WO2012000327A1 - Method and device for realizing authentication - Google Patents


Publication number
WO2012000327A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication vector
terminal
authentication
level
acquisition flag
Application number
PCT/CN2011/071783
Other languages
French (fr)
Chinese (zh)
Inventor
胡帅来
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security

Definitions

  • the present invention relates to the field of communications, and in particular, to a method and apparatus for implementing authentication.
  • the terminal can roam from the 2G MSC/VLR to the 2G&3G MSC/VLR, and can also roam from the 2G network to the 3G network within the 2G&3G MSC/VLR.
  • the MSC/VLR needs to process the authentication process. There are two key points in the process of processing the authentication: the first is to acquire and save the authentication vector, and the second is to select the correct authentication vector to initiate the authentication process.
  • the MSC/VLR mainly obtains the authentication vector through two channels:
  • the home location register/authentication center (HLR/Auc) is responsible for generating the authentication vector of the terminal, and the MSC/VLR can obtain the authentication vector from the HLR/Auc and save it.
  • HLR/Auc can provide multiple sets of authentication vectors at one time.
  • the MSC/VLR can obtain the authentication vector from the previous MSC/VLR through the MAP-SEND-IDENTIFICATION message in the 3GPP TS 29.002 protocol when processing the location update procedure across the VLR, and save it.
  • for 2G terminals, the authentication vector generated by HLR/Auc is a triplet composed of the random number RAND, the expected response XRES and the encryption key CK; for 3G terminals, the authentication vector generated by HLR/Auc is a quintuple composed of RAND, XRES, CK, the integrity key IK, and the authentication token AUTN.
  • when the authentication vector is obtained from the previous MSC/VLR, if the MSC/VLRs are connected with a lower MAP protocol version, then only triplets can be passed in the MAP-SEND-IDENTIFICATION message due to the limitation of the version.
  • the triplet can be derived from the quintuple, but not vice versa. Therefore, even for a 3G terminal, the 2G MSC/VLR can only provide the converted triples to the 2G&3G MSC/VLR.
  • the MSC/VLR needs to select an appropriate authentication vector according to the current radio access type and terminal type of the terminal to ensure successful authentication.
  • the authentication vector obtained by the 2G&3G MSC/VLR from the 2G MSC/VLR can only be a triple.
  • the 2G&3G MSC/VLR can be connected to both the 2G Base Station Controller (BSC) and the 3G Radio Network Controller (RNC). If the terminal accesses through the BSC at this time, then according to the definition of the 3GPP TS 33.102 protocol, authentication with the triplet can succeed, and the authentication vector obtained by the 2G&3G MSC/VLR from the 2G MSC/VLR is usable. However, if the terminal then roams from the BSC under the 2G&3G MSC/VLR to the RNC and the saved triplet is still used for subsequent authentication, authentication will fail. Likewise, if the terminal roams directly from the 2G MSC/VLR to the RNC under the 2G&3G MSC/VLR, authentication fails for the same reason.
  • BSC Base Station Controller
  • RNC 3G Radio Network Controller
  • in another case, if the MSC/VLRs, or the HLR and the 2G MSC/VLR, are connected by a lower MAP protocol version, then only the triplet can be passed in the MAP-SEND-IDENTIFICATION message due to the version restriction. Then, no matter which level of network the terminal first accesses, as long as it roams to a high-level network (such as an RNC under a 3G network or an RNC under a 2G&3G network), the MSC/VLR of the high-level network can only obtain a triplet. Once the triplet authentication vector is used, the result is also an authentication failure.
  • in summary, if the version of the MAP protocol is a high version, then whenever the terminal roams from a low-level network to a high-level network, the MSC/VLR of the high-level network can only obtain a triplet authentication vector when acquiring the authentication vector of the terminal from the MSC/VLR of the previous network. If the version of the MAP protocol is a low version, the MSC/VLR of the high-level network can only obtain a triplet authentication vector when acquiring the authentication vector of the terminal from the MSC/VLR of the previous network, regardless of where the terminal roams from into the high-level network.
  • the networking scenario involving the above authentication process is shown in Figure 1.
  • the 2G MSC/VLR 100 only supports connection to the BSC 120, while the 2G&3G MSC/VLR 110 supports both BSC 121 and RNC 122 access.
  • the connection S220 between the 2G MSC/VLR 100 and the 2G&3G MSC/VLR 110 is limited by the capabilities of the device and can only communicate using the lower version of the MAP protocol; the 2G&3G MSC/VLR 110 can obtain the authentication vector of the terminal from the 2G MSC/VLR 100 through this connection.
  • the 2G MSC/VLR 100 and the 2G&3G MSC/VLR 110 are connected to the HLR/Auc through S200 and S222 respectively, and the MAP protocol is also used.
  • S200 may also be limited by the capabilities of the device, so that it can only communicate using the lower version of the MAP protocol.
  • the 2G MSC/VLR 100 and 2G&3G MSC/VLR 110 will obtain the authentication vector of the terminal from the HLR/Auc through their respective connections.
  • when the terminal 000 roams from the 2G MSC/VLR 100 to the 2G&3G MSC/VLR 110, the specific application scenario is shown in FIG. 2, and the process shown in FIG. 2 includes the following steps:
  • Step 201 The 3G terminal roams from the 2G MSC/VLR to the 2G&3G MSC/VLR, and accesses the network through the RNC.
  • the terminal initiates a location update process to provide information about the previous location area.
  • Step 202 The 2G&3G MSC/VLR obtains the address of the 2G MSC/VLR according to the location area information, and sends a MAP-SEND-IDENTIFICATION request message to obtain the user identifier and the authentication vector from the 2G MSC/VLR.
  • Step 203 Since the 2G&3G MSC/VLR and the 2G MSC/VLR are connected by a lower version of the MAP protocol, the authentication vector returned by the 2G MSC/VLR is triplet information.
  • Step 205 The HLR/Auc returns the authentication vector of the terminal.
  • Step 206 The 2G&3G MSC/VLR initiates the authentication process using the authentication vector obtained from the HLR/Auc.
  • the main object of the present invention is to provide a method and apparatus for implementing authentication to avoid unnecessary authentication failure.
  • a method for implementing authentication comprising:
  • the process of obtaining the authentication vector includes:
  • Determining that the terminal is a terminal corresponding to the high-level network and searching for an authentication vector acquisition flag set by the terminal, and when finding the authentication vector acquisition flag, acquiring a high-level authentication vector applicable to the high-level network.
  • the method further includes:
  • the terminal is a 3G terminal
  • the high-level network is a 2G&3G network.
  • An apparatus for implementing authentication comprising an authentication vector acquisition mark maintenance unit and an authentication vector processing unit;
  • the authentication vector acquisition flag maintenance unit is configured to add an authentication vector acquisition flag to the terminal to which the low-level authentication vector is assigned;
  • the authentication vector processing unit is configured to: when the terminal accesses the high-level network, obtain a high-level authentication vector applicable to the high-level network according to the authentication vector acquisition flag of the terminal added in the authentication vector acquisition flag maintenance unit.
  • when the authentication vector processing unit acquires the authentication vector, it is specifically configured to determine that the terminal is a terminal corresponding to the high-level network and to search for the authentication vector acquisition flag set for the terminal; when the authentication vector acquisition flag is found, it acquires a high-level authentication vector applicable to the high-level network.
  • the authentication vector processing unit is further configured to:
  • the apparatus further includes an authentication unit for initiating an authentication process based on the high-level authentication vector applicable to the high-level network acquired by the authentication vector processing unit.
  • the device is disposed in a functional entity capable of performing authentication management processing on the terminal, including the mobile switching center MSC/visiting location register VLR;
  • the terminal is a 3G terminal, and the high-level network is a 2G&3G network.
  • the method and device for realizing authentication of the invention can avoid unnecessary authentication failure, facilitate normal communication of the terminal, and improve user satisfaction.
  • FIG. 1 is a schematic diagram of a hybrid networking architecture of the prior art
  • FIG. 2 is a prior art authentication flowchart
  • FIG. 3 is a flowchart of an authentication process according to an embodiment of the present invention
  • FIG. 5 is a diagram of an authentication apparatus according to an embodiment of the present invention.
  • the 2G&3G MSC/VLR can process the authentication vector according to the following principle:
  • the 2G&3G MSC/VLR can set an authentication vector acquisition flag associated with the user to indicate that an authentication vector has been saved for the terminal because of 2G network access.
  • when the terminal roams to the 3G network and accesses the 2G&3G MSC/VLR, it can be determined whether the authentication vector acquisition flag is set for the terminal. If so, the authentication vector saved for the terminal is an unsuitable triplet. Therefore, the authentication vector is directly deleted, the authentication vector acquisition flag can be cleared, and an authentication vector suitable for the 3G network is then obtained anew from the HLR/Auc.
  • Figure 3 depicts the authentication process when the terminal first accesses the 2G network after roaming to the 2G&3G MSC/VLR.
  • the most important points are: the 2G&3G MSC/VLR sets the authentication vector acquisition flag according to the terminal type and access type; when the terminal roams again to the 3G network, it checks the authentication vector acquisition flag, deletes the saved authentication vector that does not apply to the 3G network, and instead obtains an authentication vector applicable to the 3G network from the HLR/Auc, thereby avoiding authentication failure.
  • the process shown in Figure 3 includes the following steps:
  • Step 301 The terminal is a 3G terminal, roaming from the 2G MSC/VLR to the 2G&3G MSC/VLR, and accessing the network through the BSC.
  • the terminal initiates a location update process to provide information about the previous location area.
  • Step 302 The 2G&3G MSC/VLR obtains the address of the 2G MSC/VLR according to the location area information, and sends a MAP-SEND-IDENTIFICATION request message to the 2G MSC/VLR to obtain the user identifier and the authentication vector.
  • Step 303 Since the 2G&3G MSC/VLR and the 2G MSC/VLR are connected by a lower version of the MAP protocol, the authentication vector returned by the 2G MSC/VLR is triplet information.
  • Step 304 The 2G&3G MSC/VLR determines that the terminal is a 3G terminal and is accessing through the BSC. Therefore, while the authentication vector is saved according to the prior art, an authentication vector acquisition flag is set for the terminal in its own record to indicate that an authentication vector has been saved for the terminal because of 2G network access.
  • Step 305 The 2G&3G MSC/VLR initiates an authentication process.
  • Step 306 The terminal continues to roam from the 2G network of the 2G&3G MSC/VLR to the 3G network, and initiates a location update process.
  • Step 307 The 2G&3G MSC/VLR determines that the terminal is a 3G terminal and is accessing through the RNC. Therefore, it searches for the authentication vector acquisition flag set for the terminal in its own record. When the authentication vector acquisition flag is found, this indicates that the authentication vector saved for the terminal is a triplet that is not applicable, so the authentication vector can be directly deleted, and the authentication vector acquisition flag can be cleared.
  • Step 308 The 2G&3G MSC/VLR obtains an authentication vector for the 3G network from the HLR/Auc through the MAP message.
  • Step 309 HLR/Auc returns the user's authentication vector.
  • Step 310 The 2G&3G MSC/VLR initiates an authentication process using an authentication vector for the 3G network obtained from the HLR/Auc.
  • an authentication vector acquisition flag can be added to the terminal; and when the terminal accesses the high-level network, an authentication vector suitable for the high-level network is acquired according to the authentication vector acquisition flag of the terminal.
  • regardless of where the terminal roams from into the high-level network, when the MSC/VLR of the high-level network obtains the terminal's authentication vector from the MSC/VLR of the previous network, the high-level authentication vector applicable to the high-level network, which is embodied as the 5-tuple authentication vector, cannot be obtained.
  • an authentication vector acquisition flag may be added to the terminal; and when the terminal accesses the high-level network, the authentication vector applicable to the high-level network is obtained according to the authentication vector acquisition flag of the terminal.
  • the foregoing operation method may represent the process shown in FIG. 4.
  • the process shown in FIG. 4 includes the following steps: Step 410: Add an authentication vector acquisition flag to the terminal that is assigned the low-level authentication vector. For example, when the terminal corresponding to the high-level network accesses through the low-level network, an authentication vector acquisition flag is added to the terminal; or, for the terminal that has communicated through the low-version MAP protocol, an authentication vector acquisition flag is added to the terminal.
  • Step 420 When the terminal accesses the high-level network, obtain the high-level authentication vector applicable to the high-level network according to the authentication vector acquisition flag of the terminal.
  • FIG. 5 is a diagram of an authentication apparatus according to an embodiment of the present invention.
  • the apparatus includes an authentication vector acquisition flag maintenance unit and an authentication vector processing unit that are connected to each other, and further includes an authentication unit.
  • the device may be disposed in a functional entity such as an MSC/VLR capable of performing authentication management on the terminal or the like.
  • the authentication vector acquisition flag maintenance unit may add an authentication vector acquisition flag to the terminal for the terminal to which the low-level authentication vector is assigned.
  • the authentication vector processing unit is configured to: when the terminal accesses the high-level network, search the authentication vector acquisition flag maintenance unit for the authentication vector acquisition flag set for the terminal; and when the authentication vector acquisition flag is found, obtain a high-level authentication vector suitable for the high-level network according to the authentication vector acquisition flag.
  • the acquired high-level authentication vector applicable to the high-level network may also be sent to the authentication unit, and the authentication unit initiates an authentication process for the terminal.
  • when the authentication vector processing unit determines that it is necessary to acquire a high-level authentication vector suitable for the high-level network, the low-level authentication vector previously saved for the terminal may be deleted, and the authentication vector acquisition flag maintenance unit may be notified to clear the authentication vector acquisition flag added for the terminal; the authentication vector acquisition flag maintenance unit clears the flag according to the received notification.
  • the method for realizing the authentication of the present invention can avoid the unnecessary authentication failure shown in FIG. 2, which is beneficial to the normal communication of the terminal and improves the user satisfaction.
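The flag handling of steps 301 to 310, sketched as an added Python example that is not part of the patent text. The `Hlr`, `Vlr` and `Record` classes, the `use_flag` switch, the sample IMSI and the random vector contents are assumptions made for illustration; dropping IK and AUTN stands in for the triplet conversion, and the authentication outcome is modelled only by the rule the text states (a triplet succeeds via the BSC and fails for a 3G terminal via the RNC).

```python
"""Toy model of the authentication vector acquisition flag (FIG. 3 flow)."""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BSC, RNC = "BSC", "RNC"   # 2G and 3G radio access, as named in the text


@dataclass(frozen=True)
class AuthVector:
    rand: bytes
    xres: bytes
    ck: bytes
    ik: Optional[bytes] = None     # present only in a quintuple
    autn: Optional[bytes] = None   # present only in a quintuple

    @property
    def is_quintuplet(self) -> bool:
        return self.ik is not None and self.autn is not None

    def to_triplet(self) -> "AuthVector":
        # Simplified stand-in for the quintuple -> triplet conversion:
        # IK and AUTN are dropped and cannot be recovered afterwards.
        return AuthVector(self.rand, self.xres, self.ck)


class Hlr:
    """Hypothetical HLR/Auc that returns batches of random quintuples."""

    def __init__(self) -> None:
        self.requests = 0

    def get_vectors(self, imsi: str, count: int = 3) -> List[AuthVector]:
        self.requests += 1
        return [AuthVector(*(os.urandom(16) for _ in range(5)))
                for _ in range(count)]


@dataclass
class Record:
    vectors: List[AuthVector] = field(default_factory=list)
    fetch_flag: bool = False       # the authentication vector acquisition flag


class Vlr:
    """2G&3G MSC/VLR; use_flag=False reproduces the failure the text describes."""

    def __init__(self, hlr: Hlr, use_flag: bool = True) -> None:
        self.hlr, self.use_flag = hlr, use_flag
        self.records: Dict[str, Record] = {}

    def location_update(self, imsi, is_3g_terminal, access, from_prev_vlr=None):
        rec = self.records.setdefault(imsi, Record())
        if from_prev_vlr:                      # steps 302-303: vectors from old VLR
            rec.vectors = list(from_prev_vlr)
        low_level = bool(rec.vectors) and not rec.vectors[0].is_quintuplet
        if is_3g_terminal and access == BSC and low_level:
            rec.fetch_flag = self.use_flag     # step 304: save vectors, set flag
        elif is_3g_terminal and access == RNC and rec.fetch_flag:
            rec.vectors.clear()                # step 307: delete stored triplets
            rec.fetch_flag = False             #           and clear the flag
        if not rec.vectors:                    # steps 308-309: ask the HLR/Auc
            rec.vectors = self.hlr.get_vectors(imsi)
        return self.authenticate(access, is_3g_terminal, rec.vectors.pop(0))

    @staticmethod
    def authenticate(access, is_3g_terminal, vector) -> bool:
        # Rule taken from the text: a triplet works through the BSC but
        # fails for a 3G terminal that is attached through the RNC.
        return not (is_3g_terminal and access == RNC and not vector.is_quintuplet)


def run_figure3(use_flag: bool):
    """Return (auth ok via BSC, auth ok via RNC, HLR requests by the new VLR)."""
    imsi = "001010123456789"                   # constructed sample identity
    hlr = Hlr()
    # The old 2G MSC/VLR can only hand over converted triplets (low MAP version).
    old_vlr_triplets = [v.to_triplet() for v in hlr.get_vectors(imsi, 3)]
    hlr.requests = 0
    vlr = Vlr(hlr, use_flag)
    via_bsc = vlr.location_update(imsi, True, BSC, old_vlr_triplets)  # 301-305
    via_rnc = vlr.location_update(imsi, True, RNC)                    # 306-310
    return via_bsc, via_rnc, hlr.requests


if __name__ == "__main__":
    print("with flag:   ", run_figure3(True))
    print("without flag:", run_figure3(False))
```
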

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses a method and device for realizing authentication. Each of them can add an authentication vector acquisition flag to a terminal that has been allocated a low-level authentication vector; when the terminal accesses a high-level network, a high-level authentication vector applicable to the high-level network is obtained according to the authentication vector acquisition flag of the terminal. Both the method and the device can avoid needless authentication failures, contribute to the normal communication of the terminal, and improve user satisfaction.

Description

Method and Device for Realizing Authentication
Technical Field
The present invention relates to the field of communications, and in particular to a method and apparatus for implementing authentication.
Background
At present, although 3G networks are gradually becoming widespread, operators usually adopt a gradual transition strategy for market and cost reasons, which leads to 2G&3G mobile switching centers/visitor location registers (MSC/VLR) being networked together. In a mobile communication network in this transition phase, the existing 2G MSC/VLR and the newly built 2G&3G MSC/VLR are usually deployed in a hybrid network.
Under these network conditions, the terminal can roam from the 2G MSC/VLR to the 2G&3G MSC/VLR, and can also roam from the 2G network to the 3G network within the 2G&3G MSC/VLR. During roaming, the MSC/VLR needs to handle the authentication process. There are two key points in handling the authentication process: the first is to acquire and save the authentication vector, and the second is to select the correct authentication vector to initiate the authentication process.
The MSC/VLR mainly obtains the authentication vector through two channels:
The home location register/authentication center (HLR/Auc) is responsible for generating the authentication vector of the terminal, and the MSC/VLR can obtain the authentication vector from the HLR/Auc and save it. To avoid fetching authentication vectors repeatedly, the HLR/Auc can provide multiple sets of authentication vectors at one time.
In addition to obtaining the authentication vector from the HLR/Auc, the MSC/VLR can, when processing a location update procedure across VLRs, obtain the authentication vector from the previous MSC/VLR through the MAP-SEND-IDENTIFICATION message in the 3GPP TS 29.002 protocol and save it.
For a 2G terminal, the authentication vector generated by the HLR/Auc is a triplet composed of the random number RAND, the expected response XRES, and the encryption key CK; for a 3G terminal, the authentication vector generated by the HLR/Auc is a quintuple composed of RAND, XRES, CK, the integrity key IK, and the authentication token AUTN.
When the authentication vector is obtained from the previous MSC/VLR, if the MSC/VLRs are connected using a lower MAP protocol version, then because of the version restriction only triplets can be passed in the MAP-SEND-IDENTIFICATION message. For the MSC/VLR, a triplet can be derived from a quintuple, but not vice versa. Therefore, even for a 3G terminal, the 2G MSC/VLR can only provide the converted triplets to the 2G&3G MSC/VLR. Moreover, after obtaining the authentication vector and before initiating the authentication process, the MSC/VLR needs to select an appropriate authentication vector according to the terminal's current radio access type and terminal type to ensure successful authentication.
As mentioned above, after the terminal roams from the 2G MSC/VLR to the 2G&3G MSC/VLR, the authentication vector obtained by the 2G&3G MSC/VLR from the 2G MSC/VLR can only be a triplet.
The 2G&3G MSC/VLR can be connected to both the 2G Base Station Controller (BSC) and the 3G Radio Network Controller (RNC). If the terminal accesses through the BSC at this time, then according to the definition of the 3GPP TS 33.102 protocol, authentication with the triplet can succeed, and the authentication vector obtained by the 2G&3G MSC/VLR from the 2G MSC/VLR is usable. However, if the terminal then roams from the BSC under the 2G&3G MSC/VLR to the RNC and the saved triplet is still used for subsequent authentication, authentication will fail. Likewise, if the terminal roams directly from the 2G MSC/VLR to the RNC under the 2G&3G MSC/VLR, authentication fails for the same reason.
In another case, if the MSC/VLRs, or the HLR and the 2G MSC/VLR, are connected using a lower MAP protocol version, then because of the version restriction only triplets can be passed in the MAP-SEND-IDENTIFICATION message. Then, no matter which level of network the terminal first accesses, as long as it roams to a high-level network (such as an RNC under a 3G network, or an RNC under a 2G&3G network), the MSC/VLR of the high-level network can only obtain a triplet. Once the triplet authentication vector is used, the result is also an authentication failure.
In summary, if the MAP protocol version is a high version, then whenever the terminal roams from a low-level network to a high-level network, the MSC/VLR of the high-level network can only obtain a triplet authentication vector when acquiring the terminal's authentication vector from the MSC/VLR of the previous network. If the MAP protocol version is a low version, then regardless of where the terminal roams from into the high-level network, the MSC/VLR of the high-level network can only obtain a triplet authentication vector when acquiring the terminal's authentication vector from the MSC/VLR of the previous network.
The networking scenario currently involved in the above authentication process is shown in Figure 1. In Figure 1, the 2G MSC/VLR 100 only supports connection to the BSC 120, while the 2G&3G MSC/VLR 110 supports access from both the BSC 121 and the RNC 122. The connection S220 between the 2G MSC/VLR 100 and the 2G&3G MSC/VLR 110 is limited by device capability and can only communicate using the lower version of the MAP protocol; the 2G&3G MSC/VLR 110 can obtain the terminal's authentication vector from the 2G MSC/VLR 100 through this connection.
The 2G MSC/VLR 100 and the 2G&3G MSC/VLR 110 are connected to the HLR/Auc through S200 and S222 respectively, also using the MAP protocol. S200 may also be limited by device capability, so that it can only communicate using the lower version of the MAP protocol. The 2G MSC/VLR 100 and the 2G&3G MSC/VLR 110 obtain the terminal's authentication vector from the HLR/Auc through their respective connections.
When the terminal 000 roams from the 2G MSC/VLR 100 to the 2G&3G MSC/VLR 110, the specific application scenario is shown in Figure 2, and the process shown in Figure 2 includes the following steps:
Step 201: The 3G terminal roams from the 2G MSC/VLR to the 2G&3G MSC/VLR and accesses the network through the RNC. The terminal initiates a location update process and provides information about the previous location area.
Step 202: The 2G&3G MSC/VLR obtains the address of the 2G MSC/VLR according to the location area information, and sends a MAP-SEND-IDENTIFICATION request message to the 2G MSC/VLR to obtain the user identifier and the authentication vector.
Step 203: Since the 2G&3G MSC/VLR and the 2G MSC/VLR are connected using a lower version of the MAP protocol, the authentication vector returned by the 2G MSC/VLR is triplet information.
Step 204: The 2G&3G MSC/VLR determines that the terminal is a 3G terminal and that the access is through the RNC. If the authentication vector is triplet information, the authentication vector is not saved but is directly discarded, and a new authentication vector is requested from the HLR/Auc through a MAP message.
Step 205: The HLR/Auc returns the authentication vector of the terminal.
Step 206: The 2G&3G MSC/VLR initiates the authentication process using the authentication vector obtained from the HLR/Auc.
It can be seen that in the scenario shown in Figure 2, a needless authentication failure occurs during terminal authentication because a suitable authentication vector was not obtained. This is clearly detrimental to the normal communication of the terminal and reduces user satisfaction.
Summary of the Invention
In view of this, the main object of the present invention is to provide a method and apparatus for implementing authentication that avoid needless authentication failures.
To achieve the above object, the technical solution of the present invention is implemented as follows:
A method for implementing authentication, the method comprising:
adding an authentication vector acquisition flag to a terminal to which a low-level authentication vector has been assigned; and, when the terminal accesses a high-level network, acquiring a high-level authentication vector applicable to the high-level network according to the authentication vector acquisition flag of the terminal.
The process of acquiring the authentication vector includes:
determining that the terminal is a terminal corresponding to the high-level network, searching for the authentication vector acquisition flag set for the terminal, and, when the authentication vector acquisition flag is found, acquiring a high-level authentication vector applicable to the high-level network.
The method further includes:
deleting the low-level authentication vector saved for the terminal, and clearing the authentication vector acquisition flag added for the terminal.
After the authentication vector is acquired, the authentication vector is further used to initiate the authentication process.
The terminal is a 3G terminal, and the high-level network is a 2G&3G network.
一种实现鉴权的装置, 该装置包括鉴权向量获取标记维护单元、 鉴权 向量处理单元; 其中,  An apparatus for implementing authentication, the apparatus comprising an authentication vector acquisition mark maintenance unit and an authentication vector processing unit; wherein
所述鉴权向量获取标记维护单元, 用于针对被分配有低等级鉴权向量 的终端添加鉴权向量获取标记;  The authentication vector acquisition flag maintenance unit is configured to add an authentication vector acquisition flag to the terminal to which the low-level authentication vector is assigned;
所述鉴权向量处理单元, 用于在所述终端接入高层次网络时, 根据所 述鉴权向量获取标记维护单元中添加的该终端的鉴权向量获取标记, 获取 适用于高层次网络的高等级鉴权向量。  The authentication vector processing unit is configured to: when the terminal accesses the high-level network, obtain an authentication vector acquisition flag of the terminal added by the identifier maintenance unit according to the authentication vector, and obtain an identifier suitable for a high-level network. High level authentication vector.
所述鉴权向量处理单元获取所述鉴权向量时, 具体用于判断出所述终 端为对应高层次网络的终端, 查找为该终端所设置的鉴权向量获取标记, 当查找到该鉴权向量获取标记时, 获取适用于高层次网络的高等级鉴权向 量。  When the authentication vector processing unit acquires the authentication vector, it is specifically used to determine that the terminal is a terminal corresponding to the high-level network, and finds an authentication vector acquisition flag set by the terminal, when the authentication is found. When the vector gets the tag, it gets a high-level authentication vector for the high-level network.
所述鉴权向量处理单元进一步用于:  The authentication vector processing unit is further configured to:
删除为所述终端所保存的低等级鉴权向量, 并通知鉴权向量获取标记 维护单元清除为该终端所添加的鉴权向量获取标记。  Deleting the low-level authentication vector saved for the terminal, and notifying the authentication vector acquisition flag maintenance unit to clear the authentication vector acquisition flag added for the terminal.
该装置进一步包括鉴权单元, 用于根据所述鉴权向量处理单元所获取 的适用于高层次网络的高等级鉴权向量发起鉴权过程。  The apparatus further includes an authentication unit for initiating an authentication process based on the high-level authentication vector applicable to the high-level network acquired by the authentication vector processing unit.
所述装置设置于包括移动交换中心 MSC/访问位置寄存器 VLR在内的 能够对终端进行鉴权管理处理的功能实体中;  The device is disposed in a functional entity capable of performing authentication management processing on the terminal, including the mobile switching center MSC/visiting location register VLR;
所述终端为 3G终端, 所述高层次网络为 2G&3G网络。  The terminal is a 3G terminal, and the high-level network is a 2G&3G network.
Both the method and the apparatus of the present invention for implementing authentication avoid unnecessary authentication failures, which facilitates normal communication of the terminal and improves user satisfaction.

Brief description of the drawings

Figure 1 is a diagram of a prior-art hybrid networking architecture;
Figure 2 is a prior-art authentication flowchart;
Figure 3 is an authentication flowchart according to an embodiment of the present invention;
Figure 4 is a simplified diagram of the authentication procedure of the present invention;
Figure 5 is a diagram of an authentication apparatus according to an embodiment of the present invention.

Detailed description
In practical applications, under hybrid networking conditions, if the authentication vector that the 2G&3G MSC/VLR obtains from the 2G MSC/VLR is a triplet, then, to reduce the probability of subsequent authentication failure, the 2G&3G MSC/VLR can process the authentication vector according to the following principles:
When the terminal is a 3G terminal and accesses through the 2G network, the 2G&3G MSC/VLR can set an authentication vector acquisition flag associated with the user, to indicate that an authentication vector has been saved for the terminal because of 2G network access. When the terminal roams to the 3G network and accesses the 2G&3G MSC/VLR, the MSC/VLR can determine whether the authentication vector acquisition flag is set for the terminal. If it is, the authentication vector saved for the terminal is an unsuitable triplet, so that authentication vector is deleted directly, the authentication vector acquisition flag can be cleared, and an authentication vector applicable to the 3G network is acquired anew from the HLR/Auc.
Because an authentication vector in quintet (five-tuple) form applicable to the 3G network is obtained, the unnecessary authentication failure shown in Figure 2 can be avoided.
The above approach can be represented as shown in Figure 3. Figure 3 describes the authentication procedure after the terminal roams to the 2G&3G MSC/VLR and first accesses from the 2G network. The core points are: the 2G&3G MSC/VLR sets the authentication vector acquisition flag according to the terminal type and the access type; and when the terminal roams again to the 3G network, the MSC/VLR checks that flag, deletes the saved authentication vector that is not applicable to the 3G network, and instead acquires an authentication vector applicable to the 3G network from the HLR/Auc, thereby avoiding authentication failure. The procedure shown in Figure 3 includes the following steps:
Step 301: The terminal is a 3G terminal. It roams from the 2G MSC/VLR to the 2G&3G MSC/VLR and accesses the network through the BSC. The terminal initiates a location update procedure and provides information about the previous location area.
Step 302: The 2G&3G MSC/VLR obtains the address of the 2G MSC/VLR from the location area information and sends a MAP-SEND-IDENTIFICATION request message to the 2G MSC/VLR to obtain the user identity and the authentication vector.
Step 303: Because the 2G&3G MSC/VLR and the 2G MSC/VLR are connected using a low version of the MAP protocol, the authentication vector returned by the 2G MSC/VLR is triplet information.
Step 304: The 2G&3G MSC/VLR determines that the terminal is a 3G terminal and that it is accessing through the BSC. Therefore, while saving the authentication vector as in the prior art, it sets the authentication vector acquisition flag for the terminal in its own records, to indicate that an authentication vector has been saved for the terminal because of 2G network access.
Step 305: The 2G&3G MSC/VLR initiates the authentication process.
Step 306: The terminal goes on to roam from the 2G network of the 2G&3G MSC/VLR into the 3G network and initiates a location update procedure.
Step 307: The 2G&3G MSC/VLR determines that the terminal is a 3G terminal and that it is accessing through the RNC, so it looks in its own records for the authentication vector acquisition flag set for the terminal. When the flag is found, the authentication vector previously saved for the terminal is an unsuitable triplet, so that authentication vector can be deleted directly and the authentication vector acquisition flag can be cleared.
Step 308: The 2G&3G MSC/VLR uses a MAP message to request from the HLR/Auc an authentication vector applicable to the 3G network.
Step 309: The HLR/Auc returns the user's authentication vector.
Step 310: The 2G&3G MSC/VLR initiates the authentication process using the authentication vector applicable to the 3G network obtained from the HLR/Auc.
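The flag handling of steps 301 to 310 can be followed in a small simulation. This is an added example, not code from the patent: the names `DualModeVlr`, `HlrAuc` and `roam`, the random placeholder vectors, and the rule that a triplet offered to a 3G terminal over RNC access fails (standing in for the Figure 2 failure the text refers to) are assumptions.

```python
import os
from collections import namedtuple
from dataclasses import dataclass, field

Vector = namedtuple("Vector", "kind fields")

def triplet():   # GSM vector: RAND, SRES, Kc (constructed random placeholders)
    return Vector("triplet", (os.urandom(16), os.urandom(4), os.urandom(8)))

def quintet():   # UMTS vector: RAND, XRES, CK, IK, AUTN (constructed placeholders)
    return Vector("quintet", (os.urandom(16), os.urandom(8), os.urandom(16),
                              os.urandom(16), os.urandom(16)))

@dataclass
class Record:                        # per-terminal record kept by the 2G&3G MSC/VLR
    is_3g_terminal: bool
    vectors: list = field(default_factory=list)
    acquisition_flag: bool = False   # the "authentication vector acquisition flag"

class HlrAuc:
    def __init__(self):
        self.requests = 0
    def get_vectors(self, imsi, count=2):   # stands in for the MAP request of step 308
        self.requests += 1
        return [quintet() for _ in range(count)]

class DualModeVlr:
    """Hypothetical model of the 2G&3G MSC/VLR; use_flag=False is the prior art."""
    def __init__(self, hlr, use_flag=True):
        self.hlr, self.use_flag, self.records = hlr, use_flag, {}

    def location_update(self, imsi, is_3g_terminal, access, from_old_vlr=()):
        rec = self.records.setdefault(imsi, Record(is_3g_terminal))
        if from_old_vlr:                                    # steps 302-304
            rec.vectors = list(from_old_vlr)
            low_level = all(v.kind == "triplet" for v in rec.vectors)
            if self.use_flag and is_3g_terminal and access == "BSC" and low_level:
                rec.acquisition_flag = True
        if rec.is_3g_terminal and access == "RNC" and rec.acquisition_flag:
            rec.vectors.clear()                             # step 307: drop triplets
            rec.acquisition_flag = False                    # and clear the flag
        if not rec.vectors:                                 # steps 308-309
            rec.vectors = self.hlr.get_vectors(imsi)
        return self._authenticate(rec, access)              # step 305 / step 310

    def _authenticate(self, rec, access):
        vec = rec.vectors.pop(0)
        # Assumed outcome model: a stored triplet used for a 3G terminal on
        # RNC access is the failure case the flag is meant to prevent.
        ok = not (rec.is_3g_terminal and access == "RNC" and vec.kind == "triplet")
        return vec.kind, ok

def roam(use_flag):
    """3G terminal arrives via BSC with triplets from the old VLR, then moves to RNC."""
    hlr = HlrAuc()
    vlr = DualModeVlr(hlr, use_flag)
    imsi = "001010000000001"                                # constructed test IMSI
    first = vlr.location_update(imsi, True, "BSC", [triplet() for _ in range(3)])
    second = vlr.location_update(imsi, True, "RNC")
    return first, second, hlr.requests, vlr.records[imsi].acquisition_flag

if __name__ == "__main__":
    for use_flag in (False, True):
        print("with flag   " if use_flag else "without flag", roam(use_flag))
```

With the flag, the second location update discards the leftover triplets, makes one request to the HLR/Auc and authenticates with a quintet; without it, the leftover triplet is reused and the modelled authentication fails.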
As the above description shows, when a terminal corresponding to a high-level network (for example, a 3G terminal corresponding to a 2G&3G network) accesses through a low-level network such as 2G, an authentication vector acquisition flag can be added for the terminal; and when the terminal accesses the high-level network, an authentication vector applicable to the high-level network is acquired according to the terminal's authentication vector acquisition flag.
It should be noted that if the MAP protocol version is a low version, then no matter where the terminal roams from into the high-level network, when the MSC/VLR of the high-level network obtains the terminal's authentication vector from the MSC/VLR of the previous network, it can obtain only a triplet authentication vector, which is a low-level authentication vector, and cannot obtain the high-level authentication vector applicable to the high-level network, which takes the form of a quintet authentication vector. In this case an authentication vector acquisition flag can likewise be added for the terminal; and when the terminal accesses the high-level network, an authentication vector applicable to the high-level network is acquired according to the terminal's authentication vector acquisition flag.
The above approach can be represented as the procedure shown in Figure 4, which includes the following steps:
Step 410: For a terminal that has been assigned a low-level authentication vector, add an authentication vector acquisition flag for the terminal. For example: when a terminal corresponding to the high-level network accesses through a low-level network, add an authentication vector acquisition flag for the terminal; or, for a terminal that has communicated through a low-version MAP protocol, add an authentication vector acquisition flag for the terminal.
Step 420: When the terminal accesses the high-level network, acquire a high-level authentication vector applicable to the high-level network according to the terminal's authentication vector acquisition flag.
To ensure that the above operations can be carried out smoothly, the apparatus shown in Figure 5 can be provided. Figure 5 is a diagram of an authentication apparatus according to an embodiment of the present invention. The apparatus includes an authentication vector acquisition flag maintenance unit and an authentication vector processing unit, which are connected to each other, and may further include an authentication unit. The apparatus can be disposed in a functional entity, such as an MSC/VLR, that is capable of performing processing such as authentication management on terminals.
In a specific application, the authentication vector acquisition flag maintenance unit can add an authentication vector acquisition flag for a terminal that has been assigned a low-level authentication vector. The authentication vector processing unit can, when the terminal accesses the high-level network, query the authentication vector acquisition flag maintenance unit for the authentication vector acquisition flag set for the terminal; when the flag is found, it acquires a high-level authentication vector applicable to the high-level network according to that flag.
Further, the acquired high-level authentication vector applicable to the high-level network can be sent to the authentication unit, and the authentication unit initiates the authentication process for the terminal.
In addition, when the authentication vector processing unit determines that a high-level authentication vector applicable to the high-level network needs to be acquired, it can delete the low-level authentication vector previously saved for the terminal, and it can notify the authentication vector acquisition flag maintenance unit to clear the authentication vector acquisition flag added for the terminal; the authentication vector acquisition flag maintenance unit clears the flag added for the terminal according to the notification it receives.
The operations that the above units can perform have been disclosed in detail in the foregoing technical description and are not repeated here.
In summary, whether as a method or as an apparatus, the authentication technique of the present invention avoids the unnecessary authentication failure shown in Figure 2, which facilitates normal communication of the terminal and improves user satisfaction.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A method for implementing authentication, characterized in that the method includes:
adding an authentication vector acquisition flag for a terminal that has been assigned a low-level authentication vector; and, when the terminal accesses a high-level network, acquiring a high-level authentication vector applicable to the high-level network according to the terminal's authentication vector acquisition flag.
2. The method according to claim 1, characterized in that the process of acquiring the authentication vector includes:
determining that the terminal is a terminal corresponding to the high-level network, and looking up the authentication vector acquisition flag set for the terminal; when the flag is found, acquiring the high-level authentication vector applicable to the high-level network.
3. The method according to claim 2, characterized in that the method further includes:
deleting the low-level authentication vector saved for the terminal, and clearing the authentication vector acquisition flag added for the terminal.
4. The method according to claim 2, characterized in that, after the authentication vector is acquired, the authentication vector is further used to initiate an authentication process.
5. The method according to any one of claims 1 to 4, characterized in that the terminal is a 3G terminal and the high-level network is a 2G&3G network.
6. An apparatus for implementing authentication, characterized in that the apparatus includes an authentication vector acquisition flag maintenance unit and an authentication vector processing unit, wherein:
the authentication vector acquisition flag maintenance unit is configured to add an authentication vector acquisition flag for a terminal that has been assigned a low-level authentication vector;
the authentication vector processing unit is configured to, when the terminal accesses a high-level network, acquire a high-level authentication vector applicable to the high-level network according to the terminal's authentication vector acquisition flag added in the authentication vector acquisition flag maintenance unit.
7. The apparatus according to claim 6, characterized in that, when acquiring the authentication vector, the authentication vector processing unit is specifically configured to determine that the terminal is a terminal corresponding to the high-level network and to look up the authentication vector acquisition flag set for the terminal; when the flag is found, it acquires the high-level authentication vector applicable to the high-level network.
8. The apparatus according to claim 7, characterized in that the authentication vector processing unit is further configured to:
delete the low-level authentication vector saved for the terminal, and notify the authentication vector acquisition flag maintenance unit to clear the authentication vector acquisition flag added for the terminal.
9. The method according to claim 7, characterized in that the apparatus further includes an authentication unit, configured to initiate an authentication process according to the high-level authentication vector applicable to the high-level network that the authentication vector processing unit has acquired.
10. The apparatus according to any one of claims 6 to 9, characterized in that the apparatus is disposed in a functional entity capable of performing authentication management processing on terminals, including a mobile switching center (MSC)/visitor location register (VLR);
the terminal is a 3G terminal, and the high-level network is a 2G&3G network.
PCT/CN2011/071783 2010-06-29 2011-03-14 Method and device for realizing authentication WO2012000327A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010221243.XA CN101883362B (en) 2010-06-29 2010-06-29 A kind of method and apparatus realizing authentication
CN201010221243.X 2010-06-29

Publications (1)

Publication Number Publication Date
WO2012000327A1 true WO2012000327A1 (en) 2012-01-05

Family

ID=43055212

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/071783 WO2012000327A1 (en) 2010-06-29 2011-03-14 Method and device for realizing authentication

Country Status (2)

Country Link
CN (1) CN101883362B (en)
WO (1) WO2012000327A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101883362B (en) * 2010-06-29 2015-09-16 中兴通讯股份有限公司 A kind of method and apparatus realizing authentication
CN102137459B (en) * 2011-02-21 2013-12-04 华为技术有限公司 Method as well as related system and device for ensuring CS (circuit-switched) domain of one-card double-standby terminal to reside in two networks simultaneously
CN111405557B (en) * 2020-03-19 2022-03-15 中国电子科技集团公司第三十研究所 Method and system for enabling 5G network to flexibly support multiple main authentication algorithms

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6671507B1 (en) * 2000-06-16 2003-12-30 Siemens Aktiengesellschaft Authentication method for inter-system handover between at least two radio communications systems
CN1642083A (en) * 2004-09-23 2005-07-20 华为技术有限公司 Network side anthority-discrimination-mode selecting method
CN101132279A (en) * 2006-08-24 2008-02-27 华为技术有限公司 Authentication method and authentication system
CN101645901A (en) * 2009-09-03 2010-02-10 烽火通信科技股份有限公司 Method for deciding user authentication mode by IMS network based on terminal capabilities
CN101883362A (en) * 2010-06-29 2010-11-10 中兴通讯股份有限公司 Method and device for realizing authentication

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101426233B (en) * 2007-11-02 2010-08-04 华为技术有限公司 Roaming user equipment gradation controlling method and gateway equipment for access service network

Also Published As

Publication number Publication date
CN101883362B (en) 2015-09-16
CN101883362A (en) 2010-11-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11800072

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11800072

Country of ref document: EP

Kind code of ref document: A1