WO2014113921A1 - Method and network device for security authentication of mobile communication system - Google Patents

Method and network device for security authentication of mobile communication system Download PDF

Info

Publication number
WO2014113921A1
WO2014113921A1 PCT/CN2013/070841 CN2013070841W WO2014113921A1 WO 2014113921 A1 WO2014113921 A1 WO 2014113921A1 CN 2013070841 W CN2013070841 W CN 2013070841W WO 2014113921 A1 WO2014113921 A1 WO 2014113921A1
Authority
WO
WIPO (PCT)
Prior art keywords
access network
network element
lte
sgsn
umts
Prior art date
Application number
PCT/CN2013/070841
Other languages
French (fr)
Chinese (zh)
Inventor
陈璟
靳维生
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to CN201380070865.9A priority Critical patent/CN105075306B/en
Priority to PCT/CN2013/070841 priority patent/WO2014113921A1/en
Publication of WO2014113921A1 publication Critical patent/WO2014113921A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement

Definitions

  • Embodiments of the present invention relate to the field of communications, and in particular, to a method and a network device for secure authentication of a mobile communication system.
  • Long Term Evolution Long Term Evolution
  • SAE System Architecture Evolution
  • 3rd Generation Partnership Project 3rd Generation Partnership Project
  • WCDMA Wideband Code Division Multiple Access
  • TD-SCDMA Time Division-Synchronous Code Division Multiple Access
  • CDMA Division Code Division Multiple Access 2000
  • the Universal Mobile Telecommunication System (UMTS) network and the LTE/SAE network have developed an Authentication and Key Agreement ("AKA") mechanism to perform UE and network. Two-way authentication.
  • the two-way authentication mechanism of the UMTS network is called UMTS AKA
  • the two-way authentication mechanism of the LTE/SAE network is called an Evolved Packet System (“EPS”) AKA.
  • UE User Equipment
  • UE accesses a 2G/3G core network through an LTE access network. Since the 2G/3G core network can only obtain UMTS AV from the HSS, the LTE UE refuses to use the UMTS AV for authentication when accessing through the LTE network. Therefore, the LTE UE cannot access the 2G/3G core network through the LTE access network.
  • the embodiments of the present invention provide a method and a network device for secure authentication of a mobile communication system, which enable an LTE UE to use a 2G/3G network.
  • a method for secure authentication of a mobile communication system including:
  • the HSS receives a request for a special authentication vector sent by the network element of the access network, and the request for the special authentication vector is sent by the network element of the access network after receiving the request for the authentication vector sent by the SGSN;
  • the HSS generates a special authentication vector according to the request for the special authentication vector
  • the HSS sends the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
  • the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is the access network element
  • the attach request message is converted, and the attach request message is sent by the LTE UE.
  • the access network element, the SGSN, and the LTE UE complete the security authentication, including: the access network The network element sends the special authentication vector to the SGSN, where the SGSN sends a UMTS AKA authentication challenge to the access network element, and the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the challenge to the LTE.
  • the LTE UE After the LTE UE verifies and generates the RES and the key K ASME according to the LTE AKA authentication challenge, the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network The SGSN and the LTE UE further complete the security authentication.
  • the special authentication vector includes XRES, CK, and IK;
  • the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access network element, and the access network element generates according to the CK and or IK. K ASME , the access network element and the The LTE UE shares the K ASME .
  • whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.
  • the request for the special authentication vector is sent by the access network element to the SGSN.
  • the request for the authentication vector after the request is sent includes:
  • the access network element identifies that the LTE UE accesses the 2G or 3G network
  • the access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
  • the HSS in combination with the first aspect or the first to fifth possible implementation manners of the first aspect, the HSS generates a special authentication vector according to the request for the special authentication vector:
  • the HSS generates EPS AV for the LTE UE
  • the HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
  • the HSS converting the EPS AV into the UMTS AV format includes:
  • the HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS
  • the K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
  • the access network element generating the K ASME according to the CK and or the ⁇ includes:
  • a method for secure authentication of a mobile communication system including:
  • the SGSN receives the UMTS attach request message, and the UMTS attach request message is obtained by the access network element converting the attach request message sent by the LTE UE; the SGSN sends the request authentication vector to the access network element. Requesting, after the access network element receives the request for the authentication vector, sending a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector, and then sends the request to the HSS.
  • Access network element
  • the SGSN After receiving the special authentication vector from the access network element, the SGSN sends a UMTS AKA authentication challenge to the access network element, so that the SGSN, the access network element, and the LTE UE complete the security authentication.
  • the SGSN, the access network element, and the LTE UE complete the security authentication, including:
  • the access network element is sent to the LTE UE, and after the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key K ASME , the LTE UE will The LTE AKA authentication response including the RES is sent to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
  • the special authentication vector includes XRES, CK, and IK;
  • the SG AKA authentication response is converted into a UMTS
  • the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access network element, and the access network element generates according to the CK and or IK. K ASME , the access network element and the LTE UE share the K ASME .
  • the second possible implementation of the second aspect
  • the access network element receives the request for the authentication vector Requests to send a request for a special authentication vector to the HSS include:
  • the access network element identifies that the LTE UE accesses the 2G or 3G network
  • the access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
  • the HSS generates EPS AV for the LTE UE
  • the HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
  • the HSS converting the EPS AV into the UMTS AV format includes:
  • the HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS
  • the K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
  • the access network element generating the K ASME according to the CK and or the ⁇ includes:
  • the third aspect provides a security authentication method for a mobile communication system, including: the access network element converts an attach request message from the LTE UE into a UMTS attach request message;
  • the access network element sends the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the access network element after receiving the UMTS attach request message;
  • the access network element After receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector, so that the HSS can perform the special authentication.
  • the vector is sent to the access network element network element;
  • the access network element receives the UMTS AKA authentication challenge, and the UMTS AKA authentication challenge is sent by the SGSN to the SGSN by the access network element sending the special authentication vector to the SGSN;
  • the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the challenge to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
  • the security authentication of the access network element, the SGSN, and the LTE UE is performed by:
  • the LTE UE After the LTE UE verifies the LTE AKA authentication challenge, the RES and the key K ASME are generated;
  • the access network element receives the LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
  • the special authentication vector includes XRES, CK, and IK;
  • the LTE AKA authentication response including the RES is converted into a UMTS AKA authentication response including the RES, where the access network element, the SGSN, and the LTE UE further perform security authentication, the access network element:
  • the network element sends the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the SGSN.
  • Network access network element
  • the access network element generates K ASME according to the CK and or IK, the access network element and the LTE UE A total of KASME °
  • whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.
  • the access network element receives the request for the authentication vector and sends a request for a special request.
  • the request for the authentication vector to the HSS includes:
  • the access network element identifies that the LTE UE accesses the 2G or 3G network
  • the access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
  • the generating, by the HSS, the special authentication vector according to the request for the special authentication vector includes:
  • the HSS generates EPS AV for the LTE UE
  • the HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
  • the HSS converting the EPS AV into the UMTS AV format includes:
  • the HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS
  • the K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
  • the access network element generating the K ASME according to the CK and or the ⁇ includes:
  • an HSS including: a receiving module, a processing module, and a sending module; the receiving module is configured to receive a request for a special authentication vector sent by an access network element, where the request for the special authentication vector is requested by the The access network element receives the request for the authentication vector sent by the SGSN and sends the request;
  • the processing module is configured to generate a special authentication vector according to the request for the special authentication vector; the sending module is configured to send the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE The UE completes the security certification.
  • the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is the access network element
  • the attach request message is converted, and the attach request message is sent by the LTE UE.
  • the access network element, the SGSN, and the LTE UE complete the security authentication, including: the access network The network element sends the special authentication vector to the SGSN, and the SGSN sends the UMTS.
  • the AKA authentication challenge is performed to the access network element, and the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge, and then sends the LTE UE to the LTE UE, and the LTE UE verifies and generates the RES according to the LTE AKA authentication challenge.
  • the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
  • the special authentication vector includes XRES, CK, and IK;
  • the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access.
  • the network element, the access network element generates K ASME according to the CK and or IK, and the access network element and the LTE UE share the K ASME .
  • the comparing, by the SGSN, whether the RES and the XRES are the same include: when the comparison result is different, the security authentication is suspended.
  • the request for the special authentication vector is sent by the access network element to the SGSN.
  • the request for the authentication vector after the request is sent includes:
  • the access network element identifies that the LTE UE accesses the 2G or 3G network
  • the access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
  • the processing module is configured to generate a special authentication vector according to the request for the special authentication vector Includes:
  • the processing module is configured to generate an EPS AV for the LTE UE;
  • the processing module is configured to convert the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
  • the processing module is configured to convert the EPS AV into the UMTS AV format, including:
  • the processing module is configured to use RAND in the EPS AV as the RAND of the UMTS AV, and the processing module is configured to use the AUTN in the EPS AV as the AUTN of the UMTS AV, and the processing module is used to use the XRES in the EPS AV As the XRES of the UMTS AV, the processing module is configured to split the K ASME in the EPS AV into two parts, respectively, as the CK and the IK of the UMTS AV.
  • the access network element generates a K ASME according to the CK and or IK, including:
  • an SGSN including: a receiving module; a sending module;
  • the receiving module is configured to receive a UMTS attach request message sent by an access network element, where the
  • the UMTS attach request message is obtained by the access network element converting the attach request message sent by the LTE UE;
  • the sending module is configured to send a request for the authentication vector to the access network element, so that after receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, so that the HSS Generating the special authentication vector according to the request for the special authentication vector, and then sending the special authentication vector to the access network element;
  • the receiving module is further configured to receive the special authentication vector from the network element of the access network, where the sending module is further configured to send the UMTS AKA authentication challenge to the access network element after the receiving module receives the special authentication vector, So that the SGSN, the access network element, and the LTE UE complete the security authentication.
  • the SGSN, the access network element, and the LTE are used.
  • the UE completes the security certification including:
  • the access network element is sent to the LTE UE, and after the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key K ASME , the LTE UE will The LTE AKA authentication response including the RES is sent to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
  • the SGSN further includes a processing module
  • the special authentication vector contains XRES, CK, IK;
  • the further completing the security authentication for the access network element, the SGSN and the LTE UE comprises: the access network element converting the LTE AKA authentication response into a UMTS AKA authentication response and The UMTS AKA authentication response is sent to the receiving module, and the processing module is configured to compare whether the RES and the XRES are the same. When the comparison result is the same, the sending module sends the CK and or IK to the access network element.
  • the access network element generates K ASME according to the CK and or IK, and the CK and or IK are sent by the sending module, and the access network element and the LTE UE share the K ASME .
