WO2011015060A1 - Extensible authentication protocol authentication method, base station and authentication server thereof - Google Patents


Info

Publication number
WO2011015060A1
Authority
WO
WIPO (PCT)
Prior art keywords
mss, base station, authentication, tek, target base
Application number
PCT/CN2010/072054
Other languages
French (fr)
Chinese (zh)
Inventor
张正阳
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W 36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/062 Pre-authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/162 Implementing security features at a particular protocol layer at the data link layer

Definitions

  • the present invention relates to a mobile communication network authentication technology, and in particular to an EAP (Extensible Authentication Protocol) authentication method, a base station, and an authentication server that support fast handover in a high-speed motion scenario.
  • EAP Extensible Authentication Protocol
  • with the rapid development of mobile communication technology, mobile communication systems will provide, in addition to basic voice service, data services such as multimedia, e-commerce and online banking, all of which rest on information security and network security.
  • the security mechanism of a mobile communication system is divided into two parts: identity authentication with key agreement, and encryption.
  • encryption is the core of secure communication, while identity authentication and key agreement are the essential guarantee of secure communication and of the interests of users and operators.
  • EAP is an authentication framework that provides user and device authentication methods based on SIM (Subscriber Identity Module)/USIM cards, digital certificates and username/password, specifically EAP-SIM, EAP-AKA, EAP-TLS and EAP-MSCHAPv2.
  • the certification and authorization model is shown in Figure 1.
  • there are three entities in the authentication system: the supplicant (requester), the authenticator and the authentication server.
  • in EAP authentication the actual authentication is performed between the supplicant and the authentication server.
  • the authenticator sits between the supplicant and the authentication server and forwards the authentication messages between them.
  • the authentication messages are encapsulated in EAP packets.
  • between the supplicant and the authenticator, the EAP packets are carried in MAC (Media Access Control) layer PKM (Privacy Key Management) messages.
  • between the authenticator and the authentication server, the EAP packets are carried in a higher-layer AAA (Authentication, Authorization and Accounting) protocol such as RADIUS.
  • in the mobile communication system of Figure 1, the mobile terminal (Mobile Subscriber Station, MSS) is the supplicant, the base station (BS) is the authenticator, and the authentication server (AS) is the authentication server.
  • the EAP protocol uses a public key cryptosystem to establish a secure channel shared between the base station and the terminal.
  • the shared secure channel then provides security for the TEK (Traffic Encryption Key) exchange.
  • TEK Traffic Encryption Key
  • mobile broadband communication systems must support communication at vehicular speeds; as the MSS moves, handover between BSs is unavoidable, and the handover duration strongly affects the MSS's communication quality during the handover; to avoid dropped connections or degraded service quality caused by an overly long handover, the MSS must perform fast handover and authentication.
  • the entire handover process involves four entities: the mobile terminal MSS, the current serving BS, the target BS and the authentication server (AS).
  • the MSS usually re-enters the network with the target BS.
  • the target BS needs to re-confirm the trust relationship with the MSS. Because the complexity of different authentication mechanisms is different, the length of the authentication time is different.
  • the MSS must quickly establish a trust relationship with the target BS.
  • the conventional handover authentication method is: before the MSS hands over, a complete authentication is executed via the serving BS and the target BS, a new AK (Authentication Key) and TEK are negotiated between the MSS and the target BS, and only then is the handover executed; because this authentication takes so long, service quality after the new trust relationship is established suffers to varying degrees, most severely for real-time services such as voice, video and videophone, where users perceive pauses and interruptions; to guarantee service quality, a network authentication method that supports fast handover is therefore needed.
  • AK Authentication Key
  • the technical problem to be solved by the present invention is to provide an extensible authentication protocol authentication method, a base station, and an authentication server, which can support fast handover in a high-speed motion scenario.
  • the present invention provides an extensible authentication protocol authentication method, comprising: when the mobile terminal (MSS) hands over from its current serving base station to a target base station, before the handover, sending the traffic encryption key (TEK) shared by the MSS and the serving base station to the authentication server (AS) for backup;
  • at the time of the handover, the AS sending the backed-up TEK to the target base station; and after the handover completes, the MSS establishing a trust relationship with the target base station, and the MSS and the target base station using the TEK for secure communication services;
  • the step of establishing a trust relationship between the MSS and the target base station includes: sending, by the MSS, an authentication request message that includes a digital certificate of the MSS to the target base station, requesting access to the target base station;
  • after receiving the authentication request message, the target base station sends the digital certificate to the AS for validity verification;
  • if the digital certificate passes the validity verification, the target base station sends an authentication response message to the MSS containing an authentication key (AK), thereby establishing a trust relationship with the MSS through certificate verification.
  • AK authentication key
  • the method further includes: if the digital certificate fails the validity verification, the target base station rejects access by the MSS.
  • the method further includes: after the MSS establishes a trust relationship with the target base station, the target base station delivers the TEK to the MSS encrypted with the AK, and the MSS decrypts with the AK to obtain the TEK.
  • the MSS includes a Worldwide Interoperability for Microwave Access (WiMAX) terminal.
  • WiMAX Worldwide Interoperability for Microwave Access
  • the present invention also provides an authentication server (AS) supporting extensible authentication protocol authentication, the AS being configured to: before the MSS hands over, receive from the serving base station the traffic encryption key (TEK) shared by the serving base station and the MSS; and at the time of the MSS handover, send the TEK to the target base station, so that after the MSS handover completes and a trust relationship with the MSS is established, the target base station uses the TEK for secure communication services with the MSS.
  • the present invention also provides a serving base station supporting extensible authentication protocol authentication, the serving base station being configured to:
  • before the MSS hands over, send the traffic encryption key (TEK) shared with the MSS to the authentication server, so that the AS sends the TEK to the target base station at the time of the MSS handover, and the target base station, after the MSS handover completes and a trust relationship with the MSS is established, uses the TEK for secure communication services with the MSS;
  • the present invention also provides a target base station supporting extensible authentication protocol authentication, the target base station being configured to:
  • receive from the MSS an authentication request message containing the MSS's digital certificate, send the digital certificate to the AS for validity verification, and when the digital certificate passes the validity verification,
  • send an authentication response message to the MSS containing an authentication key (AK), so that a trust relationship is established with the MSS through certificate verification.
  • AK authentication key
  • the target base station is further configured to reject access by the MSS when the digital certificate fails the validity verification.
  • the target base station is further configured to, after establishing a trust relationship with the MSS, deliver the TEK to the MSS encrypted with the AK, so that the MSS decrypts with the AK to obtain the TEK.
  • the EAP authentication method supporting fast handover proposed by the present invention introduces a backup mechanism for the traffic key before handover, ensures that the terminal quickly establishes a trust relationship with the new base station and then quickly carries out the communication service with the backed-up key, which greatly improves the speed of handover authentication and is very beneficial for fast terminal access authentication in high-speed handover scenarios in wireless networks.
  • Figure 1 is a schematic diagram of an EAP authentication and authorization model
  • Figure 2 is a schematic diagram of network authentication and authorization during fast handover
  • FIG. 3 is a flowchart of an EAP authentication method for supporting fast handover according to an embodiment of the present invention
  • FIG. 4 is a flowchart of an EAP authentication method for supporting fast handover according to an application example of the present invention.
  • an EAP authentication method for supporting fast handover includes the following steps:
  • Step 301: before the handover, the traffic encryption key (TEK) shared by the mobile terminal (MSS) and the current serving base station (BS) is sent to the authentication server (AS) for backup and storage;
  • TEK traffic encryption key
  • MSS mobile terminal
  • BS current serving base station
  • AS authentication server
  • Step 302: at the time of handover, the AS sends the backed-up traffic encryption key TEK to the target base station.
  • Step 303: after the handover, the mobile terminal and the target base station establish a trust relationship and use the traffic encryption key TEK for secure communication services.
  • WiMAX Worldwide Interoperability for Microwave Access
  • WiMAX is an emerging wireless broadband access technology, a new air interface standard for the mobile and microwave frequency bands; it combines the three characteristics of wireless, broadband and mobile, and can serve as a wireless extension of cable and DSL (Digital Subscriber Line).
  • it can connect 802.11 wireless access hotspots to the Internet, connect enterprise and home environments to the wired backbone, and is also the set of IEEE 802 standards for providing data services within a metropolitan area.
  • the WiMAX security mechanism uses a PKM-based EAP authentication method, which defines a secure way for the base station BS to distribute keying material to the subscriber station SS, covering authentication, key exchange and data encryption.
  • its goal is to provide access control and ensure the confidentiality of the data link.
  • key management performs key negotiation and maintenance for each security association, distributes keys for established security associations, and updates keys when appropriate, mainly the negotiation and update of the authentication key AK and the traffic encryption key TEK.
  • the PKM-EAP-based authentication method solves the lack of scalability of one-way authentication mechanisms and is better suited to fast authentication in mobile scenarios.
  • FIG. 4 is a specific example of an EAP authentication method for supporting fast handover according to the present invention.
  • the entire authentication and authorization working process (including initial authentication and fast handover authentication) is described as follows:
  • Step 401: the MSS establishes an initial wireless connection with the serving BS and sends an "authentication request message" to the BS, the authentication request message containing the MSS's X.509 digital certificate.
  • Step 402: the serving BS sends the certificate to the authentication server, which checks the validity of the certificate.
  • Step 403: if the certificate passes verification, the serving BS sends an "authentication response message" to the MSS containing the authentication key (AK) of the serving BS; otherwise the serving BS rejects the MSS's access request;
  • AK authentication key
  • the MSS and the serving BS thus establish a trust relationship through certificate verification.
  • Step 404: the MSS sends a "TEK request message" to the serving BS to request a traffic encryption key (TEK);
  • Step 405: the serving BS requests the TEK from the authentication server;
  • Step 406: when the TEK request succeeds, the serving BS sends a "TEK response message" to the MSS carrying the TEK encrypted with the AK, and the MSS decrypts it with the AK received from the serving BS in step 403 to obtain the TEK;
  • the initial authentication and authorization process then ends, and the MSS and the serving BS can use the TEK for confidential service communication.
  • Step 407: during service communication, the MSS and the serving BS periodically update the AK and the TEK to keep the communication secure;
  • Step 408: before the handover, the serving BS sends the currently used traffic encryption key (TEK) to the authentication server for backup and storage;
  • TEK currently used traffic encryption key
  • Step 409: at the time of handover, the authentication server sends the backed-up traffic encryption key (TEK) to the target BS;
  • Step 410: after the handover, the MSS and the target BS repeat steps 401 to 403 to quickly establish a trust relationship, after which the target BS delivers the backed-up TEK to the MSS encrypted with the newly negotiated AK, so that both parties share the backed-up traffic encryption key TEK;
  • Step 411: the MSS and the target BS continue the communication service using the backed-up traffic encryption key (TEK).
  • TEK backed-up traffic encryption key
  • the present invention also provides an EAP authentication system that supports fast handover, including a mobile terminal (MSS), a serving base station (serving BS), a target base station (target BS), and an authentication server (AS), where:
  • MSS mobile terminal
  • serving BS serving base station
  • target BS target base station
  • AS authentication server
  • the serving BS is configured to send the traffic encryption key (TEK) shared with the MSS to the AS for backup before the MSS hands over;
  • TEK traffic encryption key
  • the authentication server is configured to send the backed-up TEK to the target BS at the time of the MSS handover;
  • the MSS uses the backed-up TEK to continue the communication service.
  • the MSS is configured to send an authentication request message containing its X.509 digital certificate to the target BS when establishing a trust relationship with the target BS, requesting access to the target BS;
  • after receiving the authentication request message, the target BS sends the digital certificate to the AS for validity verification, and sends an authentication response message to the MSS when the digital certificate passes verification;
  • an authentication key (AK) is included in the authentication response message, thereby establishing a trust relationship with the MSS through certificate verification; if the digital certificate fails verification, the MSS's access is denied.
  • the target BS then delivers the TEK to the MSS encrypted with the AK.
  • the MSS includes but is not limited to a WiMAX terminal.
  • the present invention also provides a serving base station supporting extensible authentication protocol authentication, the serving base station being configured to:
  • before the MSS hands over, send the traffic encryption key (TEK) shared with the MSS to the authentication server, so that the AS sends the TEK to the target base station at the time of the MSS handover, and the target base station, after the MSS handover completes and a trust relationship with the MSS is established, uses the TEK for secure communication services with the MSS;
  • the present invention also provides a target base station supporting extensible authentication protocol authentication, the target base station being configured to:
  • receive from the MSS an authentication request message containing the MSS's digital certificate, and send an authentication response message to the MSS when the digital certificate passes validity verification, the authentication response message containing an authentication key (AK), so as to establish a trust relationship with the MSS through certificate verification.
  • AK authentication key
  • the target base station is further configured to reject access by the MSS when the digital certificate fails the validity verification.
  • the target base station is further configured to, after establishing a trust relationship with the MSS, deliver the TEK to the MSS encrypted with the AK, so that the MSS decrypts with the AK to obtain the TEK.
  • the present invention has the following advantages and effects as compared with the prior art:
  • the traffic encryption key backup mechanism greatly speeds up key negotiation after handover, meets the requirement for fast handover under high-speed mobility, and leaves the quality of real-time services unaffected.
  • the transfer of the traffic encryption key is completed by the authentication server over the links between serving BS, AS and target BS rather than over the air; this closed transmission medium keeps the network secure and guards against attacks such as man-in-the-middle, identity forgery, eavesdropping and interception, so key negotiation is accelerated and EAP authentication greatly speeded up without sacrificing system security.
  • the broadband technology used by the mobile terminal includes but is not limited to WiMAX; mobile terminals based on 3G (3rd Generation mobile communication) technology can also apply the design concept of the present invention, where 3G here includes but is not limited to TD-SCDMA (Time Division-Synchronous Code Division Multiple Access), CDMA2000, WCDMA (Wideband Code Division Multiple Access), HSDPA (High Speed Downlink Packet Access), HSUPA (High Speed Uplink Packet Access) and LTE (Long Term Evolution); simple modifications and extensions of the invention fall within its scope.
  • TD-SCDMA Time Division-Synchronous Code Division Multiple Access
  • CDMA2000 Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • HSDPA High Speed Downlink Packet Access
  • HSUPA High Speed Uplink Packet Access
  • LTE Long Term Evolution
  • the EAP authentication method supporting fast handover proposed by the present invention introduces a traffic key backup mechanism before handover, ensures that the terminal quickly establishes a trust relationship with the new base station and quickly uses the backed-up key to carry out the communication service, which greatly improves the speed of handover authentication and is very beneficial for fast terminal access authentication in high-speed handover scenarios in wireless networks.
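The procedure of steps 301 to 303 and 401 to 411 above, as an added Python simulation that is not part of the patent or of any ZTE implementation: the four entities (MSS, serving BS, target BS, AS) exchange the messages in order, the serving BS backs the TEK up to the AS before handover, the target BS re-runs the certificate check through the AS and then hands the backed-up TEK to the MSS under the newly negotiated AK. The X.509 validity check and the AK-keyed encryption of the TEK are constructed HMAC-based stand-ins, since the page does not specify those primitives; the AK is returned in the clear in the authentication response, exactly as the page states it, whereas real PKM wraps it with the public key in the MSS certificate. All names and the constructed CA key are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed stand-ins, not from the patent: an HMAC "CA" replaces X.509 signature checking and an
# HMAC-derived keystream plus tag replaces the AK-keyed TEK wrap, which the page leaves unspecified.
CA_KEY = b"constructed-CA-signing-key"
TAG_LEN = 16

def issue_cert(subject: str, ca_key: bytes = CA_KEY) -> dict:
    """Stand-in for the MSS's X.509 certificate: the subject bound to a CA signature."""
    return {"subject": subject, "sig": hmac.new(ca_key, subject.encode(), hashlib.sha256).digest()}

def wrap(key: bytes, label: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under key, domain-separated by label: nonce || ciphertext || tag."""
    assert len(plaintext) <= 32, "one SHA-256 block of keystream: enough for a 16-byte TEK or a short frame"
    nonce = os.urandom(16)
    stream = hmac.new(key, label + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, label + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def unwrap(key: bytes, label: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); raises if the tag fails (wrong key or tampered blob)."""
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, label + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("unwrap failed: bad tag")
    stream = hmac.new(key, label + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))

class AuthServer:
    """AS: checks certificate validity, issues TEKs, and keeps the pre-handover TEK backup."""
    def __init__(self):
        self.backup = {}  # MSS subject -> TEK sent up by the serving BS (step 408)
    def verify_cert(self, cert):             # steps 402/403: recompute the CA binding, constant-time compare
        expected = hmac.new(CA_KEY, cert["subject"].encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, cert["sig"])
    def issue_tek(self, subject):            # step 405
        return os.urandom(16)
    def backup_tek(self, subject, tek):      # step 408
        self.backup[subject] = tek
    def tek_for_target(self, subject):       # step 409
        return self.backup[subject]

class BaseStation:
    """Serving or target BS: the EAP authenticator; it forwards the certificate to the AS, never judges it."""
    def __init__(self, name, aserver):
        self.name, self.aserver, self.ak, self.tek = name, aserver, {}, {}
    def handle_auth_request(self, cert):     # steps 401-403 (repeated at the target BS in step 410)
        if not self.aserver.verify_cert(cert):
            return None                      # access rejected
        ak = os.urandom(16)                  # a fresh AK for this BS attachment
        self.ak[cert["subject"]] = ak
        return {"ak": ak}                    # the page only says the response "includes" the AK
    def handle_tek_request(self, subject):   # steps 404-406: TEK from the AS, returned under the AK
        self.tek[subject] = self.aserver.issue_tek(subject)
        return wrap(self.ak[subject], b"TEK", self.tek[subject])
    def backup_before_handover(self, subject):   # step 408
        self.aserver.backup_tek(subject, self.tek[subject])
    def load_backup(self, subject):          # step 409, target BS side
        self.tek[subject] = self.aserver.tek_for_target(subject)
    def deliver_backed_up_tek(self, subject):    # step 410: backed-up TEK under the newly negotiated AK
        return wrap(self.ak[subject], b"TEK", self.tek[subject])

class MobileStation:
    def __init__(self, cert):
        self.cert, self.ak, self.tek = cert, None, None
    def enter(self, bs):                     # network entry, or re-entry after handover; False = denied
        resp = bs.handle_auth_request(self.cert)
        if resp is None:
            return False
        self.ak = resp["ak"]
        return True
    def take_tek(self, wrapped):
        self.tek = unwrap(self.ak, b"TEK", wrapped)

def run_fast_handover(cert):
    """Initial entry at the serving BS, TEK backup, handover, re-entry at the target BS, traffic on the old TEK."""
    aserver = AuthServer()
    serving, target = BaseStation("serving", aserver), BaseStation("target", aserver)
    mss = MobileStation(cert)
    if not mss.enter(serving):                                   # steps 401-403
        return {"admitted": False}
    mss.take_tek(serving.handle_tek_request(cert["subject"]))    # steps 404-406
    ak_before, tek_before = mss.ak, mss.tek
    serving.backup_before_handover(cert["subject"])              # step 408
    target.load_backup(cert["subject"])                          # step 409
    if not mss.enter(target):                                    # step 410: steps 401-403 again
        return {"admitted": False}
    mss.take_tek(target.deliver_backed_up_tek(cert["subject"]))  # step 410: TEK under the new AK
    frame = wrap(mss.tek, b"DATA", b"frame after handover")      # step 411: traffic continues on the TEK
    return {"admitted": True, "ak_changed": mss.ak != ak_before, "tek_preserved": mss.tek == tek_before,
            "traffic_ok": unwrap(target.tek[cert["subject"]], b"DATA", frame) == b"frame after handover"}
```

Running run_fast_handover with a certificate from the constructed CA shows what the patent is after: the AK is renegotiated at the target BS while the TEK survives the handover, so traffic resumes without a second TEK exchange. A certificate not signed by that CA is turned away at handle_auth_request, the rejection branch of steps 403 and 410, and the target BS never releases the backed-up TEK to it.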

Abstract

The present invention provides an Extensible Authentication Protocol (EAP) authentication method which includes: when a Mobile Subscriber Station (MSS) hands over from a current serving base station to a target base station, a Traffic Encryption Key (TEK) shared between said MSS and said serving base station is sent to an Authentication Server (AS) for backup before said handover; said AS sends said backed up TEK to said target base station at the time of said handover; and said MSS establishes a trust relationship with said target base station after said handover is completed, and said MSS and said target base station use said TEK to perform secure communication services; thereby a fast handover is realized. The present invention also provides an authentication server supporting EAP authentication and a base station thereof.

Description

Extensible authentication protocol authentication method, base station and authentication server
Technical field
The present invention relates to mobile communication network authentication technology, and in particular to an EAP (Extensible Authentication Protocol) authentication method, base station and authentication server that support fast handover in high-speed mobility scenarios.
Background
With the rapid development of mobile communication technology, mobile communication systems will provide, in addition to basic voice service, data services such as multimedia, e-commerce and online banking. All of these services rest on information security and network security.
The security mechanism of a mobile communication system is divided into two parts: identity authentication with key agreement, and encryption. Encryption is the core of secure communication, while identity authentication and key agreement are the essential guarantee of secure communication and of the interests of users and operators.
EAP is an authentication framework that provides user and device authentication methods based on SIM (Subscriber Identity Module)/USIM cards, digital certificates and username/password, specifically EAP-SIM, EAP-AKA, EAP-TLS and EAP-MSCHAPv2. Its authentication and authorization model is shown in Figure 1. The authentication system has three entities: the supplicant (requester), the authenticator and the authentication server. In EAP authentication the actual authentication is carried out between the supplicant and the authentication server; the authenticator sits between them and forwards the authentication messages. Authentication messages are encapsulated in EAP packets. Between the supplicant and the authenticator, EAP packets are carried in MAC (Media Access Control) layer PKM (Privacy Key Management) messages; between the authenticator and the authentication server they are carried in a higher-layer AAA (Authentication, Authorization and Accounting) protocol such as RADIUS.
In the mobile communication system shown in Figure 1, the mobile terminal, or Mobile Subscriber Station (MSS), is the supplicant, the Base Station (BS) is the authenticator, and the Authentication Server (AS) is the authentication server.
EAP uses a public-key cryptosystem to establish a secure channel shared between base station and terminal; that shared channel then secures the exchange of the TEK (Traffic Encryption Key). This two-tier key distribution design means that a TEK update does not incur the heavy system load of computationally expensive public-key operations.
Mobile broadband communication systems must support communication at vehicular speeds. As an MSS moves, handover between BSs is unavoidable, and the handover duration strongly affects the MSS's communication quality during the handover. To avoid dropped connections or degraded service quality caused by an overly long handover, the MSS must perform fast handover and authentication.
As shown in Figure 2, the schematic of network authentication and authorization during fast handover, the whole handover involves four entities: the mobile terminal MSS, the current serving BS, the target BS and the authentication server (AS). During handover the MSS normally performs network re-entry with the target BS, and the target BS must re-establish its trust relationship with the MSS. Since authentication mechanisms differ in complexity, their authentication times differ too; to achieve fast handover, the MSS must establish a trust relationship with the target BS quickly.
The conventional handover authentication method is: before the MSS hands over, a complete authentication is executed via the serving BS and the target BS, a new AK (Authentication Key) and TEK are negotiated between the MSS and the target BS, and then the handover is executed. Because the authentication takes so long, the quality of the communication service after the new trust relationship is established suffers to varying degrees, most severely for services with strong real-time requirements such as voice, video and videophone, where users perceive pauses, interruptions and other quality degradation. To guarantee service quality, a network authentication method that supports fast handover is therefore needed.
Summary of the invention
The technical problem solved by the present invention is to provide an extensible authentication protocol authentication method, base station and authentication server that support fast handover in high-speed mobility scenarios.
To solve the above problem, the present invention provides an extensible authentication protocol authentication method, comprising: when a mobile terminal (MSS) hands over from its current serving base station to a target base station, before the handover, sending the traffic encryption key (TEK) shared by the MSS and the serving base station to the authentication server (AS) for backup;
at the time of the handover, the AS sending the backed-up TEK to the target base station; and after the handover completes, the MSS establishing a trust relationship with the target base station, and the MSS and the target base station using the TEK for secure communication services;
thereby achieving fast handover.
The step of the MSS establishing a trust relationship with the target base station comprises: the MSS sending to the target base station an authentication request message containing the MSS's digital certificate, requesting access to the target base station;
after receiving the authentication request message, the target base station sending the digital certificate it contains to the AS for validity verification; and
if the digital certificate passes the validity verification, the target base station sending an authentication response message to the MSS, the authentication response message containing an authentication key (AK), so that a trust relationship is established with the MSS through certificate verification.
The method further comprises: if the digital certificate fails the validity verification, the target base station rejecting access by the MSS.
The method further comprises: after the MSS has established a trust relationship with the target base station, the target base station delivering the TEK to the MSS encrypted with the AK, and the MSS decrypting with the AK to obtain the TEK.
The MSS includes a Worldwide Interoperability for Microwave Access (WiMAX) terminal.
The present invention also provides an authentication server (AS) supporting extensible authentication protocol authentication, the AS being configured to:
before the MSS hands over, receive from the serving base station the traffic encryption key (TEK) shared by the serving base station and the MSS; and
at the time of the MSS handover, send the TEK to the target base station, so that after the MSS handover completes and a trust relationship with the MSS is established, the target base station uses the TEK for secure communication services with the MSS;
thereby supporting fast handover.
The present invention also provides a serving base station supporting extensible authentication protocol authentication, the serving base station being configured to:
before the MSS hands over, send the traffic encryption key (TEK) shared with the MSS to the authentication server, so that the AS sends the TEK to the target base station at the time of the MSS handover, and the target base station, after the MSS handover completes and a trust relationship with the MSS is established, uses the TEK for secure communication services with the MSS;
thereby supporting fast handover.
本发明还提供一种支持可扩展的鉴权协议认证的目标基站, 所述目标基 站设置为:  The present invention also provides a target base station supporting scalable authentication protocol authentication, the target base station being set as:
在 MSS切换时, 接收由 AS发送的服务基站和所述 MSS共享的 TEK, 以及, 在所述 MSS切换完成, 与所述 MSS建立起信任关系后, 与所述 MSS 使用所述 TEK进行安全通信业务;  Receiving, by the MSS, the serving base station and the TSK shared by the MSS, and after the MSS handover is completed, establishing a trust relationship with the MSS, using the TEK for secure communication with the MSS. Business
从而支持快速切换。  This supports fast switching.
其中, 所述目标基站是设置为: 从所述 MSS接收包含所述 MSS的数字 证书的认证请求消息, 将其中的所述数字证书发送给所述 AS进行有效性验 证, 并在所述数字证书通过所述有效性验证时, 向所述 MSS发送认证响应消 息, 在所述认证响应消息中包含鉴权密钥 ( AK ) , 从而与所述 MSS通过验 证证书建立起信任关系。  The target base station is configured to: receive an authentication request message including a digital certificate of the MSS from the MSS, send the digital certificate to the AS for validity verification, and in the digital certificate When the validity verification is performed, an authentication response message is sent to the MSS, and an authentication key (AK) is included in the authentication response message, so that a trust relationship is established with the MSS through the verification certificate.
其中, 所述目标基站还设置为当所述数字证书认证未通过所述有效性验 证时, 则拒绝所述 MSS接入。  The target base station is further configured to reject the MSS access when the digital certificate authentication fails the validity verification.
其中, 所述目标基站还设置为与所述 MSS 建立起信任关系后, 将所述 TEK使用所述 AK加密传递给所述 MSS,以使所述 MSS根据所述 AK解密获 得所述 TEK。  The target base station is further configured to, after establishing a trust relationship with the MSS, transmit the TEK to the MSS by using the AK encryption, so that the MSS obtains the TEK according to the AK decryption.
本发明所提出的支持快速切换的 EAP认证方法, 在切换前引入了业务密 钥的备份机制, 保证终端与新的基站快速建立信任关系后, 迅速利用备份密 钥开展通信业务, 大大提高了切换认证的速度, 非常有利于无线网络在高速 切换场景下的终端快速接入认证。 附图概述 The EAP authentication method for supporting fast handover proposed by the present invention introduces a backup mechanism of the service key before the handover, and ensures that the terminal quickly establishes a trust relationship with the new base station, and then quickly utilizes the backup password. The key carries out the communication service, which greatly improves the speed of handover authentication, and is very beneficial to the terminal's fast access authentication in the high-speed handover scenario of the wireless network. BRIEF abstract
The accompanying drawings are provided to give a further understanding of the present invention and form part of the specification; together with the embodiments of the present invention they serve to explain the invention and do not limit it. In the drawings:

FIG. 1 is a schematic diagram of the EAP authentication and authorization model;

FIG. 2 is a schematic diagram of network authentication and authorization during fast handover;

FIG. 3 is a flowchart of the EAP authentication method supporting fast handover according to an embodiment of the present invention;

FIG. 4 is a flowchart of the EAP authentication method supporting fast handover according to an application example of the present invention.

Preferred Embodiments of the Invention
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.

As shown in FIG. 3, the EAP authentication method supporting fast handover provided by an embodiment of the present invention includes the following steps:

Step 301: before the handover, the traffic encryption key (TEK) shared by the mobile terminal (MSS) and the current serving base station (BS) is sent to the authentication server (AS) for backup storage;

Step 302: at the handover, the AS sends the backed-up traffic encryption key TEK to the target base station;

Step 303: after the handover, the mobile terminal and the target base station establish a trust relationship and use the traffic encryption key TEK to carry out secure communication services.

The present invention can be applied in WiMAX (Worldwide Interoperability for Microwave Access) mobile broadband communication systems. WiMAX is an emerging wireless broadband access technology: a new air interface standard, proposed for the microwave and millimeter-wave bands, that supports mobility. WiMAX therefore combines the three characteristics of wireless, broadband and mobile. It can serve as a wireless extension of cable and DSL (Digital Subscriber Loop) for connecting 802.11 wireless access hotspots to the Internet, and for connecting corporate, home and similar environments to wired backbone lines; it is also the set of IEEE 802 standards for providing data services in the metropolitan area.

The WiMAX security mechanism uses a PKM-based EAP authentication method. It defines a secure way for the base station (BS) to distribute keying data to the subscriber station (SS) and consists of three parts: authentication, key exchange and data encryption. Its goal is to provide access control and guarantee the confidentiality of the data link.

Key management implements key negotiation and maintenance for each security association, distributes keys to the established security associations and refreshes keys when appropriate; it mainly concerns the negotiation and refresh of the authentication key AK and the traffic encryption key TEK. The PKM-EAP-based authentication method solves the problems of one-way authentication and the lack of extensibility of the authentication mechanism, and is better suited to fast authentication in mobile scenarios.

FIG. 4 shows a specific example of the EAP authentication method supporting fast handover of the present invention. In this example the complete authentication and authorization process (including initial authentication and fast handover authentication) is as follows:

Step 401: the MSS establishes an initial wireless connection with the serving BS, and the MSS sends an "authentication request message" to the BS; the authentication request message contains the X.509 digital certificate of the MSS.

Step 402: the serving BS forwards the certificate to the authentication server, and the authentication server checks the validity of the certificate.

Step 403: if the certificate passes authentication, the serving BS sends an "authentication response message" to the MSS, which contains the authentication key (AK) of the serving BS; otherwise, the serving BS rejects the access request of the MSS.

At this point the MSS and the serving BS have established a trust relationship through certificate verification.

Step 404: the MSS sends a "TEK request message" to the serving BS, requesting a traffic encryption key (TEK).

Step 405: the serving BS applies to the authentication server for a TEK.

Step 406: once the TEK application succeeds, the serving BS sends a "TEK response message" to the MSS; the TEK response message carries the TEK, encrypted with the AK, and the MSS decrypts it with the AK delivered by the serving BS in step 403 to obtain the TEK.

At this point the initial authentication and authorization process is complete, and the MSS and the serving BS can use the TEK for confidential traffic.

Step 407: during traffic communication, the MSS and the serving BS periodically refresh the AK and the TEK to keep the communication secure.

Step 408: before the handover, the serving BS sends the traffic encryption key (TEK) currently in use to the authentication server for backup storage.

Step 409: at the handover, the authentication server sends the backed-up traffic encryption key (TEK) to the target BS.

Step 410: after the handover, the MSS and the target BS repeat steps 401 to 403 to rapidly establish a trust relationship; the target BS then encrypts the backed-up TEK with the newly negotiated AK and delivers it to the MSS, so that both parties share the backed-up traffic encryption key TEK.

Step 411: the MSS and the target BS continue the communication service using the backed-up traffic encryption key (TEK).

At this point the fast authentication during the handover is complete.
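The two-phase flow above (initial entry in steps 401 to 406, then TEK backup and reuse in steps 408 to 411), and the same method as summarized at the start of this description, as an added example in Python. This is illustrative code written for this page, not the patent's or the applicant's implementation. Where the page gives no detail it assumes simplified stand-ins: the MSS's X.509 certificate is modelled as a subject plus an issuer HMAC tag checked by the AS (with a revocation set standing in for "fails validity verification"), and "TEK encrypted with AK" is modelled as an XOR with an HMAC-derived pad; the class and method names are invented for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed placeholder issuer secret; a real AS would validate X.509 chains instead.
CA_KEY = b"demo-ca-key"

@dataclass(frozen=True)
class Certificate:
    """Stand-in for the MSS X.509 certificate: a subject plus an issuer tag."""
    subject: str
    tag: bytes

def issue_certificate(subject: str) -> Certificate:
    """Constructed issuer: the 'signature' is an HMAC over the subject under CA_KEY."""
    return Certificate(subject, hmac.new(CA_KEY, subject.encode(), hashlib.sha256).digest())

def wrap(key: bytes, data: bytes) -> bytes:
    """Demo stand-in for 'TEK encrypted with AK': XOR with an HMAC-derived pad.
    It is its own inverse, so the MSS calls the same function to decrypt."""
    pad = hmac.new(key, b"tek-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

class AuthServer:
    """AS: verifies certificates (402), issues TEKs (405), keeps the TEK backup (408, 409)."""
    def __init__(self):
        self.revoked = set()
        self.backup = {}  # subject -> TEK backed up before handover

    def verify(self, cert: Certificate) -> bool:
        expected = hmac.new(CA_KEY, cert.subject.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, cert.tag) and cert.subject not in self.revoked

    def issue_tek(self) -> bytes:
        return os.urandom(16)

    def store_backup(self, subject: str, tek: bytes) -> None:
        self.backup[subject] = tek

    def fetch_backup(self, subject: str) -> bytes:
        return self.backup.pop(subject)  # released once, at handover; cannot be claimed again

class BaseStation:
    def __init__(self, auth_server: AuthServer):
        self.auth_server = auth_server
        self.sessions = {}     # subject -> {"ak": bytes, "tek": bytes or None}
        self.pending_tek = {}  # subject -> TEK received from the AS at handover (409)

    def auth_request(self, cert: Certificate):
        """401-403: forward the certificate to the AS; return a fresh AK, or None if rejected."""
        if not self.auth_server.verify(cert):
            return None
        ak = os.urandom(16)
        self.sessions[cert.subject] = {"ak": ak, "tek": None}
        return ak

    def receive_backup(self, subject: str, tek: bytes) -> None:
        """409: the AS delivers the backed-up TEK to this (target) BS."""
        self.pending_tek[subject] = tek

    def tek_request(self, subject: str) -> bytes:
        """404-406, or 410 after handover: install the backed-up TEK if one arrived,
        otherwise request a fresh one from the AS; return it encrypted under the AK."""
        session = self.sessions[subject]
        tek = self.pending_tek.pop(subject, None)
        session["tek"] = tek if tek is not None else self.auth_server.issue_tek()
        return wrap(session["ak"], session["tek"])

    def backup_before_handover(self, subject: str) -> None:
        """408: send the TEK currently in use to the AS for safekeeping."""
        self.auth_server.store_backup(subject, self.sessions[subject]["tek"])

class Mobile:
    def __init__(self, cert: Certificate):
        self.cert, self.ak, self.tek = cert, None, None

    def attach(self, bs: BaseStation) -> bool:
        """Run 401-406 against bs (or 410 on a target BS); False means access was rejected."""
        ak = bs.auth_request(self.cert)
        if ak is None:
            return False
        self.ak = ak
        self.tek = wrap(self.ak, bs.tek_request(self.cert.subject))  # decrypt with the AK
        return True

def fast_handover(mss: Mobile, serving: BaseStation, target: BaseStation) -> bool:
    """408-411: back up the TEK, move it via the AS, re-authenticate with the target, reuse the TEK."""
    subject = mss.cert.subject
    serving.backup_before_handover(subject)                                    # 408
    target.receive_backup(subject, serving.auth_server.fetch_backup(subject))  # 409
    return mss.attach(target)                                                  # 410

def run_demo() -> dict:
    """Initial entry, then fast handover, then a revoked certificate trying the target BS."""
    auth = AuthServer()
    serving, target = BaseStation(auth), BaseStation(auth)
    mss = Mobile(issue_certificate("mss-01"))
    attached = mss.attach(serving)
    tek_before, ak_before = mss.tek, mss.ak
    handed_over = fast_handover(mss, serving, target)
    auth.revoked.add("mss-02")  # constructed: a certificate that fails validity verification
    rejected = not Mobile(issue_certificate("mss-02")).attach(target)
    return {
        "attached": attached, "handed_over": handed_over,
        "tek_reused": mss.tek == tek_before == target.sessions["mss-01"]["tek"],
        "ak_renewed": mss.ak != ak_before,
        "backup_cleared": "mss-01" not in auth.backup,
        "revoked_rejected": rejected,
    }

if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the properties the page claims for the scheme: after the handover the target BS holds the same TEK the MSS already has, while the AK is freshly negotiated with the target BS because steps 401 to 403 are repeated, so only the certificate exchange stands between the handover and resumed traffic. The backup is popped from the AS when it is released to the target BS, so one backed-up key can be claimed only once; the direct method calls between BS and AS stand in for the closed BS-AS path that the page relies on for transporting the key.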
Referring to FIG. 2, the present invention also provides an EAP authentication system supporting fast handover, comprising a mobile terminal (MSS), a serving base station (serving BS), a target base station (target BS) and an authentication server (AS), wherein:

the serving BS is configured to send the traffic encryption key (TEK) shared with the MSS to the AS for backup before the MSS handover;

the authentication server (AS) is configured to send the backed-up TEK to the target BS at the MSS handover;

the target BS is configured to, after the MSS handover is completed and a trust relationship with the MSS has been established, continue the communication service with the MSS using the backed-up TEK.

Further, the MSS is configured to, when establishing a trust relationship with the target BS, send to the target BS an authentication request message containing the X.509 digital certificate of the MSS, requesting access to the target BS;

the target BS is configured to, after receiving the authentication request message, send the digital certificate contained in it to the AS for validity verification and, when the digital certificate passes verification, send an authentication response message to the MSS that includes an authentication key (AK), thereby establishing a trust relationship with the MSS through certificate verification; if the digital certificate fails verification, the access of the MSS is rejected.

Further, the target BS is configured to, after establishing a trust relationship with the MSS, encrypt the TEK with the AK and transmit it to the MSS;

the MSS is configured to decrypt it with the AK to obtain the TEK.

The MSS includes, but is not limited to, a WiMAX terminal.

The present invention provides a serving base station supporting extensible authentication protocol authentication, the serving base station being configured to:

before the MSS handover, send the traffic encryption key (TEK) shared with the MSS to the authentication server, so that the AS sends the TEK to the target base station at the MSS handover, and after the MSS handover is completed and a trust relationship with the MSS has been established, the target base station uses the TEK for secure communication services with the MSS;

thereby supporting fast handover.

The present invention also provides a target base station supporting extensible authentication protocol authentication, the target base station being configured to:

at the MSS handover, receive the TEK shared by the serving base station and the MSS, sent by the AS; and, after the MSS handover is completed and a trust relationship with the MSS has been established, use the TEK for secure communication services with the MSS;

thereby supporting fast handover.

The target BS is configured to: receive from the MSS an authentication request message containing the digital certificate of the MSS, send the digital certificate contained in it to the AS for validity verification, and, when the digital certificate passes the validity verification, send an authentication response message to the MSS that includes an authentication key (AK), thereby establishing a trust relationship with the MSS through certificate verification.

The target base station is further configured to reject the access of the MSS when the digital certificate fails the validity verification.

The target base station is further configured to, after establishing a trust relationship with the MSS, encrypt the TEK with the AK and transmit it to the MSS, so that the MSS decrypts it with the AK to obtain the TEK.

In summary, compared with the prior art, the present invention has the following advantages and effects:

1) Fast authentication

Without fast authentication, all of steps 401 to 407 would have to be repeated after the handover, re-applying for, generating and responding with a new traffic encryption key, and the delay produced by this complex authentication process would increase greatly. Using the traffic encryption key backup mechanism greatly increases the speed of key negotiation after handover and meets the requirement for fast handover under high-speed mobility, so that the quality of real-time services is unaffected.

2) Strong security

The traffic encryption key is transferred through the authentication server; the closed transmission medium guarantees network security and can prevent attacks such as man-in-the-middle attacks, identity forgery, eavesdropping and interception. Without sacrificing system security, the speed of EAP authentication is greatly increased by speeding up key negotiation.

Since the method and techniques of the present invention are highly general, the broadband technology used by the mobile terminal includes but is not limited to WiMAX; other mobile terminals based on 3G (3rd Generation mobile communication) technologies can also use and draw on the design concept of the present invention, where 3G technologies include but are not limited to TD-SCDMA (Time Division-Synchronous Code Division Multiple Access), CDMA2000, WCDMA (Wideband CDMA), HSDPA (High Speed Downlink Packet Access), HSUPA (High Speed Uplink Packet Access) and LTE (Long Term Evolution). Simple modifications and extensions based on this invention fall within its scope.

The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Industrial Applicability

The EAP authentication method supporting fast handover proposed by the present invention introduces a backup mechanism for the traffic key before the handover, ensuring that once the terminal has rapidly established a trust relationship with the new base station it can immediately use the backed-up key to carry on its communication service. This greatly improves the speed of handover authentication and is very beneficial for fast terminal access authentication in high-speed handover scenarios of wireless networks.

Claims
1. An extensible authentication protocol authentication method, comprising: when a mobile terminal (MSS) is handed over from its current serving base station to a target base station,

before the handover, sending the traffic encryption key (TEK) shared by the MSS and the serving base station to an authentication server (AS) for backup;

at the time of the handover, the AS sends the backed-up TEK to the target base station; and

after the handover is completed, the MSS establishes a trust relationship with the target base station, and the MSS and the target base station use the TEK to carry out secure communication services;

thereby achieving fast handover.

2. The method according to claim 1, wherein

the step of the MSS establishing a trust relationship with the target base station comprises:

the MSS sends to the target base station an authentication request message containing the digital certificate of the MSS, requesting access to the target base station;

after receiving the authentication request message, the target base station sends the digital certificate contained in it to the AS for validity verification; and

if the digital certificate passes the validity verification, the target base station sends an authentication response message to the MSS and includes an authentication key (AK) in the authentication response message, thereby establishing a trust relationship with the MSS through certificate verification.

3. The method according to claim 2, further comprising:

if the digital certificate fails the validity verification, the target base station rejects the access of the MSS.

4. The method according to claim 2, further comprising:

after the MSS and the target base station have established a trust relationship, the target base station encrypts the TEK with the AK and transmits it to the MSS; the MSS decrypts it with the AK to obtain the TEK.

5. The method according to any one of claims 1 to 4, wherein

the MSS includes a Worldwide Interoperability for Microwave Access (WiMAX) terminal.

6. An authentication server (AS) supporting extensible authentication protocol authentication, the AS being configured to:

before the MSS handover, receive the traffic encryption key (TEK) shared by the serving base station and the MSS, sent by the serving base station; and,

at the MSS handover, send the TEK to the target base station, so that after the MSS handover is completed and a trust relationship with the MSS has been established, the target base station uses the TEK for secure communication services with the MSS;

thereby supporting fast handover.

7. A serving base station supporting extensible authentication protocol authentication, the serving base station being configured to: before the MSS handover, send the traffic encryption key (TEK) shared with the MSS to the authentication server, so that the AS sends the TEK to the target base station at the MSS handover, and after the MSS handover is completed and a trust relationship with the MSS has been established, the target base station uses the TEK for secure communication services with the MSS;

thereby supporting fast handover.

8. A target base station supporting extensible authentication protocol authentication, the target base station being configured to: at the MSS handover, receive the TEK shared by the serving base station and the MSS, sent by the AS; and, after the MSS handover is completed and a trust relationship with the MSS has been established, use the TEK for secure communication services with the MSS;

thereby supporting fast handover.

9. The target base station according to claim 8, wherein

the target base station is configured to: receive from the MSS an authentication request message containing the digital certificate of the MSS, send the digital certificate contained in it to the AS for validity verification, and, when the digital certificate passes the validity verification, send an authentication response message to the MSS that includes an authentication key (AK), thereby establishing a trust relationship with the MSS through certificate verification.

10. The target base station according to claim 9, wherein the target base station is further configured to reject the access of the MSS when the digital certificate fails the validity verification.

11. The target base station according to claim 9, wherein

the target base station is further configured to, after establishing a trust relationship with the MSS, encrypt the TEK with the AK and transmit it to the MSS, so that the MSS decrypts it with the AK to obtain the TEK.
PCT/CN2010/072054 2009-08-05 2010-04-22 Extensible authentication protocol authentication method, base station and authentication server thereof WO2011015060A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910161902A CN101635923A (en) 2009-08-05 2009-08-05 EAP authentication method and system supporting fast switching
CN200910161902.2 2009-08-05

Publications (1)

Publication Number Publication Date
WO2011015060A1 true WO2011015060A1 (en) 2011-02-10

Family

ID=41594938

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/072054 WO2011015060A1 (en) 2009-08-05 2010-04-22 Extensible authentication protocol authentication method, base station and authentication server thereof

Country Status (2)

Country Link
CN (1) CN101635923A (en)
WO (1) WO2011015060A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108668275A (en) * 2018-03-09 2018-10-16 深圳捷豹电波科技有限公司 Flow shares implementation method and flow sharing means

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101635923A (en) * 2009-08-05 2010-01-27 中兴通讯股份有限公司 EAP authentication method and system supporting fast switching
CN101958898B (en) * 2010-09-28 2013-10-30 中国科学院研究生院 Quick EAP authentication switching method in mobile WiMax network
CN102457848B (en) * 2010-10-18 2015-12-16 中兴通讯股份有限公司 The concurrent processing method of a kind of discrimination weight and switching and system
CN102984700A (en) * 2011-09-05 2013-03-20 中兴通讯股份有限公司 Security information storage apparatus, and authentication method and system
EP2922325B1 (en) * 2012-12-19 2018-05-23 Huawei Technologies Co., Ltd. Method and apparatus for communication security processing
BR112018071151A2 (en) * 2016-04-15 2019-02-05 Qualcomm Inc Techniques for Managing Secure Content Transmissions on a Content Delivery Network
JP6825296B2 (en) 2016-10-11 2021-02-03 富士通株式会社 Edge server and its encrypted communication control method
CN108271154B (en) * 2017-01-03 2022-04-15 中兴通讯股份有限公司 Authentication method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006124326A1 (en) * 2005-05-18 2006-11-23 Motorola, Inc. Fast secure session on half-duplex voice network channels
CN1905734A (en) * 2005-07-25 2007-01-31 华为技术有限公司 Method and system for object base station to obtain KI
CN1937837A (en) * 2005-09-19 2007-03-28 华为技术有限公司 Method and device for obtaining authorized key at mobile terminal position change
CN101272301A (en) * 2008-05-07 2008-09-24 广州杰赛科技股份有限公司 Safety access method of wireless metropolitan area network
CN101635923A (en) * 2009-08-05 2010-01-27 中兴通讯股份有限公司 EAP authentication method and system supporting fast switching


Also Published As

Publication number Publication date
CN101635923A (en) 2010-01-27

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10805964

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10805964

Country of ref document: EP

Kind code of ref document: A1