WO2010091589A1 - Security authentication method - Google Patents


Publication number
WO2010091589A1
WO2010091589A1 PCT/CN2009/075968 CN2009075968W WO2010091589A1 WO 2010091589 A1 WO2010091589 A1 WO 2010091589A1 CN 2009075968 W CN2009075968 W CN 2009075968W WO 2010091589 A1 WO2010091589 A1 WO 2010091589A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
iwf
security authentication
mme
network
Application number
PCT/CN2009/075968
Inventor
李志军
宗在峰
郝振武
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2010091589A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • The present invention relates to a security authentication technology in a third generation mobile communication system, and more particularly to a security authentication method for implementing a circuit switched (CS) domain service under an evolved packet domain system (EPS) access.
  • CS circuit switched
  • EPS evolved packet domain system (Evolved Packet System)
  • 3GPP 3rd Generation Partnership Project
  • PS Core Packet Switched Core
  • UTRAN Universal Mobile Telecommunication System Radio Access Network
  • EPC Evolved PS Core
  • GERAN GSM EDGE Radio Access Network
  • WLAN Wireless Local Area Network
  • GSM Global System for Mobile communications
  • EDGE Enhanced Data Rate for GSM Evolution
  • FIG. 1 is a network architecture diagram of a prior art user terminal (UE, User Equipment) implementing circuit switched (CS) services under EPS network access.
  • E-UTRAN can provide higher uplink and downlink rates, lower transmission delay and more reliable wireless transmission; the network elements included in E-UTRAN are evolved base stations (eNodeBs, evolved NodeBs), which provide radio resources for UE access.
  • The Serving Gateway (S-GW) is a user plane entity responsible for routing user plane data.
  • The Packet Data Network Gateway (P-GW) is responsible for the gateway function of the UE accessing the Packet Data Network (PDN).
  • The P-GW and the S-GW can be combined in one physical entity.
  • the Mobility Management Entity is a control plane entity that temporarily stores user data, manages and stores the UE context, assigns temporary identifiers to users, and authenticates users.
  • GERAN/UTRAN is a radio access network of a GSM/Universal Mobile Telecommunications System (UMTS) network, including a base station and a base station controller portion.
  • the Mobile Switching Center (MSC) / Visitor Location Register (VLR) belongs to the CS domain network element.
  • the basic voice service of the user and the supplementary service based on the voice service are provided through the CS domain.
  • The EPS system itself does not provide or control CS services such as voice calls, and can only carry Internet Protocol (IP) data.
  • CS services such as voice for a UE under EPS access are implemented by the CS domain.
  • The interaction signaling between the UE and the MSC/VLR, used for procedures such as location update and call signaling, is transmitted through the IP signaling channel carried on the EPS network, and the voice media stream is transmitted through the IP user plane channel carried on the EPS network.
  • the network architecture shown in FIG. 1 can be used to implement the UE to perform CS services such as voice through CS domain control under the EPS network access.
  • the network architecture is called CS service establishment on the PS bearer (CSoPS, CS over PS).
  • IWF Internet element
  • The IWF provides an A/IU-CS interface toward the MSC/VLR: it converts IP signaling messages received from the UE into A/IU-CS interface messages and sends them to the MSC/VLR, and performs the reverse conversion.
  • The EPS treats the IWF as an application function point (AF, Application Function), which performs application service functions based on the IP layer.
  • Through the IP signaling channel carried on the EPS network, the UE interacts with the IWF and the MSC/VLR to perform procedures such as registration, location update, and voice call, thereby completing bearer establishment and call setup.
  • When a switch from the EPS network to the UMTS/GSM network is needed and the MME receives the handover request, then for the voice service the MME needs to send a handover request message to the current IWF of the UE, so that the IWF converts the handover request message and sends it to the MSC/VLR currently controlling the call. The MME where the UE is currently located therefore needs to know the IWF where the UE is currently located.
  • In the prior art, the process of the UE accessing the CS domain through the EPS network includes three main parts: 1. the UE accesses the EPS network and creates a bearer for CSoPS; 2. the UE initiates registration with the IWF; 3. registration with the CS domain is initiated to the MSC. It can be seen that three security authentications of the UE are needed when the UE accesses the network through the EPS and registers with the CS domain, including:
  • Access authentication when the UE accesses the EPS network. It is executed by the MME, and the UE is authenticated through non-access stratum (NAS, Non Access Stratum) access control;
  • IP security authentication before the UE registers with the IWF. The IPSec protocol is used between the UE and the IWF to establish a secure IP connection and ensure mutual trust between the UE and the IWF;
  • The access authentication when the UE accesses the EPS network and the identity authentication when the UE registers with the CS domain are both established, mature mechanisms. These mechanisms share a similar idea: the UE and the network jointly hold a long-term key; the Home Location Register/Home Subscriber Server (HLR/HSS) in the home network stores the important authentication parameters of the UE and sends them to the authentication network element in the network; the authentication network element calculates an authentication challenge for the UE; the UE calculates the authentication response from the authentication challenge; and the authentication network element verifies the correctness of the authentication response, which authenticates the UE.
  • the security authentication mechanism between the UE and the IWF uses an IPSec-based tunnel encryption mechanism.
  • The authentication and encryption parameters used by the IWF to establish an IPSec tunnel are obtained from an Authentication, Authorization and Accounting (AAA) server.
  • The IWF queries the AAA server of the visited network (V-AAA) for authentication and encryption parameters, the V-AAA queries the AAA server of the home network (H-AAA), and the H-AAA obtains the authentication and encryption parameters from the HSS of the home network.
  • The IPSec mechanism between the UE and the IWF can ensure the security authentication of the UE by the IWF.
  • For the frequent signaling communication between the UE and the IWF, the IPSec tunnel encryption mechanism greatly increases the complexity of signaling processing at the IWF and reduces its efficiency. It also greatly increases the complexity of the communication procedure for the UE.
  • With the IPSec tunnel encryption mechanism, the IWF needs an interface to the AAA server to obtain parameters such as a long-term key for each UE. The interface between the IWF and the AAA server is used only to transfer the authentication parameters, yet it requires deploying a complete Diameter protocol stack, which greatly increases the complexity of the IWF.
  • AAA servers are normally used for interworking between mobile communication technologies defined outside 3GPP and those defined by 3GPP. Using the IPSec mechanism between the UE and the IWF forces the CSoPS architecture to introduce an AAA server, which increases the complexity of the overall architecture.
  • The main purpose of the present invention is to provide a security authentication method that reduces the complexity of the IWF's security authentication of the UE and improves the efficiency of IWF signaling processing.
  • The invention provides a security authentication method, the method comprising:
  • The IWF receives a registration request from a user terminal (UE);
  • The IWF performs security authentication on the UE according to the authentication parameter that an authentication network element uses for security authentication of the UE, or according to the security authentication status of the UE at that authentication network element.
  • The authentication network element is a mobility management entity (MME) in an evolved packet domain system (EPS) network; the IWF obtains from the MME an authentication parameter for performing security authentication on the UE, and performs security authentication on the UE according to that authentication parameter.
  • the IWF obtains the authentication parameter from the MME, and specifically includes:
  • the IWF requests the authentication parameter from the MME
  • the MME sends an authentication parameter obtained from a Home Subscriber Server (HSS) to the IWF.
  • Alternatively, the IWF obtains the authentication parameter from the MME, and specifically includes:
  • After the MME obtains the authentication parameter from the HSS, the MME actively sends the authentication parameter to the IWF.
  • The authentication parameter for performing security authentication on the UE is: an authentication parameter of the EPS network for performing access authentication on the UE, and/or an authentication parameter of the CS over PS (CSoPS) service for the UE.
  • The authentication network element is an MME in the EPS network, and the IWF performs security authentication on the UE according to the MME's security authentication status for the UE, which specifically includes:
  • The IWF obtains the address of the MME according to the MME information in the registration request of the UE; the IWF requests the MME to query the authentication status when the UE accessed the EPS network; and the MME returns that authentication status to the IWF;
  • The IWF verifies whether the UE passes the security authentication according to the authentication status when the UE accessed the EPS network, and returns a security authentication result to the UE.
  • Alternatively, the authentication network element is an MME in the EPS network, and the IWF performs security authentication on the UE according to the MME's security authentication status for the UE, which specifically includes:
  • After the UE successfully attaches to the EPS network, the EPS network establishes a bearer for the UE, and the MME allocates an IWF to the UE, the MME actively sends the authentication status of the UE when accessing the EPS network to the IWF;
  • The IWF verifies whether the UE passes the security authentication according to the authentication status when the UE accessed the EPS network, and returns a security authentication result to the UE.
  • The authentication status of the UE when accessing the EPS network includes at least one of the following states: the security authentication status of the non-access stratum (NAS) authentication of the UE by the EPS network, the state in which the EPS network allows the UE to access, and the state in which the EPS network has established a bearer for the UE and assigned an Internet Protocol (IP) address.
  • The authentication network element is a mobile switching center (MSC) in a circuit switched (CS) domain, and the IWF performs security authentication on the UE according to the MSC's security authentication status for the UE, which specifically includes: the IWF receives the registration request of the UE and, according to the identifier information in the registration request that indicates registration to the CS domain, initiates the CS domain registration process to the MSC on behalf of the UE;
  • The IWF verifies whether the UE passes the security authentication according to the security authentication status when the UE initiates registration with the CS domain, and returns a security authentication result to the UE.
  • Alternatively, the authentication network element is an MSC in the CS domain, and the IWF performs security authentication on the UE according to the MSC's security authentication status for the UE, which specifically includes:
  • When the IWF receives the registration request of the UE and the request carries no identifier information for initiating registration to the CS domain, the IWF initiates the CS domain registration process to the MSC on behalf of the UE according to the policy configuration of the network;
  • The IWF verifies whether the UE passes the security authentication according to the security authentication status when the UE initiates registration with the CS domain, and returns a security authentication result to the UE.
  • The identifier information for initiating registration to the CS domain, carried in the registration request sent by the UE to the IWF, is an indication that the UE initiates a location update procedure to the CS domain.
  • Alternatively, the authentication network element is an MSC in the CS domain, and the IWF performs security authentication on the UE according to the MSC's security authentication status for the UE, which specifically includes: after receiving the registration request of the UE, the IWF provisionally treats the UE registration as successful, and determines whether to cancel the registration of the UE on the IWF according to the MSC's security authentication status for the UE when the UE requests registration to the CS domain.
  • With the security authentication method provided by the present invention, when the IWF receives the registration request from the UE, it performs security authentication on the UE according to the authentication parameters stored in the home network, using an authentication algorithm similar to that used when the UE accesses the EPS network or registers with the CS domain; or it performs security authentication on the UE according to the security authentication status when the UE accesses the EPS network or registers with the CS domain.
  • the invention reduces the frequent signaling communication between the UE and the IWF, reduces the complexity of the IWF and the UE processing signaling, and improves the efficiency of the IWF processing signaling.
  • the AAA server is no longer needed in the architecture of the present invention. The complexity of the overall architecture is reduced, and the complexity of implementing the IWF for secure authentication of the UE is also reduced.
  • FIG. 1 is a network architecture diagram of a UE implementing a CS service under an EPS network access in the prior art
  • FIG. 2 is a flowchart of obtaining an authentication and encryption parameter from an AAA server by an IWF in the prior art
  • FIG. 4 is a flowchart of a security authentication method according to Embodiment 1 of the present invention.
  • FIG. 5 is a flowchart of a security authentication method according to Embodiment 2 of the present invention.
  • FIG. 6 is a flowchart of a security authentication method according to Embodiment 3 of the present invention.
  • FIG. 7 is a flowchart of a security authentication method according to Embodiment 4 of the present invention.
  • Detailed description
  • The security authentication method provided by the present invention is applied to the security authentication of the UE by the IWF when CS domain services are implemented under EPS access.
  • The method mainly includes the following steps: Step 301: The IWF receives a registration request from the UE. The UE sends a registration request to the IWF before registering with the IWF.
  • Step 302 The IWF performs security authentication on the UE according to the authentication parameter that the authentication network element uses for security authentication of the UE, or according to the security authentication status of the UE at the authentication network element.
  • the authentication network element in the present invention includes: an MME in an EPS network, an MSC in a CS domain, and the like.
  • the authentication network element of the present invention is not limited to the MME and MSC enumerated above.
  • the IWF may obtain an authentication parameter for performing security authentication on the UE from the MME, and the authentication parameter may be at least one of the following two authentication parameters:
  • the MME itself uses an authentication parameter for performing NAS access authentication on the UE.
  • the authentication parameter of the CSoPS that is sent by the HSS to the MME and is used by the IWF to authenticate the UE.
  • the IWF may also perform security authentication on the UE according to the security authentication status of the UE by the MME; and may perform security authentication on the UE according to the security authentication status of the UE by the MSC.
  • Step 401 The UE requests to attach to the EPS network, and requests the EPS network to establish an IP bearer for the IP network, and the request is sent to the MME through the E-UTRAN.
  • The UE may use a specific Access Point Name (APN) for CSoPS to require the EPS network to establish a bearer dedicated to CSoPS.
  • Step 402 The MME obtains an authentication parameter for performing security authentication on the UE from the HSS, and performs an authentication operation on the UE by using the authentication parameter.
  • Since the UE is accessing the EPS network for the first time, the EPS network needs to authenticate the UE, and it does so using the NAS authentication mechanism. After the authentication is passed, the MME stores information about the security authentication status of the NAS authentication for the UE.
  • Step 403 Since the UE is initially accessing the EPS network, and the MME does not have the service configuration data of the UE, the MME sends a location update request to the HSS, and requests to download the service configuration data of the UE.
  • Step 404 The HSS returns a location update response to the MME, and carries the service configuration data of the UE and the authentication parameter for performing security authentication on the UE.
  • the authentication parameter that the HSS downloads to the MME in the present invention must include an authentication parameter for the EPS network to perform access authentication on the UE, and may further include an authentication for the IWF to perform security authentication on the UE under the CSoPS service. parameter. If the home network supports CSoPS and the UE has CSoPS capability, an authentication parameter dedicated to CSoPS is configured in the HSS.
  • Step 405 After receiving the location update response of the HSS, the MME stores the service configuration data of the UE and the authentication parameter for performing security authentication on the UE, allocates the S-GW/P-GW according to the network situation and the indication of the service configuration data, and sends a bearer setup request to the assigned S-GW/P-GW.
  • Step 406 The S-GW/P-GW establishes a bearer of the corresponding CSoPS for the UE, and returns a bearer setup response to the MME after the establishment is completed, including an IP address allocated for the UE.
  • Step 407 The MME sends an attach response to the UE, returning the IP address allocated to the UE.
  • The EPS network allocates an IWF of the visited network to the UE according to the APN provided by the UE for CSoPS, and returns the allocated IWF to the UE in the attach response.
  • The IWF can be identified by a specific IWF address or by a Fully Qualified Domain Name (FQDN) used to discover the IWF.
  • Step 408 The UE acquires an IWF address of the visited network from the EPS network.
  • the UE may initiate a Domain Name System (DNS) query to obtain a suitable IWF address after attaching to the EPS network.
  • Another way for the UE to obtain the IWF address of the visited network is for the UE to be configured with the IWF of the home network: the UE sends a request to the IWF of the home network, which provides a suitable visited network IWF for the UE according to the visited network accessed by the UE. If the UE obtains the domain name of the IWF of the visited network, the UE may obtain the IP address of the IWF through a DNS query mechanism.
  • The UE may then initiate registration with the corresponding IWF.
  • The purpose of the registration is to enable the IWF to simulate the UE accessing the base station virtualized by the IWF, and to enable the IWF to obtain the location information of the UE in the EPS network and other necessary information.
  • Step 409 After obtaining the IWF address of the visited network, the UE initiates a registration request to the IWF.
  • the information carried in the request mainly includes: an International Mobile Subscriber Identity (IMSI) of the UE, an IP address of the UE, and a UE connection.
  • TAI Tracking Area Identity
  • Step 410 The IWF obtains an address of the MME currently attached by the UE according to the registration request of the UE.
  • When the UE registers with the IWF, it carries the identification information of the MME that the UE obtained when it attached to the EPS network.
  • the IWF can obtain the specific address of the MME by looking up the table or by using the DNS domain name mechanism.
  • Step 411 The IWF initiates an establishment request of the Sv interface to the MME, and queries the MME for the authentication parameter of the UE.
  • the Sv interface is used to establish the connection between the EPS network (with the MME as the main control core) and the CS network (the base station simulated by the IWF as the access terminal), so as to transmit the information and control signaling necessary for the interconnection between the networks.
  • Step 412 The MME establishes an Sv interface with the IWF, and returns a setup success response to the IWF after the establishment is completed, and the response carries the authentication parameter of the UE.
  • the MME obtains only the authentication parameters for the EPS network to perform access authentication for the UE from the HSS, the MME returns only for the EPS network.
  • Step 413 The IWF calculates an authentication challenge by using an authentication algorithm according to the authentication parameter obtained from the MME.
  • Step 414 The IWF initiates an authentication challenge request to the UE.
  • Step 415 The UE inversely calculates the authentication response according to the authentication challenge and using an authentication algorithm.
  • Step 416 The UE returns the calculated authentication response to the IWF.
  • Step 417 The IWF verifies whether the authentication response is correct, and sends a registration success response to the UE after verifying that the authentication response is correct.
  • The IWF obtains the MME address from the registration request of the UE, actively establishes an Sv interface with the MME, and queries the MME for the authentication parameter.
  • The present invention also provides an alternative to the process of FIG. 4: in the attach process shown in FIG. 4, after the UE has successfully attached to the EPS network and the EPS network has established the bearer for the UE, the MME can actively establish an Sv interface with the IWF and send the authentication parameter obtained in step 404 to the IWF through that interface.
  • Then, when the UE initiates registration with the IWF, the IWF does not need to request the MME to establish an Sv interface again and query the authentication parameters; it can directly use the authentication parameters the MME previously sent to it to perform security authentication on the UE.
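The FIG. 4 exchange (steps 409 to 417) can be traced in code; the following is an added example, not part of the patent text. It assumes the authentication parameter is a challenge/expected-response pair and uses HMAC-SHA256 as a stand-in for the authentication algorithm, which the page leaves open; the class names, `sv_query`, and the sample IMSI and key are hypothetical or constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def auth_alg(key: bytes, rand: bytes) -> bytes:
    """Stand-in (assumption) for the authentication algorithm the page leaves open."""
    return hmac.new(key, rand, hashlib.sha256).digest()[:8]


@dataclass(frozen=True)
class AuthVector:
    """Assumed form of an 'authentication parameter': challenge plus expected response."""
    rand: bytes
    xres: bytes


class HSS:
    """Home network: holds the long-term key shared with the UE."""

    def __init__(self, keys):
        self._keys = dict(keys)

    def vectors(self, imsi, csops_capable):
        def fresh():
            rand = secrets.token_bytes(16)
            return AuthVector(rand, auth_alg(self._keys[imsi], rand))
        params = {"eps": fresh()}          # always downloaded (step 404)
        if csops_capable:
            params["csops"] = fresh()      # optional CSoPS-dedicated parameter
        return params


class MME:
    def __init__(self, hss):
        self._hss = hss
        self._params = {}                  # IMSI -> parameters stored in step 405

    def attach(self, imsi, csops_capable=True):
        self._params[imsi] = self._hss.vectors(imsi, csops_capable)

    def sv_query(self, imsi):
        """Steps 411-412: return a parameter for this UE, or None if not attached."""
        stored = self._params.get(imsi)
        if stored is None:
            return None
        # Assumption: prefer the CSoPS-dedicated parameter when the HSS supplied one.
        return stored.get("csops") or stored["eps"]


class UE:
    def __init__(self, imsi, key):
        self.imsi = imsi
        self._key = key

    def respond(self, rand):
        return auth_alg(self._key, rand)   # step 415


class IWF:
    def __init__(self, mme_directory):
        self._mmes = dict(mme_directory)   # MME identifier -> MME (step 410 lookup)
        self._pending = {}                 # IMSI -> vector awaiting a response

    def challenge(self, imsi, mme_id):
        """Steps 410-414: fetch the parameter and issue the challenge."""
        mme = self._mmes.get(mme_id)
        vec = mme.sv_query(imsi) if mme is not None else None
        if vec is None:
            return None                    # nothing to authenticate against
        self._pending[imsi] = vec
        return vec.rand

    def verify(self, imsi, res):
        """Step 417: constant-time check; each challenge allows one attempt."""
        vec = self._pending.pop(imsi, None)
        return vec is not None and hmac.compare_digest(res, vec.xres)


def register(ue, iwf, mme_id):
    """Steps 409-417 end to end; True means a registration success response."""
    rand = iwf.challenge(ue.imsi, mme_id)
    if rand is None:
        return False
    return iwf.verify(ue.imsi, ue.respond(rand))


if __name__ == "__main__":
    key = bytes(range(16))                 # constructed sample key
    imsi = "001010123456789"               # constructed IMSI
    mme = MME(HSS({imsi: key}))
    mme.attach(imsi)
    iwf = IWF({"mme-1": mme})
    print(register(UE(imsi, key), iwf, "mme-1"))           # genuine UE
    print(register(UE(imsi, b"\x00" * 16), iwf, "mme-1"))  # wrong long-term key
```

In this sketch the long-term key never reaches the MME or the IWF; they only handle the derived parameter, which is one way to read the page's goal of avoiding a per-UE key interface at the IWF.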
  • Step 501 The UE attaches to the EPS network, and through the NAS authentication, the EPS network establishes a bearer for the UE, and the UE obtains the allocated IP address.
  • Step 502 The UE acquires an IWF address of the visited network from the EPS network.
  • Step 503 The UE initiates a registration request to the IWF, where the information carried in the request mainly includes:
  • The IMSI of the UE, the IP address of the UE, the TAI of the UE accessing the EPS network, and the address or identification information of the MME accessed by the UE.
  • Step 504 The IWF obtains an address of the MME accessed by the UE.
  • Since the UE has never registered on the IWF, the IWF needs to verify whether the UE is legitimate after obtaining the IMSI, IP address, and the like from the registration request of the UE.
  • the IWF may check whether the UE is authenticated by the EPS network from the UE status information of the MME.
  • Step 505 The IWF initiates an establishment request of the Sv interface to the MME, and queries the MME for the authentication status of the UE.
  • the IWF requests the MME to verify the authentication status of the UE by providing the MME with information such as the IMSI and IP address of the UE.
  • Step 506 The MME establishes an Sv interface with the IWF, and returns a setup success response to the IWF after the establishment is completed, where the response carries the authentication status of the UE.
  • The MME stores the complete context data of the UE, in which information such as the IMSI and IP address of the UE is recorded. The MME checks whether its stored context data contains an entry matching the IMSI, IP address and other information provided by the IWF. If it does, the UE is considered to have passed the access authentication of the EPS network, and the MME returns the authentication status of the UE to the IWF, indicating that the UE has passed the access authentication of the EPS network. If there is no corresponding IMSI and IP address of the UE on the MME, the UE is considered not to have passed the access authentication of the EPS network, and the MME indicates that the UE did not pass the EPS network access authentication.
  • The authentication status when the UE accesses the EPS network includes at least one of the following states:
  • the security authentication status of the NAS authentication performed on the UE by the EPS network (if the EPS network performed the NAS authentication process on the UE);
  • the state in which the EPS network has established a bearer for the UE and allocated an Internet Protocol (IP) address.
  • Step 507 After obtaining the authentication status of the UE accessing the EPS network from the MME, the IWF sends a registration success response to the UE if it confirms that the UE has passed the access authentication of the EPS network, otherwise rejects the registration of the UE.
  • In the process shown in FIG. 5, the IWF actively establishes an Sv interface with the MME and queries the MME for the authentication status of the UE through that interface.
  • The present invention also provides an alternative to the process of FIG. 5: after the UE successfully attaches to the EPS network, the EPS network establishes a bearer for CSoPS for the UE, and the MME allocates the IWF to the UE, the MME can actively establish an Sv interface with the IWF and send the authentication status of the UE to the IWF through that interface.
  • The IWF then does not need to request the MME to establish an Sv interface and query the authentication status of the UE; it can directly determine whether the UE has passed the authentication of the EPS network by using the authentication status the MME previously sent to it.
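The status-based check of FIG. 5 (steps 503 to 507), together with the variant in which the MME sends the status unprompted, is sketched below as an added example that is not part of the patent text. The class and method names, the policy of requiring all three listed states, and the sample IMSIs and addresses are assumptions or constructed values; addresses are normalised so that different textual forms of the same IP address still match the MME context.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthStatus:
    """The three states the page lists for a UE that accessed the EPS network."""
    nas_authenticated: bool = False    # NAS authentication passed
    access_allowed: bool = False       # EPS network allows the UE to access
    bearer_with_ip: bool = False       # bearer established and IP address assigned

    def passed(self):
        # Assumption: this IWF policy requires all three states; the page only
        # asks for "at least one", so a deployment could accept fewer.
        return self.nas_authenticated and self.access_allowed and self.bearer_with_ip


def norm_ip(text):
    """Parse to a canonical address so textual variants compare equal; None if invalid."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


class MME:
    def __init__(self, mme_id):
        self.mme_id = mme_id
        self._contexts = {}            # IMSI -> (IP address, AuthStatus)

    def attach_complete(self, imsi, ip, status, push_to=None):
        self._contexts[imsi] = (norm_ip(ip), status)
        if push_to is not None:        # variant: MME sends the status unprompted
            push_to.receive_status(imsi, ip, status)

    def query_status(self, imsi, ip):
        """Step 506: both IMSI and IP must match the stored UE context."""
        ctx = self._contexts.get(imsi)
        claimed = norm_ip(ip)
        if ctx is None or claimed is None or ctx[0] != claimed:
            return AuthStatus()        # no matching context: not authenticated
        return ctx[1]


class IWF:
    def __init__(self, mmes=()):
        self._mmes = {m.mme_id: m for m in mmes}
        self._pushed = {}              # (IMSI, IP) -> status pushed by an MME

    def receive_status(self, imsi, ip, status):
        self._pushed[(imsi, norm_ip(ip))] = status

    def register(self, imsi, ip, mme_id):
        """Steps 503-507: returns 'registered' or 'rejected'."""
        addr = norm_ip(ip)
        if addr is None:
            return "rejected"
        status = self._pushed.get((imsi, addr))
        if status is None:             # nothing pushed: query over the Sv interface
            mme = self._mmes.get(mme_id)
            status = mme.query_status(imsi, ip) if mme is not None else AuthStatus()
        return "registered" if status.passed() else "rejected"
```

Because no challenge is exchanged in this embodiment, the decision rests entirely on the IMSI and IP address pair matching the MME context, so a request with a known IMSI but a different address is rejected.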
  • Step 601 The UE attaches to the EPS network, and through the NAS authentication, the EPS network establishes a bearer for the UE, and the UE obtains the allocated IP address.
  • Step 602 The UE acquires an IWF address of the visited network from the EPS network.
  • Step 603 The UE initiates a registration request to the IWF, where the information carried in the request mainly includes:
  • The IMSI of the UE, the IP address of the UE, the TAI of the UE accessing the EPS network, and the address or identification information of the MME accessed by the UE.
  • the UE may carry an identifier indicating the registration to the CS domain in the registration request.
  • the identifier information used to indicate the registration to the CS domain may be the identifier information of the location update process initiated by the CS domain, indicating that the UE wants to register to the CS network through the CS domain location update process. In this way, the registration request initiated by the UE to the IWF and the CS domain simultaneously constitutes a joint registration request.
  • Step 604 After receiving the registration request of the UE, the IWF obtains the IMSI of the UE, the IP address of the UE, the TAI of the UE accessing the EPS network, the address or identifier of the MME accessed by the UE, and the like, and determines, according to the identifier information in the registration request used to indicate registration to the CS domain, that the UE needs to initiate a registration process to the CS domain.
  • The IWF may convert the TAI into CS domain location information (LAI, Location Area Identity) through a certain mapping rule; if the UE carried the LAI in the joint registration request, the IWF can use that LAI directly.
  • Step 605 The IWF initiates a location update request of the CS domain to the MSC instead of the UE, and the request carries the LAI.
  • Step 606 The MSC initiates a location update request to the HLR, and requests to download the service configuration data of the UE.
  • Since the UE is not registered on the MSC, the MSC needs to obtain an authentication parameter from the HLR to authenticate the UE.
  • Step 607 After receiving the location update request sent by the MSC, the HLR returns a location update response to the MSC, where the response carries the service configuration data of the UE and the authentication parameter for performing security authentication on the UE.
  • Step 608 The MSC calculates an authentication challenge by using an authentication algorithm according to the authentication parameter returned by the HLR.
  • Step 609 The MSC sends an authentication challenge request to the UE by using the IWF.
  • Step 610 The UE calculates an authentication response by using an authentication algorithm according to the long-term key stored by the UE.
  • the long-term key stored in the UE is consistent with the long-term key stored in the HLR/HSS.
  • Step 611 The UE returns an authentication response to the MSC through the IWF.
  • Step 612 After receiving the authentication response, the MSC verifies whether the authentication response is correct, to determine whether the UE is a legitimate user, and sends a location update response to the IWF after determining the validity.
  • the location update response is the security authentication status when the UE registers with the CS domain.
  • Step 613 After receiving the location update response sent by the MSC, the IWF sends a registration success response to the UE.
  • the registration success response needs to be sent to the UE after receiving the location update response of the MSC.
  • the IWF receives the registration request of the UE and, according to the identifier information in the registration request that indicates registration to the CS domain, initiates a location update to the CS domain, so that the UE is registered to the CS domain.
  • the present invention further provides another feasible embodiment of the process of FIG. 6: if the registration request initiated by the UE does not carry the identifier information indicating that registration is initiated to the CS domain, the IWF, after receiving the registration request, can actively initiate the location update request of the CS domain to the MSC on behalf of the UE and rely on the MSC's authentication of the UE, so that the IWF considers the UE secure and trustworthy and, on that basis, accepts the UE's registration request to the IWF. In the process, the IWF will also need to map the TAI of the EPS network to the LAI of the CS domain.
  • the security authentication method in Embodiment 4 of the present invention is shown in FIG. 7. It differs from Embodiment 3 in that, after receiving the registration request of the UE, the IWF may assume by default that the UE registration succeeds and accept the registration of the UE, as shown in steps 703 and 704. The UE then initiates a location update request to the CS domain, and the MSC performs CS domain authentication of the UE. In this process, if authentication fails (that is, the UE does not pass the authentication), the IWF intercepts the authentication failure response in step 712 and actively initiates step 713 to cancel the registration of the UE on the IWF. On the other hand, if the UE passes the CS domain authentication, the IWF intercepts the authentication success response in step 712, considers that the UE has passed security authentication, and therefore does not actively cancel the UE registration on the IWF.
  • the present invention implements the security authentication of the IWF to the UE when the UE implements the CS domain service by accessing the EPS network, which is beneficial to improving the authentication efficiency of the IWF to the UE and improving the IWF processing signaling capability.
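The joint registration of steps 603 to 613 (Embodiment 3) and the register-first variant of steps 703 to 713 (Embodiment 4), modelled as an added Python example that is not part of the patent. HMAC-SHA256 stands in for the authentication algorithm, which the text does not name, and all class names, the TAI/LAI mapping, the IMSI and the keys are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values; nothing here comes from the patent text.
TAI_TO_LAI = {"tai-0001": "lai-0100"}    # hypothetical TAI -> LAI mapping rule


def auth_algo(key: bytes, rand: bytes) -> bytes:
    """Stand-in for the CS authentication algorithm (assumption: HMAC-SHA256)."""
    return hmac.new(key, rand, hashlib.sha256).digest()[:8]


class UE:
    def __init__(self, imsi, key, tai):
        self.imsi, self.key, self.tai = imsi, key, tai

    def answer(self, rand):
        # Step 610: response computed from the UE's long-term key.
        return auth_algo(self.key, rand)


class HLR:
    def __init__(self, keys):
        self._keys = keys                 # IMSI -> long-term key

    def auth_parameter(self, imsi):
        # Steps 606-607: hand the MSC a challenge and the expected response.
        key = self._keys.get(imsi)
        if key is None:
            return None                   # unknown subscriber
        rand = os.urandom(16)
        return rand, auth_algo(key, rand)


class MSC:
    def __init__(self, hlr):
        self.hlr = hlr

    def location_update(self, imsi, lai, relay):
        """Steps 605-612: challenge the UE through `relay`; True if it passes."""
        param = self.hlr.auth_parameter(imsi)
        if param is None or lai is None:
            return False
        rand, expected = param
        response = relay(rand)            # steps 609 and 611 pass through the IWF
        return hmac.compare_digest(response, expected)


class IWF:
    def __init__(self, msc):
        self.msc = msc
        self.registered = set()

    def register_joint(self, ue):
        """Embodiment 3: the UE is registered only after the MSC reports success."""
        lai = TAI_TO_LAI.get(ue.tai)      # step 604: map TAI to LAI
        ok = self.msc.location_update(ue.imsi, lai, ue.answer)
        if ok:
            self.registered.add(ue.imsi)  # step 613: registration success
        return ok

    def register_provisional(self, ue):
        """Embodiment 4, steps 703-704: accept the registration first."""
        self.registered.add(ue.imsi)
        return True

    def relay_location_update(self, ue):
        """Embodiment 4, steps 712-713: intercept the result, cancel on failure."""
        lai = TAI_TO_LAI.get(ue.tai)
        ok = self.msc.location_update(ue.imsi, lai, ue.answer)
        if not ok:
            self.registered.discard(ue.imsi)
        return ok


def demo():
    imsi = "001010000000001"              # constructed test IMSI
    key = bytes(range(16))                # constructed long-term key
    iwf = IWF(MSC(HLR({imsi: key})))
    genuine = UE(imsi, key, "tai-0001")
    forged = UE(imsi, b"\x00" * 16, "tai-0001")   # same IMSI, wrong key
    results = {"e3_genuine": iwf.register_joint(genuine)}
    iwf.registered.clear()
    results["e3_forged"] = iwf.register_joint(forged)
    results["e3_forged_registered"] = imsi in iwf.registered
    iwf.register_provisional(forged)
    results["e4_window"] = imsi in iwf.registered  # registered, not yet authenticated
    results["e4_forged"] = iwf.relay_location_update(forged)
    results["e4_after"] = imsi in iwf.registered
    return results


if __name__ == "__main__":
    print(demo())
```

The `e4_window` entry marks the interval in Embodiment 4 during which a UE is registered on the IWF before the MSC has authenticated it; Embodiment 3 has no such interval.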

Abstract

A security authentication method includes that an interworking function (IWF) receives a registration request from a user equipment (UE) (301); the IWF performs security authentication on the UE according to authentication parameters or security authentication state for performing security authentication on the UE in an authentication network element (302). The present invention can reduce the complexity for performing security authentication on the UE by the IWF, and improve the efficiency for processing signaling by the IWF.

Description

A security authentication method
Technical field
The present invention relates to security authentication technology in third-generation mobile communication systems, and in particular to a security authentication method for implementing circuit switched (CS) domain services under Evolved Packet System (EPS) access.
Background art
To maintain the competitiveness of the 3rd Generation Partnership Project (3GPP) in the field of mobile communications, 3GPP is currently studying the evolution of the Packet Switched Core (PS Core) and the Universal Mobile Telecommunication System Radio Access Network (UTRAN). The goal is for the Evolved PS Core (EPC) to provide higher transmission rates and shorter transmission delays, and to support mobility management between Evolved UTRAN (E-UTRAN), the GSM EDGE Radio Access Network (GERAN), UTRAN, Wireless Local Area Network (WLAN) and other non-3GPP access networks. Here GSM (Global System for Mobile communications) refers to the Global System for Mobile Communications, and EDGE (Enhanced Data Rate for GSM Evolution) refers to the enhanced data rate GSM evolution technology. This evolved mobile communication system is called the Evolved Packet System (EPS).
FIG. 1 is a network architecture diagram of the prior art in which a user terminal (UE, User Equipment) implements circuit switched (CS, Circuit Switched) services under EPS network access. E-UTRAN can provide higher uplink and downlink rates, lower transmission delay and more reliable wireless transmission; the network element contained in E-UTRAN is the evolved base station (eNodeB, evolved NodeB), which provides radio resources for UE access. The Serving Gateway (S-GW) is a user plane entity responsible for routing user plane data. The Packet Data Network Gateway (P-GW) is responsible for the gateway function by which the UE accesses the Packet Data Network (PDN). The P-GW and the S-GW can be co-located in one physical entity. The Mobility Management Entity (MME) is a control plane entity that temporarily stores user data, manages and stores the UE context, assigns temporary identifiers to users, authenticates users, and so on. GERAN/UTRAN is the radio access network of a GSM/Universal Mobile Telecommunications System (UMTS) network, including the base station and base station controller parts. The Mobile Switching Center (MSC) / Visitor Location Register (VLR) is a CS domain network element.
When the UE accesses through a GSM/UMTS network, the user's basic voice service and the supplementary services based on it are provided through the CS domain. The EPS system itself cannot provide or control CS services such as voice calls; it can only provide bearers for Internet Protocol (IP) data. In the prior art, CS services such as voice for a UE under EPS access are controlled by the CS domain: after the UE accesses the EPS network, the signaling exchanged between the UE and the MSC/VLR for procedures such as location update and call signaling is carried over an IP signaling channel on the EPS network, and the voice media stream is carried over an IP user plane channel on the EPS network.
The network architecture shown in FIG. 1 can be used for the UE to perform CS services such as voice under CS domain control while accessing through the EPS network. This architecture is called CS over PS (CSoPS), that is, CS services established on PS bearers. In this architecture, to avoid modifying and affecting the MSC/VLR, a new interworking function (IWF, Interworking Function) is introduced to carry the relevant changes. On the one hand, the IWF provides an A/IU-CS interface to the MSC/VLR: it converts IP signaling messages received from the UE into A/IU-CS interface messages and sends them to the MSC/VLR, and performs the reverse conversion and sending. On the other hand, the EPS treats the IWF as an application function (AF, Application Function) that performs application service functions on top of the IP layer.
After the UE accesses the EPS network, it interacts with the IWF and the MSC/VLR over the IP signaling channel carried on the EPS network to perform registration, location update, voice call and similar procedures, thereby completing bearer and call establishment. When the UE needs to hand over from the EPS network to a UMTS/GSM network and the MME receives the handover request, for voice service the MME needs to send a handover request message to the UE's current IWF, so that the IWF converts the handover request message and sends it to the MSC/VLR currently controlling the call. The MME currently serving the UE therefore needs to be able to learn which IWF the UE is currently on.
In the prior art, the process by which the UE accesses the CS domain through the EPS network has three main parts: first, the UE accesses the EPS network and creates a bearer for CSoPS; second, the UE initiates registration with the IWF; third, the UE initiates CS domain registration with the MSC. It follows that, while the UE accesses the network through EPS and registers with the CS domain, the network needs to perform security authentication on the UE three times:
1) Access authentication when the UE accesses the EPS network: led by the MME, which authenticates the identity of the UE through non-access stratum (NAS, Non Access Stratum) access control;
2) IP security authentication before the UE registers with the IWF: the UE and the IWF use the IPSec protocol to establish a secure IP connection, to ensure mutual trust between the UE and the IWF;
3) Identity authentication when the UE registers with the CS domain: led by the MSC, which authenticates the identity of the UE through the CS authentication mechanism.
Of these, the access authentication when the UE accesses the EPS network and the identity authentication when the UE registers with the CS domain are both established, mature mechanisms. They share a similar idea: the UE and the network jointly hold a long-term key; the Home Location Register (HLR) / Home Subscriber Server (HSS) in the home network stores the important parameters for authenticating the UE and delivers them to the authentication network element in the network; the authentication network element calculates an authentication challenge for the UE; the UE calculates an authentication response from the challenge; and the authentication network element verifies the correctness of the response, which completes the authentication of the UE.
The security authentication mechanism between the UE and the IWF, by contrast, is an IPSec-based tunnel encryption mechanism. The authentication and encryption parameters that the IWF uses to establish the IPSec tunnel come from an Authentication, Authorization and Accounting (AAA) server. As shown in FIG. 2, the IWF queries the AAA server of the visited network (V-AAA) for the authentication and encryption parameters, the V-AAA queries the AAA server of the home network (H-AAA), and the H-AAA obtains the authentication and encryption parameters from the HSS of the home network.
The IPSec mechanism between the UE and the IWF can ensure the IWF's security authentication of the UE, but in practical applications it has the following defects:
a. With the IPSec tunnel encryption mechanism, the frequent signaling communication between the UE and the IWF greatly increases the complexity of signaling processing on the IWF and reduces its efficiency; it also greatly increases the complexity of the communication procedure on the UE.
b. The IPSec tunnel encryption mechanism requires the IWF to establish an interface with the AAA server in order to obtain parameters such as the long-term key for each UE. As a result, the interface between the IWF and the AAA is used only to pass authentication parameters, yet it requires deploying a complete Diameter protocol stack, which greatly increases the complexity of the IWF.
c. An AAA server is normally used for interworking between mobile communication technologies not defined by 3GPP and those defined by 3GPP. Using the IPSec mechanism between the UE and the IWF forces the CSoPS architecture to introduce an AAA server, which increases the complexity of the overall architecture.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a security authentication method that reduces the complexity of the IWF's security authentication of the UE and improves the efficiency of signaling processing on the IWF.
To achieve the above purpose, the technical solution of the present invention is implemented as follows:
The present invention provides a security authentication method, the method comprising:
an interworking function (IWF) receives a registration request from a user terminal (UE);
the IWF performs security authentication on the UE according to the authentication parameters or the security authentication status, held in an authentication network element, for security authentication of the UE.
The authentication network element is a mobility management entity (MME) in the Evolved Packet System (EPS) network; the IWF obtains from the MME the authentication parameters for security authentication of the UE, and performs security authentication on the UE according to those parameters.
The IWF obtaining the authentication parameters from the MME specifically includes:
the IWF obtains the address of the MME from the registration request of the UE;
the IWF requests the authentication parameters from the MME;
the MME sends the authentication parameters obtained from the Home Subscriber Server (HSS) to the IWF.
Alternatively, the IWF obtaining the authentication parameters from the MME specifically includes:
after the MME obtains the authentication parameters from the HSS, it actively sends them to the IWF.
The authentication parameters for security authentication of the UE are: the authentication parameters with which the EPS network performs access authentication on the UE, and/or the authentication parameters of the CS over PS (CSoPS) service for the UE.
The authentication network element is an MME in the EPS network, and the IWF performing security authentication on the UE according to the MME's security authentication status for the UE specifically includes:
the IWF obtains the address of the MME according to the MME information in the registration request of the UE; the IWF requests the MME to query the authentication status of the UE when it accessed the EPS network; the MME returns to the IWF the authentication status of the UE when it accessed the EPS network;
the IWF verifies, according to the authentication status of the UE when it accessed the EPS network, whether the UE passes security authentication, and returns the security authentication result to the UE.
The authentication network element is an MME in the EPS network, and the IWF performing security authentication on the UE according to the MME's security authentication status for the UE specifically includes:
after the UE has successfully attached to the EPS network, the EPS network has established a bearer for the UE, and the MME has allocated an IWF for the UE, the MME actively sends the authentication status of the UE when it accessed the EPS network to the IWF;
the IWF verifies, according to the authentication status of the UE when it accessed the EPS network, whether the UE passes security authentication, and returns the security authentication result to the UE.
The authentication status of the UE when it accessed the EPS network includes at least one of the following: the security authentication status of the non-access stratum (NAS) authentication of the UE by the EPS network, the status that the EPS network allows the UE to access, and the status that the EPS network has established a bearer for the UE and allocated an Internet Protocol (IP) address.
The authentication network element is a mobile switching center (MSC) in the circuit switched (CS) domain, and the IWF performing security authentication on the UE according to the MSC's security authentication status for the UE specifically includes:
when the IWF receives the registration request of the UE, it initiates the CS domain registration process to the MSC on behalf of the UE, according to the identifier information in the registration request that indicates registration to the CS domain;
the IWF verifies, according to the security authentication status when the UE registers with the CS domain, whether the UE passes security authentication, and returns the security authentication result to the UE.
The authentication network element is an MSC in the CS domain, and the IWF performing security authentication on the UE according to the MSC's security authentication status for the UE specifically includes:
when the IWF receives the registration request of the UE and the request contains no identifier information indicating registration to the CS domain, the IWF initiates the CS domain registration process to the MSC on behalf of the UE according to the policy configuration of the network;
the IWF verifies, according to the security authentication status when the UE registers with the CS domain, whether the UE passes security authentication, and returns the security authentication result to the UE.
The identifier information in the registration request sent by the UE to the IWF that indicates registration to the CS domain is an indication that the UE initiates a location update procedure to the CS domain.
The authentication network element is an MSC in the CS domain, and the IWF performing security authentication on the UE according to the MSC's security authentication status for the UE specifically includes:
after receiving the registration request of the UE, the IWF assumes by default that the UE registration succeeds, and determines whether to cancel the registration of the UE on the IWF according to the MSC's security authentication status for the UE when the UE requests registration to the CS domain.
With the security authentication method provided by the present invention, when the IWF receives a registration request from the UE, it performs security authentication on the UE according to the authentication parameters stored in the home network, using an authentication algorithm similar to the one used when the UE accesses the EPS network or registers with the CS domain; or it performs security authentication on the UE directly according to the security authentication status of the UE when it accessed the EPS network or registered with the CS domain. The invention reduces the frequent signaling communication between the UE and the IWF, reduces the complexity of signaling processing on the IWF and the UE, and improves the efficiency of signaling processing on the IWF. In addition, the architecture of the present invention no longer needs an AAA server, which reduces the complexity of the overall architecture and ultimately reduces the complexity of the IWF's security authentication of the UE.
Description of the drawings
FIG. 1 is a network architecture diagram of the prior art in which the UE implements CS services under EPS network access;
FIG. 2 is a flowchart of the prior art in which the IWF obtains authentication and encryption parameters from the AAA server;
FIG. 3 is a flowchart of a security authentication method of the present invention;
FIG. 4 is a flowchart of the security authentication method according to Embodiment 1 of the present invention;
FIG. 5 is a flowchart of the security authentication method according to Embodiment 2 of the present invention;
FIG. 6 is a flowchart of the security authentication method according to Embodiment 3 of the present invention;
FIG. 7 is a flowchart of the security authentication method according to Embodiment 4 of the present invention.
Detailed description
The technical solutions of the present invention are described in further detail below with reference to the drawings and specific embodiments.
The security authentication method provided by the present invention applies to the IWF's security authentication of the UE when CS domain services are implemented under EPS access. As shown in FIG. 3, the method mainly includes the following steps:
Step 301: The IWF receives a registration request from the UE. Before registering with the IWF, the UE sends a registration request to the IWF.
Step 302: The IWF performs security authentication on the UE according to the authentication parameters or the security authentication status with which an authentication network element performs security authentication on the UE.
The authentication network elements in the present invention include the MME in the EPS network, the MSC in the CS domain, and so on. The authentication network elements of the present invention are of course not limited to the MME and MSC listed above. The IWF may obtain from the MME the authentication parameters for security authentication of the UE, and these may be at least one of the following two kinds:
A. the authentication parameters that the MME itself uses for NAS access authentication of the UE;
B. the CSoPS authentication parameters that the HSS delivers to the MME specifically for the IWF to authenticate the UE.
The IWF may also perform security authentication on the UE according to the MME's security authentication status for the UE, or according to the MSC's security authentication status for the UE.
The embodiment in which the IWF obtains from the MME the authentication parameters for security authentication of the UE and performs security authentication on the UE is shown in FIG. 4 and mainly includes the following steps:
Step 401: The UE requests to attach to the EPS network and requests the EPS network to establish an IP bearer for it; the request is sent to the MME through the E-UTRAN.
The UE may use a specific access point name (APN, Access Point Name) for CSoPS to require the EPS network to establish a bearer dedicated to CSoPS.
Step 402: The MME obtains from the HSS the authentication parameters for security authentication of the UE, and uses them to authenticate the UE.
Because the UE is accessing the EPS network for the first time, the EPS network needs to authenticate the UE, and it does so with the NAS authentication mechanism. After authentication passes, the MME stores the information about the security authentication status of the NAS authentication of the UE.
Note that NAS authentication is normally required, but for certain special users and special applications (such as emergency calls) the NAS authentication process is not necessarily required.
Step 403: Because the UE is accessing the EPS network for the first time, the MME holds no service configuration data for the UE, so the MME sends a location update request to the HSS and requests to download the service configuration data of the UE.
Step 404: The HSS returns a location update response to the MME, carrying the service configuration data of the UE and the authentication parameters for security authentication of the UE.
In the present invention, the authentication parameters that the HSS downloads to the MME must include the authentication parameters with which the EPS network performs access authentication on the UE, and may further include authentication parameters dedicated to the IWF's security authentication of the UE under the CSoPS service. If the home network supports CSoPS and the UE has CSoPS capability, authentication parameters dedicated to CSoPS are configured in the HSS.
Step 405: After receiving the location update response from the HSS, the MME stores the service configuration data of the UE and the authentication parameters for security authentication of the UE, allocates an S-GW/P-GW according to the network conditions and the indication in the service data configuration, and sends a bearer setup request to the allocated S-GW/P-GW.
Step 406: The S-GW/P-GW establishes the corresponding CSoPS bearer for the UE and, once it is established, returns a bearer setup response to the MME, including the IP address allocated for the UE.
Step 407: The MME sends an attach response to the UE, and returns the IP address allocated for the UE to the MME.
When the UE attaches to the EPS network, the EPS network allocates a visited-network IWF to the UE according to the APN for CSoPS provided by the UE, and returns the allocated IWF to the UE in the attach response. The IWF may be given as a specific IWF address or as a fully qualified domain name (FQDN) used to discover the IWF.
Step 408: The UE obtains the address of the visited-network IWF from the EPS network.
It should be noted that if the UE obtains an FQDN for the IWF, the UE may, after attaching to the EPS network, initiate a Domain Name System (DNS) query to obtain a suitable IWF address.
In another procedure by which the UE obtains the address of the visited-network IWF, the UE is configured with the home-network IWF and sends a request to it; the home-network IWF then provides the UE with a suitable visited-network IWF according to the visited network the UE has accessed. If what the UE obtains is the domain name of the visited-network IWF, the UE can obtain the IWF's IP address through the DNS query mechanism.
After obtaining the address of the visited-network IWF, the UE can register with that IWF. The purpose of registration is to enable the IWF to emulate the UE's access to the base station virtualized by the IWF, and to let the IWF obtain the UE's location information in the EPS network and other necessary information.
Step 409: After obtaining the address of the visited-network IWF, the UE sends a registration request to the IWF. The information carried in the request mainly includes: the UE's International Mobile Subscriber Identity (IMSI), the UE's IP address, the location area information (TAI, Tracking Area Identity) of the UE's access to the EPS network, and the address or identification information of the MME to which the UE is attached.
Step 410: From the UE's registration request, the IWF obtains the address of the MME to which the UE is currently attached.
When registering with the IWF, the UE carries the identification information of the MME that it obtained when attaching to the EPS network; the IWF can obtain the MME's specific address by table lookup or through the DNS domain name mechanism.
Step 411: The IWF sends an Sv interface setup request to the MME and queries the MME for the UE's authentication parameters.
The Sv interface links the EPS network (with the MME as its main control core) and the CS network (with the base station emulated by the IWF as its access end) so that the information and control signaling necessary for interworking between the networks can be transmitted.
Step 412: The MME establishes the Sv interface with the IWF and, once it is established, returns a setup success response to the IWF; the response carries the UE's authentication parameters.
It should be noted that if, in step 404 above, the MME obtained from the HSS only the authentication parameters used by the EPS network for access authentication of the UE, the MME returns only those parameters. If in step 404 the MME also obtained the authentication parameters of the CSoPS service for the UE, the MME may choose to return at least one of the two kinds of authentication parameters, or may select the parameters to return according to an indication from the IWF.
Step 413: Using the authentication parameters obtained from the MME, the IWF computes an authentication challenge with the authentication algorithm.
Step 414: The IWF sends an authentication challenge request to the UE.
Step 415: Based on the authentication challenge, the UE uses the authentication algorithm to compute the authentication response in reverse.
Step 416: The UE returns the computed authentication response to the IWF.
Step 417: The IWF verifies whether the authentication response is correct and, once it has verified that it is, sends a registration success response to the UE.
In steps 409 to 412 of the flow shown in FIG. 4, the IWF obtains the MME address from the UE's registration request, takes the initiative to establish the Sv interface with the MME, and queries the MME for the authentication parameters. Another embodiment of the FIG. 4 flow provides a further feasible method: during the attach procedure shown in FIG. 4, after the UE has successfully attached to the EPS network, the EPS network has established the bearer for CSoPS for the UE, and the MME has allocated an IWF to the UE (that is, after step 407), the MME may itself establish the Sv interface with the IWF and send the authentication parameters obtained in step 404 to the IWF over that interface. When the UE subsequently registers with the IWF, the IWF no longer needs to ask the MME to establish the Sv interface and query the authentication parameters; it can perform security authentication on the UE directly with the authentication parameters the MME sent earlier.
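The parameter-based flow of FIG. 4 (steps 403 to 417) and its push variant can be modelled as follows. This is an added illustration, not code from the patent: the patent leaves the authentication algorithm and the parameter format open, so HMAC-SHA256 and a (RAND, XRES) pair stand in for them, and every class, method and identifier name is hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def f_res(long_term_key: bytes, rand: bytes) -> bytes:
    """Stand-in authentication algorithm (assumption): HMAC-SHA256(K, RAND)."""
    return hmac.new(long_term_key, rand, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuthParams:
    kind: str    # "EPS" (access authentication) or "CSoPS" (dedicated)
    rand: bytes  # challenge the IWF will send to the UE
    xres: bytes  # response the network expects


class HSS:
    def __init__(self, subscribers: dict):
        self._subs = subscribers  # imsi -> (long-term key, CSoPS provisioned?)

    def location_update(self, imsi: str) -> dict:
        """Step 404: EPS parameters always, CSoPS ones only if provisioned."""
        key, csops = self._subs[imsi]
        out = {}
        for kind in (["EPS", "CSoPS"] if csops else ["EPS"]):
            rand = secrets.token_bytes(16)
            out[kind] = AuthParams(kind, rand, f_res(key, rand))
        return out


class MME:
    def __init__(self, hss: HSS):
        self._hss = hss
        self._params = {}  # imsi -> {kind: AuthParams}

    def attach(self, imsi: str) -> None:
        """Steps 403-405: download and store the UE's parameters."""
        self._params[imsi] = self._hss.location_update(imsi)

    def sv_query(self, imsi: str, wanted=None) -> dict:
        """Step 412: return stored parameters, filtered if the IWF asks."""
        stored = self._params.get(imsi, {})
        return {k: v for k, v in stored.items() if wanted is None or k in wanted}

    def sv_push(self, imsi: str, iwf: "IWF") -> None:
        """Alternative embodiment: the MME sends the parameters unprompted."""
        iwf.pushed[imsi] = self.sv_query(imsi)


class UE:
    def __init__(self, imsi: str, long_term_key: bytes):
        self.imsi, self._key = imsi, long_term_key

    def answer(self, rand: bytes) -> bytes:
        """Step 415: compute the authentication response."""
        return f_res(self._key, rand)


class IWF:
    def __init__(self, mme_table: dict):
        self._mmes = mme_table  # MME identifier -> MME (step 410 table lookup)
        self.pushed = {}        # imsi -> parameters received unprompted
        self.sv_queries = 0

    def register(self, ue: UE, mme_id: str):
        """Steps 409-417. Returns (accepted, kind of parameters used)."""
        params = self.pushed.get(ue.imsi)
        if params is None:
            mme = self._mmes.get(mme_id)
            if mme is None:
                return (False, None)   # unknown MME: nothing to verify against
            self.sv_queries += 1       # steps 411-412 over the Sv interface
            params = mme.sv_query(ue.imsi)
        # Prefer the dedicated CSoPS parameters when the MME holds them.
        chosen = params.get("CSoPS") or params.get("EPS")
        if chosen is None:
            return (False, None)       # the MME has no record of this UE
        res = ue.answer(chosen.rand)   # steps 414-416
        return (hmac.compare_digest(res, chosen.xres), chosen.kind)  # step 417
```

The model keeps one parameter set per kind for brevity; it does not address how often a stored set may be reused.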
An embodiment in which the IWF performs security authentication on the UE according to the MME's security authentication state for the UE is shown in FIG. 5 and mainly includes the following steps:
Step 501: The UE attaches to the EPS network and passes NAS authentication; the EPS network establishes a bearer for the UE, and the UE obtains its allocated IP address.
The operations of this step are similar to those of steps 401 to 407 in the flow shown in FIG. 4 and are not repeated here.
Step 502: The UE obtains the address of the visited-network IWF from the EPS network.
Step 503: The UE sends a registration request to the IWF. The information carried in the request mainly includes: the UE's IMSI, the UE's IP address, the TAI of the UE's access to the EPS network, and the address or identification information of the MME to which the UE is attached.
Step 504: The IWF obtains the address of the MME to which the UE is attached.
Because the UE has never registered with this IWF, after obtaining the IMSI, IP address and other information from the UE's registration request, the IWF needs to verify whether the UE is legitimate. The IWF can check, from the UE state information held by the MME, whether the UE has been authenticated by the EPS network.
Step 505: The IWF sends an Sv interface setup request to the MME and queries the MME for the UE's authentication state.
The IWF asks the MME to verify the UE's authentication state by providing the MME with the UE's IMSI, IP address and other information.
Step 506: The MME establishes the Sv interface with the IWF and, once it is established, returns a setup success response to the IWF; the response carries the UE's authentication state.
If the UE has authenticated successfully at the MME, the MME stores the UE's complete context data, which records the UE's IMSI, IP address and other information. Using the IMSI, IP address and other information provided by the IWF, the MME checks whether its stored context data contains the corresponding IMSI, IP address and other information. If it does, the UE is considered to have passed the EPS network's access authentication, and the MME returns the UE's authentication state to the IWF, that is, information indicating that the UE has passed the EPS network's access authentication. Conversely, if the MME holds no IMSI, IP address or other such parameters corresponding to the UE, the UE is considered not to have passed EPS access authentication, and the MME uses the information to indicate that the UE has not passed the EPS network's access authentication.
It should be noted that the authentication state of the UE's access to the EPS network includes at least one of the following states:
a. the security authentication state of the NAS authentication performed on the UE by the EPS network (if the EPS network performed the NAS authentication procedure on the UE);
b. the state in which the EPS network allows the UE to access;
c. the state in which the EPS network has established a bearer for the UE and allocated an Internet Protocol (IP) address.
Step 507: After obtaining from the MME the authentication state of the UE's access to the EPS network, the IWF sends a registration success response to the UE if it confirms that the UE has passed the EPS network's access authentication; otherwise it rejects the UE's registration.
In the flow shown in FIG. 5, the IWF takes the initiative to establish the Sv interface with the MME and queries the MME for the UE's authentication state over that interface. Another embodiment of the FIG. 5 flow provides a further feasible method: after the UE has successfully attached to the EPS network, the EPS network has established the bearer for CSoPS for the UE, and the MME has allocated an IWF to the UE, the MME may itself establish the Sv interface with the IWF and send the UE's authentication state to the IWF over that interface. When the UE subsequently registers with the IWF, the IWF does not need to ask the MME to establish the Sv interface and query the UE's authentication state; it can determine whether the UE has passed the EPS network's access authentication directly from the authentication state the MME sent earlier.
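The state-based decision of FIG. 5 (steps 503 to 507) and its push variant can be modelled as follows. This is an added illustration, not code from the patent: all names are hypothetical, the sample identities and addresses are constructed, and the optional `required` policy (which states the IWF insists on) is an assumption added to show the effect of state a being absent when NAS authentication was skipped.

```python
from dataclasses import dataclass
from enum import Flag, auto


class AuthState(Flag):
    NONE = 0
    NAS_AUTHENTICATED = auto()  # state a: NAS authentication performed and passed
    ACCESS_ALLOWED = auto()     # state b: the EPS network allows the UE to access
    BEARER_WITH_IP = auto()     # state c: bearer established, IP address allocated


@dataclass(frozen=True)
class RegistrationRequest:      # contents of the step 503 request
    imsi: str
    ip: str
    tai: str
    mme_id: str


class MME:
    def __init__(self):
        self._contexts = {}     # imsi -> (ip, AuthState), written at attach time

    def attach(self, imsi: str, ip: str, state: AuthState) -> None:
        self._contexts[imsi] = (ip, state)

    def query_state(self, imsi: str, ip: str) -> AuthState:
        """Step 506: a stored context must match both the IMSI and the IP."""
        ctx = self._contexts.get(imsi)
        if ctx is None or ctx[0] != ip:
            return AuthState.NONE
        return ctx[1]

    def push_state(self, imsi: str, iwf: "IWF") -> None:
        """Alternative embodiment: the MME sends the state unprompted."""
        ip, state = self._contexts[imsi]
        iwf.pushed[(imsi, ip)] = state


class IWF:
    def __init__(self, mme_table: dict, required: AuthState = AuthState.NONE):
        self._mmes = mme_table     # MME identifier -> MME (step 504 lookup)
        self._required = required  # assumption: states the operator insists on
        self.pushed = {}           # (imsi, ip) -> AuthState received unprompted
        self.sv_queries = 0

    def register(self, req: RegistrationRequest) -> bool:
        """Steps 504-507: accept only a UE the MME vouches for."""
        state = self.pushed.get((req.imsi, req.ip))
        if state is None:
            mme = self._mmes.get(req.mme_id)
            if mme is None:
                return False       # no MME to ask, so no basis for trust
            self.sv_queries += 1   # steps 505-506 over the Sv interface
            state = mme.query_state(req.imsi, req.ip)
        if state == AuthState.NONE:
            return False           # no matching context: reject (step 507)
        return (state & self._required) == self._required
```

A request that reuses a known IMSI with a different IP address is rejected, because the MME's context lookup requires both values to match.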
An embodiment in which the IWF performs security authentication on the UE according to the MSC's security authentication state for the UE is shown in FIG. 6 and mainly includes the following steps:
Step 601: The UE attaches to the EPS network and passes NAS authentication; the EPS network establishes a bearer for the UE, and the UE obtains its allocated IP address.
The operations of this step are similar to those of steps 401 to 407 in the flow shown in FIG. 4 and are not repeated here.
Step 602: The UE obtains the address of the visited-network IWF from the EPS network.
Step 603: The UE sends a registration request to the IWF. The information carried in the request mainly includes: the UE's IMSI, the UE's IP address, the TAI of the UE's access to the EPS network, and the address or identification information of the MME to which the UE is attached.
In the registration request, the UE may carry identification information indicating that registration with the CS domain is to be initiated, stating that the UE wishes to register with the CS network. This identification information may be identification information for initiating a location update procedure toward the CS domain, stating that the UE wishes to register with the CS network through the CS domain location update procedure. A registration request that the UE thus addresses to both the IWF and the CS domain constitutes a joint registration request.
Step 604: After receiving the UE's registration request, the IWF obtains from it the UE's IMSI, the UE's IP address, the TAI of the UE's access to the EPS network, the address or identifier of the MME to which the UE is attached, and other information, and determines from the identification information in the request indicating registration with the CS domain that the UE needs to initiate a registration procedure toward the CS domain.
It should be noted that if the UE carries the TAI of the EPS network in the registration request, the IWF can convert the TAI into CS domain location information (LAI, Location Area Identity) through a given mapping rule; if the UE carries an LAI in the joint registration request, the IWF can use that LAI directly.
Step 605: The IWF sends a CS domain location update request to the MSC on the UE's behalf; the request carries the LAI.
Step 606: The MSC sends a location update request to the HLR and requests download of the UE's service configuration data.
Because the UE is not registered with this MSC, the MSC needs to obtain authentication parameters from the HLR in order to authenticate the UE.
Step 607: After receiving the location update request sent by the MSC, the HLR returns a location update response to the MSC; the response carries the UE's service configuration data and the authentication parameters for performing security authentication on the UE.
Step 608: Using the authentication parameters returned by the HLR, the MSC computes an authentication challenge with the authentication algorithm.
Step 609: The MSC sends an authentication challenge request to the UE through the IWF.
Step 610: The UE computes the authentication response with the authentication algorithm, using the long-term key it stores.
The long-term key stored in the UE is identical to the long-term key stored in the HLR/HSS.
Step 611: The UE returns the authentication response to the MSC through the IWF.
Step 612: After receiving the authentication response, the MSC verifies whether it is correct in order to determine whether the UE is a legitimate user and, having determined that it is, sends a location update response to the IWF. This location update response is the security authentication state of the UE's registration with the CS domain.
Step 613: After receiving the location update response sent by the MSC, the IWF sends a registration success response to the UE.
Because the IWF initiated the CS domain location update on the UE's behalf, it needs to send a registration success response to the UE after receiving the MSC's location update response.
Also, in the flow shown in FIG. 6, the IWF receives the UE's registration request and, according to the identification information in the request indicating registration with the CS domain, initiates a location update toward the CS domain on the UE's behalf so that the UE is registered with the CS domain. Another embodiment of the FIG. 6 flow provides a further feasible method: if the registration request sent by the UE does not carry identification information indicating registration with the CS domain, the IWF may, after receiving the request and according to the network's policy configuration, take the initiative to send a CS domain location update request to the MSC on the UE's behalf and rely on the MSC's CS authentication of the UE to complete the MSC's security authentication of the UE. The IWF thereby considers the UE secure and trustworthy toward the IWF and on that basis accepts the UE's registration request. In this procedure the IWF likewise needs to map the TAI of the EPS network to the LAI of the CS domain.
Furthermore, as another implementation of Embodiment 3 of the present invention, the security authentication method of Embodiment 4 is shown in FIG. 7. It differs from Embodiment 3 in that, after receiving the UE's registration request, the IWF may assume by default that the UE's registration succeeds and accept the registration, as shown in steps 703 and 704. The UE then sends a location update request to the CS domain, and the MSC performs CS domain authentication on the UE. If authentication fails during this procedure (that is, the UE does not pass authentication), the IWF intercepts the authentication failure response in step 712 and takes the initiative to perform step 713 to cancel the UE's registration on the IWF. If, on the other hand, the UE passes CS domain authentication, the IWF can intercept the authentication success response in step 712, thereby learning that the UE has passed security authentication, and so does not cancel the UE's registration on the IWF.
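The difference between FIG. 6 (register only after the MSC has authenticated the UE) and FIG. 7 (register first, cancel when a failure response is intercepted) can be modelled as follows. This is an added illustration, not code from the patent: HMAC-SHA256 stands in for the unspecified authentication algorithm, the HLR is folded into the MSC as a key table, the "provisional"/"confirmed" labels and all names are hypothetical, and rejecting a request that has neither the CS indicator nor a policy setting is an assumption.

```python
import hashlib
import hmac
import secrets


def f_res(key: bytes, rand: bytes) -> bytes:
    """Stand-in authentication algorithm (assumption): HMAC-SHA256(K, RAND)."""
    return hmac.new(key, rand, hashlib.sha256).digest()


class UE:
    def __init__(self, imsi: str, long_term_key: bytes):
        self.imsi, self._key = imsi, long_term_key

    def answer(self, rand: bytes) -> bytes:
        """Step 610: response computed from the stored long-term key."""
        return f_res(self._key, rand)


class MSC:
    """CS-domain authenticator; HLR modelled as a constructed key table."""

    def __init__(self, hlr_keys: dict):
        self._keys = hlr_keys   # imsi -> long-term key
        self._pending = {}      # imsi -> expected response

    def location_update(self, imsi: str, lai: str):
        """Steps 605-608: return a challenge, or None for an unknown subscriber."""
        key = self._keys.get(imsi)
        if key is None:
            return None
        rand = secrets.token_bytes(16)
        self._pending[imsi] = f_res(key, rand)
        return rand

    def verify(self, imsi: str, res: bytes) -> bool:
        """Step 612: check the response; the result is the location update answer."""
        xres = self._pending.pop(imsi, None)
        return xres is not None and hmac.compare_digest(res, xres)


class IWF:
    def __init__(self, msc, tai_to_lai, provisional=False, proxy_by_policy=False):
        self._msc = msc
        self._tai_to_lai = tai_to_lai            # TAI -> LAI mapping rule
        self._provisional = provisional          # True selects the FIG. 7 behaviour
        self._proxy_by_policy = proxy_by_policy  # FIG. 6 variant without indicator
        self.registered = {}                     # imsi -> "provisional" | "confirmed"

    def _cs_authenticate(self, ue: UE, tai: str) -> bool:
        lai = self._tai_to_lai.get(tai)
        if lai is None:
            return False                         # no LAI to put in the request
        rand = self._msc.location_update(ue.imsi, lai)
        if rand is None:
            return False
        res = ue.answer(rand)                    # challenge and response relayed
        return self._msc.verify(ue.imsi, res)    # result seen by the IWF

    def register(self, ue: UE, tai: str, cs_indicator: bool = True) -> bool:
        if self._provisional:                    # FIG. 7: accept before any proof
            self.registered[ue.imsi] = "provisional"
            return True
        if not (cs_indicator or self._proxy_by_policy):
            return False                         # assumption: nothing to rely on
        ok = self._cs_authenticate(ue, tai)      # FIG. 6: proxy the location update
        if ok:
            self.registered[ue.imsi] = "confirmed"
        return ok

    def on_cs_location_update(self, ue: UE, tai: str) -> bool:
        """FIG. 7: relay, intercept the result (712), cancel on failure (713)."""
        ok = self._cs_authenticate(ue, tai)
        if ue.imsi in self.registered:
            if ok:
                self.registered[ue.imsi] = "confirmed"
            else:
                del self.registered[ue.imsi]
        return ok
```

In the FIG. 7 mode a UE holding the wrong key is registered until the failure response is intercepted, which is the interval an operator would want to keep short and monitor.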
In summary, the present invention provides security authentication of the UE by the IWF when the UE implements CS domain services by accessing the EPS network, which helps improve the efficiency with which the IWF authenticates the UE and the IWF's capacity to process signaling.
The above describes only preferred embodiments of the present invention and is not intended to limit its scope of protection.

Claims

1. A security authentication method, characterized in that the method comprises:
an interworking network element (IWF) receiving a registration request from a user terminal (UE);
the IWF performing security authentication on the UE according to authentication parameters, or a security authentication state, held in an authentication network element for security authentication of the UE.
2. The security authentication method according to claim 1, characterized in that the authentication network element is a mobility management entity (MME) in a packet domain system (EPS) network, and the IWF obtains from the MME the authentication parameters for performing security authentication on the UE and performs security authentication on the UE according to those authentication parameters.
3. The security authentication method according to claim 2, characterized in that the IWF obtaining the authentication parameters from the MME specifically comprises:
the IWF obtaining the address of the MME from the UE's registration request;
the IWF requesting the authentication parameters from the MME;
the MME sending the authentication parameters obtained from a home subscriber server (HSS) to the IWF.
4. The security authentication method according to claim 2, characterized in that the IWF obtaining the authentication parameters from the MME specifically comprises:
the MME, after obtaining the authentication parameters from the HSS, sending the authentication parameters to the IWF on its own initiative.
5. The security authentication method according to claim 1, 2, 3 or 4, characterized in that the authentication parameters for performing security authentication on the UE are: the authentication parameters with which the EPS network performs access authentication on the UE, and/or the authentication parameters of the circuit switched over packet switched bearer (CSoPS) service for the UE.
6. The security authentication method according to claim 1, characterized in that the authentication network element is an MME in an EPS network, and the IWF performing security authentication on the UE according to the MME's security authentication state for the UE specifically comprises:
the IWF obtaining the address of the MME from the MME information in the UE's registration request;
the IWF requesting the MME to look up the authentication state of the UE's access to the EPS network;
the MME returning to the IWF the authentication state of the UE's access to the EPS network;
the IWF verifying, according to the authentication state of the UE's access to the EPS network, whether the UE passes security authentication, and returning the security authentication result to the UE.
7. The security authentication method according to claim 1, characterized in that the authentication network element is an MME in an EPS network, and the IWF performing security authentication on the UE according to the MME's security authentication state for the UE specifically comprises:
after the UE has successfully attached to the EPS network, the EPS network has established a bearer for the UE, and the MME has allocated an IWF to the UE, the MME sending the authentication state of the UE's access to the EPS network to the IWF on its own initiative;
the IWF verifying, according to the authentication state of the UE's access to the EPS network, whether the UE passes security authentication, and returning the security authentication result to the UE.
8. The security authentication method according to claim 6 or 7, characterized in that the authentication state of the UE's access to the EPS network includes at least one of the following states: the security authentication state of the non-access stratum (NAS) authentication performed on the UE by the EPS network, the state in which the EPS network allows the UE to access, and the state in which the EPS network has established a bearer for the UE and allocated an Internet Protocol (IP) address.
9. The security authentication method according to claim 1, characterized in that the authentication network element is a mobile switching center (MSC) in the circuit switched (CS) domain, and the IWF performing security authentication on the UE according to the MSC's security authentication state for the UE specifically comprises:
the IWF, on receiving the UE's registration request, initiating a CS domain registration procedure toward the MSC on the UE's behalf according to the identification information in the registration request indicating registration with the CS domain;
the IWF verifying, according to the security authentication state of the UE's registration with the CS domain, whether the UE passes security authentication, and returning the security authentication result to the UE.
10. The security authentication method according to claim 1, characterized in that the authentication network element is an MSC in the CS domain, and the IWF performing security authentication on the UE according to the MSC's security authentication state for the UE specifically comprises:
the IWF, on receiving a registration request from the UE that contains no identification information indicating registration with the CS domain, initiating a CS domain registration procedure toward the MSC on the UE's behalf according to the network's policy configuration;
the IWF verifying, according to the security authentication state of the UE's registration with the CS domain, whether the UE passes security authentication, and returning the security authentication result to the UE.
11. The security authentication method according to claim 9 or 10, characterized in that the identification information, in the registration request sent by the UE to the IWF, indicating registration with the CS domain is an indication that the UE initiates a location update procedure toward the CS domain.
12. The security authentication method according to claim 1, characterized in that the authentication network element is an MSC in the CS domain, and the IWF performing security authentication on the UE according to the MSC's security authentication state for the UE specifically comprises:
the IWF, after receiving the UE's registration request, assuming by default that the UE's registration succeeds, and determining whether to cancel the UE's registration on the IWF according to the MSC's security authentication state for the UE when the UE requests registration with the CS domain.
PCT/CN2009/075968 2009-02-16 2009-12-24 Security authentication method WO2010091589A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910009065.1A CN101808321B (en) 2009-02-16 2009-02-16 Security authentication method
CN200910009065.1 2009-02-16

Publications (1)

Publication Number Publication Date
WO2010091589A1 true WO2010091589A1 (en) 2010-08-19

Family

ID=42561390

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/075968 WO2010091589A1 (en) 2009-02-16 2009-12-24 Security authentication method

Country Status (2)

Country Link
CN (1) CN101808321B (en)
WO (1) WO2010091589A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102572756B (en) * 2010-12-30 2016-04-13 中兴通讯股份有限公司 The processing method of voice call fallback, Apparatus and system
WO2015196415A1 (en) * 2014-06-26 2015-12-30 华为技术有限公司 Data secure transmission method and device
CN107770770A (en) * 2016-08-16 2018-03-06 电信科学技术研究院 A kind of access authentication method, UE and access device
CN109756896B (en) * 2017-11-02 2022-04-29 中国移动通信有限公司研究院 Information processing method, network equipment and computer readable storage medium
CN110278556B (en) * 2018-03-13 2021-11-12 中兴通讯股份有限公司 Security authentication policy determination method, device and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1672368A (en) * 2002-06-20 2005-09-21 高通股份有限公司 Inter-working function for a communication system
WO2008038949A1 (en) * 2006-09-28 2008-04-03 Samsung Electronics Co., Ltd. A system and method of providing user equipment initiated and assisted backward handover in heterogeneous wireless networks
CN101217809A (en) * 2008-01-18 2008-07-09 中兴通讯股份有限公司 A method for user log-in within different network protocols
CN101222768A (en) * 2008-01-31 2008-07-16 中兴通讯股份有限公司 Method for user's set acquiring access point name, grouping domain system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6606491B1 (en) * 1998-06-26 2003-08-12 Telefonaktiebolaget Lm Ericsson (Publ) Subscriber validation method in cellular communication system
EP2009866A1 (en) * 2007-06-26 2008-12-31 France Télécom Apparatuses and method for communicating a request for an internet protocol address to the visited serving gateway
CN101227677B (en) * 2008-02-05 2011-06-22 中兴通讯股份有限公司 Single wireless channel voice business continuity field switching method

Also Published As

Publication number Publication date
CN101808321A (en) 2010-08-18
CN101808321B (en) 2014-03-12

Similar Documents

Publication Publication Date Title
US20220225263A1 (en) Interworking function using untrusted network
US10021566B2 (en) Non-mobile authentication for mobile network gateway connectivity
JP4669002B2 (en) Fast context establishment for interworking in heterogeneous networks
US9167430B2 (en) Access method and system, and mobile intelligent access point
JP5972290B2 (en) Mobile router in EPS
WO2008131689A1 (en) Method and system for realizing an emergency communication service and corresponding apparatuses thereof
WO2014056445A1 (en) Method, system, and controller for routing forwarding
WO2016155012A1 (en) Access method in wireless communication network, related device and system
WO2011023052A1 (en) Handover method and handover apparatus
JP6063564B2 (en) Method, apparatus and system for accessing a mobile network
WO2009000124A1 (en) A method for selecting the gateway in the wireless network
WO2005039110A1 (en) A method of analyzing the accessing process of the selected service in the wireless local area network
WO2011026392A1 (en) Method and system for acquiring route strategies
WO2010015188A1 (en) Method, device and system for accessing mobile core network of access points
WO2013131461A1 (en) Method and device for accessing user equipment to fusion control network element
WO2009046598A1 (en) A method for establishing a dedicated bearer for a user terminal
CN111726228A (en) Configuring liveness check using internet key exchange messages
WO2012126302A1 (en) Method and system supporting simultaneous communication for dual-mode, dual-standby terminal
WO2011011945A1 (en) Message-sending method and serving gprs support node
WO2012130133A1 (en) Access point and terminal access method
WO2013016967A1 (en) Access method, system and mobile intelligent access point
WO2010091589A1 (en) Security authentication method
WO2016180179A1 (en) Method for acquiring location of terminal in wi-fi network, terminal, lte communication device, and system
WO2014022974A1 (en) Method, device, and system for data transmission
WO2011017990A1 (en) Method and system for implementing fast handover for terminal

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09839912

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09839912

Country of ref document: EP

Kind code of ref document: A1