  • the processing module is configured to compare whether the RES and the XRES are the same, and further includes: when the comparison result is different, the suspension is performed. safety certificate.
  • the access network element receives the request for the authentication vector Requests to send a request for a special authentication vector to the HSS include:
  • the access network element identifies that the LTE UE accesses the 2G or 3G network
  • the access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
  • the HSS generates EPS AV for the LTE UE
  • the HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
  • the HSS converting the EPS AV into the UMTS AV format includes:
  • the HSS uses RAND in the EPS AV as the RAND of the UMTS AV
  • the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV
  • the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV
  • the HSS uses the K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
  • the access network element generating the K ASME according to the CK and or IK includes:
  • a sixth aspect provides an access network element, including: a receiving module, a processing module, and a sending module;
  • the receiving module is configured to receive an attach request message from an LTE UE; the processing module is configured to convert the attach request message into a UMTS attach request message;
  • the sending module is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the receiving module after receiving the UMTS attach request message; the sending module is further configured to receive the request at the receiving module Requesting a request for the authentication vector to send a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector, so that the HSS sends the special authentication vector to the receiving module;
  • the receiving module is further configured to receive a UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the sending module to the SGSN by the sending module, and the processing module is further configured to convert the UMTS AKA authentication challenge into The LTE AKA authentication challenge is to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
  • the access network element the SGSN, and the LTE are used.
  • the UE completes the security certification including:
  • the LTE UE After the LTE UE verifies the LTE AKA authentication challenge, the RES and the key K ASME are generated;
  • the receiving module is configured to receive an LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete security authentication.
  • the special authentication vector includes XRES, CK, and IK;
  • the processing module is further configured to convert the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, where the sending module further comprises: the processing module further configured to:
  • the SGSN is further configured to send the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the SGSN.
  • Network access network element
  • the processing module is further configured to generate a K ASME according to the CK and or IK, the access network element and the LTE UE being the KASME.
  • whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.
  • the sending module is further configured to receive, at the receiving module, the request for the authentication vector After sending a request for a special authentication vector to the HSS includes:
  • the receiving module is configured to receive the request for the authentication vector sent by the SGSN;
  • the processing module is configured to identify that the LTE UE accesses the 2G or 3G network;
  • the processing module is further configured to add, in the authentication vector, the indication information to generate the request for the special authentication vector, the indication information is used to instruct the HSS to generate the special authentication vector.
  • the generating, by the HSS, the special authentication vector according to the request for the special authentication vector includes:
  • the HSS generates EPS AV for the LTE UE
  • the HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
  • the HSS converting the EPS AV into the UMTS AV format includes: The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS
  • the K ASME (256 bits) in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
  • the LTE UE can be used to use the 2G/3G network.
  • FIG. 1 is a schematic flowchart of an authentication method of a mobile communication system according to an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of an authentication method of a mobile communication system according to another embodiment of the present invention
  • FIG. 3 is a schematic flow chart of an authentication method of a mobile communication system according to another embodiment of the present invention.
  • FIG. 4 is a schematic flow chart of an authentication method of a mobile communication system according to another embodiment of the present invention.
  • FIG. 5 is a schematic block diagram of a home subscriber server according to an embodiment of the present invention.
  • FIG. 6 is a schematic block diagram of a GPRS service supporting node according to an embodiment of the present invention
  • FIG. 7 is a schematic block diagram of an access network element according to an embodiment of the present invention
  • FIG. 8 is a schematic block diagram of a home subscriber server according to another embodiment of the present invention.
  • FIG. 9 is a schematic block diagram of a GPRS service support node according to another embodiment of the present invention;
  • FIG. 10 is a schematic block diagram of an access network element according to another embodiment of the present invention.
  • GSM Global System of Mobile communication
  • CDMA code division multiple access
  • WCDMA Wideband Code Division Multiple Access
  • GSM General Packet Radio Service
  • UMT Universal Mobile Telecommunication System
  • Wi-Fi Worldwide Interoperability for Microwave Access
  • the access network element in the embodiment of the present invention is an enhanced access network element for supporting the LTE UE to access the 2G/3G core network.
  • the access network element may have the following functions: The function of the LTE eNB, the LTE UE may access the 2G/3G core network through the access network element without modification, and the LTE UE considers that The LTE network is being accessed, instead of the 2G/3G core network; the access network element in the embodiment of the present invention can also implement the function of a Mobility Management Entity (called " ⁇ "). Such as the security protection function of NAS signaling.
  • Mobility Management Entity
  • FIG. 1 shows a schematic flow diagram of a method 100 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. As shown in FIG. 1, the method 100 includes:
  • the HSS receives a request for a special authentication vector sent by the network element of the access network, where the request for the special authentication vector is sent by the network element of the access network after receiving the request for the authentication vector sent by the SGSN.
  • the HSS generates a special authentication vector according to the request for the special authentication vector.
  • the HSS sends the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
  • the HSS in order to enable the LTE UE to use the 2G or 3G network, after the access network element identifies that the LTE UE accesses the 2G/3G network, the HSS generates a special authentication vector for the LTE UE, so that the SGSN The access network element and the LTE UE complete the security authentication, so that the LTE UE can use the 2G or 3G core network.
  • the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by converting the attach request message by the access network element.
  • the attach request message is sent by the LTE UE.
  • the obtaining, by the access network element, the SGSN, and the LTE UE, the security authentication includes: sending, by the access network element, the special authentication vector to the SGSN, where the SGSN sends a UMTS AKA authentication challenge to the access
  • the network element the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge, and sends the LTE UE to the LTE UE.
  • the LTE UE After the LTE UE performs verification according to the LTE AKA authentication challenge and generates the RES and the key K ASME , The LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
  • the special authentication vector includes XRES, CK, and IK;
  • the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:
  • the access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, and the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the The SGSN sends the CK and or IK to the access network element, and the access network element generates K ASME according to the CK and or IK, the access network element and the
  • the LTE UE shares the K ASME .
  • the SGSN compares whether the RES and the XRES are the same, and includes, when the comparison is If the results are different, the safety certification is suspended.
  • the request for the special authentication vector is sent by the access network element after receiving the request for the authentication vector sent by the SGSN, and the sending includes:
  • the access network element identifies that the LTE UE accesses the 2G or 3G network
  • the access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
  • the HSS generates a special authentication vector according to the request for the special authentication vector:
  • the HSS generates EPS AV for the LTE UE
  • the HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
  • the HSS converts the EPS AV into a UMTS AV format, including:
  • the HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS
  • the K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
  • the access network element generates the K ASME according to the CK and or the ⁇ :
  • the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the access network element identifies that the LTE UE accesses through the access network element.
  • the HSS After the scenario of the 2G or 3G network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN.
  • the LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
  • FIG. 2 shows a schematic flow diagram of a method 200 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 2 and its description of the disclosed method may be based on the embodiment of the present invention and the method disclosed in FIG. 1 based on an embodiment of the present invention. As shown in FIG. 2, the method 200 includes:
  • the SGSN receives the UMTS attach request message, where the UMTS attach request is that the access network element converts the attach request message sent by the LTE UE, and S220, the SGSN sends a request to the access network element.
  • the request for the authentication vector so that the access network element receives the request for the authentication vector, and sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector.
  • the SGSN receives the special authentication vector from the network element of the access network, and sends the
  • the UMTS AKA authentication challenge is applied to the access network element, so that the SGSN, the access network element, and the LTE UE complete the security authentication.
  • the access network element requests the HSS to obtain a special authentication vector, and the HSS generates a special authentication according to the request of the SGSN.
  • the SGSN, the access network element, and the LTE UE complete the security authentication, and enable the LTE UE to use the 2G or 3G core network without modifying the LTE UE.
  • the SGSN, the access network element, and the LTE UE complete the security authentication, where the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the LTE UE to the LTE UE.
  • the LTE UE After the LTE UE performs the verification according to the LTE AKA authentication challenge and generates the RES and the key K ASME , the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the The SGSN and the LTE UE further complete the security authentication.
  • the special authentication vector includes XRES, CK, and IK;
  • the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:
  • the access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and The UMTS AKA authentication response is sent to the SGSN, and the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access network element, the access network.
  • the network element generates K ASME according to the CK and or IK, and the access network element and the LTE UE share the K ASME .
  • whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
  • the request for sending the special authentication vector to the HSS includes:
  • the access network element identifies that the LTE UE accesses the 2G or 3G network
  • the access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
  • generating the special authentication vector according to the request for the H S S according to the request for the special authentication vector includes:
  • the HSS generates EPS AV for the LTE UE
  • the HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
  • the HSS converts the EPS AV into a UMTS AV format, including:
  • the HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS
  • the K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
  • the access network element generates the K ASME according to the CK and or the ⁇ :
  • the message sent by the LTE UE is converted to be applicable to the network element of the access network.
  • the message of the 2G or 3G network is identified by the access network element.
  • the LTE UE accesses the 2G through the access network element.
  • the HSS After the scenario of the 3G network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN.
  • the LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
  • FIG. 3 shows a schematic flow diagram of a method 300 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention.
  • the method disclosed in Figure 3 and its description may be based on the embodiments of Figures 1 through 2 of the present invention and the methods disclosed in Figures 1 through 2 of the present invention.
  • the method 300 includes: S310.
  • the access network element converts an attach request message from the LTE UE into a UMTS attach request message.
  • the access network element sends the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the access network element after receiving the UMTS attach request message;
  • the access network element After receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector, so that the HSS can The special authentication vector is sent to the access network element network element;
  • the access network element receives the UMTS AKA authentication challenge, and the UMTS AKA authentication challenge is sent by the SGSN to the SGSN by the access network element sending the special authentication vector to the SGSN;
  • the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the LTE UE to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
  • the information sent by the LTE UE is converted into the information applicable to the 2G or 3G network system by the access network element, and the access network element identifies the scenario that the LTE UE accesses the 2G or 3G network.
  • the HSS generates a special authentication vector, so that the access network element, the SGSN, and the LTE UE can complete the security authentication, so that the LTE UE can use the existing 2G or 3G core network.
