WO2010069202A1 - Authentication negotiation method and the system thereof, security gateway, home node b - Google Patents

Info

Publication number: WO2010069202A1
Application number: PCT/CN2009/074561
Authority: WO, WIPO (PCT)
Prior art keywords: authentication, ike, identifier, device authentication, auth
Other languages: French (fr), Chinese (zh)
Inventor: 何承东
Original Assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security, for authentication of entities
    • H04L 69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/24: Negotiation of communication capabilities

Abstract

This invention provides an authentication negotiation method and the system thereof, a security gateway, and a home Node B. The authentication negotiation method includes the following steps: receiving the IKE_SA_INIT request sent by the H(e)NB; sending the IKE_SA_INIT response to the H(e)NB; receiving the first IKE_AUTH request sent by the H(e)NB; and performing authentication of the H(e)NB based on whether the first identifier, which indicates support for device authentication and hosting party authentication, is included in the IKE_SA_INIT response and the first IKE_AUTH request. The security gateway, the home Node B and the authentication negotiation system are also provided. The authentication negotiation mechanism between the H(e)NB and the SeGW can be implemented simply and accurately, and the number of different versions of H(e)NB and SeGW devices may be reduced.

Description

Authentication negotiation method and system, security gateway, home wireless access point

This application claims priority to Chinese Patent Application No. 200810239705.3, filed with the Chinese Patent Office on December 15, 2008 and entitled "Authentication negotiation method and system, security gateway, home wireless access point", the entire contents of which are incorporated herein by reference.

Technical field

The present invention relates to the field of mobile communication technology, and in particular to an authentication negotiation method and system, a security gateway, and a home wireless access point.

Background
Currently, 3GPP and non-3GPP standards organizations are studying a new access mode, home access, in which user equipment (UE) connects to the operator's mobile network through a home wireless access point (Home Node B, HNB) that uses licensed spectrum and a generic public IP access network. Because the path from the HNB device to the HNB's security gateway (Security Gateway, SeGW) network element in the operator's mobile network crosses the public IP access network, the network attacks common on public IP networks can be introduced; a core network element, here the HNB's SeGW, therefore needs to authenticate the HNB device. This authentication comprises device authentication and hosting party authentication (Host Party Module, HPM; HPM is commonly used to denote hosting party authentication). Device authentication means authentication of the HNB device itself; hosting party authentication means authentication of the hosting party of the HNB device, who holds a subscription with the operator.
The latest 3GPP H(e)NB (covering both the HNB and the HeNB (Home Evolved Node B)) security specification 33.820 V1.2.0 (document number S3-081585) defines the following authentication principles:

① [the beginning of this principle is missing from the page] ... one of the two, the other being Extensible Authentication Protocol - Authentication and Key Agreement (EAP-AKA) authentication;

② the H(e)NB optionally supports the EAP-AKA hosting party authentication mechanism;

③ the requirements on the H(e)NB's SeGW are the same as requirements ① and ② on the H(e)NB above; in addition, the SeGW may decide which security mechanism to use according to the operator's security policy;

④ which of the above authentication mechanisms is actually used also depends on the network deployment.
The H(e)NB and the SeGW negotiate the authentication mechanism mainly according to the Internet Key Exchange version 2 (IKEv2) protocol defined in RFC 4306. The main idea of IKEv2 is first to exchange an Internet Key Exchange - Security Association - INITial request (IKE_SA_INIT request) / IKE_SA_INIT response message pair, in order to negotiate cryptographic algorithms, exchange nonces, and perform a Diffie-Hellman exchange; then to exchange an Internet Key Exchange - Authentication request (IKE_AUTH request) / IKE_AUTH response message pair, in order to authenticate the preceding IKE_SA_INIT messages, exchange identities and certificates, and establish the first child security association. Afterwards there may be further IKE_AUTH request/response exchanges for subsequent authentication-related processing.
The existing negotiation schemes for the authentication mechanism are described in detail below:

Negotiation scheme 1: if the SeGW carries, in the IKE_SA_INIT response message, both a notification (NOTIFY) header field of message type multiple authentication supported (MULTIPLE_AUTH_SUPPORTED) and a certificate request (CERTREQ) header field, and the H(e)NB carries, in the subsequent IKE_AUTH request message, an authentication (AUTH) header field, a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED, and a NOTIFY header field of message type "another authentication follows" (ANOTHER_AUTH_FOLLOWS), then the negotiation result is certificate-based device authentication plus EAP-AKA hosting party authentication.

Negotiation scheme 2: if the SeGW carries, in the IKE_SA_INIT response message, a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED but no CERTREQ header field, and the H(e)NB carries, in the subsequent IKE_AUTH request message, no AUTH header field but both a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED and a NOTIFY header field of message type ANOTHER_AUTH_FOLLOWS, then the negotiation result is EAP-AKA device authentication plus EAP-AKA hosting party authentication.

Negotiation scheme 3: if the SeGW carries, in the IKE_SA_INIT response message, no NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED but does carry a CERTREQ header field, and the H(e)NB carries, in the subsequent IKE_AUTH request message, an AUTH header field but neither a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED nor one of message type ANOTHER_AUTH_FOLLOWS, then the negotiation result is certificate-based device authentication without EAP-AKA hosting party authentication.

Negotiation scheme 4: if the SeGW carries, in the IKE_SA_INIT response message, neither a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED nor a CERTREQ header field, and the H(e)NB carries, in the subsequent IKE_AUTH request message, none of an AUTH header field, a NOTIFY header field of message type MULTIPLE_AUTH_SUPPORTED, or a NOTIFY header field of message type ANOTHER_AUTH_FOLLOWS, then the negotiation result is EAP-AKA device authentication without EAP-AKA hosting party authentication.

Cases other than the above four negotiation schemes are abnormal cases, which the SeGW needs to judge and handle further according to the operator's security policy.
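The four prior-art schemes plus the "everything else is abnormal" rule form a decision table over five observable payloads. The following is an added example, not code from the patent or from any 3GPP or vendor implementation, that encodes that table as a pure function over the payload sets of the IKE_SA_INIT response (what the SeGW itself sent) and the first IKE_AUTH request (what the H(e)NB sent). The payload and notify-type names are those of RFC 4306 and RFC 4739 as used on the page; the outcome labels and the `Exchange` type are this example's own.

```python
"""Prior-art H(e)NB <-> SeGW authentication negotiation as a decision table.

Added example (not the patent's code). Encodes negotiation schemes 1-4 and the
rule that any other payload combination is abnormal and must be referred to the
operator's security policy.
"""
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet

# Payload / notify-type names as defined in RFC 4306 and RFC 4739.
CERTREQ = "CERTREQ"
AUTH = "AUTH"
N_MULTIPLE_AUTH_SUPPORTED = "N(MULTIPLE_AUTH_SUPPORTED)"
N_ANOTHER_AUTH_FOLLOWS = "N(ANOTHER_AUTH_FOLLOWS)"

# Negotiation outcomes (labels chosen for this example).
CERT_DEVICE_PLUS_EAP_AKA_HOSTING_PARTY = "certificate device auth + EAP-AKA hosting party auth"
EAP_AKA_DEVICE_PLUS_EAP_AKA_HOSTING_PARTY = "EAP-AKA device auth + EAP-AKA hosting party auth"
CERT_DEVICE_ONLY = "certificate device auth only"
EAP_AKA_DEVICE_ONLY = "EAP-AKA device auth only"
ABNORMAL = "abnormal: defer to operator security policy"


@dataclass(frozen=True)
class Exchange:
    """Payloads the SeGW can observe once the first IKE_AUTH request has arrived."""
    sa_init_response: FrozenSet[str]       # payloads the SeGW put in the IKE_SA_INIT response
    first_ike_auth_request: FrozenSet[str]  # payloads the H(e)NB put in its first IKE_AUTH request


def negotiate_prior_art(x: Exchange) -> str:
    """Apply negotiation schemes 1-4; every other combination is abnormal."""
    rsp, req = x.sa_init_response, x.first_ike_auth_request
    segw_multi = N_MULTIPLE_AUTH_SUPPORTED in rsp
    segw_certreq = CERTREQ in rsp
    henb_auth = AUTH in req
    henb_multi = N_MULTIPLE_AUTH_SUPPORTED in req
    henb_follows = N_ANOTHER_AUTH_FOLLOWS in req

    if segw_multi and segw_certreq and henb_auth and henb_multi and henb_follows:
        return CERT_DEVICE_PLUS_EAP_AKA_HOSTING_PARTY            # scheme 1
    if segw_multi and not segw_certreq and not henb_auth and henb_multi and henb_follows:
        return EAP_AKA_DEVICE_PLUS_EAP_AKA_HOSTING_PARTY         # scheme 2
    if not segw_multi and segw_certreq and henb_auth and not henb_multi and not henb_follows:
        return CERT_DEVICE_ONLY                                  # scheme 3
    if not (segw_multi or segw_certreq or henb_auth or henb_multi or henb_follows):
        return EAP_AKA_DEVICE_ONLY                               # scheme 4
    return ABNORMAL


def abnormal_fraction() -> float:
    """Share of the 2**5 payload combinations the four schemes leave undefined.

    Each scheme matches exactly one combination, so a SeGW implementing this table
    falls back to operator policy for 28 of 32 combinations; this is where the
    mixed-vendor interoperability failures described on the page come from.
    """
    rsp_opts = [CERTREQ, N_MULTIPLE_AUTH_SUPPORTED]
    req_opts = [AUTH, N_MULTIPLE_AUTH_SUPPORTED, N_ANOTHER_AUTH_FOLLOWS]
    total = abnormal = 0
    for bits in product([False, True], repeat=5):
        rsp = frozenset(p for p, on in zip(rsp_opts, bits[:2]) if on)
        req = frozenset(p for p, on in zip(req_opts, bits[2:]) if on)
        total += 1
        if negotiate_prior_art(Exchange(rsp, req)) == ABNORMAL:
            abnormal += 1
    return abnormal / total


if __name__ == "__main__":
    # Constructed sample: SeGW offered CERTREQ only, H(e)NB answered with an EAP-AKA style request.
    sample = Exchange(frozenset({CERTREQ}), frozenset())
    print(negotiate_prior_art(sample))            # abnormal: defer to operator security policy
    print(f"undefined combinations: {abnormal_fraction():.3f}")
```

Note that scheme 2, as the page states it, has the H(e)NB send ANOTHER_AUTH_FOLLOWS without an AUTH payload; the page's own later analysis points out that RFC 4739 binds those two together, which is one reason this table is unreliable as a basis for deciding the device authentication method.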
In the course of implementing the present invention, the inventors found that the H(e)NB and SeGW used by the prior-art authentication mechanisms, and the negotiation scheme between them, have at least the following shortcomings:

In network deployment, to meet the different authentication requirements of different operators, device vendors need to provide at least the following different versions of H(e)NB and SeGW: devices supporting only certificate-based device authentication; devices supporting only EAP-AKA device authentication; devices supporting both certificate-based device authentication and EAP-AKA hosting party authentication; devices supporting both EAP-AKA device authentication and EAP-AKA hosting party authentication; and possibly also devices supporting certificate-based device authentication, EAP-AKA device authentication and EAP-AKA hosting party authentication at the same time. For an operator, because of this multitude of device versions, the H(e)NBs and SeGWs it purchases from different vendors may support different authentication methods, so that authentication negotiation may run into various abnormal cases or may even fail to complete authentication of the H(e)NB. The operator's authentication requirements therefore cannot truly be met.

Summary of the invention
Embodiments of the present invention provide an authentication negotiation method and system, a security gateway and a home wireless access point, in order to reduce the many versions of H(e)NB and SeGW devices in the prior art and to provide a simpler and more accurate authentication mechanism.
According to one aspect of embodiments of the present invention, an authentication negotiation method is provided, comprising:

receiving an Internet Key Exchange - Security Association - Initialization (IKE_SA_INIT) request sent by a home wireless access point H(e)NB;

sending an IKE_SA_INIT response to the H(e)NB;

receiving a first Internet Key Exchange - Authentication (IKE_AUTH) request sent by the H(e)NB; and

performing authentication of the H(e)NB according to whether the IKE_SA_INIT response and the first IKE_AUTH request carry a first identifier indicating support for performing device authentication and hosting party authentication of the H(e)NB.
According to another aspect of embodiments of the present invention, a security gateway is provided, comprising:

a receiving module, configured to receive an IKE_SA_INIT request sent by a home wireless access point H(e)NB and to receive an IKE_AUTH request sent by the H(e)NB;

a sending module, configured to send an IKE_SA_INIT response and an IKE_AUTH response to the H(e)NB;

a processing module, configured to perform authentication of the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry a first identifier indicating support for performing device authentication and hosting party authentication of the H(e)NB.
According to another aspect of embodiments of the present invention, a home wireless access point is provided, comprising:

a sending module, configured to send an IKE_SA_INIT request and an IKE_AUTH request to a security gateway;

a receiving module, configured to receive the IKE_SA_INIT response and the IKE_AUTH response sent by the security gateway;

a processing module, configured to decide, according to whether the IKE_SA_INIT response carries a first identifier indicating support for performing device authentication and hosting party authentication of the H(e)NB, whether to also carry the first identifier in the IKE_AUTH request.
According to another aspect of embodiments of the present invention, an authentication negotiation system is provided, comprising:

a home wireless access point H(e)NB, configured to send an IKE_SA_INIT request and an IKE_AUTH request, to receive the returned IKE_SA_INIT response and IKE_AUTH response, and to decide, according to whether the IKE_SA_INIT response carries a first identifier indicating support for performing device authentication and hosting party authentication of the H(e)NB, whether to also carry the first identifier in the IKE_AUTH request;

a security gateway, configured to receive the IKE_SA_INIT request and the IKE_AUTH request sent by the H(e)NB, to send the IKE_SA_INIT response and the IKE_AUTH response to the H(e)NB, and to perform authentication of the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier.
As can be seen from the above technical solutions, the authentication negotiation method and system, security gateway and home wireless access point provided by embodiments of the present invention, by judging the identifier carried in the IKE_SA_INIT response and the IKE_AUTH request, implement a simple and accurate authentication negotiation mechanism between the H(e)NB and the SeGW, and can also reduce the many versions of H(e)NB and SeGW devices in the prior art.

Brief description of the drawings
Figure 1 is a schematic diagram of the home access system architecture according to an embodiment of the present invention;
Figure 2 is a schematic flowchart of a first embodiment of the authentication negotiation method of the present invention;
Figure 3 is a first signaling flowchart of a second embodiment of the authentication negotiation method of the present invention;
Figure 4 is a second signaling flowchart of the second embodiment of the authentication negotiation method of the present invention;
Figure 5 is a first signaling flowchart of a third embodiment of the authentication negotiation method of the present invention;
Figure 6 is a second signaling flowchart of the third embodiment of the authentication negotiation method of the present invention;
Figure 7 is a third signaling flowchart of the third embodiment of the authentication negotiation method of the present invention;
Figure 8 is a fourth signaling flowchart of the third embodiment of the authentication negotiation method of the present invention;
Figure 9 is a first signaling flowchart of a fourth embodiment of the authentication negotiation method of the present invention;
Figure 10 is a second signaling flowchart of the fourth embodiment of the authentication negotiation method of the present invention;
Figure 11 is a third signaling flowchart of the fourth embodiment of the authentication negotiation method of the present invention;
Figure 12 is a fourth signaling flowchart of the fourth embodiment of the authentication negotiation method of the present invention;
Figure 13 is a schematic structural diagram of an embodiment of the security gateway of the present invention;
Figure 14 is a schematic structural diagram of an embodiment of the home wireless access point of the present invention;
Figure 15 is a schematic structural diagram of an embodiment of the authentication negotiation system of the present invention.

Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
Figure 1 is a schematic diagram of the home access system architecture according to an embodiment of the present invention. As shown in Figure 1, it includes a home wireless access point (H(e)NB), which uses licensed spectrum to connect user equipment (UE) to the operator's mobile network through a generic public IP network. Home wireless access points include the HNB, a home wireless access point operating in the Universal Mobile Telecommunications System (UMTS) Terrestrial Radio Access Network (UTRAN) spectrum; the HeNB, a home wireless access point operating in the Evolved UTRAN (E-UTRAN) spectrum; and the Home non-3GPP WAP (Home non-3GPP wireless access point), a home wireless access point operating in the spectrum of a non-3GPP network (such as CDMA, WiMAX, WLAN or HRPD). The gateway network elements of the home wireless access points, comprising the HNB gateway (HNB GW), the HeNB GW and the Home non-3GPP WAP GW, perform management and access control of the home wireless access points, aggregate home wireless access points, and route and forward signaling and data between the home wireless access points and the network elements of the mobile network; in addition, these gateway network elements (HNB GW, HeNB GW and Home non-3GPP WAP GW) also provide the function of the home wireless access point's security gateway (Security Gateway, SeGW), performing security-related functions such as authentication and encryption.

The Mobility Management Entity (MME) is responsible for control-plane mobility management in the E-UTRAN network, including user context and mobility state management and allocation of temporary user identities. The Serving GPRS Support Node (SGSN) implements routing and forwarding, mobility management, session management and user information storage in General Packet Radio Service (GPRS)/UMTS networks. The non-3GPP gateway entity (non-3GPP GW) implements mobility management, session management and similar functions in non-3GPP networks: for a WLAN network the non-3GPP GW is the Evolved Packet Data Gateway (EPDG); for a WiMAX network it is the Access Service Network Gateway (ASN GW); for a CDMA network it is the Access Gateway (AGW); and for an HRPD network it is the HRPD Serving Gateway (HSGW). The Home Subscriber Server (HSS) stores user subscription information. The Authentication, Authorization and Accounting server (AAA Server) performs access authentication, authorization and accounting for the UE. The Home Management Server (HMS) is responsible for management of the home wireless access points; the HMS may be an independent network element or may be integrated into the HSS, and it may also connect directly to the home wireless access points; embodiments of the present invention do not restrict this. Moreover, this home access system architecture is not meant to be the final home access system architecture, which embodiments of the present invention likewise do not restrict.
Because the path between a home wireless access point and its corresponding SeGW network element crosses the public IP network, the network attacks common on IP networks can be introduced, so a core network element, here each SeGW network element corresponding to the home wireless access points, needs to authenticate the home wireless access point, including device authentication and hosting party authentication. In the latest 3GPP H(e)NB security specification 33.820 V1.2.0, device authentication comprises two authentication mechanisms, certificate-based device authentication and EAP-AKA over IKEv2 device authentication (that is, EAP-AKA device authentication running on top of the IKEv2 protocol), and every operator uses one of these two device authentication mechanisms; hosting party authentication comprises only the EAP-AKA authentication method, some operators may use it and others may not, and in mobile networks that use hosting party authentication it is generally performed after device authentication.
In the technical implementation of the existing negotiation schemes, if whether the IKE_AUTH request message carries an AUTH header field is used as the basis for deciding between certificate-based device authentication and EAP-AKA device authentication, then, because an IKE_AUTH request message that carries a NOTIFY header field of type ANOTHER_AUTH_FOLLOWS necessarily also carries an AUTH header field (that is, AUTH and ANOTHER_AUTH_FOLLOWS are always bound together), the AUTH header field cannot serve as the basis for deciding the device authentication method.

If whether the IKE_SA_INIT response message carries a CERTREQ header field is used as the basis for deciding between certificate-based device authentication and EAP-AKA device authentication, then, because the CERTREQ header field can also request content other than a certificate, the CERTREQ header field is likewise unsuitable as the basis for deciding the device authentication method.

If MULTIPLE_AUTH_SUPPORTED and ANOTHER_AUTH_FOLLOWS are bound together in the same IKE_AUTH request message as the basis for deciding whether both device authentication and hosting party authentication are supported, then, because according to RFC 4739 "the next IKE_AUTH will contain the second identity and start the next authentication, that is, the hosting party authentication", in the scenario supporting both EAP-AKA device authentication and EAP-AKA hosting party authentication the next IKE_AUTH is still used to start EAP-AKA device authentication rather than EAP-AKA hosting party authentication, which does not conform to RFC 4739. Binding the two in the same IKE_AUTH request message is therefore only applicable to the scenario supporting both certificate-based device authentication and EAP-AKA hosting party authentication, and not to the scenario supporting both EAP-AKA device authentication and EAP-AKA hosting party authentication. Moreover, for the H(e)NB, the MULTIPLE_AUTH_SUPPORTED header field can only be carried in the first IKE_AUTH request message, whereas ANOTHER_AUTH_FOLLOWS can be carried in any IKE_AUTH request/response message that contains an AUTH header field; the two therefore need not be bound in the same IKE_AUTH request message, lest the flexibility of negotiation be impaired.
In view of the above problems with the existing negotiation schemes, the authentication negotiation method used by embodiments of the present invention is described below on the basis of the home access system architecture shown in Figure 1.
In the following embodiments of the present invention, to solve the problem of the many existing device versions, the home wireless access point (hereinafter H(e)NB) or the security gateway network element (hereinafter SeGW) manufactured by the device vendor, or both the H(e)NB and the SeGW, support all authentication methods, so that after network deployment the operator has greater freedom to decide which authentication method, or which combination of methods, to use between the H(e)NB and the SeGW. In the following embodiments, to solve the problems in the existing authentication schemes, the existing negotiation scheme is improved mainly in three respects: ① the message types of the NOTIFY header field of the IKEv2 protocol are extended to indicate the type of device authentication, and the SeGW and the H(e)NB carry a NOTIFY header field with the extended message type in the IKE_SA_INIT response message and the IKE_AUTH request message respectively to indicate the supported device authentication method; ② the fact that the IKEv2 protocol can carry an EAP header field, for example the NOTIFY message type of the EAP protocol, is used directly to indicate the type of device authentication, and the SeGW and the H(e)NB carry an EAP header field in the IKE_SA_INIT response message and the IKE_AUTH request message respectively to indicate the supported device authentication method; ③ MULTIPLE_AUTH_SUPPORTED and ANOTHER_AUTH_FOLLOWS are no longer bound in the same IKE_AUTH request message.
First, the case where the H(e)NB supports all authentication modes while the SeGW may support only some of them is described in detail. In this case no abnormal situation arises during authentication negotiation.
Fig. 2 is a schematic flowchart of the first embodiment of the authentication negotiation method of the present invention. As shown in Fig. 2, it includes the following steps:
Step 301: receive the IKE_SA_INIT request sent by the home wireless access point (H(e)NB);
Step 302: send an IKE_SA_INIT response to the H(e)NB;
Step 303: receive the IKE_AUTH request sent by the H(e)NB;
Step 304: perform authentication of the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry a first identifier indicating support for performing device authentication and hosting party authentication on the H(e)NB.
Specifically, steps 301 to 303 are as follows: the H(e)NB sends an IKE_SA_INIT request; after receiving the IKE_SA_INIT request sent by the H(e)NB, the SeGW returns an IKE_SA_INIT response to the H(e)NB; the H(e)NB sends an IKE_AUTH request; once the SeGW has received that IKE_AUTH request, the main authentication negotiation process is complete. The step in which the SeGW returns an IKE_AUTH response to the H(e)NB, and the subsequent IKE_AUTH request/response messages of the device authentication and hosting party authentication procedures, are omitted in this embodiment. In step 304, according to the negotiation result of steps 302 and 303, that is, according to whether the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier indicating support for performing device authentication and hosting party authentication on the H(e)NB, the SeGW performs authentication of the H(e)NB, which is either device authentication alone or device authentication followed by hosting party authentication.
For certificate-based device authentication and EAP-AKA device authentication, when the SeGW supports only one of the two device authentication modes, certain parameters carried in the IKE_SA_INIT response of step 302 can already indicate which device authentication mode it supports. Therefore, provided that only one hosting party authentication mode is supported between the H(e)NB and the SeGW, the authentication that the SeGW performs on the H(e)NB can be determined simply by judging whether the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier indicating support for device authentication and hosting party authentication of the H(e)NB. This is described in detail below through specific embodiments.
By carrying an identifier indicating the authentication mode in the IKE_SA_INIT response and the IKE_AUTH request, the authentication negotiation method provided by this embodiment achieves a simple and accurate authentication negotiation process between the H(e)NB and the SeGW. Since the H(e)NB supports all authentication modes, the SeGW may be a device that supports all authentication modes or only some of them, which reduces authentication negotiation failures caused by device mismatch.
Fig. 3 is the first signaling flowchart of the second embodiment of the authentication negotiation method of the present invention. Based on the embodiment shown in Fig. 2, this embodiment assumes that there is only one device authentication mode between the H(e)NB and the SeGW, that is, either certificate-based device authentication or EAP-AKA device authentication, and that the H(e)NB supports all authentication modes, that is, the H(e)NB supports both the device authentication mode and hosting party authentication. As shown in Fig. 3, it includes the following steps:
Step 401: the H(e)NB sends an IKE_SA_INIT request message to the SeGW;
Step 402: the SeGW sends an IKE_SA_INIT response message to the H(e)NB;
The SeGW determines that both device authentication and hosting party authentication need to be performed on the H(e)NB, so the IKE_SA_INIT response message carries a first identifier indicating that the SeGW supports or requests device authentication and hosting party authentication of the H(e)NB; for example, the first identifier may be a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED. Step 402 carries no second identifier indicating which device authentication is requested, which means that at this point the SeGW and the H(e)NB are both devices supporting only the same single device authentication mode. Assuming in this embodiment that the SeGW and the H(e)NB both support only certificate-based device authentication, step 402 then indicates that the SeGW supports certificate-based device authentication and EAP-AKA hosting party authentication of the H(e)NB;
Step 403: the H(e)NB sends an IKE_AUTH request message to the SeGW carrying a first identifier indicating that the H(e)NB supports or requests device authentication and hosting party authentication; for example, the first identifier may be a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that the H(e)NB supports or requests only certificate-based device authentication and EAP-AKA hosting party authentication;
At this point, through the message exchange above, possibly combined with their local security policies, the H(e)NB and the SeGW have negotiated that certificate-based device authentication and EAP-AKA hosting party authentication are to be performed;
Step 404: the SeGW performs the certificate-based device authentication procedure on the H(e)NB; for clarity, the IKE_AUTH response message returned by the SeGW to the H(e)NB is omitted here;
Step 405: the H(e)NB sends an IKE_AUTH request message to the SeGW carrying a NOTIFY payload of message type ANOTHER_AUTH_FOLLOWS (another authentication follows) and an AUTH payload, indicating that device authentication has been completed and that EAP-AKA hosting party authentication of the H(e)NB will be performed next;
It should be noted that step 405 here and step 403 above may also be merged into the same IKE_AUTH request message, that is, the NOTIFY payload of type ANOTHER_AUTH_FOLLOWS and the NOTIFY payload of type MULTIPLE_AUTH_SUPPORTED may be bound together in a single IKE_AUTH request message;
Step 406: the SeGW performs the EAP-AKA hosting party authentication procedure on the H(e)NB; for clarity, the IKE_AUTH response message returned by the SeGW to the H(e)NB is omitted here.
When the SeGW and the H(e)NB are instead assumed to support only EAP-AKA device authentication, the specific authentication negotiation process is the same as when the SeGW supports certificate-based device authentication, except that step 404 is the EAP-AKA device authentication procedure performed by the SeGW on the H(e)NB. It should also be noted that in this case step 405 and step 403 above must not be merged into the same IKE_AUTH request message, that is, the NOTIFY payload of type ANOTHER_AUTH_FOLLOWS and the NOTIFY payload of type MULTIPLE_AUTH_SUPPORTED must be carried separately in different IKE_AUTH messages.
Fig. 4 is the second signaling flowchart of the second embodiment of the authentication negotiation method of the present invention. Based on the embodiment shown in Fig. 2, this embodiment assumes that there is only one device authentication mode between the H(e)NB and the SeGW, that is, either certificate-based device authentication or EAP-AKA device authentication, and that the H(e)NB supports all authentication modes, that is, the H(e)NB supports both the device authentication mode and hosting party authentication; here neither the IKE_SA_INIT response nor the IKE_AUTH request carries the first identifier indicating support for device authentication and hosting party authentication, for example a NOTIFY payload of type MULTIPLE_AUTH_SUPPORTED. As shown in Fig. 4, it includes the following steps:
Step 501: the H(e)NB sends an IKE_SA_INIT request message to the SeGW;
Step 502: the SeGW sends an IKE_SA_INIT response message to the H(e)NB;
The SeGW determines that only device authentication needs to be performed on the H(e)NB, so the IKE_SA_INIT response message does not carry the first identifier indicating that the SeGW supports or requests device authentication and hosting party authentication of the H(e)NB (for example a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED), which indicates that the SeGW supports or requests only device authentication of the H(e)NB. Step 502 carries no second identifier indicating which device authentication is requested, which means that at this point the SeGW and the H(e)NB are both devices supporting only the same single device authentication mode. For example, assuming in this embodiment that the SeGW and the H(e)NB both support only EAP-AKA device authentication, step 502 then indicates that the SeGW performs EAP-AKA device authentication on the H(e)NB;
Step 503: the H(e)NB sends an IKE_AUTH request message to the SeGW which, correspondingly, also does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that the H(e)NB supports or requests only EAP-AKA device authentication;
At this point, through the message exchange above, possibly combined with their local security policies, the H(e)NB and the SeGW have negotiated that EAP-AKA device authentication is to be performed;
Step 504: the SeGW performs the EAP-AKA device authentication procedure on the H(e)NB; for clarity, the IKE_AUTH response message returned by the SeGW to the H(e)NB is omitted here.
The embodiment shown in Fig. 4 differs from that shown in Fig. 3 in that in Fig. 4 no NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED is carried, which indicates that only device authentication is performed on the H(e)NB, without the hosting party authentication procedure of steps 405 and 406. In addition, the specific authentication negotiation process when the SeGW supports only certificate-based device authentication is the same as the process of Fig. 4 in which the SeGW supports only EAP-AKA device authentication, except that step 504 is the certificate-based device authentication procedure performed by the SeGW on the H(e)NB; it is not described again here.
Summarizing the embodiments of Figs. 3 and 4: when the IKE_SA_INIT response and the IKE_AUTH request do not carry the first identifier, device authentication of the H(e)NB is performed according to the SeGW's local security policy; when the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier, device authentication and hosting party authentication of the H(e)NB are performed according to the SeGW's local security policy.
On the basis that the H(e)NB supports all authentication modes, if the SeGW also supports all authentication modes, authentication negotiation may additionally be carried out by carrying a second identifier in the IKE_SA_INIT response; the second identifier is used to request that certificate-based device authentication or EAP-AKA device authentication be performed on the H(e)NB. This is described below through specific embodiments.
Fig. 5 is the first signaling flowchart of the third embodiment of the authentication negotiation method of the present invention. This embodiment takes as an example the case where the SeGW performs only certificate-based device authentication on the H(e)NB. Here the IKE_SA_INIT response and the IKE_AUTH request do not carry the first identifier, and the second identifier carried in the IKE_SA_INIT response indicates support for performing certificate-based device authentication on the H(e)NB; for example, the second identifier may be a NOTIFY payload of message type certificate authentication (CERT_AUTH), or a certificate request (CERTREQ) payload. As shown in Fig. 5, it includes the following steps:
Step 601: the H(e)NB sends an IKE_SA_INIT request message to the SeGW;
Step 602: the SeGW sends an IKE_SA_INIT response message to the H(e)NB;
The SeGW determines that only certificate-based device authentication needs to be performed on the H(e)NB, so the IKE_SA_INIT response message does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED but does carry a second identifier indicating that the SeGW supports or requests certificate-based device authentication; for example, the second identifier may be a NOTIFY payload of message type CERT_AUTH, or a CERTREQ payload, indicating that the SeGW requests or supports only certificate-based device authentication of the H(e)NB;
Step 603: the H(e)NB sends an IKE_AUTH request message to the SeGW which, correspondingly, also does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that the H(e)NB supports certificate-based device authentication;
At this point, through the message exchange above, possibly combined with their local security policies, the H(e)NB and the SeGW have negotiated that certificate-based device authentication is to be performed;
Step 604: the SeGW performs the certificate-based device authentication procedure on the H(e)NB; for clarity, the IKE_AUTH response message returned by the SeGW to the H(e)NB is omitted here.
Fig. 6 is the second signaling flowchart of the third embodiment of the authentication negotiation method of the present invention. This embodiment takes as an example the case where the SeGW performs only EAP-AKA device authentication on the H(e)NB. Here the IKE_SA_INIT response and the IKE_AUTH request do not carry the first identifier, and the second identifier carried in the IKE_SA_INIT response indicates support for performing EAP-AKA device authentication on the H(e)NB; for example, the second identifier may be a NOTIFY payload of message type EAP-AKA authentication (EAP-AKA_AUTH), or an EAP payload. As shown in Fig. 6, it includes the following steps:
Step 701: the H(e)NB sends an IKE_SA_INIT request message to the SeGW;
Step 702: the SeGW sends an IKE_SA_INIT response message to the H(e)NB;
The SeGW determines that only EAP-AKA device authentication needs to be performed on the H(e)NB, so the IKE_SA_INIT response message does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED but does carry a second identifier indicating that the SeGW supports EAP-AKA device authentication; for example, the second identifier may be a NOTIFY payload of message type EAP-AKA_AUTH, or an EAP payload, indicating that the SeGW requests or supports only device authentication of the H(e)NB;
Step 703: the H(e)NB sends an IKE_AUTH request message to the SeGW which, correspondingly, also does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that the H(e)NB supports EAP-AKA device authentication;
At this point, through the message exchange above, possibly combined with their local security policies, the H(e)NB and the SeGW have negotiated that EAP-AKA device authentication is to be performed;
Step 704: the SeGW performs the EAP-AKA device authentication procedure on the H(e)NB; for clarity, the IKE_AUTH response message returned by the SeGW to the H(e)NB is omitted here.
The embodiments of Figs. 5 and 6 take as an example an IKE_SA_INIT response message that carries a second identifier indicating which device authentication the SeGW supports or requests: when the IKE_SA_INIT response message carries a second identifier indicating that the SeGW supports or requests certificate-based device authentication, the SeGW performs certificate-based device authentication on the H(e)NB; when the IKE_SA_INIT response message carries a second identifier indicating that the SeGW supports or requests EAP-AKA device authentication, the SeGW performs EAP-AKA device authentication on the H(e)NB.
Alternatively, when the IKE_SA_INIT response message carries a second identifier indicating that the SeGW supports or requests certificate-based device authentication, the SeGW performs certificate-based device authentication on the H(e)NB, while when the IKE_SA_INIT response message carries no second identifier, the SeGW performs EAP-AKA device authentication on the H(e)NB. Or, conversely, when the IKE_SA_INIT response message carries a second identifier indicating that the SeGW supports or requests EAP-AKA device authentication, the SeGW performs EAP-AKA device authentication on the H(e)NB, while when the IKE_SA_INIT response message carries no second identifier, the SeGW performs certificate-based device authentication on the H(e)NB.
Fig. 7 is the third signaling flowchart of the third embodiment of the authentication negotiation method of the present invention. This embodiment takes as an example the case where the SeGW performs only certificate-based device authentication and EAP-AKA hosting party authentication on the H(e)NB. Here the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier, and the second identifier carried in the IKE_SA_INIT response indicates that the SeGW supports certificate-based device authentication; for example, the second identifier may be a NOTIFY payload of message type CERT_AUTH, or a CERTREQ payload. As shown in Fig. 7, it includes the following steps:
Step 801: the H(e)NB sends an IKE_SA_INIT request message to the SeGW;
Step 802: the SeGW sends an IKE_SA_INIT response message to the H(e)NB;
The SeGW determines that certificate-based device authentication and EAP-AKA hosting party authentication need to be performed on the H(e)NB, so the IKE_SA_INIT response message carries a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED and also carries a second identifier indicating that the SeGW supports or requests certificate-based device authentication; for example, the second identifier may be a NOTIFY payload of message type CERT_AUTH, or a CERTREQ payload, indicating that the SeGW requests or supports only certificate-based device authentication and EAP-AKA hosting party authentication of the H(e)NB;
Step 803: the H(e)NB sends an IKE_AUTH request message to the SeGW carrying a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that the H(e)NB supports certificate-based device authentication and EAP-AKA hosting party authentication;
At this point, through the message exchange above, possibly combined with their local security policies, the H(e)NB and the SeGW have negotiated that certificate-based device authentication and EAP-AKA hosting party authentication are to be performed;
Step 804: the SeGW performs the certificate-based device authentication procedure on the H(e)NB; for clarity, the IKE_AUTH response message returned by the SeGW to the H(e)NB is omitted here;
Step 805: the H(e)NB sends an IKE_AUTH request message to the SeGW carrying a NOTIFY payload of message type ANOTHER_AUTH_FOLLOWS and an AUTH payload, indicating that device authentication has been completed and that EAP-AKA hosting party authentication of the H(e)NB will be performed next;
It should be noted that step 805 here and step 803 above may also be merged into the same IKE_AUTH request message, that is, the NOTIFY payload of type ANOTHER_AUTH_FOLLOWS and the NOTIFY payload of type MULTIPLE_AUTH_SUPPORTED may be bound together in a single IKE_AUTH request message;
Step 806: the SeGW performs the EAP-AKA hosting party authentication procedure on the H(e)NB; for clarity, the IKE_AUTH response message returned by the SeGW to the H(e)NB is omitted here.
Fig. 8 is the fourth signaling flowchart of the third embodiment of the authentication negotiation method of the present invention. This embodiment takes as an example the case where the SeGW performs only EAP-AKA device authentication and EAP-AKA hosting party authentication on the H(e)NB. Here the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier, and the second identifier carried in the IKE_SA_INIT response indicates support for performing EAP-AKA device authentication on the H(e)NB; for example, the second identifier may be a NOTIFY payload of message type EAP-AKA_AUTH, or an EAP payload. As shown in Fig. 8, it includes the following steps:
Step 901: the H(e)NB sends an IKE_SA_INIT request message to the SeGW;
Step 902: the SeGW sends an IKE_SA_INIT response message to the H(e)NB;
The SeGW determines that EAP-AKA device authentication and EAP-AKA hosting party authentication need to be performed on the H(e)NB, so the IKE_SA_INIT response message carries a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED and also carries a second identifier indicating that the SeGW supports EAP-AKA device authentication; for example, the second identifier may be a NOTIFY payload of message type EAP-AKA_AUTH, or an EAP payload, indicating that the SeGW requests or supports only device authentication and hosting party authentication of the H(e)NB;
Step 903: the H(e)NB sends an IKE_AUTH request message to the SeGW carrying a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that the H(e)NB supports EAP-AKA device authentication and EAP-AKA hosting party authentication;
At this point, through the message exchange above, possibly combined with their local security policies, the H(e)NB and the SeGW have negotiated that EAP-AKA device authentication and EAP-AKA hosting party authentication are to be performed;
Step 904: the SeGW performs the EAP-AKA device authentication procedure on the H(e)NB; for clarity, the IKE_AUTH response message returned by the SeGW to the H(e)NB is omitted here;
Step 905: the H(e)NB sends an IKE_AUTH request message to the SeGW carrying a NOTIFY payload of message type ANOTHER_AUTH_FOLLOWS and an AUTH payload, indicating that device authentication has been completed and that EAP-AKA hosting party authentication of the H(e)NB will be performed next;
It should be noted that step 905 here and step 903 above must not be merged into the same IKE_AUTH request message, that is, the NOTIFY payload of type ANOTHER_AUTH_FOLLOWS and the NOTIFY payload of type MULTIPLE_AUTH_SUPPORTED must be carried separately in different IKE_AUTH messages;
Step 906: the SeGW performs the EAP-AKA hosting party authentication procedure on the H(e)NB; for clarity, the IKE_AUTH response message returned by the SeGW to the H(e)NB is omitted here.
As in the embodiments of Figs. 5 and 6, in the embodiments of Figs. 7 and 8 it may also be the case that, when the IKE_SA_INIT response message carries a second identifier indicating that the SeGW supports or requests certificate-based device authentication, the SeGW performs certificate-based device authentication on the H(e)NB, while when the IKE_SA_INIT response message carries no second identifier, the SeGW performs EAP-AKA device authentication on the H(e)NB. Or, conversely, when the IKE_SA_INIT response message carries a second identifier indicating that the SeGW supports or requests EAP-AKA device authentication, the SeGW performs EAP-AKA device authentication on the H(e)NB, while when the IKE_SA_INIT response message carries no second identifier, the SeGW performs certificate-based device authentication on the H(e)NB.
Through the above embodiments, on condition that the H(e)NB supports all authentication modes, and regardless of whether the SeGW supports all authentication modes or only some of them, the identifiers of the above embodiments can be used to complete the authentication negotiation between the H(e)NB and the SeGW and thereby authenticate the H(e)NB without any abnormal situation arising.
下面对 SeGW支持所有的认证方式, H(e)NB可能支持所有或者只支持 部分认证方式的情况下如何进行认证协商进行详细说明。 在此种情况下, 除 了 IKE— SA— INIT 响应中携带请求对 H(e)NB 执行基于证书的设备认证或 EAP-AKA设备认证的第二标识外, IKE— AUTH 请求中也要携带请求对 H(e)NB执行基于证书的设备认证或 EAP-AKA设备认证的第三标识。 而基于 这种情况下的认证协商中可能还是存在异常情况。 The following is a description of how all authentication methods are supported by the SeGW. The H(e)NB may support all or only partial authentication methods. In this case, in addition to the IKE-SA-INIT response carrying the second identity requesting the certificate-based device authentication or EAP-AKA device authentication for the H(e)NB, the IKE-AUTH request also carries the request pair. The H(e)NB performs a certificate-based device authentication or a third identity of the EAP-AKA device authentication. However, there may still be an abnormal situation in the authentication negotiation based on this case.
FIG. 9 is the first signaling flowchart of the fourth embodiment of the authentication negotiation method of the present invention. This embodiment takes certificate-based device authentication of the H(e)NB by the SeGW as an example. Here neither the IKE_SA_INIT response nor the IKE_AUTH request carries the first identifier, and both the second identifier carried in the IKE_SA_INIT response and the third identifier carried in the IKE_AUTH request indicate a request for, or support of, certificate-based device authentication of the H(e)NB. As shown in FIG. 9, the method includes the following steps:
Step 1001: The H(e)NB sends an IKE_SA_INIT request message to the SeGW;
Step 1002: The SeGW sends an IKE_SA_INIT response message to the H(e)NB;
The SeGW determines that only certificate-based device authentication of the H(e)NB is required, so the IKE_SA_INIT response message does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, but does carry a second identifier indicating that the SeGW supports or requests certificate-based device authentication. For example, the second identifier may be a NOTIFY payload of message type CERT_AUTH, or a CERTREQ payload, indicating that the SeGW only requests or supports certificate-based device authentication of the H(e)NB;
Step 1003: The H(e)NB sends an IKE_AUTH request message to the SeGW which correspondingly does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED either, but does carry a third identifier indicating that the H(e)NB supports certificate-based device authentication. For example, the third identifier may be a NOTIFY payload of message type CERT_AUTH, an AUTH payload, or a Network Access Identifier (NAI) indicating certificate-based device authentication, showing that the H(e)NB likewise supports certificate-based device authentication;
At this point the H(e)NB and the SeGW, based on the above message exchange and possibly also their local security policies, have negotiated that certificate-based device authentication is to be performed;
Step 1004: The SeGW performs the certificate-based device authentication procedure on the H(e)NB. For clarity, the IKE_AUTH response message returned by the SeGW to the H(e)NB is omitted here.
In addition, when the IKE_SA_INIT response and the IKE_AUTH request do carry the first identifier, and both the second identifier in the IKE_SA_INIT response and the third identifier in the IKE_AUTH request request certificate-based device authentication of the H(e)NB, then certificate-based device authentication and EAP-AKA hosting party authentication of the H(e)NB may be performed according to the local security policy of the SeGW. The signaling flow in which the H(e)NB and the SeGW exchange messages to negotiate the authentication method and perform certificate-based device authentication is the same as in the embodiment of FIG. 9, and the signaling flow of the EAP-AKA hosting party authentication is the same as in the embodiments with hosting party authentication described above, so they are not repeated here.
FIG. 10 is the second signaling flowchart of the fourth embodiment of the authentication negotiation method of the present invention. This embodiment takes EAP-AKA device authentication of the H(e)NB by the SeGW as an example. Here neither the IKE_SA_INIT response nor the IKE_AUTH request carries the first identifier, and both the second identifier carried in the IKE_SA_INIT response and the third identifier carried in the IKE_AUTH request indicate a request for, or support of, EAP-AKA device authentication of the H(e)NB. As shown in FIG. 10, the method includes the following steps:
Step 1101: The H(e)NB sends an IKE_SA_INIT request message to the SeGW;
Step 1102: The SeGW sends an IKE_SA_INIT response message to the H(e)NB;
According to its local security policy, the SeGW determines that only EAP-AKA device authentication of the H(e)NB is required, so the IKE_SA_INIT response message does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, but does carry a second identifier indicating that the SeGW supports or requests EAP-AKA device authentication. For example, the second identifier may be a NOTIFY payload of message type EAP-AKA_AUTH, or an EAP payload, indicating that the SeGW only requests or supports EAP-AKA device authentication of the H(e)NB;
Step 1103: The H(e)NB sends an IKE_AUTH request message to the SeGW which correspondingly does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED either, but does carry a third identifier indicating that the H(e)NB supports EAP-AKA device authentication. For example, the third identifier may be a NOTIFY payload of message type EAP-AKA_AUTH, or a Network Access Identifier (NAI) indicating EAP-AKA device authentication, showing that the H(e)NB likewise supports EAP-AKA device authentication;
At this point the H(e)NB and the SeGW, based on the above message exchange and possibly also their local security policies, have negotiated that EAP-AKA device authentication is to be performed;
Step 1104: The SeGW performs the EAP-AKA device authentication procedure on the H(e)NB. For clarity, the IKE_AUTH response message returned by the SeGW to the H(e)NB is omitted here.
In addition, when the IKE_SA_INIT response and the IKE_AUTH request do carry the first identifier, and both the second identifier in the IKE_SA_INIT response and the third identifier in the IKE_AUTH request request EAP-AKA device authentication of the H(e)NB, then EAP-AKA device authentication and EAP-AKA hosting party authentication of the H(e)NB may be performed according to the local security policy of the SeGW. The signaling flow in which the H(e)NB and the SeGW exchange messages to negotiate the authentication method and perform EAP-AKA device authentication is the same as in the embodiment of FIG. 10, and the signaling flow of the EAP-AKA hosting party authentication is the same as in the embodiments with hosting party authentication described above, so they are not repeated here.
FIG. 11 is the third signaling flowchart of the fourth embodiment of the authentication negotiation method of the present invention. When neither the IKE_SA_INIT response nor the IKE_AUTH request carries the first identifier, and the second identifier and the third identifier request different device authentication of the home wireless access point, then, according to the local security policy of the SeGW, device authentication of the H(e)NB is either refused or performed using the device authentication requested by the third identifier. As shown in FIG. 11, the method includes the following steps:
Step 1201: The H(e)NB sends an IKE_SA_INIT request message to the SeGW;
Step 1202: The SeGW sends an IKE_SA_INIT response message to the H(e)NB;
According to its local security policy, the SeGW determines that only device authentication of the H(e)NB is required, so the IKE_SA_INIT response message does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that the SeGW only requests or supports device authentication of the H(e)NB. The device authentication supported by the SeGW includes both certificate-based device authentication and EAP-AKA device authentication, so in step 1202 a second identifier indicating that the SeGW requests or supports certificate-based device authentication is carried. For example, the second identifier may be a NOTIFY payload of message type CERT_AUTH, or a CERTREQ payload, stating that the SeGW supports certificate-based device authentication at this point;
Step 1203: The H(e)NB sends an IKE_AUTH request message to the SeGW which correspondingly does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED either, but does carry a third identifier indicating that the H(e)NB supports only EAP-AKA device authentication. For example, the third identifier may be a NOTIFY payload of message type EAP-AKA_AUTH, or a Network Access Identifier (NAI) indicating EAP-AKA device authentication, showing that the H(e)NB supports EAP-AKA device authentication;
Because the H(e)NB may support only EAP-AKA device authentication, the IKE_AUTH request message sent in step 1203 states that the H(e)NB supports only EAP-AKA device authentication, whereas in step 1202 the SeGW chose to request or support certificate-based device authentication, so an abnormal situation arises;
Step 1204: The SeGW proceeds according to its local security policy. Specifically, under this abnormal situation the SeGW may, according to its local security policy, refuse device authentication of the H(e)NB and end the procedure; since the SeGW supports all authentication methods, it may instead, according to its local security policy, allow EAP-AKA device authentication of the H(e)NB to be performed.
FIG. 12 is the fourth signaling flowchart of the fourth embodiment of the authentication negotiation method of the present invention. The difference from FIG. 11 is that the information carried by the second identifier and the third identifier is reversed. As shown in FIG. 12, the method includes the following steps:
Step 1301: The H(e)NB sends an IKE_SA_INIT request message to the SeGW;
Step 1302: The SeGW sends an IKE_SA_INIT response message to the H(e)NB;
According to its local security policy, the SeGW determines that only device authentication of the H(e)NB is required, so the IKE_SA_INIT response message does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED, indicating that the SeGW only requests or supports device authentication of the H(e)NB. The device authentication supported by the SeGW includes both certificate-based device authentication and EAP-AKA device authentication, so in step 1302 a second identifier indicating that the SeGW requests or supports EAP-AKA device authentication is carried. For example, the second identifier may be a NOTIFY payload of message type EAP-AKA_AUTH, or an EAP payload, stating that the SeGW supports EAP-AKA device authentication at this point;
Step 1303: The H(e)NB sends an IKE_AUTH request message to the SeGW which correspondingly does not carry a NOTIFY payload of message type MULTIPLE_AUTH_SUPPORTED either, but does carry a third identifier indicating that the H(e)NB supports only certificate-based device authentication. For example, the third identifier may be a NOTIFY payload of message type CERT_AUTH, an AUTH payload, or a Network Access Identifier (NAI) indicating certificate-based device authentication, showing that the H(e)NB supports certificate-based device authentication;
Because the H(e)NB may support only certificate-based device authentication, the IKE_AUTH request message sent in step 1303 states that the H(e)NB supports only certificate-based device authentication, whereas in step 1302 the SeGW chose to request or support EAP-AKA device authentication, so an abnormal situation arises;
Step 1304: The SeGW proceeds according to its local security policy. Specifically, under this abnormal situation the SeGW may, according to its policy, refuse device authentication of the H(e)NB and end the procedure; since the SeGW supports all authentication methods, it may instead, according to its policy, allow certificate-based device authentication of the H(e)NB to be performed.
In addition, when the IKE_SA_INIT response and the IKE_AUTH request do carry the first identifier, and the contents of the second identifier and the third identifier disagree as in FIG. 11 or FIG. 12, the SeGW, according to its local security policy, either refuses device authentication and hosting party authentication of the H(e)NB, or performs the type of device authentication requested by the third identifier (certificate-based or EAP-AKA) on the H(e)NB followed by EAP-AKA hosting party authentication. The signaling flow in which the H(e)NB and the SeGW exchange messages to negotiate the authentication method and perform device authentication is the same as in the embodiment of FIG. 11 or FIG. 12, and the signaling flow of the EAP-AKA hosting party authentication is the same as in the embodiments with hosting party authentication described above, so they are not repeated here.
Carrying different identifiers in the IKE_SA_INIT response and the IKE_AUTH request makes the authentication negotiation process possible. Because the SeGW supports all authentication methods while the H(e)NB may support only some or all of them, the negotiation may run into a device authentication method chosen by the SeGW that the H(e)NB does not support. In that case the SeGW can in principle still adjust and continue the subsequent authentication procedure, so authentication negotiation remains achievable in every case.
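The four flows of the fourth embodiment (FIG. 9 to FIG. 12) and the local-policy choice at steps 1204 and 1304 reduce to a small decision table on the SeGW. The following model of that table is an added example, not code from the patent or from any SeGW implementation. The message representation, the NAI realm convention used to read the third identifier from an NAI, and the choice to refuse authentication when either identifier is missing are assumptions made for the example; MULTIPLE_AUTH_SUPPORTED is the RFC 4739 notification, while CERT_AUTH and EAP-AKA_AUTH are the notify types the text proposes rather than registered values.

```python
"""SeGW-side model of the fourth-embodiment negotiation (FIG. 9 to FIG. 12).

Added example, not the patent's code.  Message model, NAI realm convention and
the "refuse when an identifier is missing" default are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

MULTIPLE_AUTH_SUPPORTED = "MULTIPLE_AUTH_SUPPORTED"  # first identifier (RFC 4739)
CERT_AUTH = "CERT_AUTH"                              # text's notify type, not an IANA value
EAP_AKA_AUTH = "EAP-AKA_AUTH"                        # text's notify type, not an IANA value

CERT = "certificate"
EAP_AKA = "EAP-AKA"

# Assumed convention: the NAI realm tells the SeGW which device-auth method the
# H(e)NB identity belongs to (the text only says the NAI "indicates" it).
NAI_REALMS = {"cert.henb.example": CERT, "aka.henb.example": EAP_AKA}


@dataclass(frozen=True)
class IkeMessage:
    """The parts of an IKEv2 message the negotiation looks at."""
    notifies: FrozenSet[str] = frozenset()   # Notify message types carried
    payloads: FrozenSet[str] = frozenset()   # other payload types: CERTREQ, AUTH, EAP
    nai: Optional[str] = None                # IDi content when it is an NAI


@dataclass(frozen=True)
class Decision:
    device_auth: Optional[str]      # CERT, EAP_AKA, or None when refused
    hosting_party_auth: bool        # EAP-AKA hosting party authentication follows
    rejected: bool = False


def second_identifier(init_resp: IkeMessage) -> Optional[str]:
    """Device-auth method the SeGW requested in its IKE_SA_INIT response."""
    if CERT_AUTH in init_resp.notifies or "CERTREQ" in init_resp.payloads:
        return CERT
    if EAP_AKA_AUTH in init_resp.notifies or "EAP" in init_resp.payloads:
        return EAP_AKA
    return None


def third_identifier(auth_req: IkeMessage) -> Optional[str]:
    """Device-auth method the H(e)NB announced in its first IKE_AUTH request.

    An AUTH payload in the first IKE_AUTH request means the initiator is not
    using EAP, so the text treats it as the certificate indication.
    """
    if CERT_AUTH in auth_req.notifies or "AUTH" in auth_req.payloads:
        return CERT
    if EAP_AKA_AUTH in auth_req.notifies:
        return EAP_AKA
    if auth_req.nai and "@" in auth_req.nai:
        return NAI_REALMS.get(auth_req.nai.split("@", 1)[1])
    return None


def negotiate(init_resp: IkeMessage, auth_req: IkeMessage,
              follow_henb_on_conflict: bool = False) -> Decision:
    """Apply the SeGW decision rules of the fourth embodiment.

    follow_henb_on_conflict is the local-policy switch of steps 1204/1304:
    False refuses authentication when the identifiers disagree, True runs the
    device authentication the third identifier asked for.
    """
    # The first identifier counts only when the SeGW sent it and the H(e)NB echoed it.
    multi = (MULTIPLE_AUTH_SUPPORTED in init_resp.notifies
             and MULTIPLE_AUTH_SUPPORTED in auth_req.notifies)
    requested = second_identifier(init_resp)
    announced = third_identifier(auth_req)
    if requested is None or announced is None:
        # Assumption for this example: with an identifier missing the SeGW
        # cannot tell which method was negotiated and refuses.
        return Decision(None, False, rejected=True)
    if requested == announced:                    # FIG. 9 / FIG. 10
        return Decision(requested, multi)
    if follow_henb_on_conflict:                   # FIG. 11 / FIG. 12, permissive policy
        return Decision(announced, multi)
    return Decision(None, False, rejected=True)   # FIG. 11 / FIG. 12, strict policy


# Constructed messages for the four flows (not captured traffic).
FIG9_INIT = IkeMessage(payloads=frozenset({"CERTREQ"}))
FIG9_AUTH = IkeMessage(payloads=frozenset({"AUTH"}), nai="henb-0001@cert.henb.example")
FIG10_INIT = IkeMessage(notifies=frozenset({EAP_AKA_AUTH}))
FIG10_AUTH = IkeMessage(nai="0123456789012345@aka.henb.example")
FIG11_INIT = FIG9_INIT
FIG11_AUTH = IkeMessage(notifies=frozenset({EAP_AKA_AUTH}))
FIG12_INIT = FIG10_INIT
FIG12_AUTH = IkeMessage(notifies=frozenset({CERT_AUTH}))

if __name__ == "__main__":
    for name, i, a in [("FIG9", FIG9_INIT, FIG9_AUTH), ("FIG10", FIG10_INIT, FIG10_AUTH),
                       ("FIG11", FIG11_INIT, FIG11_AUTH), ("FIG12", FIG12_INIT, FIG12_AUTH)]:
        print(name, negotiate(i, a), negotiate(i, a, follow_henb_on_conflict=True))
```

Running the block prints the strict and permissive decision for each of the four flows; adding MULTIPLE_AUTH_SUPPORTED to both messages turns the hosting-party flag on without changing the device-authentication choice, which is the rule the "in addition" paragraphs above describe.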
FIG. 13 is a schematic structural diagram of an embodiment of the security gateway of the present invention. As shown in FIG. 13, the security gateway includes a receiving module 11, a sending module 12 and a processing module 13. The receiving module 11 receives the Internet Key Exchange Security Association Initialization (IKE_SA_INIT) request sent by the home wireless access point (H(e)NB) and the Internet Key Exchange Authentication (IKE_AUTH) request sent by the H(e)NB; the sending module 12 sends the IKE_SA_INIT response and the IKE_AUTH response to the H(e)NB; and the processing module 13 performs authentication of the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry a first identifier supporting device authentication and hosting party authentication of the H(e)NB.
The specific method by which this security gateway authenticates the H(e)NB is described in the authentication negotiation method embodiments above and is not repeated here.
The security gateway provided by the present invention completes the authentication negotiation process through message exchange with the H(e)NB and authenticates the H(e)NB, providing a simple and accurate authentication mechanism.
FIG. 14 is a schematic structural diagram of an embodiment of the home wireless access point of the present invention. As shown in FIG. 14, the home wireless access point includes a sending module 21, a receiving module 22 and a processing module 23. The sending module 21 sends the IKE_SA_INIT request and the IKE_AUTH request to the security gateway (SeGW); the receiving module 22 receives the IKE_SA_INIT response and the IKE_AUTH response sent by the SeGW; and the processing module 23 decides, according to whether the IKE_SA_INIT response carries a first identifier supporting device authentication and hosting party authentication of the H(e)NB, whether to carry the first identifier in the IKE_AUTH request as well.
Through the exchange of information between this home wireless access point and the SeGW, authentication of the H(e)NB can be achieved; the specific method is described in the authentication negotiation method embodiments above and is not repeated here.
FIG. 15 is a schematic structural diagram of an embodiment of the authentication negotiation system of the present invention. As shown in FIG. 15, the authentication negotiation system includes a security gateway (SeGW) 1 and a home wireless access point (H(e)NB) 2. The H(e)NB 2 sends the IKE_SA_INIT request and the IKE_AUTH request, receives the returned IKE_SA_INIT response and IKE_AUTH response, and decides, according to whether the IKE_SA_INIT response carries a first identifier supporting device authentication and hosting party authentication of the H(e)NB 2, whether to carry the first identifier in the IKE_AUTH request as well. The SeGW 1 receives the IKE_SA_INIT request and the IKE_AUTH request sent by the H(e)NB 2, sends the IKE_SA_INIT response and the IKE_AUTH response to the H(e)NB 2, and performs authentication of the H(e)NB 2 according to whether the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier supporting device authentication and hosting party authentication of the H(e)NB 2.
The SeGW 1 includes a receiving module 11, a sending module 12 and a processing module 13. The H(e)NB 2 includes a sending module 21, a receiving module 22 and a processing module 23.
The specific method by which this authentication negotiation system has the SeGW authenticate the H(e)NB is described in the authentication negotiation method embodiments above and is not repeated here.
The authentication negotiation system provided by the present invention completes the authentication negotiation process through message exchange between the SeGW and the H(e)NB and authenticates the H(e)NB, providing a simple and accurate authentication mechanism.
A person of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be carried out by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flows of the method embodiments above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
Finally, it should be noted that the above embodiments only illustrate the technical solutions of the present invention and do not limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. An authentication negotiation method, comprising:
receiving an Internet Key Exchange Security Association Initialization (IKE_SA_INIT) request sent by a home wireless access point H(e)NB;
sending an IKE_SA_INIT response to the H(e)NB;
receiving a first Internet Key Exchange Authentication (IKE_AUTH) request sent by the H(e)NB; and performing authentication of the H(e)NB according to whether the IKE_SA_INIT response and the first IKE_AUTH request carry a first identifier supporting device authentication and hosting party authentication of the H(e)NB.
2. The authentication negotiation method according to claim 1, wherein the first identifier is a Notify payload of message type Multiple Authentication Supported.
3. The authentication negotiation method according to claim 2, wherein performing authentication of the H(e)NB according to whether the IKE_SA_INIT response and the first IKE_AUTH request carry the first identifier comprises:
when neither the IKE_SA_INIT response nor the first IKE_AUTH request carries the first identifier, supporting device authentication of the H(e)NB.
4. The authentication negotiation method according to claim 3, wherein the IKE_SA_INIT response carries a second identifier requesting certificate-based device authentication or Extensible Authentication Protocol Authentication and Key Agreement (EAP-AKA) device authentication of the H(e)NB.
5. The authentication negotiation method according to claim 4, wherein supporting device authentication of the H(e)NB comprises:
if the IKE_SA_INIT response carries a second identifier requesting certificate-based device authentication of the H(e)NB, supporting certificate-based device authentication of the H(e)NB; or if the IKE_SA_INIT response carries a second identifier requesting EAP-AKA device authentication of the H(e)NB, supporting EAP-AKA device authentication of the H(e)NB.
6. The authentication negotiation method according to claim 4, wherein the first IKE_AUTH request carries a third identifier requesting certificate-based device authentication or EAP-AKA device authentication of the H(e)NB.
7. The authentication negotiation method according to claim 6, wherein supporting device authentication of the H(e)NB comprises:
if the second identifier and the third identifier both request certificate-based device authentication of the H(e)NB, supporting certificate-based device authentication of the H(e)NB; or if the second identifier and the third identifier both request EAP-AKA device authentication of the H(e)NB, supporting EAP-AKA device authentication of the H(e)NB; or if the second identifier and the third identifier request different device authentication of the H(e)NB, refusing device authentication of the H(e)NB, or, according to the third
8. The authentication negotiation method according to claim 2, wherein performing authentication of the H(e)NB according to whether the IKE_SA_INIT response and the first IKE_AUTH request carry the first identifier specifically comprises:
when the IKE_SA_INIT response and the first IKE_AUTH request carry the first identifier, supporting device authentication and hosting party authentication of the H(e)NB.
9. The authentication negotiation method according to claim 8, wherein the IKE_SA_INIT response further carries a second identifier, used to request certificate-based device authentication or EAP-AKA device authentication of the H(e)NB.
10. The authentication negotiation method according to claim 9, wherein supporting device authentication and hosting party authentication of the H(e)NB specifically comprises:
if the IKE_SA_INIT response carries a second identifier requesting certificate-based device authentication of the H(e)NB, supporting certificate-based device authentication and hosting party authentication of the H(e)NB; or
if the IKE_SA_INIT response carries a request to perform EAP-AKA device
11. The authentication negotiation method according to claim 9, wherein the first IKE_AUTH request further carries a third identifier, used to request certificate-based device authentication or EAP-AKA device authentication of the H(e)NB.
12. The authentication negotiation method according to claim 11, wherein supporting device authentication and hosting party authentication of the H(e)NB specifically comprises:
if the second identifier and the third identifier are both identifiers requesting certificate-based device authentication of the H(e)NB, supporting certificate-based device authentication and hosting party authentication of the H(e)NB; or
if the second identifier and the third identifier are both identifiers requesting EAP-AKA device authentication of the H(e)NB, supporting EAP-AKA device authentication and hosting party authentication of the H(e)NB; or
if the second identifier and the third identifier are identifiers requesting different device authentication of the H(e)NB, refusing to perform device authentication and hosting party authentication of the H(e)NB, or supporting device authentication and hosting party authentication of the H(e)NB according to the device authentication requested by the third identifier.
13. The authentication negotiation method according to claim 8, 10 or 12, wherein supporting device authentication and hosting party authentication of the H(e)NB specifically comprises:
if the first IKE_AUTH request further carries a fourth identifier indicating that hosting party authentication will be performed on the H(e)NB, performing device authentication and hosting party authentication of the H(e)NB; or
after device authentication of the H(e)NB has been performed, if a second IKE_AUTH request sent by the H(e)NB is received that carries a fourth identifier indicating that hosting party authentication will be performed on the H(e)NB, performing hosting party authentication of the H(e)NB.
14. The authentication negotiation method according to claim 13, wherein the fourth identifier comprises: a Notify payload whose message type is "another authentication follows", together with an authentication (AUTH) payload.
15. The authentication negotiation method according to any one of claims 4, 5, 6, 7, 9, 10, 11 or 12, wherein
the second identifier requesting certificate-based device authentication of the H(e)NB comprises: a Notify payload whose message type is certificate authentication, or a certificate request payload; or
the second identifier requesting EAP-AKA device authentication of the H(e)NB comprises: a Notify payload whose message type is EAP-AKA authentication, or an EAP payload.
16. The authentication negotiation method according to claim 6, 7, 11 or 12, wherein
the third identifier requesting certificate-based device authentication of the H(e)NB comprises: a Notify payload whose message type is certificate authentication, or an authentication (AUTH) payload, or a network access identifier indicating certificate-based device authentication; or
the third identifier requesting EAP-AKA device authentication of the H(e)NB comprises: a Notify payload whose message type is EAP-AKA authentication, or a network access identifier indicating EAP-AKA device authentication.
17. The authentication negotiation method according to claim 3, 5, 7, 8, 10 or 12, wherein performing authentication of the H(e)NB specifically comprises: performing authentication of the H(e)NB according to the local security policy of the security gateway.
18. A security gateway, comprising:
a receiving module, configured to receive an Internet Key Exchange security association initialization (IKE_SA_INIT) request sent by a home wireless access point H(e)NB, and to receive an Internet Key Exchange authentication (IKE_AUTH) request sent by the H(e)NB;
a sending module, configured to send an IKE_SA_INIT response and an IKE_AUTH response to the H(e)NB;
a processing module, configured to perform authentication of the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry a first identifier supporting device authentication and hosting party authentication of the H(e)NB.
19. A home wireless access point, comprising:
a sending module, configured to send an Internet Key Exchange security association initialization (IKE_SA_INIT) request and an Internet Key Exchange authentication (IKE_AUTH) request to a security gateway; a receiving module, configured to receive the IKE_SA_INIT response and the IKE_AUTH response sent by the security gateway;
a processing module, configured to decide, according to whether the IKE_SA_INIT response carries a first identifier supporting device authentication and hosting party authentication of the H(e)NB, whether to also carry the first identifier in the IKE_AUTH request.
20. An authentication negotiation system, comprising:
a home wireless access point H(e)NB, configured to send an Internet Key Exchange security association initialization (IKE_SA_INIT) request and an Internet Key Exchange authentication (IKE_AUTH) request, to receive the returned IKE_SA_INIT response and IKE_AUTH response, and to decide, according to whether the IKE_SA_INIT response carries a first identifier supporting device authentication and hosting party authentication of the H(e)NB, whether to also carry the first identifier in the IKE_AUTH request;
a security gateway, configured to receive the IKE_SA_INIT request and the IKE_AUTH request sent by the H(e)NB, to send an IKE_SA_INIT response and an IKE_AUTH response to the H(e)NB, and to perform authentication of the H(e)NB according to whether the IKE_SA_INIT response and the IKE_AUTH request carry the first identifier.
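The decision logic of claims 8 to 14 and 17 (security gateway side) and claim 19 (H(e)NB side), written out as a small executable model. This is an illustration added here; it is not code from the patent, from 3GPP or from any vendor implementation. The message flags (`supports_both` for the first identifier, `dev_auth` for the second and third identifiers, `another_auth_follows` for the fourth identifier), the `Policy` knobs standing in for the local security policy of claim 17, and the fallback to device-only authentication when the first identifier is not carried by both sides are all assumptions of the example.

```python
"""Model of the H(e)NB <-> SeGW authentication negotiation (added example).

Assumptions: an IKEv2 message is reduced to the three things the claims inspect;
how the identifiers are encoded on the wire (Notify / CERTREQ / EAP / AUTH payloads
or a NAI, claims 14 to 16) is deliberately abstracted away behind boolean/enum flags.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class DevAuth(Enum):
    CERT = "certificate-based"
    EAP_AKA = "EAP-AKA"


@dataclass
class Message:
    """Only the payload facts the negotiation depends on (assumed abstraction)."""
    supports_both: bool = False               # first identifier: device + hosting party auth
    dev_auth: Optional[DevAuth] = None        # second (SeGW) / third (H(e)NB) identifier
    another_auth_follows: bool = False        # fourth identifier: "another auth follows" + AUTH


@dataclass
class Policy:
    """Stand-in for the SeGW local security policy of claim 17 (assumed knobs)."""
    default_dev_auth: DevAuth = DevAuth.CERT
    on_mismatch_follow_hnb: bool = False      # claim 12: False = refuse, True = follow 3rd id


@dataclass
class Decision:
    device_auth: Optional[DevAuth]
    hosting_party_auth: bool
    rejected: bool = False
    reason: str = ""


def hnb_build_ike_auth(sa_init_resp: Message, hnb_supports_both: bool,
                       requested: DevAuth, hosting_party_ready: bool) -> Message:
    """H(e)NB side (claim 19): echo the first identifier only if the SeGW offered it."""
    return Message(supports_both=sa_init_resp.supports_both and hnb_supports_both,
                   dev_auth=requested,
                   another_auth_follows=hosting_party_ready)


def segw_negotiate(sa_init_resp: Message, ike_auth_req: Message, policy: Policy) -> Decision:
    """SeGW side: claims 8, 10, 12 and 13 (first branch)."""
    # Claim 8: the combined scheme is on only if both sides carried the first identifier.
    if not (sa_init_resp.supports_both and ike_auth_req.supports_both):
        # Assumption of this example: fall back to device authentication alone.
        return Decision(policy.default_dev_auth, hosting_party_auth=False,
                        reason="first identifier not carried by both sides")

    second, third = sa_init_resp.dev_auth, ike_auth_req.dev_auth
    if second is not None and third is not None and second != third:
        # Claim 12: conflicting method requests -> refuse, or follow the third identifier.
        if not policy.on_mismatch_follow_hnb:
            return Decision(None, hosting_party_auth=False, rejected=True,
                            reason="device authentication method mismatch")
        chosen = third
    else:
        chosen = third or second or policy.default_dev_auth

    # Claim 13, first branch: hosting party auth runs only if the fourth identifier is present.
    return Decision(chosen, hosting_party_auth=ike_auth_req.another_auth_follows,
                    reason="negotiated")


def segw_after_device_auth(decision: Decision, second_ike_auth_req: Message) -> Decision:
    """Claim 13, second branch: a later IKE_AUTH request carrying the fourth identifier
    (received after device authentication completed) triggers hosting party auth."""
    if decision.rejected or decision.hosting_party_auth:
        return decision
    return Decision(decision.device_auth,
                    hosting_party_auth=second_ike_auth_req.another_auth_follows,
                    reason="fourth identifier in second IKE_AUTH request")


if __name__ == "__main__":
    resp = Message(supports_both=True, dev_auth=DevAuth.CERT)   # constructed SeGW response
    req = hnb_build_ike_auth(resp, True, DevAuth.CERT, hosting_party_ready=True)
    print(segw_negotiate(resp, req, Policy()))
```

The model makes the negotiation's security-relevant property visible: hosting party authentication is never inferred, it runs only when the first identifier was agreed by both sides and the H(e)NB explicitly announced it with the fourth identifier; and a mismatch between the method the SeGW asked for and the one the H(e)NB presents is an explicit policy decision (refuse, or follow the H(e)NB) rather than silent acceptance.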
PCT/CN2009/074561 2008-12-15 2009-10-22 Authentication negotiation method and the system thereof, security gateway, home node b WO2010069202A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810239705.3A CN101754211A (en) 2008-12-15 2008-12-15 Authentication and negotiation method, system, security gateway and wireless family access point
CN200810239705.3 2008-12-15

Publications (1)

Publication Number Publication Date
WO2010069202A1 true WO2010069202A1 (en) 2010-06-24

Family

ID=42268298

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/074561 WO2010069202A1 (en) 2008-12-15 2009-10-22 Authentication negotiation method and the system thereof, security gateway, home node b

Country Status (2)

Country Link
CN (1) CN101754211A (en)
WO (1) WO2010069202A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011023223A1 (en) * 2009-08-25 2011-03-03 Nokia Siemens Networks Oy Method of performing an authentication in a communications network

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130139242A1 (en) * 2010-08-20 2013-05-30 Zte Corporation Network Accessing Device and Method for Mutual Authentication Therebetween
CN104955021B (en) * 2010-10-21 2018-10-16 中兴通讯股份有限公司 A kind of user signing contract information processing method and system
CN102833359A (en) * 2011-06-14 2012-12-19 中兴通讯股份有限公司 Tunnel information acquiring method, SeGW (security gateway), evolution H(e)NB (home node B)/H(e)NB
CN103096398B (en) 2011-11-08 2016-08-03 华为技术有限公司 A kind of method and apparatus of network switching
CN106302018B (en) * 2016-08-18 2019-04-23 北京锦鸿希电信息技术股份有限公司 Train-ground communication method and enhanced mobile wireless module EMRM
CN107820242A (en) * 2016-09-14 2018-03-20 中国移动通信有限公司研究院 A kind of machinery of consultation of authentication mechanism and device
CN110048988B (en) * 2018-01-15 2021-03-23 华为技术有限公司 Message sending method and device
WO2021134724A1 (en) * 2019-12-31 2021-07-08 华为技术有限公司 Authentication method and apparatus, and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070268888A1 (en) * 2006-05-18 2007-11-22 Cisco Technology, Inc. System and method employing strategic communications between a network controller and a security gateway
US20080162926A1 (en) * 2006-12-27 2008-07-03 Jay Xiong Authentication protocol
WO2008153456A1 (en) * 2007-06-11 2008-12-18 Telefonaktiebolaget Lm Ericsson (Publ) Method and arrangement for certificate handling

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Service and System Aspects; Security of H(e)NB; (Release 8).", 3GPP TR 33.820 V1.1.0, 9 December 2007 (2007-12-09) *

Also Published As

Publication number Publication date
CN101754211A (en) 2010-06-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 09832884; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 09832884; Country of ref document: EP; Kind code of ref document: A1)