WO2010091589A1 - Security authentication method - Google Patents

Security authentication method

Info

Publication number
WO2010091589A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
iwf
security authentication
mme
network
Prior art date
Application number
PCT/CN2009/075968
Other languages
English (en)
Chinese (zh)
Inventor
李志军
宗在峰
郝振武
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates to security authentication technology in third generation mobile communication systems, and more particularly to a security authentication method for implementing circuit switched (CS) domain services under evolved packet system (EPS) access.
  • CS circuit switched
  • 3GPP 3rd Generation Partnership Project
  • PS Core Packet Switched Core
  • UTRAN Universal Mobile Telecommunication System Radio Access Network
  • EPC Evolved PS Core
  • GSM EDGE GSM EDGE radio access.
  • GERAN GSM EDGE Radio Access Network
  • WLAN Wireless Local Area Network
  • GSM Global System for Mobile communications
  • EDGE Enhanced Data Rate for GSM Evolution
  • EPS Evolved Packet System
  • FIG. 1 is a network architecture diagram of a prior art user terminal (UE, User Equipment) implementing a circuit switched (CS) service under EPS network access.
  • E-UTRAN can provide higher uplink and downlink rates, lower transmission delay and more reliable wireless transmission; the network elements included in E-UTRAN are evolved base stations (eNodeBs, evolved NodeBs), used to provide radio resources for UE access.
  • the Serving Gateway (S-GW) is a user plane entity responsible for routing user plane data.
  • the Packet Data Network Gateway (P-GW) is responsible for the gateway function of the UE accessing the Packet Data Network (PDN).
  • PDN Packet Data Network
  • the P-GW and the S-GW can be combined in one physical entity.
  • the Mobility Management Entity is a control plane entity that temporarily stores user data, manages and stores the UE context, assigns temporary identifiers to users, and authenticates users.
  • GERAN/UTRAN is a radio access network of a GSM/Universal Mobile Telecommunications System (UMTS) network, including a base station and a base station controller portion.
  • the Mobile Switching Center (MSC) / Visitor Location Register (VLR) belongs to the CS domain network element.
  • the basic voice service of the user and the supplementary service based on the voice service are provided through the CS domain.
  • the EPS system itself does not provide or control CS services such as voice calls, and can only provide bearers for Internet Protocol (IP) data.
  • IP Internet Protocol
  • CS services such as voice for a UE under EPS access are implemented by the CS domain.
  • the interaction signaling between the UE and the MSC/VLR, such as location update and call signaling, is transmitted through the IP signaling channel carried on the EPS network, and the voice media stream is transmitted through the IP user plane channel carried on the EPS network.
  • the network architecture shown in FIG. 1 can be used to implement the UE to perform CS services such as voice through CS domain control under the EPS network access.
  • the network architecture is called CS service establishment on the PS bearer (CSoPS, CS over PS).
  • CSoPS CS service established over a PS bearer (CS over PS)
  • IWF Interworking Function
  • the IWF provides an A/Iu-CS interface towards the MSC/VLR, converts the IP signaling messages received from the UE into A/Iu-CS interface messages and sends them to the MSC/VLR, and performs the reverse conversion.
  • the EPS treats the IWF as an application function point (AF, Application Function), and performs application service functions based on the IP layer.
  • the UE interacts with the IWF and the MSC/VLR through the IP signaling channel carried on the EPS network to perform procedures such as registration, location update and voice call, thereby completing bearer establishment and call setup.
  • when the UE needs to hand over from the EPS network to the UMTS/GSM network during a voice service, the MME receives the handover request
  • the MME needs to send a handover request message to the IWF currently serving the UE, so that the IWF converts the handover request message and sends it to the MSC/VLR currently controlling the call; therefore the MME where the UE is currently located needs to be able to know the IWF where the UE is currently located.
  • the process of the UE accessing the CS domain through the EPS network in the prior art includes three main parts: 1. the UE accesses the EPS network and creates a bearer for CSoPS; 2. the UE initiates registration with the IWF; 3. the UE initiates registration with the CS domain to the MSC. It can be seen that the network needs to perform security authentication on the UE three times when the UE accesses the network through the EPS and registers with the CS domain, including:
  • access authentication when the UE accesses the EPS network: it is executed by the MME, which authenticates the UE through non-access stratum (NAS) access control;
  • NAS Non Access Stratum
  • IP security authentication before the UE registers with the IWF: the IPSec protocol is used between the UE and the IWF to establish a secure IP connection and ensure mutual trust between the UE and the IWF;
  • the access authentication when the UE accesses the EPS network and the identity authentication when the UE registers with the CS domain are both established, mature mechanisms. These mechanisms share a similar idea: the UE and the network jointly hold a long-term key, and the Home Location Register (HLR) or Home Subscriber Server (HSS) in the home network stores the UE's long-term key.
  • the important authentication parameters are sent to the authentication network element in the network; the authentication network element calculates an authentication challenge for the UE, the UE calculates an authentication response from the authentication challenge, and the authentication network element verifies the correctness of the authentication response, which authenticates the UE.
  • the security authentication mechanism between the UE and the IWF uses an IPSec-based tunnel encryption mechanism.
  • the authentication and encryption parameters used by the IWF to establish an IPSec tunnel are obtained from an Authentication, Authorization and Accounting (AAA) server.
  • AAA Authentication Authorization Accounting
  • the IWF queries the AAA server (V-AAA) of the visited network for authentication and encryption parameters
  • the V-AAA queries the AAA server (H-AAA) of the home network for authentication and encryption parameters
  • the H-AAA obtains the authentication and encryption parameters from the HSS of the home network.
  • the IPSec mechanism between the UE and the IWF can ensure the security authentication of the IWF to the UE.
  • the IPSec tunnel encryption mechanism greatly increases the complexity of the IWF's signaling processing and reduces the efficiency of processing the frequent signaling communication between the UE and the IWF. Moreover, it greatly increases the complexity of the communication procedure for the UE.
  • because the IPSec tunnel encryption mechanism is adopted, the IWF needs to establish an interface with the AAA server to obtain parameters such as the long-term key of each UE. Although the interface between the IWF and the AAA is used only to transmit authentication parameters, a complete Diameter protocol stack must be deployed, which greatly increases the complexity of the IWF.
  • the AAA server is usually used for interworking between mobile communication technologies defined outside 3GPP and those defined by 3GPP; using the IPSec mechanism between the UE and the IWF forces the AAA server to be introduced into the CSoPS architecture, thereby increasing the complexity of the overall architecture.
  • the main purpose of the present invention is to provide a security authentication method, which is to reduce the complexity of implementing the security authentication of the UE by the IWF, and improve the efficiency of the IWF processing signaling.
  • the invention provides a security authentication method, the method comprising:
  • an Interworking Function (IWF) receives a registration request from a user terminal (UE);
  • the IWF performs security authentication on the UE according to an authentication parameter or security authentication status that an authentication network element holds for the UE.
  • the authentication network element is a mobility management entity (MME) in an evolved packet system (EPS) network, and the IWF obtains the authentication parameter for performing security authentication on the UE from the MME and performs security authentication on the UE according to that authentication parameter.
  • MME mobility management entity
  • the IWF obtains the authentication parameter from the MME, and specifically includes:
  • the IWF requests the authentication parameter from the MME
  • the MME sends an authentication parameter obtained from a Home Subscriber Server (HSS) to the IWF.
  • HSS Home Subscriber Server
  • the IWF obtains the authentication parameter from the MME, and specifically includes:
  • after the MME obtains the authentication parameter from the HSS, the MME actively sends the authentication parameter to the IWF.
  • the authentication parameter for performing security authentication on the UE is: the authentication parameter used by the EPS network for access authentication of the UE, and/or the authentication parameter used for the CS service established on a packet switched bearer (CSoPS) to authenticate the UE.
  • the authentication network element is an MME in the EPS network, and the IWF performs security authentication on the UE according to the security authentication status of the UE by the MME, and specifically includes:
  • the IWF obtains the address of the MME according to the MME information in the registration request of the UE; the IWF requests the MME to query the authentication status of the UE when it accessed the EPS network; and the MME returns to the IWF the authentication status of the UE when it accessed the EPS network;
  • the IWF verifies whether the UE passes the security authentication according to the authentication status when the UE accesses the EPS network, and returns a security authentication result to the UE.
  • the authentication network element is an MME in the EPS network, and the IWF performs security authentication on the UE according to the security authentication status of the UE by the MME, and specifically includes:
  • after the UE successfully attaches to the EPS network, the EPS network establishes a bearer for the UE, and after the MME allocates an IWF to the UE, the MME actively sends the authentication status of the UE when accessing the EPS network to the IWF;
  • the IWF verifies whether the UE passes the security authentication according to the authentication status when the UE accesses the EPS network, and returns a security authentication result to the UE.
  • the authentication status of the UE when accessing the EPS network includes at least one of the following states: the security authentication status of the non-access stratum (NAS) authentication performed by the EPS network, a state in which the EPS network allows the UE to access, and a state in which the EPS network has established a bearer for the UE and assigned it an Internet Protocol (IP) address.
  • the authentication network element is a mobile switching center (MSC) in the circuit switched (CS) domain, and the IWF performs security authentication on the UE according to the security authentication status of the UE held by the MSC, and specifically includes: the IWF receives the registration request of the UE and, according to the identifier information in the registration request indicating registration to the CS domain, initiates a CS domain registration process to the MSC on behalf of the UE;
  • MSC mobile switching center
  • the IWF verifies whether the UE passes the security authentication according to the security authentication status when the UE initiates registration with the CS domain, and returns a security authentication result to the UE.
  • the authentication network element is an MSC in the CS domain, and the IWF performs security authentication on the UE according to the security authentication status of the UE by the MSC, and specifically includes:
  • when the IWF receives the registration request of the UE and the registration request does not carry the identifier information for initiating registration to the CS domain, the IWF performs the CS domain registration process to the MSC on behalf of the UE according to the policy configuration of the network;
  • the IWF verifies whether the UE passes the security authentication according to the security authentication status when the UE initiates registration with the CS domain, and returns a security authentication result to the UE.
  • the identifier information used by the UE to initiate registration to the CS domain in the registration request sent by the UE to the IWF is an indication that the UE initiates a location update procedure to the CS domain.
  • the authentication network element is an MSC in the CS domain, and the IWF performs security authentication on the UE according to the security authentication status of the UE held by the MSC, and specifically includes: after receiving the registration request of the UE, the IWF provisionally treats the registration of the UE as successful, and determines whether to cancel the registration of the UE on the IWF according to the security authentication status that the MSC returns for the UE when the UE's registration to the CS domain is requested.
  • in the security authentication method provided by the present invention, when the IWF receives a registration request from the UE, it performs security authentication on the UE according to the authentication parameters stored in the home network, using an authentication algorithm similar to that used when the UE accesses the EPS network or registers with the CS domain;
  • alternatively, the security authentication is performed on the UE according to the security authentication status when the UE accesses the EPS network or registers with the CS domain.
  • the invention reduces the frequent signaling communication between the UE and the IWF, reduces the complexity of the IWF and the UE processing signaling, and improves the efficiency of the IWF processing signaling.
  • the AAA server is no longer needed in the architecture of the present invention, so the complexity of the overall architecture is reduced, and the complexity of implementing security authentication of the UE by the IWF is also reduced.
  • FIG. 1 is a network architecture diagram of a UE implementing a CS service under an EPS network access in the prior art
  • FIG. 2 is a flowchart of obtaining an authentication and encryption parameter from an AAA server by an IWF in the prior art
  • FIG. 4 is a flowchart of a security authentication method according to Embodiment 1 of the present invention.
  • FIG. 5 is a flowchart of a security authentication method according to Embodiment 2 of the present invention.
  • FIG. 6 is a flowchart of a security authentication method according to Embodiment 3 of the present invention.
  • FIG. 7 is a flowchart of a security authentication method according to Embodiment 4 of the present invention.

Detailed description

  • the security authentication method provided by the present invention is applied to the security authentication of the IWF to the UE when the CS domain service is implemented under the EPS access.
  • the method mainly includes the following steps: Step 301: The IWF receives a registration request from the UE. The UE sends the registration request to the IWF in order to register with the IWF.
  • Step 302: The IWF performs security authentication on the UE according to the authentication parameter or security authentication status that the authentication network element holds for the UE.
  • the authentication network element in the present invention includes: an MME in an EPS network, an MSC in a CS domain, and the like.
  • the authentication network element of the present invention is not limited to the MME and MSC enumerated above.
  • the IWF may obtain an authentication parameter for performing security authentication on the UE from the MME, and the authentication parameter may be at least one of the following two authentication parameters:
  • the MME itself uses an authentication parameter for performing NAS access authentication on the UE.
  • the authentication parameter for CSoPS that the HSS sends to the MME and that the IWF uses to authenticate the UE.
  • the IWF may also perform security authentication on the UE according to the security authentication status of the UE by the MME; and may perform security authentication on the UE according to the security authentication status of the UE by the MSC.
  • Step 401 The UE requests to attach to the EPS network and requests the EPS network to establish an IP bearer, and the request is sent to the MME through the E-UTRAN.
  • the UE may use a specific Access Point Name (APN, Access Point Name) for CSoPS to require the EPS network to establish a bearer dedicated to CSoPS.
  • APN Access Point Name
  • Step 402 The MME obtains an authentication parameter for performing security authentication on the UE from the HSS, and performs an authentication operation on the UE by using the authentication parameter.
  • since the UE is initially accessing the EPS network, the EPS network needs to authenticate the UE, and it does so with the NAS authentication mechanism. After the authentication passes, the MME stores information about the NAS authentication security status of the UE.
  • Step 403 Since the UE is initially accessing the EPS network, and the MME does not have the service configuration data of the UE, the MME sends a location update request to the HSS, and requests to download the service configuration data of the UE.
  • Step 404 The HSS returns a location update response to the MME, and carries the service configuration data of the UE and the authentication parameter for performing security authentication on the UE.
  • the authentication parameter that the HSS downloads to the MME in the present invention must include the authentication parameter for the EPS network to perform access authentication on the UE, and may further include an authentication parameter for the IWF to perform security authentication on the UE under the CSoPS service. If the home network supports CSoPS and the UE has CSoPS capability, an authentication parameter dedicated to CSoPS is configured in the HSS.
  • Step 405 After receiving the location update response of the HSS, the MME stores the service configuration data of the UE and the authentication parameter for performing security authentication on the UE, allocates the S-GW/P-GW according to the network situation and the indication in the service configuration data, and sends a bearer setup request to the assigned S-GW/P-GW.
  • Step 406 The S-GW/P-GW establishes a bearer of the corresponding CSoPS for the UE, and returns a bearer setup response to the MME after the establishment is completed, including an IP address allocated for the UE.
  • Step 407 The MME sends an attach response to the UE, returning the IP address allocated to the UE.
  • the EPS network allocates an IWF of the visited network to the UE according to the APN provided by the UE for CSoPS, and returns the allocated IWF to the UE in the attach response.
  • the IWF can be given as a specific IWF address or as a Fully Qualified Domain Name (FQDN) for discovering the IWF.
  • Step 408 The UE acquires an IWF address of the visited network from the EPS network.
  • the UE may initiate a Domain Name System (DNS) query to obtain a suitable IWF address after attaching to the EPS network.
  • DNS Domain Name System
  • another way for the UE to obtain the IWF address of the visited network is that the UE is configured with the IWF of the home network and initiates a request to it; the home network IWF then provides a suitable visited network IWF for the UE according to the visited network the UE has accessed. If the UE obtains the domain name of the visited network IWF, the UE may obtain the IP address of the IWF through the DNS query mechanism.
  • the UE may initiate registration with the corresponding IWF.
  • the purpose of the registration is to enable the IWF to simulate the UE accessing a base station virtualized by the IWF, and to enable the IWF to obtain the location information of the UE in the EPS network and other necessary information.
  • Step 409 After obtaining the IWF address of the visited network, the UE initiates a registration request to the IWF.
  • the information carried in the request mainly includes: the International Mobile Subscriber Identity (IMSI) of the UE, the IP address of the UE, and the Tracking Area Identity (TAI) of the UE's connection to the EPS network.
  • IMSI International Mobile Subscriber Identity
  • TAI Tracking Area Identity
  • Step 410 The IWF obtains an address of the MME currently attached by the UE according to the registration request of the UE.
  • when the UE registers with the IWF, it carries the identification information of the MME that it obtained when attaching to the EPS network.
  • the IWF can obtain the specific address of the MME by table lookup or through the DNS domain name mechanism.
  • Step 411 The IWF initiates an establishment request of the Sv interface to the MME, and queries the MME for the authentication parameter of the UE.
  • the Sv interface is used to establish the connection between the EPS network (with the MME as the main control core) and the CS network (the base station simulated by the IWF as the access terminal), so as to transmit the information and control signaling necessary for the interconnection between the networks.
  • Step 412 The MME establishes an Sv interface with the IWF, and returns a setup success response to the IWF after the establishment is completed, and the response carries the authentication parameter of the UE.
  • if the MME obtained from the HSS only the authentication parameter for the EPS network to perform access authentication on the UE, the MME returns only that EPS network access authentication parameter.
  • Step 413 The IWF calculates an authentication challenge by using an authentication algorithm according to the authentication parameter obtained from the MME.
  • Step 414 The IWF initiates an authentication challenge request to the UE.
  • Step 415 The UE inversely calculates the authentication response according to the authentication challenge and using an authentication algorithm.
  • Step 416 The UE returns the calculated authentication response to the IWF.
  • Step 417 The IWF verifies whether the authentication response is correct, and sends a registration success response to the UE after verifying that the authentication response is correct.
  • the IWF obtains the MME address from the registration request of the UE, and actively establishes an Sv interface with the MME, and queries the MME for the authentication parameter.
  • the present invention provides another feasible embodiment of the process of FIG. 4: in the process of attaching the UE to the EPS network shown in FIG. 4, after the UE successfully attaches to the EPS network and the EPS network establishes a bearer for the UE,
  • the MME can actively establish an Sv interface with the IWF and send the authentication parameter obtained in step 404 to the IWF through that interface. Then, when the UE initiates registration with the IWF, the IWF does not need to request the MME to establish an Sv interface and query the authentication parameter again, and can directly use the authentication parameter previously sent by the MME to perform security authentication on the UE.
  • Step 501 The UE attaches to the EPS network, and through the NAS authentication, the EPS network establishes a bearer for the UE, and the UE obtains the allocated IP address.
  • Step 502 The UE acquires an IWF address of the visited network from the EPS network.
  • Step 503 The UE initiates a registration request to the IWF, where the information carried in the request mainly includes:
  • the IMSI of the UE, the IP address of the UE, the TAI of the UE accessing the EPS network, and the address or identification information of the MME accessed by the UE.
  • Step 504 The IWF obtains an address of the MME accessed by the UE.
  • since the UE has not yet registered on the IWF, the IWF needs to verify whether the UE is legitimate after obtaining the IMSI, IP address and so on from the registration request of the UE.
  • the IWF may check whether the UE is authenticated by the EPS network from the UE status information of the MME.
  • Step 505 The IWF initiates an establishment request of the Sv interface to the MME, and queries the MME for the authentication status of the UE.
  • the IWF requests the MME to verify the authentication status of the UE by providing the MME with information such as the IMSI and IP address of the UE.
  • Step 506 The MME establishes an Sv interface with the IWF, and returns a setup success response to the IWF after the establishment is completed, where the response carries the authentication status of the UE.
  • the MME stores the complete context data of the UE, in which information such as the IMSI and IP address of the UE is recorded. The MME searches the context data it stores, according to the IMSI, IP address and other information provided by the IWF, for a matching IMSI and IP address; if there is one, the UE is considered to have passed the access authentication of the EPS network, and the MME returns the UE's authentication status to the IWF, that is, information indicating that the UE has passed EPS network access authentication. Conversely, if there is no matching IMSI and IP address for the UE on the MME, the UE is considered not to have passed EPS access authentication, and the MME indicates that the UE did not pass EPS network access authentication.
  • the authentication status when the UE accesses the EPS network includes at least one of the following states:
  • the security authentication status of the NAS authentication performed by the EPS network on the UE (if the EPS network has performed the NAS authentication process on the UE);
  • a state in which the EPS network has established a bearer for the UE and allocated an Internet Protocol (IP) address.
  • Step 507 After obtaining the authentication status of the UE accessing the EPS network from the MME, the IWF sends a registration success response to the UE if it confirms that the UE has passed the access authentication of the EPS network, otherwise rejects the registration of the UE.
  • in the process shown in FIG. 5, the IWF actively establishes an Sv interface with the MME and queries the MME for the authentication status of the UE through the interface.
  • the present invention provides another feasible embodiment of the process of FIG. 5: after the UE successfully attaches to the EPS network, the EPS network establishes a bearer for CSoPS for the UE, and the MME allocates an IWF to the UE.
  • the MME can then actively establish an Sv interface with the IWF and send the authentication status of the UE to the IWF through that interface.
  • in that case the IWF does not need to request the MME to establish an Sv interface and query the authentication status of the UE, and can directly determine whether the UE has passed EPS network authentication from the authentication status previously sent by the MME to the IWF.
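As an added illustration of the FIG. 5 procedure (this is example code, not code from the patent or its applicant), the following Python model shows the MME keeping a per-UE context and answering the IWF's Sv query (steps 505 and 506) by matching the IMSI and IP address, the variant in which the MME pushes the status to the IWF unasked, and the IWF accepting or rejecting the registration at step 507. The class and field names, the test-network IMSIs and the private addresses are all constructed for the example; requiring every listed state to be positive is stricter than the page's "at least one of" wording and is a choice made here.

```python
"""Model of the FIG. 5 procedure: the IWF does not challenge the UE itself but asks
the MME over Sv whether the UE already passed EPS access authentication.
Constructed example, not the patent's own code."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class UEContext:
    """What the MME keeps for an attached UE (the context data of step 506)."""
    imsi: str
    ip: Optional[str] = None
    nas_authenticated: bool = False   # NAS authentication passed (step 402)
    access_allowed: bool = False      # the EPS network allows the UE to access
    bearer_established: bool = False  # bearer set up and IP address allocated (step 406)


STATES = ("nas_authenticated", "access_allowed", "bearer_established")


class MME:
    def __init__(self):
        self.contexts = {}

    def attach(self, imsi: str, nas_ok: bool) -> None:   # step 501, NAS authentication
        self.contexts[imsi] = UEContext(imsi, nas_authenticated=nas_ok, access_allowed=nas_ok)

    def setup_bearer(self, imsi: str, ip: str) -> None:  # bearer and IP only after NAS success
        ctx = self.contexts[imsi]
        if ctx.access_allowed:
            ctx.ip, ctx.bearer_established = ip, True

    def auth_status(self, imsi: str, ip: str) -> dict:
        """Steps 505-506: answer the Sv query by matching (IMSI, IP) in the stored context."""
        ctx = self.contexts.get(imsi)
        status = {"imsi": imsi, "ip": ip, **{s: False for s in STATES}}
        if ctx is not None and ctx.ip == ip:
            status.update({s: getattr(ctx, s) for s in STATES})
        return status

    def push_status(self, imsi: str, iwf: "IWF") -> None:
        """FIG. 5 variant: the MME sends the status to the IWF without being asked."""
        ctx = self.contexts[imsi]
        iwf.pushed[imsi] = self.auth_status(imsi, ctx.ip)


class IWF:
    def __init__(self, mme: MME):
        self.mme, self.pushed, self.registered = mme, {}, set()

    def register(self, imsi: str, ip: str) -> bool:
        """Steps 503-507: accept the registration only on a positive status from the MME."""
        status = self.pushed.get(imsi)
        if status is None or status["ip"] != ip:   # nothing pushed, or pushed for another IP
            status = self.mme.auth_status(imsi, ip)
        # Stricter than the page's "at least one of" wording: every state must hold.
        if all(status[s] for s in STATES):
            self.registered.add(imsi)
            return True                              # registration success response
        return False                                 # registration rejected


def demo() -> dict:
    mme = MME()
    iwf = IWF(mme)
    # Constructed test-network IMSIs and private addresses.
    mme.attach("001010000000001", nas_ok=True)
    mme.setup_bearer("001010000000001", "10.0.0.10")
    mme.push_status("001010000000001", iwf)            # pushed variant
    mme.attach("001010000000002", nas_ok=True)
    mme.setup_bearer("001010000000002", "10.0.0.20")   # status pulled over Sv
    mme.attach("001010000000003", nas_ok=False)        # NAS authentication failed
    mme.attach("001010000000004", nas_ok=True)         # authenticated, no bearer yet
    return {
        "pushed_good": iwf.register("001010000000001", "10.0.0.10"),
        "pulled_good": iwf.register("001010000000002", "10.0.0.20"),
        "wrong_ip": iwf.register("001010000000001", "10.0.0.99"),
        "nas_failed": iwf.register("001010000000003", "10.0.0.30"),
        "no_bearer": iwf.register("001010000000004", "10.0.0.40"),
        "unknown_imsi": iwf.register("001010000000005", "10.0.0.50"),
    }
```

The IP check matters in both paths: a status the MME pushed for one address must not be reused to accept a registration request arriving from another, which is why a pushed status is used only when its recorded IP matches the request and is otherwise re-queried over Sv.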
  • Step 601 The UE attaches to the EPS network, and through the NAS authentication, the EPS network establishes a bearer for the UE, and the UE obtains the allocated IP address.
  • Step 602 The UE acquires an IWF address of the visited network from the EPS network.
  • Step 603 The UE initiates a registration request to the IWF, where the information carried in the request mainly includes:
  • the IMSI of the UE, the IP address of the UE, the TAI of the UE accessing the EPS network, and the address or identification information of the MME accessed by the UE.
  • the UE may carry an identifier indicating the registration to the CS domain in the registration request.
  • the identifier information used to indicate registration to the CS domain may be the identifier information of a location update process initiated towards the CS domain, indicating that the UE wants to register with the CS network through the CS domain location update process. In this way, the registration request initiated by the UE to the IWF and to the CS domain together constitutes a joint registration request.
  • Step 604 After receiving the registration request of the UE, the IWF obtains the IMSI of the UE, the IP address of the UE, the TAI of the UE accessing the EPS network, the address or identifier of the MME accessed by the UE, and so on, from the registration request, and determines from the identifier information indicating registration to the CS domain that the UE needs to initiate a registration process to the CS domain.
  • the IWF may convert the TAI into CS domain location information (LAI, Location Area Identity) through a certain mapping rule; if the UE carries the LAI in the joint registration request, the IWF can use that LAI directly.
  • LAI Location Area Identity
  • Step 605 The IWF initiates a location update request of the CS domain to the MSC instead of the UE, and the request carries the LAI.
  • Step 606 The MSC initiates a location update request to the HLR, and requests to download the service configuration data of the UE.
  • since the UE is not registered on the MSC, the MSC needs to obtain an authentication parameter from the HLR to authenticate the UE.
  • Step 607 After receiving the location update request sent by the MSC, the HLR returns a location update response to the MSC, where the response carries the service configuration data of the UE and the authentication parameter for performing security authentication on the UE.
  • Step 608 The MSC calculates an authentication challenge by using an authentication algorithm according to the authentication parameter returned by the HLR.
  • Step 609 The MSC sends an authentication challenge request to the UE by using the IWF.
  • Step 610 The UE calculates an authentication response by using an authentication algorithm according to the long-term key stored by the UE.
  • the long-term key stored in the UE is consistent with the long-term key stored in the HLR/HSS.
  • Step 611 The UE returns an authentication response to the MSC through the IWF.
  • Step 612 After receiving the authentication response, the MSC verifies whether the authentication response is correct, to determine whether the UE is a legitimate user, and sends a location update response to the IWF after determining the validity.
  • the location update response indicates the security authentication status of the UE's registration with the CS domain.
  • Step 613 After receiving the location update response sent by the MSC, the IWF sends a registration success response to the UE.
  • the registration success response is sent to the UE only after the location update response of the MSC has been received.
  • the IWF receives the registration request of the UE and initiates a location update to the CS domain according to the identifier information in the registration request indicating registration to the CS domain, so that the UE becomes registered in the CS domain.
  • the present invention further provides another feasible embodiment of the process of FIG. 6: if the registration request initiated by the UE does not carry the identifier information indicating that registration to the CS domain is to be initiated, then after the IWF receives the registration request, the UE itself actively initiates the location update request of the CS domain to the MSC, and the MSC authenticates the UE. Because the UE passes this authentication, the IWF considers the UE secure and trustworthy and on that basis accepts the registration request the UE made to the IWF. In this process, the IWF also needs to map the TAI of the EPS network to the LAI of the CS domain.
  • the security authentication method in Embodiment 4 of the present invention is as shown in FIG. 7. It differs from Embodiment 3 in that, after receiving the registration request of the UE, the IWF may default the registration of the UE to success in advance and reply to the UE accordingly, as shown in steps 703 and 704; the UE then initiates a location update request to the CS domain, and the MSC performs CS domain authentication for the UE. In this process, if the authentication fails (that is, the UE does not pass the authentication), the IWF intercepts the authentication failure response in step 712 and actively initiates step 713 to cancel the registration of the UE on the IWF. On the other hand, if the UE passes the authentication of the CS domain, the IWF intercepts the authentication success response in step 712, learns that the UE has passed the security authentication, and therefore does not actively cancel the registration of the UE on the IWF.
  • the present invention implements the security authentication of the UE by the IWF when the UE obtains CS domain service by accessing the EPS network, which improves the efficiency with which the IWF authenticates the UE and the signaling processing capability of the IWF.
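The challenge/response exchange of steps 604 to 613 and the pre-accept-then-cancel variant of Embodiment 4 (steps 703, 704, 712, 713), as an added simulation that is not part of the patent text. The authentication algorithm is not specified by the text, so a truncated HMAC over the challenge stands in for it; the IMSI, TAI, long-term key and the TAI-to-LAI rule (LAC = TAC) are constructed assumptions, and one driver walks both embodiments even though in Embodiment 4 the UE, not the IWF, triggers the location update.

```python
import hashlib, hmac, secrets
# Constructed sample data (not from the patent): IMSI, TAI (MCC, MNC, TAC), and the UE/HLR long-term key.
IMSI, TAI = "460001234567890", ("460", "00", 0x1A2B)
LONG_TERM_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def auth_algorithm(key, rand):
    # Stand-in for the unspecified authentication algorithm (assumption): keyed MAC, truncated.
    return hmac.new(key, rand, hashlib.sha256).digest()[:4]

class HLR:  # holds the long-term keys; step 607 returns RAND and the expected response
    def __init__(self, subscribers):
        self.subscribers = subscribers  # IMSI -> long-term key
    def location_update(self, imsi):
        rand = secrets.token_bytes(16)
        return rand, auth_algorithm(self.subscribers[imsi], rand)

class MSC:  # steps 606-609 and 612
    def __init__(self, hlr):
        self.hlr, self.pending = hlr, {}
    def location_update(self, imsi, lai):  # lai carried as in step 605
        rand, xres = self.hlr.location_update(imsi)  # steps 606-607
        self.pending[imsi] = xres
        return rand  # step 608: the challenge sent to the UE via the IWF
    def verify(self, imsi, sres):  # step 612: unknown or wrong response rejects the UE
        expected = self.pending.pop(imsi, None)
        return expected is not None and hmac.compare_digest(expected, sres)

class UE:
    def __init__(self, imsi, key, tai):
        self.imsi, self.key, self.tai = imsi, key, tai
    def answer_challenge(self, rand):  # step 610: response from the long-term key
        return auth_algorithm(self.key, rand)

class IWF:  # relays the challenge and response; keeps the UE registered only on success
    def __init__(self, msc):
        self.msc, self.registered = msc, set()
    @staticmethod
    def tai_to_lai(tai):
        mcc, mnc, tac = tai  # mapping rule not given by the text; assume LAC = TAC
        return (mcc, mnc, tac)
    def register(self, ue, pre_accept=False):
        if pre_accept:  # Embodiment 4 (steps 703-704): default the registration to success
            self.registered.add(ue.imsi)
        rand = self.msc.location_update(ue.imsi, self.tai_to_lai(ue.tai))  # step 605
        sres = ue.answer_challenge(rand)  # steps 609-611, relayed by the IWF
        ok = self.msc.verify(ue.imsi, sres)
        # step 613 on success; Embodiment 4 step 713 (cancel the IWF registration) on failure
        (self.registered.add if ok else self.registered.discard)(ue.imsi)
        return ok
```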

Abstract

This invention relates to a security authentication method comprising the following steps: an interworking function (IWF) receives a registration request from a user equipment (UE) (301); the IWF performs security authentication on the UE according to authentication parameters or a security authentication status used to perform security authentication on the UE in an authentication network element (302). The present invention makes it possible to reduce the complexity of the IWF performing security authentication on the UE and to improve the efficiency of signaling processing by the IWF.
PCT/CN2009/075968 2009-02-16 2009-12-24 Security authentication method (Procédé d'authentification de sécurité) WO2010091589A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910009065.1A CN101808321B (zh) 2009-02-16 2009-02-16 A security authentication method (一种安全认证方法)
CN200910009065.1 2009-02-16

Publications (1)

Publication Number Publication Date
WO2010091589A1 true WO2010091589A1 (fr) 2010-08-19

Family

ID=42561390

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/075968 WO2010091589A1 (fr) 2009-02-16 2009-12-24 Security authentication method (Procédé d'authentification de sécurité)

Country Status (2)

Country Link
CN (1) CN101808321B (fr)
WO (1) WO2010091589A1 (fr)

Also Published As

Publication number Publication date
CN101808321A (zh) 2010-08-18
CN101808321B (zh) 2014-03-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 09839912; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 09839912; Country of ref document: EP; Kind code of ref document: A1)