  • the access network element, the SGSN, and the LTE UE complete the security authentication, where the LTE UE verifies the LTE AKA authentication challenge, and generates a RES and a key K ASME ;
  • the access network element receives the LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
  • the special authentication vector includes XRES, CK, and IK;
  • the access network element, the SGSN, and the LTE UE further complete the security authentication, including:
  • the access network element converts the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, and the access network element sends the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN Comparing whether the RES and the XRES are the same, when the comparison result is the same, the SGSN sends the CK and or IK to the access network element;
  • the access network element generates K ASME according to the CK and or IK, and the access network element and the LTE UE jointly have the KASME °
  • whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
  • the request, by the access network element, after receiving the request for the authentication vector, sending a request for the special authentication vector to the HSS includes:
  • the access network element identifies that the LTE UE accesses the 2G or 3G network
  • the access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
  • the special authentication vector generated by the HSS according to the request for the special authentication vector includes:
  • the HSS generates EPS AV for the LTE UE
  • the HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
  • the HSS converts the EPS AV into a UMTS AV format, including:
  • the HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, and the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS the EPS AV
  • the XRES in the XRES is the XRES of the UMTS AV
  • the HSS splits the K ASME in the EPS AV into two parts, respectively as the CK and the IK of the UMTS AV.
  • the access network element generates the K ASME according to the CK and or the ⁇ :
  • the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the access network element identifies that the LTE UE accesses through the access network element.
  • the HSS After the scenario of the 2G or 3G core network, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed through the access network element and the SGSN.
  • the LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
  • FIG. 4 shows a schematic flow diagram of a method 400 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention.
  • the method 400 includes:
  • the LTE UE accesses the 2G/3G core network through the access network element, and an RRC connection is established between the LTE UE and the access network element.
  • the LTE UE sends an attach request message to the access network element, and the access network element converts the attach request message received from the LTE UE into a UMTS attach request message identifiable by the SGSN of the 2G/3G core network in the UMTS system.
  • the network access NE sends the converted UMTS attach request message to the SGSN.
  • the SGSN sends a request for the authentication vector to the access network element, and the access network element receives the request for the authentication vector sent by the SGSN;
  • the access network element identifies that the LTE UE accesses the 2G or 3G network. Further, the access network element can identify the UE type that passes through the access network element, that is, the access network element can identify the LTE. The UE accesses the 2G or 3G network;
  • the access network element adds the indication information to the authentication vector to generate the request for the special authentication vector, and the indication information is used to indicate that the HSS generates the special authentication vector.
  • the HSS identifies the scenario in which the LTE UE accesses the 2G/3G network according to the indication information in the request of the special authentication vector sent by the access network element.
  • the HSS generates the special authentication vector, including:
  • the HSS generates EPS AV for the LTE UE
  • HSS sets the 0th bit in the authentication management domain AMF to 1 to indicate that this authentication vector is EPS.
  • HSS generates RAND, AUTN, CK, IK and XRES;
  • the HSS derives KASME based on CK and IK.
  • EPS AV consists of K ASME , AUTN , XRES , RAND , where the 0th bit of the AMF parameter in the AUTN has a value of 1.
  • the HSS converts the EPS AV into a UMTS AV format format such that the EPS AV can be sent to the SGSN through an existing UMTS authentication response.
  • the method of converting EPS AV into UMTS AV format includes: using RAND, AUTN and XRES in EPS AV as RAND, AUTN and XRES of UMTS AV, and splitting K ASME (256bits) in EPS AV into two parts, respectively as UMTS AV's CK (128bits) and IK (128bits).
  • K ASME 256bits
  • the value of the 0th bit of the AMF in the AUTN is still 1.
  • the vector obtained by converting the EPS AV into the UMTS AV format is the special authentication vector.
  • the HSS transmits the special authentication vector to the access network element, and the access network element sends the special authentication vector to the SGSN;
  • the SGSN performs a UMTS AKA authentication procedure based on the special authentication vector received from the access network element.
  • the SGSN sends the UMTS AKA authentication 4 to the access network element.
  • the UMTS AKA authentication challenge includes RAND and AUTNo.
  • the access network element converts the received UMTS AKA authentication challenge into an LTE AKA authentication challenge.
  • the RAND and AUTN in the UMTS AKA authentication challenge are sent to the LTE UE in the LTE AKA authentication challenge.
  • the LTE UE verifies the AUTN. Further, since the value of the 0th bit of the AMF in the AUTN is 1, the LTE UE checks the AMF. The LTE UE generates the RES and the key K ASME .
  • the LTE UE sends an LTE AKA authentication response to the access network element, and the LTE AKA authentication response includes the RES.
  • the access network element converts the LTE AKA authentication response into a UMTS AKA authentication response, and sends the RES in the LTE AKA authentication response to the SGSN in the UMTS AKA authentication response.
  • the SGSN compares whether the RES and the XRES are the same.
  • the security authentication is suspended;
  • the SGSN initiates a security mode process, in which CK and or IK are sent to the access network element.
  • the access network element generates K ASME according to CK and or IK.
  • the access network element generates K ASME according to CK and or IK.
  • the access network element and the LTE UE share the key K ASME .
  • the LTE NAS SMC process and the LTE AS SMC process are performed between the access network element and the LTE UE to establish an LTE air interface security.
  • the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the SGSN identifies that the LTE UE accesses the 2G or 3G core through the access network element.
  • the HSS After the scenario of the network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN.
  • the LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
  • the home subscriber server HSS 500 includes: a receiving module 510, a processing module 520, and a sending module 530.
  • the receiving module 510 is configured to receive a request for a special authentication vector sent by an access network element, where the special authentication is required.
  • the request of the vector is sent by the network element of the access network after receiving the request for the authentication vector sent by the SGSN;
  • the processing module 520 is configured to generate a special authentication vector according to the request for the special authentication vector
  • the sending module 530 is configured to send the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
  • the HSS in order to enable the LTE UE to use the 2G or 3G network, after the access network element identifies that the LTE UE accesses the 2G/3G core network, the HSS generates a special authentication vector for the LTE UE, so that the The SGSN, the access network element, and the LTE UE complete the security authentication, so that the LTE UE can use the 2G or 3G core network.
  • the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by converting the attach request message by the access network element.
  • the attach request message is sent by the LTE UE.
  • the SGSN sends the UMTS AKA authentication challenge to the access network element, and the SGSN sends the UMTS AKA authentication challenge to the SGSN.
  • the access network element is sent to the LTE UE, and after the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key K ASME , the LTE UE will The LTE AKA authentication response including the RES is sent to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
  • the special authentication vector includes XRES, CK, and IK;
  • the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:
  • the access network element converts the LTE ⁇ authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, where the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, The SGSN sends the CK and or IK to the access network element, and the access network element generates K ASME according to the CK and or IK, and the access network element and the LTE UE share the K ASME .
  • whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
  • the request for the special authentication vector is sent by the access network element after receiving the request for the authentication vector sent by the SGSN, including:
  • the access network element identifies that the LTE UE accesses the 2G or 3G network
  • the access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
  • the processing module 520 is configured to generate a special authentication vector according to the request for the special authentication vector, including:
  • the processing module 520 is configured to generate EPS AV for the LTE UE;
  • the processing module 520 is configured to set the 0th bit in the authentication management domain AMF to 1 to indicate that the authentication vector is EPS AV;
  • the processing module 520 is configured to generate RAND, AUTN, CK, IK, and XRES;
  • EPS AV consists of K ASME , AUTN, XRES, RAND, of which AMF in AUTN The 0th bit of the parameter has a value of 1.
  • the processing module 520 is configured to convert the EPS AV into a UMTS AV format format, so that the EPS AV can be sent to the SGSN by using an existing UMTS authentication response.
  • the method of converting EPS AV into UMTS AV format includes: using RAND, AUTN and XRES in EPS AV as RAND, AUTN and XRES of UMTS AV, and splitting K ASME (256bits) in EPS AV into two parts, respectively as UMTS AV's CK (128bits) and IK (128bits).
  • the value of the 0th bit of the AMF in the AUTN is still 1.
  • the vector obtained by converting the EPS AV into the UMTS AV format is the special authentication vector.
  • the access network element generates the K ASME according to the CK and or IK, including:
  • the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the network element of the access network, and the network element of the access network identifies that the LTE UE accesses the network element through the access network.
  • the HSS After the scenario of the 2G or 3G network, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed by the access network element and the SGSN.
  • the LTE UE is not required to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
  • Figure 6 shows a schematic block diagram of a GPRS service support node 600 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 6 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 according to the embodiment of the present invention may also be based on the embodiment of the present invention and FIG. 5 and FIG. Revealed device.
  • the GPRS service support node SGSN600 includes: a receiving module 610; a sending module 620;
  • the receiving module 610 is configured to receive a UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by converting the attach request message sent by the LTE UE by the access network element;
  • the sending module 620 is configured to send a request for the authentication vector to the access network element, so that the access network element sends the request for the authentication vector, and then sends a request for the special authentication vector to the HSS.
  • the request, and then the HSS generates the special authentication vector according to the request for the special authentication vector, and sends the special authentication vector to the access network element;
  • the receiving module 610 is further configured to receive the special authentication vector from the network element of the access network, where the sending module 620 is further configured to send the UMTS AKA authentication challenge to the access network after the receiving module 610 receives the special authentication vector.
  • the network element so that the SGSN, the access network element, and the LTE UE complete the security authentication.
  • the access network element of the access network after the network element of the access network identifies the scenario in which the LTE UE accesses the 2G or 3G network, the access network element requests the HSS to obtain a special authentication vector, and the HSS generates a special authentication vector according to the request.
  • the SGSN, the access network element, and the LTE UE complete the security authentication, and enable the LTE UE to use the 2G or 3G core network without modifying the LTE UE.
  • the SGSN, the access network element, and the LTE UE complete the security authentication, where the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the LTE UE to the LTE UE.
  • the LTE UE After the LTE UE performs the verification according to the LTE AKA authentication challenge and generates the RES and the key K ASME , the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the The SGSN and the LTE UE further complete the security authentication.
  • the SGSN further includes a processing module 630;
  • the special authentication vector includes XRES, CK, and IK;
  • the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:
  • the access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiving module 610, where the processing module 630 is configured to compare whether the RES and the XRES are the same, when the comparison is performed.
  • the sending module 620 sends the CK and or IK to the access network element, and the access network element generates K ASME according to the CK and or IK, and the CK and or IK are sent by the sending module 620.
  • the processing module 630 is configured to compare whether the RES and the XRES are the same. Further, when the comparison result is different, the security authentication is suspended.
  • the request for sending the special authentication vector to the HSS includes:
  • the access network element identifies that the LTE UE accesses the 2G or 3G network
  • the access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
  • the generating, by the HSS, the special authentication vector according to the request for the special authentication vector includes:
  • the HSS generates EPS AV for the LTE UE
  • the HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
  • the HSS converts the EPS AV into a UMTS AV format, including:
  • the HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS
  • the K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
  • the access network element generates the K ASME according to the CK and or the ⁇ :
  • the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the SGSN identifies that the LTE UE accesses the 2G or 3G core through the access network element.
  • the HSS After the scenario of the network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN.
