the user terminal is legal. If the determination is NO, the user terminal is denied access. If the determination is YES, the access device sends to the core network element (HLR) an access authentication request carrying the device identifier and the encrypted data of the user identifier. After receiving the access authentication request, the core network element performs access authentication on the user terminal according to the device identifier of the access device and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device (HNB), and returns the resulting access admission message or access rejection message to the access device. The access device (HNB) thereby performs effective verification and management control of the identity of the user terminal that accesses it, protecting the interests of the access device (HNB) owner and of the operator.
  • the network device 2 is configured to receive from the access device 1 a user terminal access authentication request carrying the device identifier of the access device and the encrypted data of the user identifier of the user terminal; to obtain the corresponding decryption key according to the device identifier of the access device; and to decrypt the encrypted data of the user identifier of the user terminal with the decryption key, where, if the decryption fails, the access authentication fails.
  • FIG. 6 is a schematic diagram of the composition of the network device 2 according to the embodiment of the present invention.
  • the network device 2 in the embodiment of the present invention may be a home location register (HLR) or the like.
  • the network device 2 in this example may be used to perform the user terminal access management method of the embodiment of the present invention.
  • the network device 2 includes: an authentication request receiving unit 21, a storage unit 22, an authentication unit 23, and a sending unit 24.
  • the authentication request receiving unit 21 is configured to receive from the access device 1 a user terminal access authentication request carrying the device identifier of the access device and the encrypted data of the user identifier of the user terminal;
  • the storage unit 22 is configured to save the user terminal access list corresponding to the access device;
  • the authentication unit 23 is configured to obtain the corresponding decryption key according to the device identifier of the access device 1 and to decrypt the encrypted data of the user identifier of the user terminal using the decryption key; if the decryption fails, the access authentication fails.
  • the authentication unit 23 may include:
  • the key obtaining unit 231 is configured to retrieve and obtain a corresponding decryption public key or a shared key with the access device 1 by using the device identifier of the access device 1 as an index;
  • the decryption unit 232 is configured to decrypt the encrypted data of the user identifier of the user terminal according to the decryption public key acquired by the key obtaining unit 231 or the shared key of the access device;
  • the authentication execution unit 233 is configured to determine that the access authentication fails when the decryption unit 232 fails to decrypt; when the decryption unit 232 decrypts successfully, it either determines directly that the access authentication passes, or looks up, according to the device identifier of the access device, the user terminal access list that the storage unit 22 stores for that access device and determines whether the user identifier is saved in that list. If the determination is YES, the access authentication of the user terminal passes; otherwise, the user terminal is denied access.
  • the sending unit 24 is configured to send an access admission message or an access rejection message to the access device.
  • the core network element receives from the access device a user terminal access authentication request carrying the device identifier of the access device and the encrypted data of the user identifier of the user terminal, performs access authentication on the user terminal according to the device identifier of the access device and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device (HNB), and returns the determined access admission message or access rejection message to the access device.
  • this enables the access device (HNB) to effectively verify and manage the identity of the user terminal that accesses it, thereby protecting the interests of the access device (HNB) owner and of the operator.
  • the access device obtains the user identifier of the user terminal and determines, according to the user identifier, whether the user terminal is legal; if the determination is NO, the user terminal is denied access.
  • if the determination is YES, the access device sends to the core network element an access authentication request carrying the device identifier and the encrypted data of the user identifier; after receiving the access authentication request, the core network element performs access authentication on the user terminal according to the device identifier of the access device and the encrypted data of the user identifier, determines whether the user terminal is permitted to access through the access device (HNB), and returns the determined access admission message or access rejection message to the access device. This in turn enables the access device (HNB) to effectively verify and manage the identity of the user terminal that accesses it, thereby protecting the interests of the access device (HNB) owner and of the operator.
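The exchange between the access device (units 11-16) and the network device (units 21-24) described above, as an added Python example that is not part of the patent: an HMAC-SHA256 tag over the user identifier stands in for the user identifier signature or encrypted data, the device identifiers, keys and user identifiers are constructed, and a request built with a key the HLR does not hold shows the verification step failing.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class AccessDevice:
    """HNB side (access device 1 with units 11-15 of the description)."""
    device_id: str
    shared_key: bytes     # key shared with the core network element (key storage unit 132)
    local_allowed: set    # user identifiers the HNB owner has admitted locally

    def request_access(self, user_id: str):
        # determining unit 12: is this user terminal legal according to its identifier?
        if user_id not in self.local_allowed:
            return None   # rejecting unit 151: an access prohibition message goes to the terminal
        # encryption unit 152: HMAC-SHA256 stands in for the user identifier signature data
        tag = hmac.new(self.shared_key, user_id.encode(), hashlib.sha256).hexdigest()
        return {"device_id": self.device_id, "user_id": user_id, "user_id_sig": tag}  # unit 153

@dataclass
class CoreNetworkElement:
    """HLR side (network device 2 with units 21-24 of the description)."""
    keys: dict            # device_id -> shared key (key obtaining unit 231)
    access_lists: dict    # device_id -> user terminal access list (storage unit 22)

    def authenticate(self, req: dict) -> str:
        key = self.keys.get(req["device_id"])
        if key is None:
            return "REJECT"   # no key indexed by this device identifier
        # decryption unit 232: verify the signature data with the key found for the device
        expected = hmac.new(key, req["user_id"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["user_id_sig"]):
            return "REJECT"   # verification failed -> access authentication fails
        # authentication execution unit 233: is the user in this device's access list?
        if req["user_id"] in self.access_lists.get(req["device_id"], set()):
            return "ADMIT"
        return "REJECT"

def run_scenario() -> dict:
    hlr = CoreNetworkElement(keys={"HNB-0001": b"constructed-shared-key"},  # constructed data
                             access_lists={"HNB-0001": {"user-A", "user-B"}})
    hnb = AccessDevice("HNB-0001", b"constructed-shared-key", {"user-A", "user-C"})
    mismatched = AccessDevice("HNB-0001", b"some-other-key", {"user-A"})  # key unknown to HLR
    cases = [("admitted", hnb, "user-A"), ("local-reject", hnb, "user-B"),
             ("hlr-reject", hnb, "user-C"), ("key-mismatch", mismatched, "user-A")]
    outcomes = {}
    for name, dev, user in cases:
        req = dev.request_access(user)
        outcomes[name] = "PROHIBITED" if req is None else hlr.authenticate(req)
    return outcomes
```

The four cases cover the two rejection points the description defines (local list at the HNB, access list at the HLR) plus the key binding between device identifier and signature data.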
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method for user terminal access, comprising the following steps: acquiring the user identifier from the user terminal; determining, according to the user identifier, whether the user terminal is valid; if not, denying the user terminal access; if so, sending an access authentication request carrying the device identifier and the encrypted data of the user identifier to the network element of the core network; and receiving information from the network element of the core network, the information containing the access admission message or the access rejection message for the access authentication of the user terminal, generated by the network element of the core network according to the device identifier and the encrypted data of the user identifier.
PCT/CN2009/071856 2008-06-23 2009-05-19 Procédé d'accès à un terminal, procédé de gestion d'accès, équipement de réseau et système de communication WO2009155812A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810029121.3 2008-06-23
CN200810029121 2008-06-23

Publications (1)

Publication Number Publication Date
WO2009155812A1 true WO2009155812A1 (fr) 2009-12-30

Family

ID=41444004

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/071856 WO2009155812A1 (fr) 2008-06-23 2009-05-19 Procédé d'accès à un terminal, procédé de gestion d'accès, équipement de réseau et système de communication

Country Status (1)

Country Link
WO (1) WO2009155812A1 (fr)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6275941B1 (en) * 1997-03-28 2001-08-14 Hitachi, Ltd. Security management method for network system
CN1444362A (zh) * 2002-03-08 2003-09-24 华为技术有限公司 无线局域网加密密钥的分发方法
CN1725687A (zh) * 2005-01-26 2006-01-25 杭州华为三康技术有限公司 一种安全认证方法
CN101048972A (zh) * 2004-10-29 2007-10-03 韩国电子通信研究院 用于在家庭网络系统中进行用户验证的方法和系统


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102158394A (zh) * 2011-01-30 2011-08-17 福建星网锐捷网络有限公司 虚拟路由冗余协议路由器防攻击的方法和接入设备
CN102158394B (zh) * 2011-01-30 2013-11-20 福建星网锐捷网络有限公司 虚拟路由冗余协议路由器防攻击的方法和接入设备
CN111770087A (zh) * 2020-06-29 2020-10-13 深圳市网心科技有限公司 一种服务节点验证方法及相关设备
CN111918292A (zh) * 2020-09-02 2020-11-10 中国联合网络通信集团有限公司 一种接入方法及装置


Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 09768737; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 09768737; Country of ref document: EP; Kind code of ref document: A1)