WO2012174959A1 - Method, system and gateway for group authentication in machine-to-machine communication - Google Patents

Method, system and gateway for group authentication in machine-to-machine communication

Info

Publication number
WO2012174959A1
Authority
WO
WIPO (PCT)
Prior art keywords
mtc terminal
mtc
key
authentication
gateway
Application number
PCT/CN2012/075475
Other languages
English (en)
Chinese (zh)
Inventor
夏正雪
田甜
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Publication of WO2012174959A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/065 Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement
    • H04W 12/06 Authentication

Definitions

  • The present invention relates to the field of machine type communication (MTC) security, and more particularly to a method, system and gateway for group authentication in machine-to-machine (M2M) communication.
  • MTC: machine type communication
  • M2M: machine to machine
  • M2M communication is being introduced into communication network technology. Its goal is to give every MTC terminal the ability to network and communicate, enabling information exchange between machines and machines, machines and people, and people and machines.
  • A large number of MTC terminals will be deployed in an M2M system, most of them low-mobility MTC terminals. An MTC application typically has multiple MTC terminals participating in the communication, and these MTC terminals together form an MTC group.
  • MTC terminals belonging to the same MTC group may be in the same location, share the same MTC characteristics, or belong to the same MTC user; any of these can be used flexibly as the basis for grouping. Each MTC terminal in an MTC group is visible to the network. Because terminals in the same group may need to communicate with the network independently, an independent session key for each MTC terminal is also required.
  • The M2M system is therefore required to identify an MTC group uniquely and to be able to verify that an MTC terminal is a legitimate member of that MTC group.
  • The existing security mechanisms of second generation (2G) and third generation (3G) mobile network systems mainly comprise authentication and encryption. Authentication is the process of verifying that the other party's identity is legitimate.
  • The following is a brief description of the Authentication and Key Agreement (AKA) procedure of the Universal Mobile Telecommunication System (UMTS).
  • AKA: Authentication and Key Agreement
  • UMTS: Universal Mobile Telecommunication System
  • EPS: Evolved Packet System
  • UMTS AKA authentication is based on the root key K that is stored both in the Home Location Register (HLR) and in the Universal Subscriber Identity Module (USIM) card built into the terminal.
  • HLR: Home Location Register
  • USIM: Universal Subscriber Identity Module
  • Step 101: The terminal sends an access request to the Serving GPRS Support Node/Visitor Location Register (SGSN/VLR) of the General Packet Radio Service (GPRS).
  • SGSN/VLR: Serving GPRS Support Node/Visitor Location Register
  • GPRS: General Packet Radio Service
  • Step 102: The SGSN/VLR initiates an authentication request to the HLR/Authentication Center (AuC) according to the terminal identifier.
  • AuC: Authentication Center
  • Step 103: The HLR/AuC generates multiple sets of authentication vectors. Each authentication vector is a quintuple consisting of a random number (RAND), an expected response (XRES), an authentication token (AUTN), a confidentiality key (CK) and an integrity key (IK).
  • RAND: random number
  • XRES: expected response
  • AUTN: authentication token
  • CK: confidentiality key
  • IK: integrity key
  • Step 104: The HLR/AuC sends the generated authentication vector quintuples to the SGSN/VLR that requested the authentication.
  • Step 105: The SGSN/VLR receives and stores the authentication vector quintuples sent by the HLR/AuC.
  • Step 106: The SGSN/VLR selects one set from the stored authentication vectors and sends its RAND and AUTN to the terminal that sent the access request.
  • Step 107: The USIM card in the terminal checks whether the AUTN can be accepted; if so, step 108 is performed. Checking whether the AUTN can be accepted means, for example, checking whether the AUTN is composed of a valid authentication token: on receiving the authentication message from the SGSN/VLR, the terminal first calculates the expected message authentication code XMAC and compares it with the MAC contained in the AUTN. If they differ, the authentication is rejected and the authentication procedure is abandoned. If they are the same, the terminal verifies that the received sequence number (SQN) is within the valid range; if it is not, the terminal sends a synchronization failure message to the SGSN/VLR and abandons the authentication procedure. If the XMAC matches the MAC in the AUTN and the SQN is verified to be within the valid range, go to step 108.
  • Step 108: The terminal calculates the response value RES and sends it to the SGSN/VLR. The SGSN/VLR compares the RES sent by the terminal with the XRES sent by the HLR/AuC; if they are consistent the authentication passes, otherwise it fails.
  • At the same time, the USIM card in the terminal calculates IK and CK, which are used for confidentiality and integrity protection of subsequent data transmission. In this way the establishment of a secure channel between the terminal and the network is completed.
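The terminal-side AUTN check and the SGSN/VLR's RES/XRES comparison of Steps 103 to 108, as an added example that is not part of the patent: the UMTS f1..f5 functions are replaced by domain-separated HMAC-SHA256 stand-ins (Milenage is not on the page), the AMF value, the 16-byte root key and the SQN acceptance window of 32 are constructed, and the USIM class, hlr_generate_av and run_aka are names chosen here.

```python
import hashlib
import hmac
import os
from typing import NamedTuple

# Stand-ins for the UMTS f1..f5 functions. Milenage is not on the page, so each
# is a domain-separated HMAC-SHA256 truncated to the field size (an assumption).
def _f(tag: bytes, k: bytes, data: bytes, n: int) -> bytes:
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]

def f1(k, sqn, rand, amf): return _f(b"f1", k, sqn + rand + amf, 8)  # MAC / XMAC
def f2(k, rand): return _f(b"f2", k, rand, 8)                        # XRES / RES
def f3(k, rand): return _f(b"f3", k, rand, 16)                       # CK
def f4(k, rand): return _f(b"f4", k, rand, 16)                       # IK
def f5(k, rand): return _f(b"f5", k, rand, 6)                        # AK, hides SQN

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

AMF = b"\x80\x00"  # authentication management field, constructed constant

class AV(NamedTuple):
    """The authentication vector quintuple of Step 103."""
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes

def hlr_generate_av(k: bytes, sqn: int) -> AV:
    """HLR/AuC side (Step 103): build one vector for sequence number sqn."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f1(k, sqn_b, rand, AMF)
    autn = xor(sqn_b, f5(k, rand)) + AMF + mac   # AUTN = (SQN xor AK) || AMF || MAC
    return AV(rand, f2(k, rand), f3(k, rand), f4(k, rand), autn)

class USIM:
    """Terminal side (Steps 107-108). Tracks the highest SQN it has accepted."""
    def __init__(self, k: bytes, sqn_window: int = 32):
        self.k = k
        self.sqn_highest = -1
        self.sqn_window = sqn_window

    def authenticate(self, rand: bytes, autn: bytes) -> tuple:
        """Returns ('ok', RES, CK, IK), ('mac_failure',) or ('sync_failure', SQN_highest)."""
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn_b = xor(sqn_xor_ak, f5(self.k, rand))      # recover SQN with AK
        xmac = f1(self.k, sqn_b, rand, amf)
        if not hmac.compare_digest(xmac, mac):          # Step 107: XMAC != MAC
            return ("mac_failure",)                      # reject, abandon procedure
        sqn = int.from_bytes(sqn_b, "big")
        # SQN must be fresh (no replay) and not beyond the accepted window
        if sqn <= self.sqn_highest or sqn - self.sqn_highest > self.sqn_window:
            return ("sync_failure", self.sqn_highest)   # synchronisation failure message
        self.sqn_highest = sqn
        # Step 108: RES goes to the network, CK/IK stay for the secure channel
        return ("ok", f2(self.k, rand), f3(self.k, rand), f4(self.k, rand))

def sgsn_compare(av: AV, res: bytes) -> bool:
    """SGSN/VLR side: RES from the terminal against XRES from the HLR/AuC."""
    return hmac.compare_digest(av.xres, res)

def run_aka(usim: USIM, av: AV) -> str:
    """One AKA run as seen by the SGSN/VLR, given the vector it selected (Step 106)."""
    outcome = usim.authenticate(av.rand, av.autn)
    if outcome[0] != "ok":
        return outcome[0]
    _, res, ck, ik = outcome
    if not sgsn_compare(av, res):
        return "auth_failure"
    # both ends now hold the same CK/IK although neither ever sent them
    return "authenticated" if (ck, ik) == (av.ck, av.ik) else "key_mismatch"
```

A replayed or far-ahead SQN yields a synchronisation failure even though the MAC is valid, which is the order of checks the text describes.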
  • In the MTCe scenario of the prior art, group authentication is performed on the basis of an MTC Gateway Device (scenario 1). The authentication is divided into two parts. The first part is two-way authentication between the MTC Gateway Device and the core network (CN), for example AKA authentication. The second part is two-way authentication between the MTC Gateway Device and the MTC Device, after which the MTC Gateway Device notifies the CN of the authentication result of the MTC Device.
  • In that scheme the MTC Devices in a group have at least one identical attribute and the CN stores the identity of each group member independently; the MTC Devices in the group communicate through a proprietary protocol that may not be a 3GPP protocol.
  • In a second prior-art scheme (option 2), all MTC Devices in the group forward key material to an MTC Delegate; the MTC Delegate computes the group key and performs the authentication with the CN on behalf of all MTC Devices. The MTC Delegate may change.
  • Scenario 1 gives only a brief description of the solution and no details. Because the MTC Gateway Device derives the session key between the MTC Device and the CN and sends it to both the MTC Device and the CN, end-to-end security between the MTC Device and the CN cannot be guaranteed. Moreover, the MTC Gateway Device may belong to a different operator, and if the MTC Device and the MTC Gateway Device are non-3GPP networks, the authentication method is beyond the scope of 3GPP research.
  • The advantage of option 2 is that the MTC Device can complete group authentication without knowing Kg. However, where Ki comes from is not stipulated, nor how the CN knows Ki, and each group authentication in this scheme is limited to the MTC Devices that are online. If an attacker maliciously interferes with an MTC Device so that it repeatedly joins and leaves the group, this has a serious impact on the system, and if a wrong Ki is sent for unknown reasons, derivation of the entire key material fails.
  • The main purpose of the embodiments of the present invention is to provide a method, system and gateway for group authentication in M2M communication that reduce the large signaling load caused by authenticating each MTC terminal individually and address the security threats described above, so as to meet the corresponding security requirements.
  • An embodiment of the present invention provides a method for group authentication in M2M communication. The method includes: a machine type communication (MTC) terminal gateway and a core network (CN) perform two-way authentication and calculate key material;
  • MTC: machine type communication
  • CN: core network
  • the MTC terminal gateway performs mutual authentication with the MTC terminal and, after the authentication passes, sends the key material to the MTC terminal, so that the MTC terminal generates the authenticated communication key from the received key material and the hash value of its own root key;
  • the MTC terminal gateway notifies the CN of the authenticated MTC terminal, and the CN generates the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal.
  • The method further includes: the low-mobility MTC terminals that belong to the same MTC user and are in the same location covered by the MTC terminal gateway are subscribed to the same MTC group.
  • The mutual authentication between the MTC terminal gateway and the CN includes: the MTC terminal gateway initiates an access request to the Access Security Management Device (ASME); the ASME requests an authentication vector from the Home Subscriber Server/Home Location Register (HSS/HLR) according to the received request; the HSS/HLR generates the authentication vector from the subscription data, together with the hash values of the root keys of the MTC terminals associated with the MTC terminal gateway, and returns them to the ASME, which stores them; the ASME and the MTC terminal gateway authenticate each other using the authentication vector, then calculate the key material and establish a secure channel.
  • The key material is specifically a key material calculated from the confidentiality key and the integrity key.
  • The method further includes: the MTC terminal gateway determines whether the MTC terminal has been authenticated and whether the MTC terminal gateway itself holds the key material. If the MTC terminal has not been authenticated, the MTC terminal gateway and the MTC terminal perform mutual authentication and the key material is then sent to the MTC terminal; if it has been authenticated but no key material exists, the MTC terminal gateway and the CN perform mutual authentication again, calculate the key material and send it to the MTC terminal; if it has been authenticated and the key material exists, the key material is sent to the MTC terminal directly.
  • The mutual authentication between the MTC terminal gateway and the CN includes AKA authentication.
  • The mutual authentication between the MTC terminal gateway and the MTC terminal includes mutual authentication based on Internet Protocol Security (IPSec), Transport Layer Security (TLS), a Public Key Infrastructure (PKI) certificate, or a local access technology.
  • IPSec: Internet Protocol Security
  • TLS: Transport Layer Security
  • PKI: Public Key Infrastructure
  • An embodiment of the invention further provides a system for group authentication in M2M communication, the system comprising an MTC terminal gateway, a CN and an MTC terminal, where:
  • the MTC terminal gateway is configured to perform mutual authentication with the CN and calculate the key material, to perform mutual authentication with the MTC terminal and, after the authentication passes, send the key material to the MTC terminal, and to notify the CN of the authenticated MTC terminal;
  • the CN is configured to generate the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal;
  • the MTC terminal is configured to generate the authenticated communication key from the key material and the hash value of its own root key.
  • The MTC terminal gateway is further configured to subscribe the low-mobility MTC terminals that belong to the same MTC user and are in the same location to the same MTC group.
  • The CN further includes an ASME and an HSS/HLR, where the ASME is configured to obtain from the HSS/HLR, during the mutual authentication between the MTC terminal gateway and the CN, the hash values of the root keys of the MTC terminals associated with the MTC terminal gateway, and to store them in the ASME.
  • The MTC terminal gateway is further configured to determine, during mutual authentication with the MTC terminal, whether the MTC terminal has been authenticated and whether the MTC terminal gateway itself holds the key material. If the MTC terminal has not been authenticated, the MTC terminal gateway and the MTC terminal perform two-way authentication and the key material is then sent to the MTC terminal; if it has been authenticated but the key material does not exist, the two-way authentication between the MTC terminal gateway and the CN is performed again, and the key material is calculated and sent to the MTC terminal; if it has been authenticated and the key material exists, the key material is sent to the MTC terminal directly.
  • An embodiment further provides an MTC terminal gateway, which includes a CN two-way authentication module and a terminal two-way authentication module, where:
  • the CN two-way authentication module is configured to perform mutual authentication with the CN and calculate the key material;
  • the terminal two-way authentication module is configured to perform mutual authentication with the MTC terminal and, after the authentication passes, send the key material to the MTC terminal, so that the MTC terminal generates the authenticated communication key from the received key material and the hash value of its own root key, and to notify the CN of the authenticated MTC terminal, so that the CN generates the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal.
  • The MTC terminal gateway further includes a subscription module, configured to subscribe the low-mobility MTC terminals that belong to the same MTC user in the same location covered by the gateway to the same MTC group.
  • The terminal two-way authentication module is further configured to determine, during the mutual authentication with the MTC terminal, whether the MTC terminal has been authenticated and whether the MTC terminal gateway holds the key material Kg. If the MTC terminal has not been authenticated, the module performs mutual authentication with the MTC terminal and then sends the key material to the MTC terminal; if it has been authenticated but the key material Kg does not exist, the module triggers the CN two-way authentication module to re-authenticate with the CN, and the key material is calculated and sent to the MTC terminal; if it has been authenticated and the key material Kg exists, the key material is sent to the MTC terminal directly.
  • In the embodiments, the MTC terminal gateway performs mutual authentication with the CN and calculates the key material; the MTC terminal gateway performs mutual authentication with the MTC terminal and, after the authentication passes, sends the key material to the MTC terminal, which generates the authenticated communication key from the received key material and the hash value of its own root key; the MTC terminal gateway notifies the CN of the authenticated MTC terminal, and the CN generates the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal.
  • Because the MTC terminal and the CN each generate the communication key themselves from the key material and the hash value of the MTC terminal root key, the MTC terminal gateway never has to send a session key to the MTC terminal or to the CN, which ensures end-to-end security between the MTC terminal and the CN.
  • FIG. 1 is a schematic diagram of the existing authentication technology and procedure in systems such as UMTS and EPS;
  • FIG. 2 is a schematic diagram of a network element structure according to an embodiment of the present invention;
  • FIG. 3 is a schematic flowchart of a method for group authentication in M2M communication according to an embodiment of the present invention;
  • FIG. 4 is a schematic flowchart of the two-way authentication performed by the MTC terminal gateway and the CN according to an embodiment of the present invention;
  • FIG. 5 is a schematic flowchart of the two-way authentication performed by the MTC terminal gateway and the MTC terminal according to an embodiment of the present invention;
  • FIG. 6 is a schematic structural diagram of a system for group authentication in M2M communication according to an embodiment of the present invention.

Detailed description

  • The basic idea of the embodiments of the present invention is: the MTC terminal gateway and the core network (CN) perform mutual authentication and calculate the key material; the MTC terminal gateway and the MTC terminal perform mutual authentication and, after the authentication passes, the key material is sent to the MTC terminal and the CN is notified of the authenticated MTC terminal; the MTC terminal generates the authenticated communication key from the received key material and the hash value of its own root key, and at the same time the CN generates the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal.
  • FIG. 2 is a schematic diagram of the network element architecture according to an embodiment of the present invention. The architecture includes an MTC terminal 201 connected to an MTC terminal gateway 202; the MTC terminal gateway 202 is connected to the Access Security Management Device (ASME) 203 of the M2M system, and the ASME 203 is connected to the Home Subscriber Server/Home Location Register (HSS/HLR) 204. The ASME 203 and the HSS/HLR 204 belong to the core network side.
  • FIG. 3 is a schematic flowchart of a method for group authentication in M2M communication according to an embodiment of the present invention. As shown in FIG. 3, the method includes:
  • Step 301: The MTC terminal gateway and the CN perform mutual authentication and calculate the key material.
  • The mutual authentication between the MTC terminal gateway and the CN includes AKA authentication. The key material is specifically calculated from the confidentiality key CK and the integrity key IK: the key material Kg = CK || IK. The specific calculation method and procedure follow the prior art and are not described again here.
  • The method further includes: the MTC terminal gateway subscribes the low-mobility MTC Devices that belong to the same MTC user and are in the same location it covers to the same MTC group.
  • The two-way authentication process further includes obtaining from the HSS/HLR the hash values of the root keys of the MTC Devices associated with the MTC terminal gateway and storing them in the Access Security Management Device (ASME). The hash values of the MTC Device root keys associated with the MTC terminal gateway are specifically the hash values of the root keys of all MTC Devices in the same MTC group covered by the MTC terminal gateway.
  • Specifically, the two-way authentication between the MTC terminal gateway and the CN includes: the MTC terminal gateway initiates an access request to the ASME; the ASME requests an authentication vector from the HSS/HLR according to the received request; the HSS/HLR generates the authentication vectors AV(1 ... n) from the subscription data, together with the hash values of the MTC Device root keys associated with the MTC terminal gateway, and returns them to the ASME, which stores them; the ASME and the MTC terminal gateway use the authentication vector for authentication and, after the authentication passes, calculate the key material and establish a secure channel.
  • Establishing the secure channel specifically means that the ASME selects the confidentiality key CK and the integrity key IK corresponding to the MTC terminal gateway and uses them for confidentiality and integrity protection of the subsequent communication.
  • Step 302: The MTC terminal gateway and the MTC Device perform mutual authentication. After the authentication passes, the key material is sent to the MTC Device and the CN is notified of the authenticated MTC Device. Specifically, the mutual authentication between the MTC terminal gateway and the MTC Device is two-way authentication based on Internet Protocol Security (IPSec), Transport Layer Security (TLS), a Public Key Infrastructure (PKI) certificate, or a local access technology.
  • The method further includes: the MTC terminal gateway determines whether the MTC Device has been authenticated and whether the MTC terminal gateway itself holds the key material Kg. If the MTC Device has not been authenticated, the MTC terminal gateway and the MTC Device perform two-way authentication and the key material is then sent to the MTC Device; if it has been authenticated but the key material Kg does not exist, return to step 301 so that the MTC terminal gateway and the CN authenticate each other again, then calculate the key material and send it to the MTC Device; if it has been authenticated and the key material Kg exists, the key material is sent to the MTC Device directly.
  • Step 303: The MTC Device generates the authenticated communication key from the received key material and the hash value of its own root key, and at the same time the CN generates the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC Device.
  • Specifically, the MTC Device generates from the received key material Kg and the hash value of its own root key its own confidentiality key CKi and integrity key IKi, which are used for subsequent confidentiality and integrity protection.
  • On the CN side, after the ASME receives the identity of the authenticated MTC Device advertised by the MTC terminal gateway, it generates the confidentiality key CKi and the integrity key IKi from the key material Kg and the hash value of the root key corresponding to that MTC Device, for subsequent confidentiality and integrity protection. The confidentiality key CK and integrity key IK from which the CN calculates the key material are obtained from the HSS/HLR during the mutual authentication between the MTC terminal gateway and the CN in step 301.
  • FIG. 4 is a schematic flowchart of the two-way authentication performed by the MTC terminal gateway and the CN according to an embodiment of the present invention. As shown in FIG. 4, the authentication includes the following steps:
  • Step 401: The MTC Gateway Device initiates an access request to the ASME; the access request includes the identity of the MTC Gateway Device.
  • Step 402: The ASME requests an authentication vector from the HSS/HLR according to the received request.
  • Step 403: The HSS/HLR checks the subscription data of the MTC Gateway Device, confirms that the MTC Gateway Device is the agent subscribed for a group of MTC Devices, and generates the authentication vectors AV(1 ... n) together with the hash values of the root keys of the MTC Devices associated with the MTC Gateway Device.
  • Step 404: The HSS/HLR sends an authentication data response message to the ASME; the response message includes the authentication vectors generated in step 403 and the hash values of the MTC Device root keys.
  • Step 405: The ASME stores the authentication vectors and the hash values of the MTC Device root keys sent by the HSS/HLR.
  • Step 406: The ASME initiates an authentication request to the MTC Gateway Device; the request message carries a random number (RAND) and an authentication token (AUTN).
  • Step 407: The MTC Gateway Device authenticates the network using RAND and AUTN and calculates the authentication response (RES), the confidentiality key CK and the integrity key IK.
  • RES: authentication response
  • Step 408: The MTC Gateway Device returns the RES to the ASME.
  • Step 409: The ASME verifies whether RES and XRES are consistent. If they are, the authentication passes and the corresponding confidentiality key CK and integrity key IK are selected for the subsequent calculation of the key material and for confidentiality and integrity protection; if not, the authentication fails.
  • Step 410: A secure channel is established between the MTC Gateway Device and the network. The specific calculation method and procedure follow the prior art and are not described here.
  • FIG. 5 is a schematic flowchart of the two-way authentication performed by the MTC terminal gateway and the MTC terminal according to an embodiment of the present invention. As shown in FIG. 5, the process includes the following steps:
  • Step 501: The MTC Device initiates an access request to the MTC Gateway Device; the request includes the identity of the MTC Device.
  • Step 502: The MTC Gateway Device determines whether the MTC Device has been authenticated and whether the MTC Gateway Device holds the key material Kg. If the MTC Device has not been authenticated, step 503 is performed; if it has been authenticated but the key material Kg does not exist, step 504 is performed to re-establish the secure channel between the MTC Gateway Device and the CN; if it has been authenticated and the key material Kg exists, step 505 is performed.
  • Step 503: The MTC Gateway Device and the MTC Device perform mutual authentication and establish a secure channel. The two-way authentication is specifically performed using IPSec, TLS, a PKI certificate, or a local access technology. After the MTC Gateway Device and the MTC Device have authenticated each other and the secure channel is established, step 504 is performed if the key material Kg does not exist in the MTC Gateway Device; if the MTC Gateway Device already holds the key material Kg, step 504 is skipped and step 505 is performed.
  • Step 504: Establish a secure channel between the MTC Gateway Device and the CN.
  • Step 505: The MTC Gateway Device sends an access response to the MTC Device; the response message includes the key material Kg and the key lifetime of Kg.
  • Step 506: At the same time, the MTC Gateway Device advertises the identity of the MTC Device (such as the Device ID) to the ASME, indicating that the MTC Device has passed the intra-group authentication.
  • Step 507: The MTC Device generates the confidentiality key CKi and the integrity key IKi from the received key material Kg and the hash value of its own root key, for subsequent confidentiality and integrity protection.
  • Step 508: After receiving the identity of the MTC Device advertised by the MTC Gateway Device, the ASME generates the confidentiality key CKi and the integrity key IKi from Kg and the hash value of the root key corresponding to that MTC Device, for subsequent confidentiality and integrity protection.
  • Step 509: The MTC Device and the ASME in the core network establish a secure channel based on the confidentiality key CKi and the integrity key IKi.
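The flow of Steps 501 to 509 carried through in code, as an added example rather than the patent's own: the AKA between gateway and CN is replaced by a stand-in returning fixed CK/IK, the function that turns Kg and H(Ki) into CKi/IKi is an assumed HMAC-SHA256 construction (the page fixes none), and the root keys, device identifiers and class names (ASME, MTCGateway, MTCDevice) are constructed here. It also covers the Step 502 branching and the ASME refusing a device whose root-key hash the HSS/HLR never supplied.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

def root_key_hash(ki: bytes) -> bytes:
    """H(Ki): what the HSS/HLR hands to the ASME (Steps 403-405) instead of Ki."""
    return hashlib.sha256(ki).digest()

def derive_device_keys(kg: bytes, ki_hash: bytes) -> Tuple[bytes, bytes]:
    """CKi/IKi from key material Kg and H(Ki) (Steps 507 and 508). The page fixes
    no concrete function, so a domain-separated HMAC-SHA256 is assumed here."""
    ck = hmac.new(kg, b"CKi" + ki_hash, hashlib.sha256).digest()[:16]
    ik = hmac.new(kg, b"IKi" + ki_hash, hashlib.sha256).digest()[:16]
    return ck, ik

def gateway_cn_aka() -> Tuple[bytes, bytes]:
    """Stand-in for the gateway/CN AKA of Steps 401-410: the CK, IK both sides end
    up with. Constructed fixed values; a real run takes them from the AV."""
    return bytes(range(16)), bytes(range(16, 32))

class ASME:
    """Core-network side: CK/IK from the gateway AKA plus H(Ki) of the group."""
    def __init__(self, ck: bytes, ik: bytes, group_hashes: Dict[str, bytes]):
        self.kg = ck + ik                      # Kg = CK || IK (Step 301)
        self.group_hashes = group_hashes       # from the HSS/HLR, Step 404
        self.device_keys: Dict[str, Tuple[bytes, bytes]] = {}

    def on_device_notified(self, device_id: str) -> bool:
        """Step 508: the gateway reports that device_id passed intra-group
        authentication. No H(Ki) from the HSS/HLR means not a group member."""
        ki_hash = self.group_hashes.get(device_id)
        if ki_hash is None:
            return False
        self.device_keys[device_id] = derive_device_keys(self.kg, ki_hash)
        return True

class MTCGateway:
    """Gateway: holds Kg after its own AKA but never a device's Ki or H(Ki)."""
    def __init__(self, asme: ASME, ck: bytes, ik: bytes, kg_lifetime: int = 3600):
        self.asme = asme
        self.kg: Optional[bytes] = ck + ik
        self.kg_lifetime = kg_lifetime         # sent alongside Kg in Step 505
        self.authenticated: Set[str] = set()   # devices that passed Step 503

    def re_establish_cn_channel(self) -> None:
        """Step 504: rerun the AKA with the CN so both sides hold fresh CK/IK."""
        ck, ik = gateway_cn_aka()
        self.kg = ck + ik
        self.asme.kg = ck + ik                 # the ASME recomputes its own Kg

    def handle_access_request(self, device_id: str) -> Tuple[List[str], bytes]:
        """Step 502 branching; returns the steps taken and the Kg sent (Step 505)."""
        steps: List[str] = []
        if device_id not in self.authenticated:
            steps.append("503")                # gateway/device mutual authentication
            self.authenticated.add(device_id)  # IPSec/TLS/PKI/local, not modelled here
        if self.kg is None:
            steps.append("504")                # authenticated, but no Kg: back to the CN
            self.re_establish_cn_channel()
        steps.append("505")                    # access response carrying Kg + lifetime
        self.asme.on_device_notified(device_id)
        steps.append("506")                    # advertise the Device ID to the ASME
        return steps, self.kg

class MTCDevice:
    def __init__(self, device_id: str, ki: bytes):
        self.device_id, self.ki = device_id, ki

    def on_access_response(self, kg: bytes) -> Tuple[bytes, bytes]:
        """Step 507: CKi/IKi from Kg and the hash of the device's own root key."""
        return derive_device_keys(kg, root_key_hash(self.ki))

def demo() -> Dict[str, object]:
    """Two devices with constructed root keys behind one gateway."""
    ki = {"dev-A": b"A" * 16, "dev-B": b"B" * 16}
    hss_hashes = {dev: root_key_hash(k) for dev, k in ki.items()}  # HSS/HLR -> ASME
    ck, ik = gateway_cn_aka()
    asme = ASME(ck, ik, hss_hashes)
    gw = MTCGateway(asme, ck, ik)
    dev_a = MTCDevice("dev-A", ki["dev-A"])
    first, kg = gw.handle_access_request("dev-A")       # fresh device, Kg present
    agree = dev_a.on_access_response(kg) == asme.device_keys["dev-A"]
    second, _ = gw.handle_access_request("dev-A")       # already authenticated
    gw.kg = None                                        # Kg lifetime expired
    third, _ = gw.handle_access_request("dev-A")
    return {"first": first, "second": second, "third": third,
            "device_and_asme_agree": agree,
            "stranger_accepted": asme.on_device_notified("dev-X")}
```

The gateway only ever forwards Kg, and the device and the ASME arrive at the same CKi/IKi independently, which is the end-to-end property the text claims over scenario 1.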
  • FIG. 6 is a schematic structural diagram of a system for group authentication in M2M communication according to an embodiment of the present invention. The system includes an MTC terminal gateway 61, a CN 62 and an MTC terminal 63, where:
  • the MTC terminal gateway 61 is configured to perform mutual authentication with the CN 62 and calculate the key material, to perform mutual authentication with the MTC terminal 63 and, after the authentication passes, send the key material to the MTC terminal 63, and to notify the CN 62 of the authenticated MTC terminal 63;
  • the mutual authentication between the MTC terminal gateway 61 and the CN 62 includes AKA authentication; the key material is specifically calculated from the confidentiality key CK and the integrity key IK, Kg = CK || IK, and the specific calculation method and procedure follow the prior art and are not described again here;
  • the two-way authentication between the MTC terminal gateway 61 and the MTC terminal 63 includes two-way authentication based on IPSec, TLS, a PKI certificate, or a local access technology.
  • The MTC terminal gateway 61 is further configured to subscribe the low-mobility MTC terminals that belong to the same MTC user and are in the same location to the same MTC group.
  • The MTC terminal gateway 61 is further configured to determine, during the two-way authentication with the MTC terminal 63, whether the MTC terminal 63 has been authenticated and whether the MTC terminal gateway 61 itself holds the key material Kg. If the MTC terminal 63 has not been authenticated, the MTC terminal gateway 61 and the MTC terminal 63 perform mutual authentication and the key material is sent to the MTC terminal 63 after it passes; if it has been authenticated but the key material Kg does not exist, the mutual authentication between the MTC terminal gateway 61 and the CN 62 is performed again, and the key material is calculated and sent to the MTC terminal 63; if it has been authenticated and the key material Kg exists, the key material is sent directly to the MTC terminal 63.
  • The MTC terminal gateway 61 includes a CN two-way authentication module and a terminal two-way authentication module, where the CN two-way authentication module is configured to perform mutual authentication with the CN 62 and calculate the key material, and the terminal two-way authentication module is configured to perform two-way authentication with the MTC terminal 63 and, after it passes, send the key material to the MTC terminal 63, so that the MTC terminal 63 generates the authenticated communication key from the received key material and the hash value of its own root key, and to notify the CN 62 of the authenticated MTC terminal 63, so that the CN 62 generates the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal 63.
  • The MTC terminal gateway 61 further includes a subscription module, configured to subscribe the low-mobility MTC terminals that belong to the same MTC user in the same location to the same MTC group.
  • The terminal two-way authentication module is further configured to determine, during the two-way authentication with the MTC terminal 63, whether the MTC terminal 63 has been authenticated and whether the MTC terminal gateway 61 itself holds the key material Kg. If the MTC terminal 63 has not been authenticated, the module performs mutual authentication with the MTC terminal 63 and then sends the key material to the MTC terminal 63; if it has been authenticated but the key material Kg does not exist, the module triggers the CN two-way authentication module to perform the mutual authentication with the CN 62 again, and the key material is calculated and sent to the MTC terminal 63; if it has been authenticated and the key material Kg exists, the key material is sent directly to the MTC terminal 63.
  • The CN 62 is configured to generate the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal 63.
  • The CN 62 further includes an ASME 64 and an HSS/HLR 65, where the ASME 64 is configured to obtain from the HSS/HLR 65, during the mutual authentication between the MTC terminal gateway 61 and the CN 62, the hash values of the root keys of the MTC terminals 63 associated with the MTC terminal gateway 61, and to store them in the ASME 64. The hash values of the root keys of the MTC terminals 63 associated with the MTC terminal gateway 61 are specifically the hash values of the root keys of all MTC terminals 63 in the same MTC group covered by the MTC terminal gateway 61.
  • the MTC terminal gateway 61 and the CN62 performing the mutual authentication specifically include: the MTC terminal gateway 61 initiates an access request to the ASME64; the ASME64 requests an authentication vector from the HSS/HLR 65 according to the received request; and the HSS/HLR 65 generates an authentication vector AV according to the subscription data. (1...n), and the hash value of the MTC terminal 63 root key associated with the MTC terminal gateway 61, and returned to the ASME64 for saving; the ASME64 and the MTC terminal gateway 61 authenticate using the authentication vector After the key material Kg is calculated and a secure channel is established.
  • the construction The security channel specifically refers to: ASME 64 selects the confidentiality key CK and the integrity key IK corresponding to the MTC terminal gateway 61 for confidentiality and integrity protection of subsequent communication.
  • the CN62 generates the authenticated communication key according to the key material and the hash value of the root key of the authenticated MTC terminal 63. Specifically, the ASME 64 in the CN62 receives the authenticated MTC notified by the MTC terminal gateway 61. After the identity of the terminal 63, the confidentiality key CKi and the integrity key IKi are generated based on the key material Kg and the hash value of the root key corresponding to the MTC terminal 63 for subsequent confidentiality and integrity protection.
  • the MTC terminal 63 is configured to generate an authenticated communication key according to the received key material and a hash value of the root key.
  • the MTC terminal 63 generates the authenticated communication key according to the received key material and the hash value of the own root key, specifically: the MTC terminal 63 according to the received key material Kg and its own root key.
  • the hash value is generated to correspond to its own secret key CKi and integrity key IKi for subsequent confidentiality and integrity protection.
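The following is an added model of the key flow described above; it is not code from the patent or from its applicant. It simulates the HSS/HLR, the ASME (standing in for the CN), the MTC terminal gateway and a group of MTC terminals: the gateway authenticates once with the CN and obtains Kg = CK||IK, authenticates each terminal locally and hands it Kg, and the terminal and the CN then derive CKi/IKi independently from Kg and the hash of the terminal's root key, which the gateway never holds. HMAC-SHA256 as the key derivation function, the RAND/XRES challenge-response standing in for AKA, and the HMAC challenge standing in for the IPSec/TLS/PKI/local terminal authentication are all assumptions of this example; the page does not specify them.

```python
"""Added model of the MTC group-authentication key flow (assumed KDF and auth stand-ins)."""
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 derivation; assumed, not taken from the patent."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def root_key_hash(root_key: bytes) -> bytes:
    """The CN stores only this hash of the terminal root key, never the key itself."""
    return hashlib.sha256(root_key).digest()


def derive_terminal_keys(kg: bytes, h_root: bytes):
    """CKi / IKi from Kg and H(root key); run identically on the terminal and in the CN."""
    return kdf(kg, b"CKi", h_root)[:16], kdf(kg, b"IKi", h_root)[:16]


class HSS:
    """HSS/HLR: long-term gateway keys, terminal root keys and the group subscription."""
    def __init__(self, gateway_keys, root_keys, groups):
        self.gateway_keys, self.root_keys, self.groups = gateway_keys, root_keys, groups

    def auth_vector(self, gw_id):
        """One AKA-style vector (RAND, XRES, CK, IK) plus the hashed root keys of the group."""
        k, rand = self.gateway_keys[gw_id], os.urandom(16)
        av = (rand, kdf(k, b"RES", rand), kdf(k, b"CK", rand)[:16], kdf(k, b"IK", rand)[:16])
        return av, {t: root_key_hash(self.root_keys[t]) for t in self.groups[gw_id]}


class ASME:
    """Core-network node: authenticates the gateway, keeps Kg and the root-key hashes."""
    def __init__(self, hss):
        self.hss, self.root_hashes, self.kg, self.keys, self.auth_runs = hss, {}, {}, {}, 0

    def authenticate_gateway(self, gw):
        self.auth_runs += 1
        (rand, xres, ck, ik), hashes = self.hss.auth_vector(gw.gw_id)
        if not hmac.compare_digest(gw.respond(rand), xres):
            raise PermissionError("gateway failed CN authentication")
        self.root_hashes.update(hashes)        # hashes returned with the vector, stored here
        self.kg[gw.gw_id] = ck + ik            # Kg = CK || IK
        return self.kg[gw.gw_id]

    def notify_authenticated(self, gw_id, term_id):
        """Gateway reports an authenticated terminal; the CN derives that terminal's CKi/IKi."""
        self.keys[term_id] = derive_terminal_keys(self.kg[gw_id], self.root_hashes[term_id])


class Terminal:
    def __init__(self, term_id, root_key, local_cred):
        self.term_id, self.root_key, self.local_cred, self.keys = term_id, root_key, local_cred, None

    def prove(self, nonce):                    # stand-in for IPSec/TLS/PKI/local access auth
        return kdf(self.local_cred, b"LOCAL", nonce)

    def receive_key_material(self, kg):
        self.keys = derive_terminal_keys(kg, root_key_hash(self.root_key))


class Gateway:
    def __init__(self, gw_id, k, local_creds):
        self.gw_id, self.k, self.local_creds = gw_id, k, local_creds
        self.kg, self.authenticated = None, set()

    def respond(self, rand):
        return kdf(self.k, b"RES", rand)

    def attach(self, term, asme):
        """The three-way decision from the description: not authenticated, no Kg, or both present."""
        if term.term_id not in self.authenticated:
            nonce = os.urandom(16)
            expected = kdf(self.local_creds[term.term_id], b"LOCAL", nonce)
            if not hmac.compare_digest(term.prove(nonce), expected):
                raise PermissionError("terminal failed local authentication")
            self.authenticated.add(term.term_id)
        if self.kg is None:                    # authenticated but no Kg: redo CN authentication
            self.kg = asme.authenticate_gateway(self)
        term.receive_key_material(self.kg)     # authenticated and Kg present: send directly
        asme.notify_authenticated(self.gw_id, term.term_id)


def run_group_attach(n_terminals=3):
    """Attach n low-mobility terminals of one group through one gateway; return the checks."""
    roots = {f"t{i}": os.urandom(16) for i in range(n_terminals)}   # constructed sample keys
    creds = {t: os.urandom(16) for t in roots}
    gw_key = os.urandom(16)
    hss = HSS({"gw1": gw_key}, roots, {"gw1": list(roots)})
    asme, gw = ASME(hss), Gateway("gw1", gw_key, creds)
    terms = [Terminal(t, roots[t], creds[t]) for t in roots]
    for term in terms:
        gw.attach(term, asme)
    return {
        "keys_match": all(term.keys == asme.keys[term.term_id] for term in terms),
        "distinct_per_terminal": len({term.keys for term in terms}) == n_terminals,
        "cn_auth_runs": asme.auth_runs,         # one AKA run serves the whole group
    }


if __name__ == "__main__":
    print(run_group_attach())
```

The two properties worth checking are that the terminal and the CN end up with identical CKi/IKi although the gateway only ever forwards Kg, and that Kg is shared by the group while every terminal's session keys differ, because the per-terminal root-key hash enters the derivation only on the terminal and in the CN.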

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a method, a system and a gateway for group authentication in machine-to-machine communication. The method consists in that: a machine type communication (MTC) terminal gateway performs two-way authentication with a core network (CN) and calculates key material; the MTC terminal gateway performs two-way authentication with an MTC terminal and sends the key material to the terminal after the authentication succeeds, so that the MTC terminal generates an authenticated communication key from the received key material and the hash value of the MTC terminal's root key; the MTC terminal gateway notifies the CN of the MTC terminal whose authentication succeeded, so that the CN generates an authenticated communication key from the key material and the hash value of the root key of the successfully authenticated MTC terminal. The embodiments of the present invention greatly reduce the signalling load between the MTC terminal and the core network and improve the efficiency of MTC terminal access authentication, while avoiding that a session key derived by the MTC terminal gateway is sent to the MTC terminal and the CN, and guaranteeing end-to-end security between the MTC terminal and the CN.
PCT/CN2012/075475 2011-06-21 2012-05-14 Procédé, système et passerelle d'authentification de groupe dans une communication entre machines WO2012174959A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110167280.1 2011-06-21
CN201110167280.1A CN102843233B (zh) 2011-06-21 2011-06-21 一种机器到机器通信中组认证的方法和系统

Publications (1)

Publication Number Publication Date
WO2012174959A1 true WO2012174959A1 (fr) 2012-12-27

Family

ID=47370313

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/075475 WO2012174959A1 (fr) 2011-06-21 2012-05-14 Procédé, système et passerelle d'authentification de groupe dans une communication entre machines

Country Status (2)

Country Link
CN (1) CN102843233B (fr)
WO (1) WO2012174959A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10880332B2 (en) * 2017-04-24 2020-12-29 Unisys Corporation Enterprise security management tool
US11093598B2 (en) * 2015-12-28 2021-08-17 Huawei Technologies Co., Ltd. Identity authentication method and apparatus

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20150103734A (ko) * 2013-01-10 2015-09-11 닛본 덴끼 가부시끼가이샤 Ue 들의 mtc 그룹에 대한 브로드캐스팅에서의 그룹 인증
CN105229986B (zh) * 2013-02-15 2019-02-12 康维达无线有限责任公司 跨域服务层资源传播
JP6165483B2 (ja) * 2013-03-27 2017-07-19 株式会社Nttドコモ 通信システム、中継装置及び通信方法
CN103596167B (zh) * 2013-10-25 2016-06-29 西安电子科技大学 基于代理的机器类型通信认证和密钥协商方法
CN104754576B (zh) * 2013-12-31 2018-07-31 华为技术有限公司 设备验证方法、用户设备及网络设备
CN105681210A (zh) * 2014-11-14 2016-06-15 中兴通讯股份有限公司 组资源更新处理方法、装置、系统及cse
CN105792095A (zh) * 2014-12-23 2016-07-20 中兴通讯股份有限公司 用于mtc分组通信的密钥协商方法、系统及网络实体
CN104602236B (zh) * 2015-02-04 2018-08-07 西安电子科技大学 一种机器类型通信中基于群组的匿名切换认证方法
CN106034027A (zh) * 2015-03-12 2016-10-19 中兴通讯股份有限公司 一种实现分组认证的方法及系统
CN105187398B (zh) * 2015-08-12 2018-01-30 四川神琥科技有限公司 一种身份认证识别方法
WO2018222132A2 (fr) 2017-05-29 2018-12-06 华为国际有限公司 Procédé d'authentification de réseau, dispositif de réseau et dispositif central de réseau
CN110267351B (zh) 2018-03-12 2022-07-22 华为云计算技术有限公司 通信方法和装置
CN110366179A (zh) * 2018-04-09 2019-10-22 中兴通讯股份有限公司 一种认证方法、设备和计算机可读存储介质
CN110324820A (zh) * 2019-07-03 2019-10-11 易联众智能(厦门)科技有限公司 一种物联网安全鉴权方法、系统及可读介质

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080311906A1 (en) * 2007-03-21 2008-12-18 Samsung Electronics Co., Ltd. Mobile communication network and method and apparatus for authenticating mobile node in the mobile communication network
CN101854629A (zh) * 2010-05-21 2010-10-06 西安电子科技大学 家庭基站系统中用户终端接入认证及重认证的方法
CN101867928A (zh) * 2010-05-21 2010-10-20 西安电子科技大学 移动用户通过家庭基站接入核心网的认证方法
CN102088668A (zh) * 2011-03-10 2011-06-08 西安电子科技大学 基于群组的机器类型通信设备的认证方法

Also Published As

Publication number Publication date
CN102843233A (zh) 2012-12-26
CN102843233B (zh) 2017-05-31

Similar Documents

Publication Publication Date Title
WO2012174959A1 (fr) Procédé, système et passerelle d'authentification de groupe dans une communication entre machines
US10849191B2 (en) Unified authentication for heterogeneous networks
JP6371644B2 (ja) 単一の登録手順を使用するクライアントのグループの安全な登録
US9270672B2 (en) Performing a group authentication and key agreement procedure
US8769647B2 (en) Method and system for accessing 3rd generation network
CN104145465B (zh) 机器类型通信中基于群组的自举的方法和装置
CN101931955B (zh) 认证方法、装置及系统
US20110320802A1 (en) Authentication method, key distribution method and authentication and key distribution method
US11997078B2 (en) Secured authenticated communication between an initiator and a responder
WO2011127810A1 (fr) Procédé et appareil d'authentification de dispositifs de communication
WO2011131052A1 (fr) Procédé et système d'authentification par groupes dans les systèmes de communication de machine à machine
EP3614741B1 (fr) Appareil de traitement pour l'accès d'un terminal à un réseau 3gpp et système de communication ansi que système et produit de programme d'ordinateur correspondants
KR20100085185A (ko) 통신시스템을 위한 상호동작 기능
CN105027529A (zh) 用于安全网络接入的方法和装置
EP1698197B1 (fr) Authentification dans un reseau de communication
Basudan LEGA: a lightweight and efficient group authentication protocol for massive machine type communication in 5G networks
WO2007025484A1 (fr) Procede de negociation de mise a jour pour cle d'autorisation et dispositif associe
KR101431214B1 (ko) 머신 타입 통신에서의 네트워크와의 상호 인증 방법 및 시스템, 키 분배 방법 및 시스템, 및 uicc와 디바이스 쌍 인증 방법 및 시스템
WO2012151933A1 (fr) Procédé et système d'authentification de service offert
CN108282775B (zh) 面向移动专用网络的动态附加认证方法及系统
Abdelkader et al. A novel advanced identity management scheme for seamless handoff in 4G wireless networks
Niranjani et al. Distributed security architecture for authentication in 4G networks
CN112039838B (zh) 一种适用于移动通信不同应用场景的二次认证方法和系统
Liu et al. The Wi-Fi device authentication method based on information hiding
WO2008034359A1 (fr) Procédé, système de communication et dispositif permettant d'identifier et d'authentifier un dispositif d'authentification

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12801851

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12801851

Country of ref document: EP

Kind code of ref document: A1