  • the LTE UE is not required to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in the embodiment to complete the security authentication and use the 2G. Or 3G core network resources.
  • FIG. 7 shows a schematic block diagram of an access network element 700 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 7 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 according to the embodiment of the present invention may also be based on the embodiments of the present invention and FIGS. 5 to 6 and The apparatus disclosed in Figures 5-6.
  • the access network element 700 includes: a receiving module 710, a processing module 720, and a sending module 730;
  • the receiving module 710 is configured to receive an attach request message from an LTE UE; the processing module 720 is configured to convert the attach request message into a UMTS attach request message;
  • the sending module 730 is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the receiving module 710 after receiving the UMTS attach request message, and the sending module 730 is further used in the receiving module.
  • the 710 After receiving the request for the authentication vector, the 710 sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector, so that the HSS sends the special authentication vector to the receiving.
  • the receiving module 710 is further configured to receive a UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the sending module 730 to the SGSN by the sending module 730, and the processing module 720 is further configured to authenticate the UMTS AKA.
  • the challenge is converted into an LTE AKA authentication challenge, and the sending module 730 is further configured to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
  • the information sent by the LTE UE is converted to be applicable to the network element of the access network.
  • the information of the 2G or 3G network system is identified by the access network element as a scenario in which the LTE UE accesses the 2G or 3G network, and the HSS generates a special authentication vector to enable the access network element, the SGSN, and the LTE UE to complete the security.
  • Authentication enables LTE UEs to use existing 2G or 3G core networks.
  • the access network element, the SGSN, and the LTE UE complete the security authentication, where the LTE UE verifies the LTE AKA authentication challenge, and generates a RES and a key K ASME ; the receiving module 710 is configured to receive the LTE UE.
  • the LTE AKA that sent the RES The response is such that the access network element, the SGSN, and the LTE UE further complete the security authentication.
  • the special authentication vector includes XRES, CK, and IK;
  • the access network element, the SGSN, and the LTE UE further complete the security authentication, including:
  • the processing module 720 is further configured to convert the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, where the sending module 730 is further configured to send the UMTS AKA authentication response including the RES to the SGSN, so that The SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access network element.
  • the processing module 720 is further configured to generate a K ASME according to the CK and or IK, where the access network element and the LTE UE share the K ASME .
  • whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
  • the sending module 730 is further configured to: after the receiving module 710 receives the request for the authentication vector, send a request for the special authentication vector to the HSS, including:
  • the receiving module 710 is configured to receive the request for the authentication vector that is sent by the SGSN.
  • the processing module 720 is configured to identify that the LTE UE accesses the 2G or 3G network.
  • the processing module 720 is further configured to add, in the authentication vector, the indication information to generate the request for the special authentication vector, where the indication information is used to indicate that the HSS generates the special authentication vector.
  • the special authentication vector generated by the HSS according to the request for the special authentication vector includes:
  • the HSS generates EPS AV for the LTE UE
  • the HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
  • the HSS converts the EPS AV into a UMTS AV format, including:
  • the HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS The AUTN in the EPS AV is used as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K ASME (256 bits) in the EPS AV into two parts, respectively The CK and the IK as the UMTS AV.
  • the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the access network element identifies that the LTE UE accesses through the access network element.
  • the HSS After the scenario of the 2G or 3G network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN.
  • the LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
  • FIG. 8 shows a schematic block diagram of a user home server 800 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 8 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 based on the embodiment of the present invention, and FIG. 5 to FIG. 7 based on the embodiment of the present invention and based on The apparatus disclosed in Figures 5 to 7 of the embodiment of the present invention.
  • the user home server HSS800 includes: a receiver 810, a processor 820, and a transmitter 830;
  • the receiver 810 is configured to receive a request for a special authentication vector sent by the network element of the access network, where the request for the special authentication vector is sent by the network element of the access network after receiving the request for the authentication vector sent by the SGSN;
  • the processor 820 is configured to generate a special authentication vector according to the request for the special authentication vector.
  • the transmitter 830 is configured to send the special authentication vector to the access network element, so that the access network element, the SGSN And the LTE UE completes the security certification.
  • the HSS in order to enable the LTE UE to use the 2G or 3G network, after the access network element identifies that the LTE UE accesses the 2G/3G core network, the HSS generates a special authentication vector for the LTE UE, so that the The SGSN, the access network element, and the LTE UE complete the security authentication, so that the LTE UE can use the 2G or 3G core network.
  • the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by converting the attach request message by the access network element.
  • the attach request message is sent by the LTE UE.
  • the SGSN sends the UMTS AKA authentication challenge to the access network element, and the SGSN sends the UMTS AKA authentication challenge to the SGSN.
  • the access network element is sent to the LTE UE, and after the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key K ASME , the LTE UE will The LTE AKA authentication response including the RES is sent to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
  • the special authentication vector includes XRES, CK, and IK;
  • the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:
  • the access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, and the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the The SGSN sends the CK and or IK to the access network element, and the access network element generates K ASME according to the CK and or IK, and the access network element and the LTE UE share the K ASME .
  • whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
  • the request for the special authentication vector is sent by the access network element after receiving the request for the authentication vector sent by the SGSN, including:
  • the access network element identifies that the LTE UE accesses the 2G or 3G network
  • the access network element adds the indication information to the authentication vector to generate the required special authentication vector.
  • the request information is used to instruct the HSS to generate the special authentication vector.
  • the processor 820 is configured to generate a special authentication vector according to the request for the special authentication vector, including:
  • the processor 820 is configured to generate an EPS AV for the LTE UE;
  • the processor 820 is configured to set the 0th bit in the authentication management domain AMF to 1 to indicate that the authentication vector is EPS AV;
  • the processor 820 is configured to generate RAND, AUTN, CK, IK and XRES;
  • EPS AV consists of K ASME , AUTN , XRES , RAND , where the 0th bit of the AMF parameter in the AUTN has a value of 1.
  • the processor 820 is configured to convert the EPS AV into a UMTS AV format format, so that the EPS AV can be sent to the SGSN by using an existing UMTS authentication response.
  • the method of converting EPS AV into UMTS AV format includes: using RAND, AUTN and XRES in EPS AV as RAND, AUTN and XRES of UMTS AV, and splitting K ASME (256bits) in EPS AV into two parts, respectively as UMTS AV's CK (128bits) and IK (128bits).
  • the value of the 0th bit of the AMF in the AUTN is still 1.
  • the vector obtained by converting the EPS AV into the UMTS AV format is the special authentication vector.
  • the access network element generates the K ASME according to the CK and or IK, including:
  • the access network element in accordance with the generation rule K ASME CKIIIK, which generates based on the K ASME and CK or IK. ⁇ indicates concatenation, IK is added after CK.
  • the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the network element of the access network, and the network element of the access network identifies that the LTE UE accesses the network element through the access network.
  • the HSS After the scenario of the 2G or 3G network, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed by the access network element and the SGSN.
  • FIG. 9 shows a schematic block diagram of a GPRS service support node 900 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 9 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 according to the embodiment of the present invention may also be based on the embodiment of the present invention, FIG. 5 and FIG. Revealed device.
  • the GPRS service support node SGSN900 includes: a receiver 910; a transmitter 920;
  • the receiver 910 is configured to receive a UMTS attach request message sent by an access network element, where the
  • the UMTS attach request message is obtained by the access network element converting the attach request message sent by the LTE UE;
  • the transmitter 920 is configured to send a request for the authentication vector to the access network element, so that after receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, so as to The HSS generates the special authentication vector according to the request for the special authentication vector, and sends the special authentication vector to the access network element;
  • the receiver 910 is further configured to receive the special authentication vector from the network element of the access network, where the transmitter 920 is further configured to send the UMTS AKA authentication challenge to the access network after the receiver 910 receives the special authentication vector.
  • the network element so that the SGSN, the access network element, and the LTE UE complete the security authentication.
  • the access network element of the access network after the network element of the access network identifies the scenario in which the LTE UE accesses the 2G or 3G network, the access network element requests the HSS to obtain a special authentication vector, and the HSS generates a special authentication vector according to the request.
  • the SGSN, the access network element, and the LTE UE complete the security authentication, and enable the LTE UE to use the 2G or 3G core network without modifying the LTE UE.
  • the SGSN, the access network element, and the LTE UE complete the security authentication, where the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the LTE UE to the LTE UE.
  • the LTE UE After the LTE UE performs the verification according to the LTE AKA authentication challenge and generates the RES and the key K ASME , the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the The SGSN and the LTE UE further complete the security recognition Certificate.
  • the SGSN further includes a processor 930;
  • the special authentication vector includes XRES, CK, and IK;
  • the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:
  • the access network element converts the LTE ⁇ authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiver 910
  • the processor 930 is configured to compare whether the RES and the XRES are the same, when the comparison When the result is the same, the transmitter 920 sends the CK and or IK to the access network element, and the access network element generates the K ASME according to the CK and or IK, and the CK and or IK are sent by the The 920 is sent, and the access network element and the LTE UE share the K ASME .
  • the processor 930 is configured to compare whether the RES and the XRES are the same. Further, when the comparison result is different, the security authentication is suspended.
  • the request for sending the special authentication vector to the HSS includes:
  • the access network element identifies that the LTE UE accesses the 2G or 3G network
  • the access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
  • the generating, by the HSS, the special authentication vector according to the request for the special authentication vector includes:
  • the HSS generates EPS AV for the LTE UE
  • the HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
  • the HSS converts the EPS AV into a UMTS AV format, including:
  • the HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, and the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS the EPS AV
  • the XRES in the XRES is the XRES of the UMTS AV
  • the HSS splits the K ASME in the EPS AV into two parts, respectively as the CK and the IK of the UMTS AV.
  • the access network element generates the K ASME according to the CK and or the ⁇ :
  • the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the SGSN identifies that the LTE UE accesses the 2G or 3G core through the access network element.
  • the HSS After the scenario of the network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN.
  • the LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
  • FIG. 10 shows a schematic block diagram of an access network element 1000 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 10 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 based on the embodiment of the present invention may also be based on the embodiments of the present invention and FIGS. 5 to 9 and The apparatus disclosed in Figures 5-9.
  • the access network element 1000 includes: a receiver 1010, a processor 1020, and a transmitter 1030.
  • the receiver 1010 is configured to receive an attach request message from an LTE UE, where the processor 1020 is configured to convert the attach request message into a UMTS attach request message.
  • the transmitter 1030 is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the receiver 1010 after receiving the UMTS attach request message; the transmitter 1030 is also used in the receiver.
