WO2010060296A1 - Authentication method, trusted environment unit and home nodeb - Google Patents


Info

Publication number
WO2010060296A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
base station
home base
trusted environment
identity
Application number
PCT/CN2009/072108
Other languages
French (fr)
Chinese (zh)
Inventor
王绍斌
张宁
丁小燕
李茜
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to CN2009800001105A (CN101822083B)
Publication of WO2010060296A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • The embodiments of the present invention relate to the field of wireless communications technologies, and in particular to an authentication method, a trusted environment unit, and a home base station, based on the trusted environment of the home base station.
  • Background technique
  • The home base station (Home NodeB; hereinafter referred to as HNB), also called a femtocell base station, is proposed in contrast to the macro base station used in third-generation (3G) cellular mobile communication systems.
  • The HNB's transmit power is only about +15 dBm and its indoor coverage is about 50 meters. It functions much like a Wireless Fidelity (WiFi) access point (AP): it connects to the user's home broadband network via Ethernet.
  • WiFi Wireless Fidelity
  • AP Access Point
  • the development of HNB by mobile operators is firstly to improve indoor coverage, improve indoor broadband access speed, and meet the needs of users for various multimedia services.
  • Macro base stations mainly serve outdoor users; HNBs can also relieve the capacity pressure on wireless carriers and mobile virtual network operators.
  • HPM The Hosting Party Module
  • The HPM is a physical entity separate from the HNB device. It holds the credential with which the mobile network operator authenticates the identity of the hosting party, that is, the user who hosts the HNB.
  • The hosting party is analogous to a mobile phone subscriber, and the HPM is analogous to the Subscriber Identity Module (SIM) card.
  • SIM Subscriber Identity Module
  • The HPM is issued to the user by the mobile network operator. It can be removed from the HNB, so the same HPM can be carried over when the HNB is replaced. The HPM gives the HNB a user-based identity that does not depend on the HNB manufacturer. Its greatest significance is that, when the HNB equipment manufacturer and the HNB service provider are separate parties, the user applying for the service can still be authenticated effectively.
  • TrE Trusted Environment
  • the embodiment of the invention provides an authentication method, a trusted environment unit and a home base station, so as to reduce the burden on the network side for HNB authentication.
  • An embodiment of the present invention provides an authentication method based on a trusted environment of a home base station, including: performing device identity authentication on the HNB;
  • An embodiment of the present invention provides another authentication method based on a trusted environment of a home base station, including: performing device identity authentication on the HNB; and performing non-identity authentication on the HNB through the TrE.
  • An embodiment of the present invention provides another authentication method based on a trusted environment of a home base station, including:
  • the TrE receives a UE identity authentication request sent by the user equipment (User Equipment; hereinafter referred to as UE);
  • UE User Equipment
  • the UE is authenticated by the TrE.
  • the embodiment of the invention provides a trusted environment unit, including:
  • An authentication data storage module configured to store non-identity authentication data of the HNB
  • the authentication module is configured to perform non-identity authentication of the HNB according to the non-identity authentication data of the HNB stored by the authentication data storage module.
  • the embodiment of the present invention further provides a home base station, including a TrE unit, where the TrE unit is provided with:
  • An authentication data storage module configured to store non-identity authentication data of the HNB
  • the authentication module is configured to perform non-identity authentication of the HNB according to the non-identity authentication data of the HNB stored by the authentication data storage module.
  • The embodiments of the present invention provide an authentication method, a trusted environment unit, and a home base station, and make full use of the TrE by storing the non-identity authentication data in the TrE after the HNB has been authenticated for the first time.
  • When the HNB is restarted or re-authenticated, the TrE can then perform the related non-identity authentication locally, reducing the burden of HNB authentication on the network side.
  • FIG. 1 is a flow chart of a first embodiment of an authentication method based on a trusted environment of a home base station according to the present invention
  • FIG. 2 is a signaling flow diagram of a second embodiment of an authentication method based on a trusted environment of a home base station according to the present invention.
  • FIG. 3 is a signaling flow diagram of a third embodiment of an authentication method based on a trusted environment of a home base station according to the present invention.
  • FIG. 4 is a signaling flow diagram of a fourth embodiment of an authentication method based on a trusted environment of a home base station according to the present invention.
  • FIG. 5 is a signaling flow diagram of a fifth embodiment of an authentication method based on a trusted environment of a home base station according to the present invention.
  • FIG. 6 is a flow chart of a sixth embodiment of an authentication method based on a trusted environment of a home base station according to the present invention.
  • FIG. 7 is a signaling flow diagram of a seventh embodiment of an authentication method based on a trusted environment of a home base station according to the present invention.
  • FIG. 8 is a signaling flow diagram of an eighth embodiment of an authentication method based on a trusted environment of a home base station according to the present invention.
  • FIG. 9 is a signaling flow diagram of a ninth embodiment of an authentication method based on a trusted environment of a home base station according to the present invention.
  • Detailed description
  • To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in detail below. The network type in the following embodiments may be a Global System for Mobile Communication (hereinafter referred to as GSM) network, a Code Division Multiple Access (hereinafter referred to as CDMA) network, a Wideband CDMA (WCDMA) network, a Worldwide Interoperability for Microwave Access (WiMAX) network, a Time Division-Synchronous CDMA (hereinafter referred to as TD-SCDMA) network, or a Long Term Evolution (hereinafter referred to as LTE) network.
  • GSM Global System for Mobile Communication
  • CDMA Code Division Multiple Access
  • WCDMA Wideband CDMA
  • WiMAX Worldwide Interoperability for Microwave Access
  • TD-SCDMA Time Division Synchronization Code Division Multiple Access
  • LTE Long Term Evolution
  • The wireless access device may be a home base station, a pico base station (Pico), a Universal Mobile Telecommunications System access point (hereinafter referred to as UMTS AP), a WiMAX femto base station, or a WiMAX macro base station.
  • UMTS AP Universal Mobile Telecommunications System access point
  • WiMAX femto base station
  • PDAs personal digital assistants
  • The HNB is equipment deployed in the user's home, yet it belongs to the operator and provides the access function for the user. This dual role makes the operator's security requirements for the HNB high. Therefore, when the home base station is powered on and establishes a physical connection with the operator's network, the operator needs to perform the relevant authentication of the HNB.
  • In the prior art, the non-identity authentication of the HNB is performed in a non-trusted environment with weak secure storage, so the TrE is not fully used and its scope of application is correspondingly reduced. Moreover, the TrE has identity information of its own, and that identity can be associated with both the HNB and the HPM.
  • Network-side authentication of the HNB therefore involves authenticating the TrE and authenticating the binding between the TrE and the HNB. The embodiments below describe how the network side authenticates an HNB equipped with a TrE, and how the TrE, with its stronger secure storage, allows HNB-related authentication to be performed locally.
  • FIG. 1 is a flow chart of a first embodiment of a method for authenticating a trusted environment of a home base station according to the present invention. As shown in FIG. 1 , this embodiment describes an authentication process when an HNB is initially started, and includes the following steps:
  • Step 11 Perform device identity authentication on the HNB.
  • the network side first needs to authenticate the identity of the HNB device itself.
  • The identity authentication of the HNB is based mainly on authentication of an identity credential.
  • The HNB identity credential can take two forms: one is certificate-based and the other is based on Authentication and Key Agreement (AKA) credentials.
  • With an AKA credential, authentication is carried out mainly by the security gateway and the Authentication, Authorization and Accounting (AAA) server on the network side.
  • AAA Authentication, Authorization and Accounting
  • Step 12 Perform identity authentication on the TrE set on the HNB.
  • Certificate-based authentication can also be used for TrE authentication.
  • The authentication process is mainly an interaction between the security gateway and the AAA server (authentication, authorization and accounting server) on the network side and the TrE on the HNB.
  • Step 13 Authenticate the identity binding relationship between the HNB and the TrE.
  • the authentication of the binding relationship is mainly performed by the AAA server.
  • The AAA server looks up the pre-stored binding relationship by the identity of the TrE and compares it with the HNB identity identifier sent by the HNB to verify the binding relationship.
  • Step 14 Perform non-identity authentication on the HNB.
  • The non-identity authentication performed on the HNB may include: identity authentication of the HPM on the HNB, location authentication of the HNB, and identity authentication of the UE.
  • Step 15 Acquire the non-identity authentication data of the HNB and store it in the TrE.
  • The non-identity authentication data may include: authentication data of the HPM, location authentication data of the HNB, and UE authentication data.
  • In this embodiment, after the HNB passes authentication at first start-up, part of the authentication data maintained by the network side (mainly the data related to non-identity authentication) is downloaded to the HNB's local TrE.
  • When the HNB is restarted or re-authenticated, the non-identity authentication can then be performed in the HNB's local TrE. This makes full use of the TrE and means that restart or re-authentication no longer requires the participation of the core network, reducing the burden on the network side.
  • FIG. 2 is a signaling flowchart of a second embodiment of a method for authenticating a trusted environment of a home base station according to the present invention. As shown in FIG. 2, this embodiment describes the authentication process of the HNB at the initial startup, which specifically includes the following steps:
  • Step 101 An IKE_SA_INIT exchange (the initial IKEv2 exchange) is performed between the HNB and the security gateway (Security Gateway; hereinafter referred to as SGW).
  • There are two ways to present HNB identity credentials: one based on certificates and the other based on AKA credentials. This embodiment describes the AKA-credential case. If a certificate-based authentication mechanism is adopted, a certificate verification exchange between the HNB and the SGW is required instead.
  • Step 103 The SGW verifies the identity of the TrE. The TrE is authenticated with a certificate-based mechanism.
  • Step 104 The SGW sends an Authentication Request/Identity request (authentication request) to the AAA server, where the request carries the identity of the HNB and the TrE.
  • Step 105 The AAA server performs HNB identity authentication.
  • The specific identity authentication process may be similar to the following: the AAA server obtains an authentication vector (AV), initiates an AKA (Authentication and Key Agreement Protocol) identity authentication challenge, runs the AKA algorithm, and accepts the HNB's challenge response, thereby achieving mutual authentication between the HNB and the network side.
  • AKA Authentication and Key Agreement Protocol
  • AV authentication vector
  • Step 106 The AAA server authenticates the binding relationship between the HNB and the TrE.
  • The specific binding authentication process may be similar to the following: the AAA server obtains the binding relationship between the HNB and the TrE from the relevant database network element (such as the Home Location Register, HLR), looks up the pre-stored binding by the TrE identity sent by the HNB, and compares it with the received HNB identity to verify the binding relationship.
  • HLR Home Location Register
  • Step 107 The AAA server sends an authentication response indicating that the TrE identity authentication succeeded (Authentication Response/Success) to the SGW.
  • Step 108 The SGW notifies the HNB that the authentication succeeds by using an IKE-AUTH-RES (IKE Authentication Response) message.
  • IKE-AUTH-RES IKE Authentication Response
  • Step 109 After receiving the authentication success message, the HNB triggers the platform integrity authentication of the HNB.
  • Step 111 The HNB and the network side perform subsequent related non-identity authentication, such as location authentication of the HNB, authentication of the HPM, and identity authentication of the UE.
  • The AAA server needs to obtain the relevant data for the non-identity authentication from the authentication database.
  • Step 112 After the non-identity authentication succeeds, part of the authentication data maintained by the AAA server (mainly the data used for non-identity authentication) is downloaded to the HNB's local TrE.
  • When the HNB is restarted or re-authenticated, the non-identity authentication is performed in the HNB's local TrE.
  • In this embodiment the network elements are described specifically as an AAA server and an SGW, but the HNB authentication process of the embodiments of the present invention is not limited to these network elements.
  • In this embodiment, the HNB device identity authentication, the TrE identity authentication and the authentication of the binding between the two are completed through interaction with the SGW and the AAA server on the network side, after which the relevant non-identity authentication is performed.
  • After the HNB passes authentication at first start-up, part of the authentication data maintained by the network side (mainly the data related to non-identity authentication) is downloaded to the HNB's local TrE.
  • When the HNB is restarted or re-authenticated, the non-identity authentication can be performed in the HNB's local TrE. This makes full use of the TrE and means that restart or re-authentication no longer requires interaction with network-side servers such as the SGW and the AAA server, reducing the burden on the network side.
  • FIG. 3 is a signaling flowchart of a method for authenticating a home base station trusted environment according to a third embodiment of the present invention. As shown in FIG. 3, this embodiment focuses on the network-side identity authentication of the HPM when the HNB is first started, and is a more detailed illustration of steps 111 to 112 of the second embodiment.
  • HPM authentication is the mobile network operator's authentication of the user of the HNB. There are usually two scenarios:
  • Scenario A The HPM is integrated with the HNB device, so completing HNB device authentication also completes HPM authentication.
  • EAP-AKA Extensible Authentication Protocol - Authentication and Key Agreement
  • Certificate-based authentication, which requires no additional authentication, can be used as the HPM authentication; this suits scenarios where the HPM does not move between devices.
  • Scenario B The HPM is separate from the HNB device. There are two solutions in this scenario.
  • The first scheme first performs device authentication between the HNB and the SGW using their respective certificates, and then performs EAP-AKA authentication of the HPM.
  • Here the HNB is a device with an embedded HPM. Each device has an equipment identifier (EI) that indicates its identity.
  • EI equipment identifier (device number)
  • the HNB-EI is placed in the HNB by the manufacturer at the factory.
  • the HLR on the network side stores the HNB-EI record corresponding to each HPM-ID. This record represents the binding relationship between this HNB-EI and HPM-ID.
  • the AAA server performs authentication of the binding relationship based on this record.
  • the authentication process for the HPM includes the following steps:
  • Step 1110 The TrE obtains the identity of the HPM of the HNB, and the process can be implemented by using an interface between the HNB and the TrE.
  • Step 1111 The HNB sends an IKE-AUTH-REQ authentication request (IKE authentication request) to the SGW, where the request carries the identity of the HPM and the TrE.
  • Step 1112 The SGW sends an Authentication Request/Identity request to the AAA server, carrying the identities of the HPM and the TrE.
  • Step 1113 The AAA server acquires multiple authentication vectors (AVs) from the HLR.
  • Step 1114 The AAA server sends an EAP Request/AKA (SIM) Challenge to the SGW.
  • Step 1115 The SGW forwards the EAP Request/AKA (SIM) Challenge to the HNB in an IKE-AUTH-RES (IKE Authentication Response) message.
  • IKE-AUTH-RES IKE Authentication Response
  • Step 1116 The HNB returns the EAP Response/AKA (SIM) Challenge to the SGW in an IKE-AUTH-REQ (IKE Authentication Request) message.
  • Step 1117 The SGW forwards the EAP Response/AKA (SIM) Challenge to the AAA server.
  • Through steps 1114 to 1117, the EAP-AKA authentication exchange between the AAA server and the HNB completes the authentication of the HPM.
  • Step 1118 The AAA server verifies the binding relationship between the HPM and the TrE.
  • The AAA server looks up the pre-stored binding relationship by the HPM identity and checks the TrE identity against it.
  • Step 1119 The AAA server sends an Authentication Response/EAP-AKA (SIM) Success to the SGW, indicating that HPM identity authentication and binding relationship authentication succeeded.
  • Step 1120 The SGW sends the HPM identity authentication success and the binding relationship authentication success response to the HNB through the IKE-AUTH-RES message.
  • Step 1121 The HNB initiates an HNB Boot Request (Initial Start Request) to the AHR (AP Home Registration Server).
  • HNB Boot Request Initial Start Request
  • AHR AP Home Registration Server
  • Step 1122 The AHR obtains HPM authentication vectors from the AAA server through a Retrieve Authentication Data message. Several vectors may be requested, so that each later local authentication uses a fresh one.
  • Step 1123 The AAA server responds to the request and returns its stored, unused AVs to the AHR; each AV contains the parameters XRES (expected response), RAND (random challenge) and AUTN (authentication token).
  • XRES expected response value
  • RAND random number
  • AUTN authentication token
  • Step 1124 The AHR sends an initial startup response (Boot response) to the HNB, and carries the authentication data of the HPM.
  • In this embodiment, at first start-up the identity authentication of the HPM (part of the non-identity authentication) is completed through interaction with the SGW and the AAA server on the network side.
  • After success, the HPM authentication data maintained by the network side is downloaded to the HNB's local TrE.
  • When the HNB is restarted or re-authenticated, the HPM identity authentication can then be performed in the HNB's local TrE without interacting with network-side servers such as the SGW and the AAA server. This makes full use of the TrE and reduces the burden on the network side.
  • FIG. 4 is a signaling flowchart of a fourth embodiment of a method for authenticating a home base station trusted environment according to the present invention. As shown in FIG. 4, this embodiment focuses on the network-side location authentication of the HNB when the HNB is first started. It is also a more detailed illustration of steps 111 to 112 of the second embodiment. Specifically, it includes the following steps:
  • Step 2110 The HNB initiates an initial startup request (boot request) to the AHR, and carries the current location information of the HNB.
  • Step 2111 The AHR performs location authentication.
  • Step 2112 The AHR sends an initial startup response (Boot response) to the HNB, and carries the encrypted authenticated location information.
  • Step 2113 After receiving the location information, the HNB passes it to the TrE.
  • Step 2114 The TrE verifies the information source. If the verification is passed, the location information is used as a reference value of the location information of the current user (corresponding to the current HPM), and is stored securely.
  • In this embodiment, at first start-up the location authentication of the HNB (part of the non-identity authentication) is completed through interaction with the SGW and the AAA server on the network side, and the location authentication data of the HNB maintained by the network side is downloaded to the HNB's local TrE.
  • When the HNB is restarted or re-authenticated, the location authentication of the HNB can be performed in the local TrE, with no need to interact with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the burden on the network side.
  • FIG. 5 is a signaling flowchart of a fifth embodiment of a method for authenticating a trusted environment of a home base station according to the present invention. As shown in FIG. 5, this embodiment focuses on the process in which a UE is authenticated for the first time after the HNB has started up. It is also a more detailed illustration of steps 111 to 112 of the second embodiment. Specifically, it includes the following steps:
  • Step 3110 The UE initiates an identity authentication request through the HNB, carrying its identity identification information; the request is sent on to the AAA server.
  • Step 3111 The AAA server may run the AKA algorithm to perform identity authentication on the UE.
  • Step 3112 The AAA server sends the encrypted UE authentication data to the HNB in the authentication response. The data may be the RAND, AUTN, XRES and similar parameters of the AVs stored in the AAA server, and may comprise several sets.
  • Step 3113 The HNB sends a response message that the authentication succeeds to the UE.
  • Step 3114 The HNB sends the encrypted UE authentication data to the TrE.
  • Step 3115 The TrE decrypts the authentication data, and securely stores the UE authentication data.
  • In this embodiment, the UE and the HNB complete the identity authentication of the UE (part of the non-identity authentication) through interaction with the SGW and the AAA server on the network side, and after success the UE identity authentication data maintained by the network side is downloaded to the HNB's local TrE.
  • When the HNB is restarted or re-authenticated, the identity authentication of the UE can be performed in the HNB's local TrE: only interaction between the UE and the HNB is needed, with no interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the burden on the network side.
  • FIG. 6 is a flowchart of a sixth embodiment of a method for authenticating a trusted environment of a home base station according to the present invention.
  • This embodiment focuses on the authentication process when the HNB is restarted or re-authenticated. Through the first embodiment above, after the HNB has been started for the first time and has passed network-side authentication, part of the authentication data maintained by the network side (mainly the data related to non-identity authentication) has already been downloaded to the HNB's local TrE.
  • The related non-identity authentication can therefore be performed locally, without the participation of the network side.
  • This embodiment specifically includes the following steps:
  • Step 21 Perform identity authentication on the HNB.
  • Step 22 Perform identity authentication on the TrE.
  • Step 23 Authenticate the identity binding relationship between the HNB and the TrE.
  • Steps 21 to 23 may specifically adopt the processes in step 101 to step 110 in the second embodiment, and details are not described herein again.
  • Step 24 Perform non-identity authentication on the HNB through the TrE.
  • Non-identity authentication can include: identity authentication of the HPM, location authentication of the HNB, and identity authentication of the UE.
  • In this embodiment, the non-identity authentication data acquired during the authentication at first start-up of the HNB is stored in the TrE.
  • When the HNB is restarted or re-authenticated, the relevant non-identity authentication can be performed on the basis of the non-identity authentication data stored in the local TrE, with no need to interact with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the burden on the network side.
  • FIG. 7 is a signaling flowchart of a seventh embodiment of a method for authenticating a trusted environment of a home base station according to the present invention. As shown in FIG. 7, this embodiment focuses on an identity authentication process for an HPM during HNB restart or re-authentication.
  • The authentication process described in this embodiment is a specific example of step 24 in the sixth embodiment. The HNB restart or re-authentication also goes through steps 21 to 23 of the sixth embodiment. This embodiment includes the following steps:
  • Step 4110 The HPM initiates an identity authentication request to the TrE, which can be completed through an interface between the HNB and the TrE.
  • Step 4111 The TrE looks up an authentication vector (AV) that it has not yet used.
  • Step 4112 The TrE sends an authentication challenge request to the HPM, carrying the AV (the RAND and AUTN parameters of the AV).
  • Step 4113 The HPM computes the response RES from the received RAND and AUTN parameters and its stored key.
  • Step 4114 The HPM returns an authentication challenge response, and the RES is carried in the response.
  • Step 4115 The TrE performs HPM identity authentication.
  • the TrE compares the received RES with the stored XRES (the parameter that is downloaded to the TrE after the authentication process is completed when the HNB is first started). If they match, the TrE succeeds in the HPM authentication and generates a successful authentication result. Otherwise, the authentication result of the authentication failure is generated.
  • Step 4116 The TrE returns the authentication result to the HPM.
  • Step 4117 The TrE notifies the AAA server on the network side of the authentication result.
  • In this embodiment, the TrE stores the identity authentication data of the HPM acquired during the authentication at first start-up of the HNB.
  • When the HNB is restarted or re-authenticated, the identity authentication of the HPM can be performed on the basis of the HPM identity authentication data stored in the local TrE, with no need to interact again with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the burden on the network side.
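  • The following Python model is an added example and is not code from the patent or from the applicant. It ties together the download of HPM authentication vectors into the TrE (third embodiment, steps 1121 to 1124; the UE authentication data of steps 3112 to 3115 is cached the same way) and the later local HPM authentication against them (seventh embodiment, steps 4110 to 4117). The patent does not specify the AKA functions, so HMAC-SHA256 under the HPM's long-term key stands in for them; the HPM-ID, key values, class names and result strings are constructed for the demonstration. Two properties a practitioner would check are built in: each downloaded AV is consumed exactly once, and once the stored vectors are exhausted the TrE reports that it cannot authenticate locally rather than reusing a vector. Because XRES is stored in the TrE, a party who can read TrE storage can pass the local check without knowing the HPM key, which is why the page insists on the TrE's secure storage. (In the ninth embodiment the local UE check of step 6111 compares only the stored identifier; the RAND, AUTN and XRES cached in step 3115 would support the challenge-response form shown here.)

```python
"""Added example (not from the patent): AV download into the TrE at first
start-up and local HPM authentication against the cached AVs on restart.

Assumptions the patent does not state: the AKA functions are replaced by
HMAC-SHA256 over a shared key K; an AV is the triple (RAND, AUTN, XRES)
named in step 1123; all identifiers and keys below are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class AV:
    """One authentication vector: RAND, AUTN, XRES (step 1123)."""
    rand: bytes
    autn: bytes
    xres: bytes


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # Stand-in for the AKA functions (MILENAGE f1..f5): keyed HMAC-SHA256.
    mac = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        mac.update(part)
    return mac.digest()


class AAAServer:
    """Network side. Knows the long-term key K of each HPM-ID (via the HLR in the patent)."""

    def __init__(self, keys: dict[str, bytes]) -> None:
        self._keys = dict(keys)

    def generate_avs(self, hpm_id: str, count: int, rng=os.urandom) -> list[AV]:
        # Steps 1113 and 1122-1123: several AVs so every later local run is fresh.
        key = self._keys[hpm_id]
        avs = []
        for _ in range(count):
            rand = rng(16)
            autn = _prf(key, b"AUTN", rand)[:16]       # lets the HPM check the challenge origin
            xres = _prf(key, b"RES", rand, autn)[:8]   # expected response
            avs.append(AV(rand, autn, xres))
        return avs


class HPM:
    """Removable hosting-party module; holds K and never exports it."""

    def __init__(self, hpm_id: str, key: bytes) -> None:
        self.hpm_id = hpm_id
        self._key = key

    def respond(self, rand: bytes, autn: bytes) -> bytes:
        # Step 4113: RES from RAND, AUTN and the stored key. A genuine HPM
        # checks AUTN first, so a forged challenge cannot extract a response.
        if not hmac.compare_digest(_prf(self._key, b"AUTN", rand)[:16], autn):
            raise ValueError("AUTN check failed")
        return _prf(self._key, b"RES", rand, autn)[:8]


class TrE:
    """Trusted environment unit: authentication data storage module plus authentication module."""

    def __init__(self) -> None:
        self._unused: dict[str, list[AV]] = {}
        self.reports: list[tuple[str, bool]] = []   # what step 4117 sends to the AAA server

    def store_hpm_avs(self, hpm_id: str, avs: list[AV]) -> None:
        # Step 1124 / step 15: downloaded AVs go into secure storage. XRES lives
        # here, so anyone who can read TrE storage passes the local check
        # without K; the data must therefore never leave the TrE.
        self._unused.setdefault(hpm_id, []).extend(avs)

    def unused_avs(self, hpm_id: str) -> int:
        return len(self._unused.get(hpm_id, []))

    def authenticate_hpm(self, hpm: HPM) -> str:
        avs = self._unused.get(hpm.hpm_id, [])
        if not avs:
            return "NO_FRESH_AV"                      # fall back to the network-side flow
        av = avs.pop(0)                               # step 4111: each AV is used exactly once
        try:
            res = hpm.respond(av.rand, av.autn)       # steps 4112-4114
        except ValueError:
            res = b""
        ok = hmac.compare_digest(res, av.xres)        # step 4115
        self.reports.append((hpm.hpm_id, ok))         # step 4117
        return "SUCCESS" if ok else "FAIL"


def run_demo(rng=os.urandom) -> list[str]:
    """Constructed scenario: two AVs downloaded, two local logins, exhaustion, then a clone."""
    k_genuine = bytes(range(16))
    aaa = AAAServer({"HPM-001": k_genuine})
    tre = TrE()
    tre.store_hpm_avs("HPM-001", aaa.generate_avs("HPM-001", 2, rng))
    genuine = HPM("HPM-001", k_genuine)
    clone = HPM("HPM-001", bytes(16))                 # right HPM-ID, wrong key
    results = [tre.authenticate_hpm(genuine), tre.authenticate_hpm(genuine)]
    results.append(tre.authenticate_hpm(genuine))     # cached vectors exhausted
    tre.store_hpm_avs("HPM-001", aaa.generate_avs("HPM-001", 1, rng))
    results.append(tre.authenticate_hpm(clone))
    return results


if __name__ == "__main__":
    print(run_demo())   # ['SUCCESS', 'SUCCESS', 'NO_FRESH_AV', 'FAIL']
```

  • The TrE refuses to reuse a vector because XRES, RAND and AUTN are fixed per AV: a replayed challenge would accept a replayed response. The "NO_FRESH_AV" outcome is the point at which the HNB must run the network-side flow of the third embodiment again to refill the store.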
  • FIG. 8 is a signaling flowchart of an eighth embodiment of a method for authenticating a home base station trusted environment according to the present invention. As shown in FIG. 8, this embodiment focuses on a location authentication process for an HNB during HNB restart or re-authentication. The authentication process described in this embodiment is also a specific exemplary description of step 24 in the sixth embodiment, and the HNB restart or re-authentication also goes through steps 21 to 23 in the sixth embodiment. This embodiment includes the following steps:
  • Step 5110 The HNB sends a location authentication request to the TrE, where the location authentication request carries the current location information of the HNB.
  • Step 5111 TrE performs location authentication.
  • the TrE compares the current location information with the location information stored in the TrE. If they match, the location authentication result of the successful authentication is generated, otherwise the location authentication result of the authentication failure is generated.
  • Step 5112 The TrE notifies the HNB of the location authentication result.
  • Step 5113 The TrE notifies the AHR of the network side of the location authentication result.
  • In this embodiment, the TrE stores the HNB location authentication data obtained during the authentication at first start-up of the HNB.
  • When the HNB is restarted or re-authenticated, the location authentication of the HNB can be performed on the basis of the location authentication data stored in the local TrE, with no need to interact again with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the burden on the network side.
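  • As an added example, not code from the patent or the applicant, the following Python model covers the location authentication data flow of the fourth embodiment (steps 2110 to 2114) and the local location check of the eighth embodiment (steps 5110 to 5113). The patent says only that the AHR returns encrypted, authenticated location information and that the TrE verifies its source; this example assumes an HMAC-SHA256 tag under a key pre-shared between the AHR and the TrE as the source check (confidentiality is left out), a JSON record as the location format, and an exact comparison of the record as the match in step 5111. The key, the HPM-ID, the location fields and the result strings are constructed for the demonstration.

```python
"""Added example (not from the patent): AHR-authenticated location reference
stored in the TrE at first start-up, then checked locally on restart.

Assumptions: the "encrypted authenticated location information" of step 2112
is modelled as a JSON record plus an HMAC-SHA256 tag under a key shared by
the AHR and the TrE; step 5111's "match" is an exact comparison of the record.
"""
import hashlib
import hmac
import json

# Constructed demo key; in practice it would be provisioned into the TrE.
AHR_TRE_KEY = b"constructed-demo-key-do-not-use"


def ahr_boot_response(key: bytes, hpm_id: str, location: dict) -> tuple[bytes, bytes]:
    """Steps 2111-2112: after the AHR has authenticated the location, it returns
    the reference record for this HPM together with an integrity tag."""
    body = json.dumps({"hpm_id": hpm_id, "location": location}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body, tag


class TrELocationStore:
    """Location part of the TrE's storage module and authentication module."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._reference: dict[str, dict] = {}      # per HPM-ID, as step 2114 states
        self.reports: list[tuple[str, str]] = []    # step 5113 notifications to the AHR

    def store_reference(self, body: bytes, tag: bytes) -> bool:
        # Steps 2113-2114: verify the source before anything is stored.
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                             # tampered or not from the AHR
        record = json.loads(body)
        self._reference[record["hpm_id"]] = record["location"]
        return True

    def authenticate_location(self, hpm_id: str, current: dict) -> str:
        # Steps 5110-5111: compare the reported location with the stored reference.
        reference = self._reference.get(hpm_id)
        if reference is None:
            result = "NO_REFERENCE"                 # never provisioned: use the network flow
        else:
            result = "SUCCESS" if reference == current else "FAIL"
        self.reports.append((hpm_id, result))        # step 5113
        return result


def run_demo() -> list:
    """Constructed scenario: genuine provisioning, a tampered record, then local checks."""
    home = {"macro_cell": "460-00-1234-5678", "access_ip_prefix": "203.0.113.0/24"}  # assumed fields
    body, tag = ahr_boot_response(AHR_TRE_KEY, "HPM-001", home)
    tre = TrELocationStore(AHR_TRE_KEY)
    out = [tre.store_reference(body, tag)]                         # True
    forged = body.replace(b"203.0.113.0/24", b"198.51.100.0/24")
    out.append(tre.store_reference(forged, tag))                   # False: tag no longer matches
    out.append(tre.authenticate_location("HPM-001", dict(home)))   # SUCCESS: same place
    moved = dict(home, access_ip_prefix="198.51.100.0/24")
    out.append(tre.authenticate_location("HPM-001", moved))        # FAIL: HNB has moved
    out.append(tre.authenticate_location("HPM-002", home))         # NO_REFERENCE
    return out


if __name__ == "__main__":
    print(run_demo())   # [True, False, 'SUCCESS', 'FAIL', 'NO_REFERENCE']
```

  • The reference is keyed by HPM-ID because step 2114 ties it to the current hosting party; swapping in another HPM therefore yields "NO_REFERENCE" rather than a false pass. An exact match presumes the location encoding is stable across restarts, which is something to confirm for whatever location evidence a deployment actually uses.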
  • FIG. 9 is a signaling flowchart of a ninth embodiment of a method for authenticating a trusted environment of a home base station according to the present invention.
  • This embodiment focuses on the process in which a UE that has already passed network-side authentication is authenticated again. After the HNB's first start-up, if a given UE has already been authenticated with the network side, that UE's authentication data is already stored in the local TrE, so when the HNB receives another identity authentication request from the same UE the authentication can be completed directly through the TrE.
  • the re-authentication performed by the UE may be after the initial startup of the HNB, or when the HNB is restarted or re-authenticated.
  • the authentication process of this embodiment is as follows:
  • Step 6110 The TrE receives the UE identity authentication request sent by the UE, where the request carries the identity identifier of the UE.
  • Step 6111 The TrE compares the identity identifier of the UE carried in the UE identity authentication request with the identity identifier of the UE stored in the TrE. If they are consistent, a UE authentication result indicating success is generated; otherwise a UE authentication result indicating failure is generated.
  • Step 6112 The TrE notifies the UE of the UE identity authentication result.
  • Step 6113 The TrE notifies the AAA server of the network side of the UE identity authentication result.
  • The TrE stores the UE identity authentication data acquired in the authentication process when the HNB is initially started. The relevant UE identity authentication can then be performed based on the UE identity authentication data stored in the local TrE, without interaction with network-side servers such as the SGW, the AAA server and the AHR. This fully utilizes the functions of the TrE and reduces the burden on the network side.
  • This embodiment is an embodiment of a TrE unit including an authentication data storage module and an authentication module.
  • the authentication data storage module is configured to store non-identity authentication data of the HNB; the authentication module is configured to perform non-identity authentication of the HNB according to the non-identity authentication data of the HNB stored by the authentication data storage module.
  • the authentication data storage module may include: an HPM authentication data storage module and/or a UE authentication data storage module and/or an HNB location authentication data storage module.
  • the authentication module includes: an HPM identity authentication module and/or an HNB location authentication module and/or a UE identity authentication module.
  • the HPM identity authentication module needs to invoke the data stored in the HPM authentication data storage module when performing identity authentication on the HPM.
  • Likewise, the HNB location authentication module corresponds to the HNB location authentication data storage module, and the UE identity authentication module corresponds to the UE authentication data storage module.
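As an added illustration (not code from the patent or from Huawei), the Python model below of the TrE unit just described shows the authentication data storage module and the three authentication modules performing HNB location authentication (FIG. 8) and UE and HPM identity authentication (FIG. 9) locally from data downloaded at first start. The `restart_authentication` helper, the parties each result is reported to for the HPM case, and all sample identifiers are assumptions.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResult:
    kind: str        # "location", "ue" or "hpm"
    success: bool
    notified: tuple  # who the TrE reports the result to (constructed names)


class AuthDataStorageModule:
    """Authentication data storage module: holds the HNB's non-identity
    authentication data (HPM, HNB location and UE data) downloaded after the
    first-start authentication (step 15 / step 112)."""

    def __init__(self):
        self.hpm_id = None
        self.location = None
        self.ue_ids = ()

    def download(self, data):
        # 'data' is a constructed dict standing in for the network-side download.
        self.hpm_id = data.get("hpm_id")
        self.location = data.get("location")
        self.ue_ids = tuple(data.get("ue_ids", ()))

    @property
    def provisioned(self):
        return self.location is not None or self.hpm_id is not None or bool(self.ue_ids)


def _same(a, b):
    """Constant-time equality on identifiers; a missing value never matches."""
    if a is None or b is None:
        return False
    return hmac.compare_digest(a.encode(), b.encode())


class TrEUnit:
    """TrE unit: storage module plus the HPM / location / UE authentication modules."""

    def __init__(self):
        self.storage = AuthDataStorageModule()
        self.log = []  # results reported so far (stands in for the notifications)

    def _report(self, kind, ok, parties):
        res = AuthResult(kind, ok, parties)
        self.log.append(res)
        return res

    def authenticate_location(self, current_location):
        # HNB location authentication module (FIG. 8, steps 5110-5113):
        # result goes to the HNB and to the AHR on the network side.
        ok = _same(current_location, self.storage.location)
        return self._report("location", ok, ("HNB", "AHR"))

    def authenticate_ue(self, ue_id):
        # UE identity authentication module (FIG. 9, steps 6110-6113):
        # every stored entry is compared, with no early exit on a match.
        ok = False
        for stored in self.storage.ue_ids:
            ok |= _same(ue_id, stored)
        return self._report("ue", ok, ("UE", "AAA"))

    def authenticate_hpm(self, hpm_id):
        # HPM identity authentication module; recipients are an assumption.
        ok = _same(hpm_id, self.storage.hpm_id)
        return self._report("hpm", ok, ("HNB", "AAA"))


def restart_authentication(tre, hpm_id, location, ue_id):
    """HNB restart / re-authentication path: run the non-identity checks locally.
    Returns (all_ok, results). A TrE with no downloaded data cannot authenticate
    anything, so the caller must fall back to the network-side first-start flow."""
    if not tre.storage.provisioned:
        return False, ()
    results = (tre.authenticate_hpm(hpm_id),
               tre.authenticate_location(location),
               tre.authenticate_ue(ue_id))
    return all(r.success for r in results), results


# Constructed sample data: what the network side downloaded at first start.
SAMPLE_DOWNLOAD = {"hpm_id": "hpm-0001", "location": "cell-42/floor-3",
                   "ue_ids": ["imsi-460001234567890", "imsi-460009876543210"]}

if __name__ == "__main__":
    tre = TrEUnit()
    tre.storage.download(SAMPLE_DOWNLOAD)
    ok, res = restart_authentication(tre, "hpm-0001", "cell-42/floor-3",
                                     "imsi-460001234567890")
    print(ok, [(r.kind, r.success, r.notified) for r in res])
```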
  • the embodiment of the present invention further provides a home base station, which includes a TrE unit as shown in the tenth embodiment, and is not further described herein.
  • The embodiment of the present invention fully utilizes the characteristics of the TrE and stores the non-identity authentication data from the first HNB authentication in the TrE.
  • When the HNB restarts, the related non-identity authentication can be performed through the TrE. Therefore the burden of HNB authentication on the network side is alleviated, and there is no need to rely on HPM-ID and HNB-ID binding to bind the device to the user identity, which avoids the burden on the operator of additionally setting up a database.
  • The non-identity authentication in the embodiment of the present invention refers to authentications related to the HNB other than the device identity authentication and the TrE identity authentication of the HNB, such as HNB location authentication, HPM authentication and authentication of UEs accessing the HNB.
  • The storage medium may be RAM (random access memory), ROM (read only memory), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An authentication method, trusted environment (TrE) unit and home nodeB (HNB) are disclosed in embodiments of the present invention. The method includes: performing equipment identity authentication for HNB, performing identity authentication for TrE which is set in said HNB, performing authentication for the identity binding relationship between said HNB and said TrE, performing non-identity authentication for said HNB, and obtaining the non-identity authentication data of said HNB and storing it in said TrE. Embodiments of the present invention take full advantage of the characteristics of the TrE and store the non-identity authentication data obtained after the first HNB authentication in the TrE. When the HNB restarts, related non-identity authentication can be executed by the TrE, and thus the burden of HNB authentication on network side is reduced.

Description

Authentication method, trusted environment unit and home base station
This application claims priority to Chinese Patent Application No. 200810175958.9, entitled "Identity authentication method, trusted environment unit and home base station", filed with the Chinese Patent Office on November 3, 2008, the entire contents of which are incorporated herein by reference.
Technical field
The embodiments of the present invention relate to the field of wireless communications technologies, and in particular to an authentication method, a trusted environment unit and a home base station based on a trusted environment of a home base station.
Background
The home base station (Home NodeB; hereinafter HNB), also called a femtocell base station, is proposed relative to the macro base station used in third generation (3rd Generation; hereinafter 3G) cellular mobile communication systems. The transmit power of an HNB is only +15 dB, and its indoor coverage is 50 meters. It functions like a wireless access point (Access Point; hereinafter AP) of Wireless Fidelity (hereinafter WiFi) technology, so that users can connect to a home broadband network through Ethernet. Mobile operators develop HNBs first to improve indoor coverage, increase indoor broadband access speed and meet users' needs for various multimedia services; second to relieve the pressure on macro base stations so that macro base stations mainly serve outdoor users; and additionally to cope with pressure from wireless operators and mobile virtual network operators.
The Hosting Party Module (hereinafter HPM) is a physical entity separate from the physical device of the HNB; it contains the credentials used to prove and authenticate the identity of the user (hereinafter Hosting Party) to the mobile network operator. The hosting party is analogous to a mobile phone subscriber, and the module is analogous to a Subscriber Identity Module (hereinafter SIM) card. The HPM is provided to the hosting party by the mobile network operator. The HPM can be removed from the HNB, which means that the HPM need not be replaced when the HNB is replaced. The HPM allows the HNB to have a hosting-party-based user identity without affecting the HNB manufacturer. The greatest significance of the HPM is that, when the HNB equipment manufacturer and the HNB service provider are separate, the users applying for service can be effectively authenticated.
The Trusted Environment (hereinafter TrE) is a logically or physically independent entity deployed on the HNB, specifically a secure storage environment on the HNB used to store sensitive data on the HNB, such as the credential representing the identity of the HNB device.
In the process of implementing the embodiments of the present invention, the inventors found that the prior art has at least the following problem:
In the prior art, every restart of the HNB requires performing the complete and repeated authentication process with the core network, which undoubtedly increases the burden on the network-side servers.
Summary of the invention
The embodiments of the present invention provide an authentication method, a trusted environment unit and a home base station, so as to reduce the burden of HNB authentication on the network side.
An embodiment of the present invention provides an authentication method based on a trusted environment of a home base station, including: performing device identity authentication on the HNB;
performing identity authentication on the TrE set on the HNB;
authenticating the identity binding relationship between the HNB and the TrE;
performing non-identity authentication on the HNB;
acquiring the non-identity authentication data of the HNB and storing it in the TrE.
An embodiment of the present invention provides another authentication method based on a trusted environment of a home base station, including: performing device identity authentication on the HNB;
performing identity authentication on the TrE;
authenticating the identity binding relationship between the HNB and the TrE;
performing non-identity authentication on the HNB through the TrE.
An embodiment of the present invention provides yet another authentication method based on a trusted environment of a home base station, including:
the TrE receiving a UE identity authentication request sent by a user equipment (User Equipment; hereinafter UE);
performing identity authentication on the UE through the TrE.
An embodiment of the present invention provides a trusted environment unit, including:
an authentication data storage module, configured to store non-identity authentication data of the HNB;
an authentication module, configured to perform non-identity authentication of the HNB according to the non-identity authentication data of the HNB stored by the authentication data storage module.
An embodiment of the present invention further provides a home base station, including a TrE unit, where the TrE unit is provided with:
an authentication data storage module, configured to store non-identity authentication data of the HNB;
an authentication module, configured to perform non-identity authentication of the HNB according to the non-identity authentication data of the HNB stored by the authentication data storage module.
By providing an authentication method, a trusted environment unit and a home base station, the embodiments of the present invention make full use of the characteristics of the TrE and store the non-identity authentication data obtained after the first HNB authentication in the TrE. When the HNB restarts, the related non-identity authentication can be performed through the TrE, thereby reducing the burden of HNB authentication on the network side.
Brief description of the drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a flowchart of a first embodiment of an authentication method based on a trusted environment of a home base station according to the present invention;
FIG. 2 is a signaling flowchart of a second embodiment of an authentication method based on a trusted environment of a home base station according to the present invention;
FIG. 3 is a signaling flowchart of a third embodiment of an authentication method based on a trusted environment of a home base station according to the present invention;
FIG. 4 is a signaling flowchart of a fourth embodiment of an authentication method based on a trusted environment of a home base station according to the present invention;
FIG. 5 is a signaling flowchart of a fifth embodiment of an authentication method based on a trusted environment of a home base station according to the present invention;
FIG. 6 is a flowchart of a sixth embodiment of an authentication method based on a trusted environment of a home base station according to the present invention;
FIG. 7 is a signaling flowchart of a seventh embodiment of an authentication method based on a trusted environment of a home base station according to the present invention;
FIG. 8 is a signaling flowchart of an eighth embodiment of an authentication method based on a trusted environment of a home base station according to the present invention;
FIG. 9 is a signaling flowchart of a ninth embodiment of an authentication method based on a trusted environment of a home base station according to the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer: the network type in the following embodiments of the present invention may be a Global System for Mobile Communication (hereinafter GSM) network, a Code Division Multiple Access (hereinafter CDMA) network, a Wideband CDMA (hereinafter WCDMA) network, a Worldwide Interoperability for Microwave Access (hereinafter Wimax) network, a Time Division-Synchronous CDMA (hereinafter TD-SCDMA) network or a Long Term Evolution (hereinafter LTE) network. The type of wireless access device may be a home base station, a pico base station (Pico), a Universal Mobile Telecommunications System AP (hereinafter UMTS AP), a Wimax femto base station or a Wimax macro base station. The user equipment in the following embodiments of the present invention may be a mobile terminal such as a mobile phone, a notebook computer or a Personal Digital Assistant (hereinafter PDA).
Since an HNB is on the one hand user equipment deployed in the user's home and on the other hand operator equipment that, like a macro base station, provides the access function for users, this dual role makes the operator's security requirements for the HNB very high. Therefore, when a home base station is powered on and establishes a physical connection with the operator, the operator needs to perform the relevant authentication on the HNB. In the prior art, non-identity authentication of the HNB is based on a non-trusted environment with low secure storage capability; it does not make full use of the functions of the TrE and to some extent reduces the application space of the TrE. Moreover, since the TrE has independent identity information, and that identity information can be associated with the HNB and the HPM, once the HNB is loaded with a TrE the network side's authentication of the HNB involves authentication of the TrE and authentication of the association between the TrE and the HNB. The embodiments of the present invention describe how the network side implements the authentication process for an HNB configured with a TrE, and how a TrE with high secure storage performance is used to localize HNB-related authentication.
First embodiment
FIG. 1 is a flowchart of the first embodiment of an authentication method based on a trusted environment of a home base station according to the present invention. As shown in FIG. 1, this embodiment describes the authentication process when the HNB is started for the first time, including the following steps:
Step 11: perform device identity authentication on the HNB.
The network side first needs to authenticate the identity of the HNB device itself. Identity authentication of the HNB is mainly based on an identity credential. The HNB identity credential has two forms, one based on a certificate and the other based on an Authentication and Key Agreement (hereinafter AKA) credential. The authentication process mainly consists of the authentication flow exchanged between the network-side security gateway and Authentication, Authorization and Accounting (hereinafter AAA) server and the HNB.
Step 12: perform identity authentication on the TrE set on the HNB.
Certificate-based authentication may likewise be used for the TrE; the authentication process mainly consists of the authentication flow exchanged between the network-side security gateway and AAA server and the TrE on the HNB.
Step 13: authenticate the identity binding relationship between the HNB and the TrE.
Authentication of the binding relationship is mainly completed by the AAA server: the AAA server queries its previously stored binding relationship according to the identity of the TrE, and then compares it with the HNB identity sent by the HNB, thereby verifying the binding relationship.
Step 14: perform non-identity authentication on the HNB. The non-identity authentication performed on the HNB may include identity authentication of the HPM on the HNB, location authentication of the HNB and identity authentication of the UE.
Step 15: acquire the non-identity authentication data of the HNB and store it in the TrE. Corresponding to the types of non-identity authentication above, the non-identity authentication data may include HPM authentication data, HNB location authentication data and UE authentication data.
After the non-identity authentication succeeds, part of the authentication data maintained by the network side (mainly the authentication data related to non-identity authentication) is downloaded to the local TrE of the HNB. When the HNB restarts or re-authenticates, the non-identity authentication process can be performed in the local TrE of the HNB, which makes full use of the functions of the TrE and also means that the restart or re-authentication process does not need the participation of the core network, reducing the burden on the network side.
Second embodiment
FIG. 2 is a signaling flowchart of the second embodiment of an authentication method based on a trusted environment of a home base station according to the present invention. As shown in FIG. 2, this embodiment describes in detail the authentication process when the HNB is started for the first time, specifically including the following steps:
Step 101: an IKE_SA_INIT (IKE authentication initialization) connection is established between the HNB and the security gateway (Secure Gateway; hereinafter SGW).
Step 102: the HNB sends an IKE_AUTH_REQ authentication request (IKE authentication request) to the SGW, which carries the identities of the HNB and the TrE. It should be noted here that the HNB identity credential has two forms, one based on a certificate and the other based on an AKA credential. This embodiment describes the case based on an AKA credential. If a certificate-based authentication mechanism is used, a certificate verification process is needed between the HNB and the SGW.
Step 103: the SGW verifies the identity of the TrE. Certificate-based authentication is used for the TrE.
Step 104: the SGW sends an Authentication Request/Identity request (authentication request) to the AAA server, which carries the identities of the HNB and the TrE.
Step 105: the AAA server performs identity authentication of the HNB. The specific identity authentication process may be similar to the following: the AAA server initiates an AKA (Authentication and Key Agreement) identity authentication challenge request, obtains an AV (authentication vector), runs the AKA algorithm and accepts the HNB's identity authentication challenge response, thereby achieving mutual authentication between the HNB and the network side.
Step 106: the AAA server authenticates the binding relationship between the HNB and the TrE. The specific binding relationship authentication process may be similar to the following: the AAA server obtains the binding relationship between the HNB and the TrE from the relevant database network element (such as the Home Location Register (hereinafter HLR)); the AAA server queries its previously stored binding relationship according to the TrE identity sent by the HNB and compares it with the received HNB identity, thereby verifying the binding relationship.
Step 107: the AAA server sends a TrE identity authentication success and binding relationship authentication success response (Authentication Response/success) to the SGW.
Step 108: the SGW notifies the HNB that authentication succeeded through an IKE_AUTH_RES (IKE authentication response) message.
Step 109: after receiving the authentication success message, the HNB triggers platform integrity authentication of the HNB.
Step 110: platform integrity authentication of the HNB is performed between the HNB and the integrity authentication server. Integrity authentication requires the network side to store reference measurement values of HNB integrity; this data is stored on an existing network element, for example by adding a storage function to an existing network element such as the HLR, or on a newly added network element. After integrity authentication ends, a corresponding secure channel is established between the HNB and the SGW.
Step 111: the HNB and the network side perform the subsequent related non-identity authentication, such as location authentication of the HNB, authentication of the HPM and identity authentication of the UE. At the same time, the AAA server needs to obtain the data used for non-identity authentication from the authentication database.
Step 112: after the non-identity authentication succeeds, part of the authentication data maintained by the AAA server (mainly data used for non-identity authentication) is downloaded to the local TrE of the HNB. In this way, when the HNB restarts or re-authenticates, the authentication process is performed in the local TrE of the HNB.
It should be noted that, in this embodiment and the following embodiments, the authentication process of the HNB on the network side is described specifically in terms of network elements such as the AAA server and the SGW, but the authentication process of the HNB in the embodiments of the present invention is not limited to these network elements, as a person skilled in the art will appreciate. In this embodiment, after the HNB is started for the first time, device identity authentication of the HNB, TrE identity authentication, authentication of the binding relationship between the two and platform integrity authentication are completed through interaction with the SGW and AAA server on the network side; the related non-identity authentication is then performed, and after it succeeds, part of the authentication data maintained by the network side (mainly the authentication data related to non-identity authentication) is downloaded to the local TrE of the HNB. When the HNB restarts or re-authenticates, the non-identity authentication process can be performed in the local TrE of the HNB, which makes full use of the functions of the TrE and also means that the restart or re-authentication process no longer requires interaction with network-side servers such as the SGW and AAA server, reducing the burden on the network side.
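The first-start flow of the first and second embodiments (steps 11 to 15, steps 103 to 112), as an added Python model that is not code from the patent or from Huawei: the AAA server's TrE and HNB identity checks, its binding-relationship check against the HLR record (step 106), and the download of non-identity authentication data into the HNB's TrE (step 112), gated so that nothing is downloaded unless every preceding check succeeded. The AKA exchange is reduced to an HMAC challenge-response, TrE certificate validation to a trusted-identity list, and the HLR records and identifiers are constructed; IKE messages and the SGW are not modelled.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class HLR:
    """Constructed stand-in for the HLR: long-term keys, TrE->HNB bindings and the
    non-identity authentication data the AAA server later hands to the TrE."""
    hnb_keys: dict            # HNB identity -> long-term AKA-style secret
    bindings: dict            # TrE identity -> bound HNB identity
    non_identity_data: dict   # HNB identity -> data for HPM/location/UE checks


class HNB:
    """Constructed HNB holding its AKA-style secret and an (initially empty) TrE."""

    def __init__(self, hnb_id, tre_id, key):
        self.hnb_id, self.tre_id, self._key = hnb_id, tre_id, key
        self.tre_store = {}  # the local TrE's authentication data storage

    def challenge_response(self, rand):
        # Simplified stand-in for the AKA RES computation (not the real AKA functions).
        return hmac.new(self._key, rand, hashlib.sha256).digest()


class AAAServer:
    def __init__(self, hlr, trusted_tre_ids):
        self.hlr = hlr
        self.trusted_tre_ids = set(trusted_tre_ids)  # stands in for TrE certificate checks

    def authenticate_tre(self, tre_id):
        # Step 103 (done at the SGW in the embodiment): TrE identity.
        return tre_id in self.trusted_tre_ids

    def authenticate_hnb(self, hnb):
        # Step 105: challenge the HNB with a fresh RAND, compare XRES to RES.
        key = self.hlr.hnb_keys.get(hnb.hnb_id)
        if key is None:
            return False
        rand = os.urandom(16)
        xres = hmac.new(key, rand, hashlib.sha256).digest()
        return hmac.compare_digest(xres, hnb.challenge_response(rand))

    def authenticate_binding(self, hnb_id, tre_id):
        # Step 106: look up the stored binding by TrE identity, compare to the
        # HNB identity received; a TrE moved to another HNB fails here.
        bound = self.hlr.bindings.get(tre_id)
        return bound is not None and hmac.compare_digest(bound.encode(), hnb_id.encode())

    def non_identity_auth(self, hnb_id, hpm_id, location):
        # Step 111 (simplified): HPM and location checked against HLR data;
        # the data is returned only when the checks pass.
        data = self.hlr.non_identity_data.get(hnb_id)
        if data is None:
            return None
        ok = hmac.compare_digest(data["hpm_id"].encode(), hpm_id.encode())
        ok &= hmac.compare_digest(data["location"].encode(), location.encode())
        return data if ok else None


def first_start(aaa, hnb, hpm_id, location):
    """Steps 103-112 as one gated sequence. Returns the outcome of each step;
    the download (step 112) happens only if every preceding check succeeded."""
    steps = {"tre_identity": aaa.authenticate_tre(hnb.tre_id),
             "hnb_identity": aaa.authenticate_hnb(hnb)}
    steps["binding"] = (steps["tre_identity"] and steps["hnb_identity"]
                        and aaa.authenticate_binding(hnb.hnb_id, hnb.tre_id))
    data = aaa.non_identity_auth(hnb.hnb_id, hpm_id, location) if steps["binding"] else None
    steps["non_identity"] = data is not None
    if data is not None:
        hnb.tre_store.update(data)  # step 112: download into the local TrE
    return steps


# Constructed HLR contents: two HNBs with keys, but only hnb-0001 bound to tre-0001.
SAMPLE_HLR = HLR(
    hnb_keys={"hnb-0001": b"constructed-key-hnb-0001",
              "hnb-0002": b"constructed-key-hnb-0002"},
    bindings={"tre-0001": "hnb-0001"},
    non_identity_data={"hnb-0001": {"hpm_id": "hpm-0001",
                                    "location": "cell-42/floor-3",
                                    "ue_ids": ["imsi-460001234567890"]}},
)

if __name__ == "__main__":
    aaa = AAAServer(SAMPLE_HLR, ["tre-0001"])
    hnb = HNB("hnb-0001", "tre-0001", b"constructed-key-hnb-0001")
    print(first_start(aaa, hnb, "hpm-0001", "cell-42/floor-3"), hnb.tre_store)
```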
Third embodiment
FIG. 3 is a signaling flowchart of a third embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in FIG. 3, this embodiment focuses on the network-side identity authentication of the HPM when the HNB starts for the first time, and is a more detailed illustration of steps 111 and 112 of the second embodiment above.
HPM authentication refers to the authentication of the HNB's user by the mobile network operator. There are usually two scenarios:
Scenario A: the HPM is bound to the HNB device
In this scenario, completing the HNB device authentication also completes the HPM authentication; no additional authentication step is needed. Both EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) and certificate-based authentication can serve as the HPM authentication. This solution suits scenarios in which the HPM is not removable.
Scenario B: the HPM is separate from the HNB device. Two solutions currently exist for this scenario:
B1: certificate-based HNB device authentication and EAP-AKA-based HPM authentication
This solution first performs device authentication between the HNB and the SGW using their respective certificates, and then performs EAP-AKA-based HPM authentication.
B2: binding of the HPM ID to the HNB device ID
The HNB is a device with an embedded HPM. Each device has an EI (equipment identifier) that represents its identity. The HNB-EI is set in the HNB by the manufacturer at the factory. The HLR on the network side stores the HNB-EI record corresponding to each HPM-ID; this record represents the binding between the HNB-EI and the HPM-ID. The AAA server authenticates the binding on the basis of this record.
Because this embodiment is based on the scenario in which HPM authentication is separate from HNB device authentication, the binding between the HPM and the HNB device need not be authenticated. In this embodiment, the HPM identity authentication process includes the following steps:
Step 1110: The TrE obtains the identity of the HPM of the HNB; this can be done through the interface between the HNB and the TrE.
Step 1111: The HNB sends an IKE_AUTH_REQ authentication request (IKE authentication request) to the SGW, carrying the identities of the HPM and the TrE.
Step 1112: The SGW sends an Authentication Request/Identity request (authentication request) to the AAA server, carrying the identities of the HPM and the TrE.
Step 1113: The AAA server obtains multiple AVs (authentication vectors) from the HLR.
Step 1114: The AAA server sends an EAP Request/AKA(SIM) challenge request (EAP request/AKA challenge) to the SGW.
Step 1115: The SGW forwards the EAP Request/AKA(SIM) challenge request to the HNB in an IKE_AUTH_RES (IKE authentication response) message.
Step 1116: The HNB returns the EAP Response/AKA(SIM) challenge (EAP response/AKA challenge) to the SGW in an IKE_AUTH_REQ (IKE authentication request) message.
Step 1117: The SGW returns the EAP Response/AKA(SIM) challenge to the AAA server.
In steps 1114 to 1117, the EAP-AKA authentication procedure runs between the AAA server and the HNB, thereby completing the authentication of the HPM.
Step 1118: The AAA server verifies the binding between the HPM and the TrE. Using the HPM identity, the AAA server looks up the pre-stored binding and verifies the identity of the TrE against it.
Step 1119: The AAA server sends Authentication Response/EAP-AKA(SIM) success to the SGW (a response indicating that the HPM identity authentication and the binding authentication succeeded).
Step 1120: The SGW sends the HPM identity authentication success and binding authentication success response to the HNB in an IKE_AUTH_RES message.
Step 1121: The HNB sends an HNB Boot request (initial startup request) to the AHR (AP home registration server).
Step 1122: The AHR requests the HPM's authentication vectors from the AAA server with a retrieving authentication data message. Several authentication vectors may be requested, so that each local authentication uses a fresh vector.
Step 1123: The AAA server responds to the request by returning its stored unused AVs to the AHR (each authentication vector contains the parameters XRES (expected response), RAND (random number) and AUTN (authentication token)).
Step 1124: The AHR sends an initial startup response (Boot response) to the HNB, carrying the HPM's authentication data.
Step 1125: The TrE securely stores the HPM's authentication data, thereby localizing the authentication data.
In this embodiment, after the HNB starts for the first time, the HPM identity authentication (part of the non-identity authentication) is completed through interaction with the SGW and the AAA server on the network side. After authentication succeeds, the HPM authentication data maintained on the network side is downloaded into the HNB's local TrE. When the HNB restarts or re-authenticates, the HPM identity authentication can then be performed in the HNB's local TrE without further interaction with network-side servers such as the SGW and the AAA server, which makes full use of the TrE and reduces the load on the network side.
Fourth embodiment
FIG. 4 is a signaling flowchart of a fourth embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in FIG. 4, this embodiment focuses on the network-side location authentication of the HNB when the HNB starts for the first time. It is likewise a more detailed illustration of steps 111 and 112 of the second embodiment above, and specifically includes the following steps:
Step 2110: The HNB sends an initial startup request (Boot request) to the AHR, carrying the HNB's current location information.
Step 2111: The AHR performs location authentication.
Step 2112: The AHR sends an initial startup response (Boot response) to the HNB, carrying the authenticated location information in encrypted form.
Step 2113: On receiving the location information, the HNB passes it to the TrE.
Step 2114: The TrE verifies the source of the information. If the check passes, the TrE takes this location information as the reference location of the current user (corresponding to the current HPM) and stores it securely.
In this embodiment, after the HNB starts for the first time, the HNB location authentication (part of the non-identity authentication) is completed through interaction with the SGW and the AAA server on the network side. After authentication succeeds, the HNB location authentication data maintained on the network side is downloaded into the HNB's local TrE. When the HNB restarts or re-authenticates, the HNB location authentication can then be performed in the HNB's local TrE without further interaction with network-side servers such as the SGW, the AAA server and the AHR, which makes full use of the TrE and reduces the load on the network side.
Fifth embodiment
FIG. 5 is a signaling flowchart of a fifth embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in FIG. 5, this embodiment focuses on the processing when a UE initiates authentication for the first time after the HNB has started for the first time. It is likewise a more detailed illustration of steps 111 and 112 of the second embodiment above, and specifically includes the following steps:
Step 3110: The UE initiates an identity authentication request through the HNB, carrying its identity information; the request is sent to the AAA server.
Step 3111: The AAA server may run the AKA algorithm to authenticate the UE.
Step 3112: The AAA server sends the encrypted UE authentication data to the HNB in the authentication response (the data may be the RAND, AUTN and XRES parameters of the AVs stored in the AAA server, possibly several sets of them).
Step 3113: The HNB sends an authentication success response message to the UE.
Step 3114: The HNB sends the encrypted UE authentication data to the TrE.
Step 3115: The TrE decrypts the authentication data and securely stores the UE authentication data.
In this embodiment, after the HNB starts for the first time, the UE and the HNB complete the UE identity authentication (part of the non-identity authentication) through interaction with the SGW and the AAA server on the network side. After authentication succeeds, the UE identity authentication data maintained on the network side is downloaded into the HNB's local TrE. When the HNB restarts or re-authenticates, or when the UE needs to authenticate again, the UE identity authentication can then be performed in the HNB's local TrE, requiring only interaction between the UE and the HNB and no further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
Sixth embodiment
FIG. 6 is a flowchart of a sixth embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in FIG. 6, this embodiment focuses on the authentication procedure when the HNB restarts or re-authenticates. As can be seen from the first to fifth embodiments above, after the HNB starts for the first time and is authenticated by the network side, part of the authentication data maintained on the network side (mainly the authentication data related to non-identity authentication) is downloaded into the HNB's local TrE. Thus, when the HNB restarts or re-authenticates, the related non-identity authentication can be performed directly locally, without involving the network side. This embodiment specifically includes the following steps:
Step 21: Perform identity authentication of the HNB.
Step 22: Perform identity authentication of the TrE.
Step 23: Authenticate the identity binding between the HNB and the TrE.
Steps 21 to 23 may specifically use the procedure of steps 101 to 110 of the second embodiment, which is not repeated here.
Step 24: Perform non-identity authentication of the HNB through the TrE. Non-identity authentication may include HPM authentication, HNB location authentication and UE authentication.
In this embodiment, the TrE stores the non-identity authentication data obtained during the authentication procedure at the HNB's first startup. When the HNB restarts or re-authenticates, the related non-identity authentication can be performed on the basis of the non-identity authentication data stored in the local TrE, with no further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
Seventh embodiment
FIG. 7 is a signaling flowchart of a seventh embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in FIG. 7, this embodiment focuses on the HPM identity authentication procedure when the HNB restarts or re-authenticates. The procedure described here is a specific example of step 24 of the sixth embodiment; when the HNB starts again, it also goes through steps 21 to 23 of the sixth embodiment. This embodiment includes the following steps:
Step 4110: The HPM sends an identity authentication request to the TrE; this can be done through the interface between the HNB and the TrE.
Step 4111: The TrE looks up an authentication vector (AV) that it has not yet used.
Step 4112: The TrE sends an authentication challenge request to the HPM, carrying the AV (the AV contains the RAND and AUTN parameters).
Step 4113: The HPM computes RES (the response value derived from the key, AUTN and RAND) from the received RAND and AUTN parameters and its stored key.
Step 4114: The HPM returns an authentication challenge response carrying the RES.
Step 4115: The TrE performs the HPM identity authentication. The TrE compares the received RES with its stored XRES (the parameter downloaded into the TrE after the authentication procedure completed at the HNB's first startup). If they match, the TrE's authentication of the HPM succeeds and it generates an authentication result of success; otherwise it generates an authentication result of failure.
Step 4116: The TrE returns the authentication result to the HPM.
Step 4117: The TrE notifies the AAA server on the network side of the authentication result.
In this embodiment, the TrE stores the HPM identity authentication data obtained during the authentication procedure at the HNB's first startup. When the HNB restarts or re-authenticates, the HPM identity authentication can be performed on the basis of the HPM identity authentication data stored in the local TrE, with no further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
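As an added example (not code from the patent or from Huawei), the following Python models the AV provisioning of the third embodiment (steps 1121 to 1125) and the TrE-local HPM authentication of the seventh embodiment (steps 4111 to 4117). It assumes HMAC-SHA256 as a stand-in for the AKA response function, a constructed shared key and opaque RAND/AUTN values; the AHR relay and message encodings are omitted, and every AV is consumed on use so that a local authentication is never replayed against a stale vector.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthVector:
    """One AV as listed in step 1123: RAND, AUTN and the expected response XRES."""
    rand: bytes
    autn: bytes
    xres: bytes


def aka_response(key: bytes, rand: bytes, autn: bytes) -> bytes:
    """Stand-in for the AKA response function (assumption: the page does not
    specify the function, so HMAC-SHA256 truncated to 8 bytes is used here)."""
    return hmac.new(key, rand + autn, hashlib.sha256).digest()[:8]


class AAAServer:
    """Network side. Holds the HPM's long-term key (obtained from the HLR in
    the real system) and mints authentication vectors on request."""

    def __init__(self, hpm_key: bytes) -> None:
        self._hpm_key = hpm_key
        self.notifications: list[str] = []

    def retrieve_authentication_data(self, count: int) -> list[AuthVector]:
        # Steps 1122/1123: hand out several unused AVs so that every later
        # local authentication uses a fresh RAND.
        vectors = []
        for _ in range(count):
            rand = os.urandom(16)
            autn = os.urandom(16)  # constructed; a real AUTN carries SQN and MAC
            vectors.append(AuthVector(rand, autn, aka_response(self._hpm_key, rand, autn)))
        return vectors

    def notify(self, result: str) -> None:
        # Step 4117: the TrE reports each local result back to the network side.
        self.notifications.append(result)


class HPM:
    """The user's identity module: shares the long-term key with the network."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def answer_challenge(self, rand: bytes, autn: bytes) -> bytes:
        # Step 4113: RES derived from the stored key, RAND and AUTN.
        return aka_response(self._key, rand, autn)


class TrE:
    """Trusted environment on the HNB: stores the downloaded AVs (step 1125)
    and runs the local HPM authentication (steps 4111 to 4117)."""

    def __init__(self) -> None:
        self._unused: list[AuthVector] = []

    def store_authentication_data(self, vectors: list[AuthVector]) -> None:
        self._unused.extend(vectors)

    def unused_count(self) -> int:
        return len(self._unused)

    def authenticate_hpm(self, hpm: HPM, aaa: AAAServer) -> str:
        if not self._unused:
            # Pool exhausted: the HNB must fetch new AVs from the network
            # rather than reuse one, otherwise the freshness goal is lost.
            return "no_unused_av"
        av = self._unused.pop(0)                        # step 4111: consume an unused AV
        res = hpm.answer_challenge(av.rand, av.autn)    # steps 4112 to 4114
        # Step 4115: constant-time comparison of RES against the stored XRES.
        result = "success" if hmac.compare_digest(res, av.xres) else "failure"
        aaa.notify(result)                              # step 4117
        return result                                   # step 4116: returned to the HPM


def first_boot(aaa: AAAServer, tre: TrE, count: int = 3) -> None:
    """Third embodiment, steps 1121 to 1125, with the AHR relay omitted."""
    tre.store_authentication_data(aaa.retrieve_authentication_data(count))


if __name__ == "__main__":
    key = bytes(range(16))                               # constructed shared key
    aaa, tre = AAAServer(key), TrE()
    first_boot(aaa, tre)
    print(tre.authenticate_hpm(HPM(key), aaa))           # success
    print(tre.authenticate_hpm(HPM(b"\x00" * 16), aaa))  # failure
```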
Eighth embodiment
FIG. 8 is a signaling flowchart of an eighth embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in FIG. 8, this embodiment focuses on the HNB location authentication procedure when the HNB restarts or re-authenticates. The procedure described here is likewise a specific example of step 24 of the sixth embodiment; when the HNB restarts or re-authenticates, it also goes through steps 21 to 23 of the sixth embodiment. This embodiment includes the following steps:
Step 5110: The HNB sends a location authentication request to the TrE, carrying the HNB's current location information.
Step 5111: The TrE performs location authentication. The TrE compares the current location information with the location information stored in the TrE; if they match, it generates a location authentication result of success, otherwise a location authentication result of failure.
Step 5112: The TrE notifies the HNB of the location authentication result.
Step 5113: The TrE notifies the AHR on the network side of the location authentication result.
In this embodiment, the TrE stores the HNB location authentication data obtained during the authentication procedure at the HNB's first startup. When the HNB restarts or re-authenticates, the HNB location authentication can be performed on the basis of the HNB location authentication data stored in the local TrE, with no further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
Ninth embodiment
FIG. 9 is a signaling flowchart of a ninth embodiment of the authentication method based on the trusted environment of a home base station according to the present invention. As shown in FIG. 9, this embodiment focuses on the authentication procedure when a UE authenticates again after its first identity authentication through the network side. After the HNB's first startup, if a UE has already completed identity authentication with the network side, the UE authentication data for that UE is already stored in the local TrE, so when the HNB next receives an identity authentication request from the same UE, the authentication can be completed directly through the TrE. The UE's re-authentication may take place after the HNB's first startup, or when the HNB restarts or re-authenticates. The authentication procedure of this embodiment is as follows:
Step 6110: The TrE receives a UE identity authentication request sent by the UE, carrying the UE's identity.
Step 6111: The TrE compares the UE identity carried in the UE identity authentication request with the UE identity stored in the TrE; if they match, it generates a UE identity authentication result of success, otherwise a UE identity authentication result of failure.
Step 6112: The TrE notifies the UE of the UE identity authentication result.
Step 6113: The TrE notifies the AAA server on the network side of the UE identity authentication result.
In this embodiment, the TrE stores the UE identity authentication data of the HNB obtained during the authentication procedure at the HNB's first startup. When the HNB restarts or re-authenticates, the UE identity authentication can be performed on the basis of the UE identity authentication data stored in the local TrE, with no further interaction with network-side servers such as the SGW, the AAA server and the AHR. This makes full use of the TrE and reduces the load on the network side.
Tenth embodiment
This embodiment is an embodiment of the TrE unit. The TrE unit includes an authentication data storage module and an authentication module. The authentication data storage module stores the HNB's non-identity authentication data; the authentication module performs the HNB's non-identity authentication on the basis of the non-identity authentication data stored by the authentication data storage module.
The authentication data storage module may include an HPM authentication data storage module and/or a UE authentication data storage module and/or an HNB location authentication data storage module. The authentication module includes an HPM identity authentication module and/or an HNB location authentication module and/or a UE identity authentication module. When the HPM identity authentication module authenticates the HPM, it uses the data stored in the HPM authentication data storage module; likewise, the HNB location authentication module corresponds to the HNB location authentication data storage module, and the UE identity authentication module to the UE authentication data storage module.
Eleventh embodiment
An embodiment of the present invention further provides a home base station that includes a TrE unit as described in the tenth embodiment, which is not described again here.
As can be seen from the above embodiments, the embodiments of the present invention make full use of the characteristics of the TrE: the non-identity authentication data from the first HNB authentication is stored in the TrE, and when the HNB restarts, the related non-identity authentication can be performed through the TrE. This relieves the network side of the burden of HNB authentication, and also removes the need to bind device and user identity through the HPM-ID and HNB-ID, sparing the operator the burden of building an additional database.
It should be noted that non-identity authentication in the embodiments of the present invention refers to authentication related to the HNB other than the HNB device identity authentication and the TrE identity authentication, such as HNB location authentication, HPM authentication and the authentication of UEs accessing the HNB.
The units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of the examples have been described above in general terms of their functions. Whether these functions are performed in hardware or software depends on the particular application of the technical solution and the functions described, but such an implementation should not be considered beyond the scope of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1、 一种基于家庭基站可信任环境的认证方法, 其特征在于, 包括: 对家庭基站进行设备身份认证;  An authentication method based on a trusted environment of a home base station, the method comprising: performing device identity authentication on a home base station;
对设置在所述家庭基站上的可信任环境进行身份认证;  Performing identity authentication on a trusted environment set on the home base station;
对所述家庭基站和所述可信任环境的身份绑定关系进行认证; 对所述家庭基站进行非身份认证;  Authenticating an identity binding relationship between the home base station and the trusted environment; performing non-identity authentication on the home base station;
获取并存储所述家庭基站的非身份认证数据于所述可信任环境中。 Acquiring and storing non-identity authentication data of the home base station in the trusted environment.
2、 根据权利要求 1所述的基于家庭基站可信任环境的认证方法, 其特 征在于, 对所述家庭基站进行非身份验证, 获取并存储所述家庭基站的非身 份认证数据于所述可信任环境中具体为:对所述家庭基站上的使用者身份模 块进行身份认证,获取并存储所述使用者身份模块的认证数据于所述可信任 环境中。 The home base station trusted environment-based authentication method according to claim 1, wherein the home base station performs non-authentication verification, and acquires and stores the non-identity authentication data of the home base station in the trusted Specifically, the environment is: performing identity authentication on the user identity module on the home base station, and acquiring and storing the authentication data of the user identity module in the trusted environment.
3、 根据权利要求 2所述的基于家庭基站可信任环境的认证方法, 其特 征在于, 对所述家庭基站上的使用者身份模块进行身份认证, 获取并存储所 述使用者身份模块的认证数据于所述可信任环境中具体为:  The method for authenticating a home base station trusted environment according to claim 2, wherein the user identity module on the home base station is authenticated, and the authentication data of the user identity module is acquired and stored. Specifically in the trusted environment:
通过所述可信任环境获取所述使用者身份模块的身份标识;  Obtaining an identity of the user identity module by using the trusted environment;
发送使用者身份模块身份认证请求至验证、授权和记账服务器, 该请求 中携带有所述使用者身份模块和所述可信任环境的身份标识;  Sending a user identity module identity authentication request to a verification, authorization, and accounting server, where the request carries the identity module of the user identity and the identity of the trusted environment;
通过所述验证、授权和记账服务器执行对所述使用者身份模块的身份认 证以及对所述使用者身份模块与所述可信任环境的绑定关系认证;  Performing identity authentication of the user identity module and binding authentication of the user identity module to the trusted environment by the verification, authorization, and accounting server;
从 AP归属注册服务器获取使用者身份模块认证数据, 并存储于所述可 信任环境中。  The user identity module authentication data is obtained from the AP home registration server and stored in the trusted environment.
4. The authentication method based on a home base station trusted environment according to claim 1, wherein performing non-identity verification on the home base station and acquiring and storing the non-identity authentication data of the home base station in the trusted environment specifically comprises: performing location authentication on the home base station, and acquiring and storing location authentication data of the home base station in the trusted environment.
5. The authentication method based on a home base station trusted environment according to claim 4, wherein performing location authentication on the home base station and acquiring and storing the location authentication data of the home base station in the trusted environment specifically comprises:
initiating an initial startup request to the AP home registration server, the initial startup request carrying current location information of the home base station;
performing location authentication on the home base station by the AP home registration server; receiving an initial startup response returned by the AP home registration server, the initial startup response carrying the authenticated location information;
storing the authenticated location information in the trusted environment.
6. The authentication method based on a home base station trusted environment according to claim 1, wherein performing non-identity verification on the home base station and acquiring and storing the non-identity authentication data of the home base station in the trusted environment specifically comprises: performing identity verification on a UE, and acquiring and storing authentication data of the UE in the trusted environment.
7. The authentication method based on a home base station trusted environment according to claim 6, wherein performing identity verification on the UE and acquiring and storing the authentication data of the UE in the trusted environment specifically comprises:
receiving a UE authentication request initiated by the UE and forwarding it to an authentication, authorization and accounting server, the UE authentication request carrying identity identifier information of the UE;
performing identity authentication on the UE by the authentication, authorization and accounting server;
receiving UE authentication data returned by the authentication, authorization and accounting server;
storing the UE authentication data in the trusted environment.
8. The authentication method based on a home base station trusted environment according to claim 1, wherein after the identity binding relationship between the home base station and the trusted environment has been authenticated, the method further comprises: authenticating the platform integrity of the home base station.
9. An authentication method based on a home base station trusted environment, comprising: performing device identity authentication on a home base station; performing identity authentication on a trusted environment;
authenticating an identity binding relationship between the home base station and the trusted environment; performing non-identity authentication on the home base station through the trusted environment.
10. The authentication method based on a home base station trusted environment according to claim 9, wherein performing non-identity authentication on the home base station through the trusted environment specifically comprises: performing identity authentication on a user identity module on the home base station through the trusted environment.
11. The authentication method based on a home base station trusted environment according to claim 10, wherein performing identity authentication on the user identity module on the home base station through the trusted environment specifically comprises:
the user identity module initiating an authentication request to the trusted environment;
the trusted environment initiating an authentication challenge request to the user identity module, the request carrying RAND and AUTN parameters;
the user identity module computing a RES according to the key it stores;
the user identity module initiating an authentication challenge response carrying the RES parameter; the trusted environment determining whether the values of the RES and an XRES are consistent, and if so, generating a user identity module identity authentication result indicating successful authentication, otherwise generating a user identity module identity authentication result indicating failed authentication;
the trusted environment returning the user identity module identity authentication result to the user identity module;
the trusted environment notifying the authentication, authorization and accounting server of the user identity module identity authentication result.
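The challenge-response exchange of claim 11, modelled as an added example that is not code from the patent. HMAC-SHA256 stands in for the 3GPP AKA key functions, the class and function names are assumptions, and the authentication vector held by the trusted environment is constructed inline.

```python
# Added example, not code from the patent: a simplified model of the claim 11
# exchange between the trusted environment (TE) and the user identity module
# (USIM). HMAC-SHA256 stands in for the 3GPP AKA functions; class and function
# names are assumptions, RAND/AUTN/RES/XRES follow the claim.
import hashlib
import hmac
import os
from typing import Optional

def _f(k: bytes, label: bytes, rand: bytes) -> bytes:
    """Stand-in for the AKA key functions: 8-byte tag derived from K and RAND."""
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:8]

def make_vector(k: bytes, rand: Optional[bytes] = None):
    """Home-network side: derive the (RAND, AUTN, XRES) vector the TE holds."""
    rand = rand or os.urandom(16)
    return rand, _f(k, b"AUTN", rand), _f(k, b"RES", rand)

class UserIdentityModule:
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self._k = imsi, k

    def respond(self, rand: bytes, autn: bytes) -> Optional[bytes]:
        # Check the network MAC in AUTN first, so a forged challenge is
        # rejected rather than answered with a valid RES (step 3 of claim 11).
        if not hmac.compare_digest(_f(self._k, b"AUTN", rand), autn):
            return None
        return _f(self._k, b"RES", rand)

class TrustedEnvironment:
    def __init__(self, vectors: dict):
        self._vectors = vectors          # {imsi: (rand, autn, xres)}
        self.aaa_notifications = []      # what gets reported to the AAA server

    def authenticate(self, usim: UserIdentityModule) -> bool:
        rand, autn, xres = self._vectors[usim.imsi]   # challenge request (step 2)
        res = usim.respond(rand, autn)                 # challenge response (step 4)
        # Constant-time compare of RES against XRES avoids a timing side channel.
        ok = res is not None and hmac.compare_digest(res, xres)
        self.aaa_notifications.append((usim.imsi, ok))   # step 6: notify AAA
        return ok

def run_demo():
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")     # constructed key
    te = TrustedEnvironment({"imsi-demo": make_vector(k)})
    genuine = te.authenticate(UserIdentityModule("imsi-demo", k))
    # A module with a different key fails the AUTN check and is reported as failed.
    impostor = te.authenticate(UserIdentityModule("imsi-demo", b"\x00" * 16))
    return genuine, impostor, te.aaa_notifications
```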
12. The authentication method based on a home base station trusted environment according to claim 9, wherein performing non-identity authentication on the home base station through the trusted environment specifically comprises: performing location authentication on the home base station through the trusted environment.
13. The authentication method based on a home base station trusted environment according to claim 12, wherein performing location authentication on the home base station through the trusted environment specifically comprises: the home base station sending a location authentication request to the trusted environment, the location authentication request carrying current location information of the home base station;
the trusted environment comparing the current location information with the location information stored in the trusted environment, and if they are consistent, generating a location authentication result indicating successful authentication, otherwise generating a location authentication result indicating failed authentication;
the trusted environment notifying the AP home registration server of the location authentication result.
14. The authentication method based on a home base station trusted environment according to claim 9, wherein performing non-identity authentication on the home base station through the trusted environment specifically comprises:
performing identity authentication on a UE through the trusted environment.
15. An authentication method based on a home base station trusted environment, comprising: a trusted environment receiving a UE identity authentication request sent by a UE;
performing identity authentication on the UE through the trusted environment.
16. The authentication method based on a home base station trusted environment according to claim 15, wherein the UE identity authentication request carries an identity identifier of the UE, and performing identity authentication on the UE through the trusted environment specifically comprises:
the trusted environment comparing the identity identifier of the UE carried in the UE identity authentication request with the identity identifier of the UE stored in the trusted environment, and if they are consistent, generating a UE identity authentication result indicating successful authentication, otherwise generating a UE identity authentication result indicating failed authentication;
the trusted environment notifying the authentication, authorization and accounting server of the UE identity authentication result.
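The two-phase pattern behind claims 5 and 7 (store data the network has authenticated) and claims 13 and 16 (verify locally against that stored data), modelled as an added example that is not code from the patent. The class and method names, the record formats and the (cell id, latitude, longitude) location tuple are assumptions.

```python
# Added example, not code from the patent: a model of the trusted environment
# unit of claims 17 to 19 that stores network-authenticated data (last steps of
# claims 5 and 7) and later verifies against it locally (claims 13 and 16).
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Location = Tuple[str, float, float]   # constructed format: (cell id, latitude, longitude)

@dataclass
class AuthenticationDataStorage:
    """Claim 18: storage for the TE's non-identity authentication data."""
    location: Optional[Location] = None                   # stored after claim 5's startup response
    ue_identities: Set[str] = field(default_factory=set)  # stored after claim 7's AAA reply

@dataclass
class TrustedEnvironmentUnit:
    storage: AuthenticationDataStorage = field(default_factory=AuthenticationDataStorage)
    hms_notifications: List[bool] = field(default_factory=list)              # to AP home registration server
    aaa_notifications: List[Tuple[str, bool]] = field(default_factory=list)  # to AAA server

    def store_authenticated_location(self, location: Location) -> None:
        self.storage.location = location

    def store_ue_authentication_data(self, ue_id: str) -> None:
        self.storage.ue_identities.add(ue_id)

    def authenticate_location(self, current: Location) -> bool:
        # Claim 13: a home base station reporting a location other than the one
        # authenticated at startup fails; a TE with no stored location also fails.
        ok = self.storage.location is not None and self.storage.location == current
        self.hms_notifications.append(ok)
        return ok

    def authenticate_ue(self, ue_id: str) -> bool:
        # Claim 16: only a UE identity the AAA server previously authenticated
        # (and the TE therefore stored) passes the local check.
        ok = ue_id in self.storage.ue_identities
        self.aaa_notifications.append((ue_id, ok))
        return ok

def run_demo() -> Tuple[bool, bool, bool, bool, bool]:
    te = TrustedEnvironmentUnit()
    home: Location = ("cell-demo-1", 39.9042, 116.4074)   # constructed values
    before_store = te.authenticate_location(home)          # fails: nothing stored yet
    te.store_authenticated_location(home)
    te.store_ue_authentication_data("imsi-demo-ue")
    moved: Location = ("cell-demo-2", 39.9042, 116.4074)
    return (before_store, te.authenticate_location(home), te.authenticate_location(moved),
            te.authenticate_ue("imsi-demo-ue"), te.authenticate_ue("imsi-unknown"))
```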
17. A trusted environment unit, comprising:
an authentication data storage module, configured to store non-identity authentication data of a home base station;
an authentication module, configured to perform non-identity authentication of the home base station according to the non-identity authentication data of the home base station stored by the authentication data storage module.
18. The trusted environment unit according to claim 17, wherein the authentication data storage module comprises: a user identity module authentication data storage module and/or a UE authentication data storage module and/or a home base station location authentication data storage module.
19. The trusted environment unit according to claim 17, wherein the authentication module comprises: a user identity module identity authentication module and/or a home base station location authentication module and/or a UE identity authentication module.
20. A home base station, comprising a trusted environment unit, the trusted environment unit being provided with:
an authentication data storage module, configured to store non-identity authentication data of the home base station;
an authentication module, configured to perform non-identity authentication of the home base station according to the non-identity authentication data of the home base station stored by the authentication data storage module.
PCT/CN2009/072108 2008-11-03 2009-06-03 Authentication method, trusted environment unit and home nodeb WO2010060296A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009800001105A CN101822083B (en) 2008-11-03 2009-06-03 Authentication method, trusted environment unit and home nodeb

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810175958.9 2008-11-03
CN200810175958A CN101827361B (en) 2008-11-03 2008-11-03 Identity authentication method, dependable environment unit and femtocell

Publications (1)

Publication Number Publication Date
WO2010060296A1 true WO2010060296A1 (en) 2010-06-03

Family

ID=42225224

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/072108 WO2010060296A1 (en) 2008-11-03 2009-06-03 Authentication method, trusted environment unit and home nodeb

Country Status (2)

Country Link
CN (2) CN101827361B (en)
WO (1) WO2010060296A1 (en)

Also Published As

Publication number Publication date
CN101827361A (en) 2010-09-08
CN101827361B (en) 2012-10-17
CN101822083B (en) 2012-10-17
CN101822083A (en) 2010-09-01

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase; Ref document number: 200980000110.5; Country of ref document: CN
121 Ep: the epo has been informed by wipo that ep was designated in this application; Ref document number: 09828557; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase; Ref country code: DE
122 Ep: pct application non-entry in european phase; Ref document number: 09828557; Country of ref document: EP; Kind code of ref document: A1