  • 1010 After receiving the request for the authentication vector, 1010 sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector, so that the HSS sends the special authentication vector to the receiving. 1010;
  • the receiver 1010 is further configured to receive a UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the SGSN after the transmitter 1030 sends the special authentication vector to the SGSN;
  • the processor 1020 is further configured to convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge, where the transmitter 1030 is further configured to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN, and the SGSN The LTE UE completes the security authentication.
  • the information sent by the LTE UE is converted into the information applicable to the 2G or 3G network system by the access network element, and the access network element identifies the scenario that the LTE UE accesses the 2G or 3G network.
  • the HSS generates a special authentication vector, so that the access network element, the SGSN, and the LTE UE can complete the security authentication, so that the LTE UE can use the existing 2G or 3G core network.
  • the access network element, the SGSN, and the LTE UE complete the security authentication, where the LTE UE verifies the LTE AKA authentication challenge, and generates a RES and a key K ASME ;
  • the receiver 1010 is configured to receive an LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete security authentication.
  • the special authentication vector includes XRES, CK, and IK;
  • the access network element, the SGSN, and the LTE UE further complete the security authentication, including:
  • the processor 1020 is further configured to convert the LTE AKA authentication response including the RES to include the
  • the UMTS AKA authentication response of the RES is further configured to send the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same, when the comparison result is the same, The SGSN sends the CK and or IK to the access network element;
  • the processor 1020 is further configured to generate a K ASME according to the CK and or IK, and the access network element and the LTE UE share the K ASME .
  • whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
  • the transmitter 1030 is further configured to: after the receiver 1010 receives the request for the authentication vector, send a request for the special authentication vector to the HSS, including:
  • the receiver 1010 is configured to receive the request for the authentication vector sent by the SGSN.
  • the processor 1020 is configured to identify that the LTE UE accesses the 2G or 3G network.
  • the processor 1020 is further configured to add, in the authentication vector, the indication information to generate the request for the special authentication vector, where the indication information is used to indicate the HSS. Generate this special authentication vector.
  • the special authentication vector generated by the HSS according to the request for the special authentication vector includes:
  • the HSS generates EPS AV for the LTE UE
  • the HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
  • the HSS converts the EPS AV into a UMTS AV format, including:
  • the HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS
  • the K ASME (256 bits) in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
  • the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the access network element identifies that the LTE UE accesses through the access network element.
  • the HSS After the scenario of the 2G or 3G network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN.
  • the LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
  • Computer readable media includes computer storage media and Communication medium, wherein the communication medium includes any medium that facilitates the transfer of a computer program from one location to another.
  • a storage medium may be any available media that can be accessed by a computer.
  • computer readable media may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, disk storage media or other magnetic storage device, or can be used for carrying or storing in the form of an instruction or data structure.
  • the desired program code and any other medium that can be accessed by the computer may suitably be a computer readable medium.
  • the software is transmitted from a website, server, or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable , fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, wireless, and microwaves are included in the fixing of the associated media.
  • coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, wireless, and microwaves are included in the fixing of the associated media.
  • a disk and a disc include a compact disc (CD), a laser disc, a compact disc, a digital versatile disc (DVD), a floppy disc, and a Blu-ray disc, wherein the disc is usually magnetically copied, and the disc is The laser is used to optically replicate the data. Combinations of the above should also be included within the scope of the computer readable media.
  • CD compact disc
  • DVD digital versatile disc
  • a floppy disc a digital versatile disc
  • Blu-ray disc wherein the disc is usually magnetically copied, and the disc is The laser is used to optically replicate the data.

Abstract

Disclosed are a method and a network device for security authentication of a mobile communication system. The method for security authentication of a mobile communication system comprises: an HSS receiving a request for a special authentication vector sent by a network element of an access network, wherein the request for a special authentication vector is sent by the network element of the access network after receiving a request for an authentication vector sent by an SGSN; the HSS generating a special authentication vector according to the request for a special authentication vector; and the HSS sending the special authentication vector to the network element of the access network, so that the network element of the access network, the SGSN, and an LTE UE complete security authentication. The disclosed method and network device for security authentication of a mobile communication system enable an LTE UE to use a 2G/3G network.

Description

移动通信系统的安全 ^人证的方法和网络设备  Mobile communication system security method and network device
技术领域 Technical field
本发明实施例涉及通信领域, 尤其涉及移动通信系统的安全认证的方法和 网络设备。  Embodiments of the present invention relate to the field of communications, and in particular, to a method and a network device for secure authentication of a mobile communication system.
背景技术 长期演进( Long Term Evolution ,筒称为 "LTE" )/系统架构演进 (System Architecture Evolution , 筒称为 "SAE" )网络是标准组织第三代合作伙伴计 划(3rd Generation Partnership Project , 筒称为 "3GPP" )制定的新的移动通 信系统。 这种网络将是现有的包括宽带码分多址 (Wideband Code Division Multiple Access , 筒称为 "WCDMA" ) 网络、 时分-同步码分多址 (Time Division-Synchronous Code Division Multiple Access , 筒称为 "TD-SCDMA" ) 网络、 码分多址 2000 (Code Division Multiple Access 2000 , 筒称为 "CDMA2000" )网络在内的 3G网络的下一步演进方向。 目前在某些国家, 已经有商业部署的 LTE/SAE网络正在运行。安全是移动通信系统商业运营必 不可少的特性, 认证是安全特性中的一个重要特性。 通用移动通信系统 ( Universal Mobile Telecommunication System, 筒称为 "UMTS" ) 网络和 LTE/SAE网络制定了认证和密钥协商 (Authentication and Key Agreement , 筒称为 "AKA" )机制来执行 UE和网络之间的双向认证。 UMTS网络的双 向认证机制称为 UMTS AKA, LTE/SAE网络的双向认证机制称为演进分组 系统 ( Evolved Packet System, 筒称为 "EPS" ) AKA。 在某些特殊场景下, 存在着 LTE 用户设备(User Equipment, 筒称为 "UE" ) 通过 LTE接入网 接入 2G/3G核心网的情况。 由于 2G/3G核心网只能从 HSS获得 UMTS AV , 而 LTE UE在通过 LTE网络接入时, 会拒绝使用 UMTS AV进行认证, 因此 LTE UE不能够通过 LTE接入网接入 2G/3G核心网。 发明内容 BACKGROUND OF THE INVENTION Long Term Evolution (Long Term Evolution) is a system organization evolution (System Architecture Evolution, "SAE") is a standard organization 3rd Generation Partnership Project (3rd Generation Partnership Project) A new mobile communication system for "3GPP". Such a network will be an existing Wideband Code Division Multiple Access (WCDMA) network, Time Division-Synchronous Code Division Multiple Access (Time Division-Synchronous Code Division Multiple Access) "TD-SCDMA") The next evolution direction of 3G networks such as network and Code Division Multiple Access 2000 ("CDMA Division"). Currently in some countries, commercial deployments of LTE/SAE networks are in operation. Security is an indispensable feature of the commercial operation of mobile communication systems. Authentication is an important feature in security features. The Universal Mobile Telecommunication System (UMTS) network and the LTE/SAE network have developed an Authentication and Key Agreement ("AKA") mechanism to perform UE and network. Two-way authentication. The two-way authentication mechanism of the UMTS network is called UMTS AKA, and the two-way authentication mechanism of the LTE/SAE network is called an Evolved Packet System ("EPS") AKA. In some special scenarios, there is a case where an LTE user equipment (User Equipment, called "UE") accesses a 2G/3G core network through an LTE access network. Since the 2G/3G core network can only obtain UMTS AV from the HSS, the LTE UE refuses to use the UMTS AV for authentication when accessing through the LTE network. Therefore, the LTE UE cannot access the 2G/3G core network through the LTE access network. . Summary of the invention
有鉴于此, 本发明实施例提供了一种移动通信系统的安全认证的方法和网 络设备, 能够使 LTE UE使用 2G/3G网络。 第一方面, 提供了一种移动通信系统的安全认证方法, 包括:In view of this, the embodiments of the present invention provide a method and a network device for secure authentication of a mobile communication system, which enable an LTE UE to use a 2G/3G network. In a first aspect, a method for secure authentication of a mobile communication system is provided, including:
HSS接收接入网网元发送的要求特殊认证向量的请求, 该要求特殊认证 向量的请求由该接入网网元接收到 SGSN 发送的要求认证向量的请求后发 送; The HSS receives a request for a special authentication vector sent by the network element of the access network, and the request for the special authentication vector is sent by the network element of the access network after receiving the request for the authentication vector sent by the SGSN;
该 HSS根据该要求特殊认证向量的请求, 生成特殊认证向量;  The HSS generates a special authentication vector according to the request for the special authentication vector;
该 HSS将该特殊认证向量发送给该接入网网元, 以便该接入网网元、 该 SGSN和 LTE UE完成安全认证。  The HSS sends the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
在第一种可能的实现方式中, 该要求认证向量的请求是该 SGSN在接收 到该接入网网元发送的 UMTS attach request 消息后发送, 该 UMTS attach request消息是该接入网网元将 attach request消息转换所得, 该 attach request 消息由该 LTE UE发送。  In a first possible implementation manner, the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is the access network element The attach request message is converted, and the attach request message is sent by the LTE UE.
在第二种可能的实现方式中, 结合第一方面或第一方面的第一种可能的 实现方式, 该以便该接入网网元、 该 SGSN和 LTE UE完成安全认证包括: 该接入网网元将该特殊认证向量发送给该 SGSN , 该 SGSN发送 UMTS AKA认证挑战给该接入网网元, 该接入网网元将该 UMTS AKA认证挑战转 换成 LTE AKA认证挑战后发送给该 LTE UE, 该 LTE UE根据该 LTE AKA 认证挑战进行验证并生成 RES和密钥 KASME后, 该 LTE UE将包含该 RES 的 LTE AKA认证响应发送给该接入网网元, 以便该接入网网元、 该 SGSN 和该 LTE UE进一步完成安全认证。 In a second possible implementation, in combination with the first aspect or the first possible implementation manner of the first aspect, the access network element, the SGSN, and the LTE UE complete the security authentication, including: the access network The network element sends the special authentication vector to the SGSN, where the SGSN sends a UMTS AKA authentication challenge to the access network element, and the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the challenge to the LTE. After the LTE UE verifies and generates the RES and the key K ASME according to the LTE AKA authentication challenge, the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network The SGSN and the LTE UE further complete the security authentication.
在第三种可能的实现方式中, 结合第一方面或第一方面的第一种至第二 种可能的实现方式, 该特殊认证向量中包含 XRES、 CK、 IK;  In a third possible implementation, in combination with the first aspect or the first to the second possible implementation manner of the first aspect, the special authentication vector includes XRES, CK, and IK;
该以便该接入网网元、该 SGSN和该 LTE UE进一步完成安全认证包括: 该接入网网元将该 LTE AKA认证响应转换为 UMTS AKA认证响应并将 该 UMTS AKA认证响应发送给该 SGSN, 该 SGSN比较该 RES和该 XRES 是否相同, 当该比较结果为相同时, 该 SGSN将该 CK和或 IK发送给该接入 网网元, 该接入网网元根据该 CK和或 IK生成 KASME, 该接入网网元和该 LTE UE共享该 KASMEAnd the SG AKA authentication response is converted into a UMTS The SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access network element, and the access network element generates according to the CK and or IK. K ASME , the access network element and the The LTE UE shares the K ASME .
在第四种可能的实现方式中, 结合第一方面的第三种可能的实现方式, 该 SGSN比较该 RES和该 XRES是否相同还包括,当该比较结果为不相同时, 中止进行安全认证。  In a fourth possible implementation manner, in combination with the third possible implementation manner of the first aspect, whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.
在第五种可能的实现方式中, 结合第一方面或第一方面的第一至第四任 一种可能的实现方式, 该要求特殊认证向量的请求由该接入网网元接收到 SGSN发送的要求认证向量的请求后发送包括:  In a fifth possible implementation, in combination with the first aspect or the first to the fourth possible implementation manners of the first aspect, the request for the special authentication vector is sent by the access network element to the SGSN. The request for the authentication vector after the request is sent includes:
该接入网网元接收该 SGSN发送的该要求认证向量的请求;  Receiving, by the access network element, the request for the authentication vector sent by the SGSN;
该接入网网元识别出是 LTE UE接入 2G或 3G网络;  The access network element identifies that the LTE UE accesses the 2G or 3G network;
该接入网网元在该认证向量中加入指示信息生成该要求特殊认证向量的 请求, 该指示信息用于指示该 HSS生成该特殊认证向量。  The access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
在第六种可能的实现方式中, 结合第一方面或第一方面的第一至第五任 一种可能的实现方式, 该 HSS根据该要求特殊认证向量的请求, 生成特殊认 证向量包括:  In a sixth possible implementation, in combination with the first aspect or the first to fifth possible implementation manners of the first aspect, the HSS generates a special authentication vector according to the request for the special authentication vector:
该 HSS为该 LTE UE生成 EPS AV;  The HSS generates EPS AV for the LTE UE;
该 HSS将该 EPS AV转换成 UMTS AV格式, 该转换为 UMTS AV格式 的 EPS AV为该特殊认证向量。  The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
在第七种可能的实现方式中, 结合第一方面的第六种可能的实现方式, 该 HSS将该 EPS AV转换成 UMTS AV格式包括:  In a seventh possible implementation, in combination with the sixth possible implementation of the first aspect, the HSS converting the EPS AV into the UMTS AV format includes:
该 HSS将该 EPS AV中的 RAND作为该 UMTS AV的 RAND , 该 HSS 将该 EPS AV中的 AUTN作为该 UMTS AV的 AUTN, 该 HSS将该 EPS AV 中的 XRES作为该 UMTS AV的 XRES , 该 HSS将该 EPS AV中的 KASME拆 分为两部分, 分别作为该 UMTS AV的该 CK和该 IK。 The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS The K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
在第八种可能的实现方式中, 结合第一方面的第三至第七任一种可能的 实现方式, 该接入网网元根据该 CK和或 ΙΚ生成 KASME包括: In an eighth possible implementation, in combination with the third to the seventh possible implementation manners of the foregoing aspect, the access network element generating the K ASME according to the CK and or the 包括 includes:
该接入网网元按照生成规则 KASME=CKIIIK , 根据该 CK和或 IK生成该 KASME。 The access network element generates the base according to the CK and or IK according to the generation rule K ASME =CKIIIK KASME.
第二方面, 提供了一种移动通信系统的安全认证方法, 包括:  In a second aspect, a method for secure authentication of a mobile communication system is provided, including:
SGSN接收接入网网元发送 UMTS attach request消息, 该 UMTS attach request消息是该接入网网元将 LTE UE发送的 attach request消息转换所得; 该 SGSN向该接入网网元发送要求认证向量的请求, 以便该接入网网元 接收到该要求认证向量的请求后, 向 HSS发送要求特殊认证向量的请求, 进 而以便该 HSS根据该要求特殊认证向量的请求生成该特殊认证向量后发送 给该接人网网元;  The SGSN receives the UMTS attach request message, and the UMTS attach request message is obtained by the access network element converting the attach request message sent by the LTE UE; the SGSN sends the request authentication vector to the access network element. Requesting, after the access network element receives the request for the authentication vector, sending a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector, and then sends the request to the HSS. Access network element;
该 SGSN接收来自于该接入网网元的该特殊认证向量后, 发送 UMTS AKA认证挑战给该接入网网元, 以便该 SGSN、 该接入网网元和该 LTE UE 完成安全认证。  After receiving the special authentication vector from the access network element, the SGSN sends a UMTS AKA authentication challenge to the access network element, so that the SGSN, the access network element, and the LTE UE complete the security authentication.
在第一种可能的实现方式中, 该以便该 SGSN、 该接入网网元和该 LTE UE完成安全认证包括:  In a first possible implementation, the SGSN, the access network element, and the LTE UE complete the security authentication, including:
该接入网网元将该 UMTS AKA认证挑战转换成 LTE AKA认证挑战后发 送给该 LTE UE,该 LTE UE根据该 LTE AKA认证挑战进行验证并生成 RES 和密钥 KASME后, 该 LTE UE将包含该 RES的 LTE AKA认证响应发送给该 接入网网元, 以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认 证。 After the UMTS AKA authentication challenge is converted into an LTE AKA authentication challenge, the access network element is sent to the LTE UE, and after the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key K ASME , the LTE UE will The LTE AKA authentication response including the RES is sent to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
在第二种可能的实现方式中, 结合第二方面或第二方面的第一种可能的 实现方式, 该特殊认证向量包含 XRES、 CK、 IK;  In a second possible implementation manner, in combination with the second aspect or the first possible implementation manner of the second aspect, the special authentication vector includes XRES, CK, and IK;
该以便该接入网网元、该 SGSN和该 LTE UE进一步完成安全认证包括: 该接入网网元将该 LTE AKA认证响应转换为 UMTS AKA认证响应并将 该 UMTS AKA认证响应发送给该 SGSN, 该 SGSN比较该 RES和该 XRES 是否相同, 当该比较结果为相同时, 该 SGSN将该 CK和或 IK发送给该接入 网网元, 该接入网网元根据该 CK和或 IK生成 KASME, 该接入网网元和该 LTE UE共享该 KASME。 在第三种可能的实现方式中, 结第二方面的第二种可能的实现方式, 该And the SG AKA authentication response is converted into a UMTS The SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access network element, and the access network element generates according to the CK and or IK. K ASME , the access network element and the LTE UE share the K ASME . In a third possible implementation, the second possible implementation of the second aspect,
SGSN比较该 RES和该 XRES是否相同还包括, 当该比较结果为不相同时, 中止进行安全认证。 Whether the SGSN compares the RES and the XRES is the same or not, when the comparison result is different, the security authentication is suspended.
在第四种可能的实现方式中, 结合第二方面或第二方面的第一种至第三 种任一可能的实现方式, 该以便该接入网网元接收到该要求认证向量的请求 后, 向 HSS发送要求特殊认证向量的请求包括:  In a fourth possible implementation, in combination with the second aspect or any one of the first to third possible implementation manners of the second aspect, the access network element receives the request for the authentication vector Requests to send a request for a special authentication vector to the HSS include:
该接入网网元接收该 SGSN发送的该要求认证向量的请求;  Receiving, by the access network element, the request for the authentication vector sent by the SGSN;
该接入网网元识别出是 LTE UE接入 2G或 3G网络;  The access network element identifies that the LTE UE accesses the 2G or 3G network;
该接入网网元在该认证向量中加入指示信息生成该要求特殊认证向量的 请求, 该指示信息用于指示该 HSS生成该特殊认证向量。  The access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
在第五种可能的实现方式中, 结合第二方面或第二方面的第一种至第四 种可能的实现方式,该以便该 HSS根据该要求特殊认证向量的请求生成该特 殊认证向量包括:  In a fifth possible implementation, in combination with the second aspect or the first to fourth possible implementation manners of the second aspect, the generating, by the HSS, the special authentication vector according to the request for the special authentication vector:
该 HSS为该 LTE UE生成 EPS AV ;  The HSS generates EPS AV for the LTE UE;
该 HSS将该 EPS AV转换成 UMTS AV格式, 该转换为 UMTS AV格式 的 EPS AV为该特殊认证向量。  The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
在第六种可能的实现方式中, 结合第二方面的第五种可能的实现方式, 该 HSS将该 EPS AV转换成 UMTS AV格式包括:  In a sixth possible implementation, in combination with the fifth possible implementation of the second aspect, the HSS converting the EPS AV into the UMTS AV format includes:
该 HSS将该 EPS AV中的 RAND作为该 UMTS AV的 RAND , 该 HSS 将该 EPS AV中的 AUTN作为该 UMTS AV的 AUTN , 该 HSS将该 EPS AV 中的 XRES作为该 UMTS AV的 XRES , 该 HSS将该 EPS AV中的 KASME拆 分为两部分, 分别作为该 UMTS AV的该 CK和该 IK。 The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS The K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
在第七种可能的实现方式中, 结合第二方面的第二种至第六种任一可能 的实现方式, 该接入网网元根据该 CK和或 ΙΚ生成 KASME包括: In a seventh possible implementation manner, in combination with the second to sixth possible implementation manners of the second aspect, the access network element generating the K ASME according to the CK and or the 包括 includes:
该接入网网元按照生成规则 KASME=CKIIIK , 根据该 CK和或 IK生成该The access network element generates the base according to the CK and or IK according to the generation rule K ASME =CKIIIK
KASME。 第三方面, 提供了一种移动通信系统的安全认证方法, 包括: 接入网网元将来自于 LTE UE的 attach request消息转换为 UMTS attach request消息; KASME. The third aspect provides a security authentication method for a mobile communication system, including: the access network element converts an attach request message from the LTE UE into a UMTS attach request message;
该接入网网元将该 UMTS attach request消息发送给 SGSN,以便该 SGSN 收到该 UMTS attach request消息后发送要求认证向量的请求给该接入网网 元;  The access network element sends the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the access network element after receiving the UMTS attach request message;
该接入网网元收到该要求认证向量的请求后发送要求特殊认证向量的请 求给该 HSS ,以便该 HSS根据要求特殊认证向量的请求生成该特殊认证向量, 进而以便该 HSS将该特殊认证向量发送给该接入网网网元;  After receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector, so that the HSS can perform the special authentication. The vector is sent to the access network element network element;
该接入网网元接收 UMTS AKA认证挑战, 该 UMTS AKA认证挑战为该 接入网网元将该特殊认证向量发送给该 SGSN后由该 SGSN发送;  The access network element receives the UMTS AKA authentication challenge, and the UMTS AKA authentication challenge is sent by the SGSN to the SGSN by the access network element sending the special authentication vector to the SGSN;
该接入网网元将该 UMTS AKA认证挑战转换成 LTE AKA认证挑战后发 送给该 LTE UE, 以便该接入网网元、 该 SGSN和该 LTE UE完成安全认证。  The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the challenge to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
在第一种可能的实现方式中, 该以便该接入网网元、 该 SGSN和该 LTE UE完成安全认证包括:  In a first possible implementation manner, the security authentication of the access network element, the SGSN, and the LTE UE is performed by:
该 LTE UE验证该 LTE AKA认证挑战后生成 RES和密钥 KASME; After the LTE UE verifies the LTE AKA authentication challenge, the RES and the key K ASME are generated;
该接入网网元接收该 LTE UE发送的包含该 RES的 LTE AKA认证响应, 以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认证。  The access network element receives the LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
在第二种可能的实现方式中,结合第三方面或第三方面的第一种可能的实 现方式, 该特殊认证向量包含 XRES、 CK和 IK;  In a second possible implementation manner, in combination with the third aspect or the first possible implementation manner of the third aspect, the special authentication vector includes XRES, CK, and IK;
该以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认证包括: 该接入网网元将包含该 RES的 LTE AKA认证响应转换为包含该 RES的 UMTS AKA认证响应,该接入网网元将该包含该 RES的 UMTS AKA认证响 应发送给该 SGSN, 以便该 SGSN比较该 RES和该 XRES是否相同, 当该比 较结果为相同时, 该 SGSN将该 CK和或 IK发送给该接入网网元;  The LTE AKA authentication response including the RES is converted into a UMTS AKA authentication response including the RES, where the access network element, the SGSN, and the LTE UE further perform security authentication, the access network element: The network element sends the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the SGSN. Network access network element;
该接入网网元根据该 CK和或 IK生成 KASME,该接入网网元和该 LTE UE 共早该 KASME ° The access network element generates K ASME according to the CK and or IK, the access network element and the LTE UE A total of KASME °
在第三种可能的实现方式中, 结合第三方面的第二种可能的实现方式, 该 SGSN比较该 RES和该 XRES是否相同还包括,当该比较结果为不相同时, 中止进行安全认证。  In a third possible implementation manner, in combination with the second possible implementation manner of the third aspect, whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.
在第四种可能的实现方式中, 结合第三方面或第三方面的第一至第三任 一种可能的实现方式, 该接入网网元收到该要求认证向量的请求后发送要求 特殊认证向量的请求给该 HSS包括:  In a fourth possible implementation, in combination with the third aspect or the first to the third possible implementation manners of the third aspect, the access network element receives the request for the authentication vector and sends a request for a special request. The request for the authentication vector to the HSS includes:
该接入网网元接收该 SGSN发送的该要求认证向量的请求;  Receiving, by the access network element, the request for the authentication vector sent by the SGSN;
该接入网网元识别出是 LTE UE接入 2G或 3G网络;  The access network element identifies that the LTE UE accesses the 2G or 3G network;
该接入网网元在该认证向量中加入指示信息生成该要求特殊认证向量的 请求, 该指示信息用于指示该 HSS生成该特殊认证向量。  The access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
在第五种可能的实现方式中, 结合第三方面或第三方面的第一至第四任 一种可能的实现方式,该以便该 HSS根据要求特殊认证向量的请求生成该特 殊认证向量包括:  In a fifth possible implementation, in combination with the third aspect or the first to fourth possible implementation manners of the third aspect, the generating, by the HSS, the special authentication vector according to the request for the special authentication vector includes:
该 HSS为该 LTE UE生成 EPS AV;  The HSS generates EPS AV for the LTE UE;
该 HSS将该 EPS AV转换成 UMTS AV格式, 该转换为 UMTS AV格式 的 EPS AV为该特殊认证向量。  The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
在第六种可能的实现方式中, 结合第三方面的第五种可能的实现方式, 该 HSS将该 EPS AV转换成 UMTS AV格式包括:  In a sixth possible implementation manner, in combination with the fifth possible implementation manner of the third aspect, the HSS converting the EPS AV into the UMTS AV format includes:
该 HSS将该 EPS AV中的 RAND作为该 UMTS AV的 RAND , 该 HSS 将该 EPS AV中的 AUTN作为该 UMTS AV的 AUTN , 该 HSS将该 EPS AV 中的 XRES作为该 UMTS AV的 XRES , 该 HSS将该 EPS AV中的 KASME拆 分为两部分, 分别作为该 UMTS AV的该 CK和该 IK。 The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS The K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
在第七种可能的实现方式中, 结合第三方面的第二至第六任一种可能的 实现方式, 该接入网网元根据该 CK和或 ΙΚ生成 KASME包括: In a seventh possible implementation, in combination with the second to the sixth possible implementation manners of the third aspect, the access network element generating the K ASME according to the CK and or the 包括 includes:
该接入网网元按照生成规则 KASME=CKIIIK , 根据该 CK和或 IK生成该 KASME。 The access network element generates the base according to the CK and or IK according to the generation rule K ASME =CKIIIK KASME.
第四方面, 提供了一种 HSS , 包括: 接收模块, 处理模块, 发送模块; 该接收模块用于接收接入网网元发送的要求特殊认证向量的请求, 该要 求特殊认证向量的请求由该接入网网元接收到 SGSN发送的要求认证向量的 请求后发送;  In a fourth aspect, an HSS is provided, including: a receiving module, a processing module, and a sending module; the receiving module is configured to receive a request for a special authentication vector sent by an access network element, where the request for the special authentication vector is requested by the The access network element receives the request for the authentication vector sent by the SGSN and sends the request;
该处理模块用于根据该要求特殊认证向量的请求, 生成特殊认证向量; 该发送模块用于将该特殊认证向量发送给该接入网网元, 以便该接入网 网元、 该 SGSN和 LTE UE完成安全认证。  The processing module is configured to generate a special authentication vector according to the request for the special authentication vector; the sending module is configured to send the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE The UE completes the security certification.
在第一种可能的实现方式中, 该要求认证向量的请求是该 SGSN在接收 到该接入网网元发送的 UMTS attach request 消息后发送, 该 UMTS attach request消息是该接入网网元将 attach request消息转换所得, 该 attach request 消息由该 LTE UE发送。  In a first possible implementation manner, the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is the access network element The attach request message is converted, and the attach request message is sent by the LTE UE.
在第二种可能的实现方式中, 结合第四方面或第四方面的第一种可能的 实现方式, 该以便该接入网网元、 该 SGSN和 LTE UE完成安全认证包括: 该接入网网元将该特殊认证向量发送给该 SGSN , 该 SGSN发送 UMTS In a second possible implementation, in combination with the fourth aspect or the first possible implementation manner of the fourth aspect, the access network element, the SGSN, and the LTE UE complete the security authentication, including: the access network The network element sends the special authentication vector to the SGSN, and the SGSN sends the UMTS.
AKA认证挑战给该接入网网元, 该接入网网元将该 UMTS AKA认证挑战转 换成 LTE AKA认证挑战后发送给该 LTE UE, 该 LTE UE根据该 LTE AKA 认证挑战进行验证并生成 RES和密钥 KASME后, 该 LTE UE将包含该 RES 的 LTE AKA认证响应发送给该接入网网元, 以便该接入网网元、 该 SGSN 和该 LTE UE进一步完成安全认证。 The AKA authentication challenge is performed to the access network element, and the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge, and then sends the LTE UE to the LTE UE, and the LTE UE verifies and generates the RES according to the LTE AKA authentication challenge. After the key K ASME , the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
在第三种可能的实现方式中, 结合第四方面或第四方面的第一种至第二 种可能的实现方式, 该特殊认证向量中包含 XRES、 CK、 IK;  In a third possible implementation, in combination with the fourth aspect or the first to the second possible implementation manner of the fourth aspect, the special authentication vector includes XRES, CK, and IK;
该以便该接入网网元、该 SGSN和该 LTE UE进一步完成安全认证包括: 该接入网网元将该 LTE AKA认证响应转换为 UMTS AKA认证响应并将 该 UMTS AKA认证响应发送给该 SGSN, 该 SGSN比较该 RES和该 XRES 是否相同, 当该比较结果为相同时, 该 SGSN将该 CK和或 IK发送给该接入 网网元, 该接入网网元根据该 CK和或 IK生成 KASME, 该接入网网元和该 LTE UE共享该 KASMEAnd the SG AKA authentication response is converted into a UMTS The SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access. The network element, the access network element generates K ASME according to the CK and or IK, and the access network element and the LTE UE share the K ASME .
在第四种可能的实现方式中, 结合第四方面的第三种可能的实现方式, 该 SGSN比较该 RES和该 XRES是否相同还包括,当该比较结果为不相同时, 中止进行安全认证。  In a fourth possible implementation manner, in combination with the third possible implementation manner of the fourth aspect, the comparing, by the SGSN, whether the RES and the XRES are the same include: when the comparison result is different, the security authentication is suspended.
在第五种可能的实现方式中, 结合第四方面或第四方面的第一至第四任 一种可能的实现方式, 该要求特殊认证向量的请求由该接入网网元接收到 SGSN发送的要求认证向量的请求后发送包括:  In a fifth possible implementation, in combination with the fourth or fourth possible implementation manner of the fourth aspect, the request for the special authentication vector is sent by the access network element to the SGSN. The request for the authentication vector after the request is sent includes:
该接入网网元接收该 SGSN发送的该要求认证向量的请求;  Receiving, by the access network element, the request for the authentication vector sent by the SGSN;
该接入网网元识别出是 LTE UE接入 2G或 3G网络;  The access network element identifies that the LTE UE accesses the 2G or 3G network;
该接入网网元在该认证向量中加入指示信息生成该要求特殊认证向量的 请求, 该指示信息用于指示该 HSS生成该特殊认证向量。  The access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
在第六种可能的实现方式中, 结合第四方面或第四方面的第一至第五任 一种可能的实现方式, 该处理模块用于根据该要求特殊认证向量的请求, 生 成特殊认证向量包括:  In a sixth possible implementation, in combination with the fourth aspect or the first to fifth possible implementation manners of the fourth aspect, the processing module is configured to generate a special authentication vector according to the request for the special authentication vector Includes:
该处理模块用于为该 LTE UE生成 EPS AV;  The processing module is configured to generate an EPS AV for the LTE UE;
该处理模块用于将该 EPS AV转换成 UMTS AV格式, 该转换为 UMTS AV格式的 EPS AV为该特殊认证向量。  The processing module is configured to convert the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
在第七种可能的实现方式中, 结合第四方面的第六种可能的实现方式, 该处理模块用于将该 EPS AV转换成 UMTS AV格式包括:  In a seventh possible implementation, in combination with the sixth possible implementation manner of the fourth aspect, the processing module is configured to convert the EPS AV into the UMTS AV format, including:
该处理模块用于将该 EPS AV中的 RAND作为该 UMTS AV的 RAND, 该处理模块用于将该 EPS AV中的 AUTN作为该 UMTS AV的 AUTN, 该处 理模块用于将该 EPS AV中的 XRES作为该 UMTS AV的 XRES , 该处理模 块用于将该 EPS AV中的 KASME拆分为两部分, 分别作为该 UMTS AV的该 CK和该 IK。 The processing module is configured to use RAND in the EPS AV as the RAND of the UMTS AV, and the processing module is configured to use the AUTN in the EPS AV as the AUTN of the UMTS AV, and the processing module is used to use the XRES in the EPS AV As the XRES of the UMTS AV, the processing module is configured to split the K ASME in the EPS AV into two parts, respectively, as the CK and the IK of the UMTS AV.
在第八种可能的实现方式中, 结合第四方面的第三至第七任一种可能的 实现方式, 该接入网网元根据该 CK和或 IK生成 KASME包括: In an eighth possible implementation, combining any of the third to seventh aspects of the fourth aspect In an implementation manner, the access network element generates a K ASME according to the CK and or IK, including:
该接入网网元按照生成规则 KASME=CKIIIK , 根据该 CK和或 IK生成该The access network element generates the base according to the CK and or IK according to the generation rule K ASME =CKIIIK
KASME。 KASME.
第五方面, 提供了一种 SGSN, 包括: 接收模块; 发送模块;  In a fifth aspect, an SGSN is provided, including: a receiving module; a sending module;
该接收模块用于接收接入网网元发送的 UMTS attach request消息, 该 The receiving module is configured to receive a UMTS attach request message sent by an access network element, where the
UMTS attach request消息是该接入网网元将 LTE UE发送的 attach request消 息转换所得; The UMTS attach request message is obtained by the access network element converting the attach request message sent by the LTE UE;
该发送模块用于向该接入网网元发送要求认证向量的请求, 以便该接入 网网元接收到该要求认证向量的请求后,向 HSS发送要求特殊认证向量的请 求,进而以便该 HSS根据该要求特殊认证向量的请求生成该特殊认证向量后 发送给该接入网网元;  The sending module is configured to send a request for the authentication vector to the access network element, so that after receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, so that the HSS Generating the special authentication vector according to the request for the special authentication vector, and then sending the special authentication vector to the access network element;
该接收模块还用于接收来自于该接入网网元的该特殊认证向量, 该发送 模块还用于该接收模块接收到该特殊认证向量后发送 UMTS AKA认证挑战 给该接入网网元, 以便该 SGSN、 该接入网网元和该 LTE UE完成安全认证。  The receiving module is further configured to receive the special authentication vector from the network element of the access network, where the sending module is further configured to send the UMTS AKA authentication challenge to the access network element after the receiving module receives the special authentication vector, So that the SGSN, the access network element, and the LTE UE complete the security authentication.
在第一种可能的实现方式中, 该以便该 SGSN、 该接入网网元和该 LTE In a first possible implementation, the SGSN, the access network element, and the LTE are used.
UE完成安全认证包括: The UE completes the security certification including:
该接入网网元将该 UMTS AKA认证挑战转换成 LTE AKA认证挑战后发 送给该 LTE UE,该 LTE UE根据该 LTE AKA认证挑战进行验证并生成 RES 和密钥 KASME后, 该 LTE UE将包含该 RES的 LTE AKA认证响应发送给该 接入网网元, 以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认 证。 After the UMTS AKA authentication challenge is converted into an LTE AKA authentication challenge, the access network element is sent to the LTE UE, and after the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key K ASME , the LTE UE will The LTE AKA authentication response including the RES is sent to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
在第二种可能的实现方式中, 结合第五方面或第五方面的第一种可能的 实现方式, 该 SGSN还包括处理模块;  In a second possible implementation manner, in combination with the fifth aspect or the first possible implementation manner of the fifth aspect, the SGSN further includes a processing module;
该特殊认证向量包含 XRES、 CK、 IK;  The special authentication vector contains XRES, CK, IK;
该以便该接入网网元、该 SGSN和该 LTE UE进一步完成安全认证包括: 该接入网网元将该 LTE AKA认证响应转换为 UMTS AKA认证响应并将 该 UMTS AKA认证响应发送给该接收模块, 该处理模块用于比较该 RES和 该 XRES是否相同, 当该比较结果为相同时, 该发送模块将该 CK和或 IK发 送给该接入网网元, 该接入网网元才艮据该 CK和或 IK生成 KASME , 该 CK和 或 IK由该发送模块发送, 该接入网网元和该 LTE UE共享该 KASMEThe further completing the security authentication for the access network element, the SGSN and the LTE UE comprises: the access network element converting the LTE AKA authentication response into a UMTS AKA authentication response and The UMTS AKA authentication response is sent to the receiving module, and the processing module is configured to compare whether the RES and the XRES are the same. When the comparison result is the same, the sending module sends the CK and or IK to the access network element. The access network element generates K ASME according to the CK and or IK, and the CK and or IK are sent by the sending module, and the access network element and the LTE UE share the K ASME .
在第三种可能的实现方式中, 结第五方面的第二种可能的实现方式, 该 处理模块用于比较该 RES和该 XRES是否相同还包括, 当该比较结果为不相 同时, 中止进行安全认证。  In a third possible implementation manner, the second possible implementation manner of the fifth aspect, the processing module is configured to compare whether the RES and the XRES are the same, and further includes: when the comparison result is different, the suspension is performed. safety certificate.
在第四种可能的实现方式中, 结合第五方面或第五方面的第一种至第三 种任一可能的实现方式, 该以便该接入网网元接收到该要求认证向量的请求 后, 向 HSS发送要求特殊认证向量的请求包括:  In a fourth possible implementation manner, in combination with the fifth aspect or any one of the first to third possible implementation manners of the fifth aspect, the access network element receives the request for the authentication vector Requests to send a request for a special authentication vector to the HSS include:
该接入网网元接收该 SGSN发送的该要求认证向量的请求;  Receiving, by the access network element, the request for the authentication vector sent by the SGSN;
该接入网网元识别出是 LTE UE接入 2G或 3G网络;  The access network element identifies that the LTE UE accesses the 2G or 3G network;
该接入网网元在该认证向量中加入指示信息生成该要求特殊认证向量的 请求, 该指示信息用于指示该 HSS生成该特殊认证向量。  The access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
在第五种可能的实现方式中, 结合第五方面或第五方面的第一种至第四 种可能的实现方式,该以便该 HSS根据该要求特殊认证向量的请求生成该特 殊认证向量包括:  In a fifth possible implementation, in combination with the fifth aspect or the first to fourth possible implementation manners of the fifth aspect, the generating, by the HSS, the special authentication vector according to the request for the special authentication vector:
该 HSS为该 LTE UE生成 EPS AV;  The HSS generates EPS AV for the LTE UE;
该 HSS将该 EPS AV转换成 UMTS AV格式, 该转换为 UMTS AV格式 的 EPS AV为该特殊认证向量。  The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
在第六种可能的实现方式中, 结合第五方面的第五种可能的实现方式, 该 HSS将该 EPS AV转换成 UMTS AV格式包括:  In a sixth possible implementation manner, in combination with the fifth possible implementation manner of the fifth aspect, the HSS converting the EPS AV into the UMTS AV format includes:
该 HSS将该 EPS AV中的 RAND作为该 UMTS AV的 RAND , 该 HSS 将该 EPS AV中的 AUTN作为该 UMTS AV的 AUTN, 该 HSS将该 EPS AV 中的 XRES作为该 UMTS AV的 XRES , 该 HSS将该 EPS AV中的 KASME拆 分为两部分, 分别作为该 UMTS AV的该 CK和该 IK。 在第七种可能的实现方式中, 结合第五方面的第二种至第六种任一可能 的实现方式, 该接入网网元根据该 CK和或 IK生成 KASME包括: The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS The K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively. In a seventh possible implementation, in combination with the second to sixth possible implementation manners of the fifth aspect, the access network element generating the K ASME according to the CK and or IK includes:
该接入网网元按照生成规则 KASME=CKIIIK , 根据该 CK和或 IK生成该The access network element generates the base according to the CK and or IK according to the generation rule K ASME =CKIIIK
KASME。 KASME.
第六方面, 提供了一种接入网网元, 包括: 接收模块, 处理模块, 发送 模块;  A sixth aspect provides an access network element, including: a receiving module, a processing module, and a sending module;
该接收模块用于接收来自 LTE UE的 attach request消息; 该处理模块用 于将该 attach request消息转换为 UMTS attach request消息;  The receiving module is configured to receive an attach request message from an LTE UE; the processing module is configured to convert the attach request message into a UMTS attach request message;
该发送模块用于将该 UMTS attach request消息发送给 SGSN, 以便该 SGSN收到该 UMTS attach request消息后发送要求认证向量的请求给该接收 模块; 该发送模块还用于在该接收模块收到该要求认证向量的请求后发送要 求特殊认证向量的请求给该 HSS ,以便该 HSS根据要求特殊认证向量的请求 生成该特殊认证向量, 进而以便该 HSS将该特殊认证向量发送给该接收模 块;  The sending module is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the receiving module after receiving the UMTS attach request message; the sending module is further configured to receive the request at the receiving module Requesting a request for the authentication vector to send a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector, so that the HSS sends the special authentication vector to the receiving module;
该接收模块还用于接收 UMTS AKA认证挑战, 该 UMTS AKA认证挑战 为该发送模块将该特殊认证向量发送给该 SGSN后由该 SGSN发送; 该处理 模块还用于将该 UMTS AKA认证挑战转换成 LTE AKA认证挑战,该发送模 块还用于将该 LTE AKA认证挑战发送给该 LTE UE, 以便该接入网网元、 该 SGSN和该 LTE UE完成安全认证。  The receiving module is further configured to receive a UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the sending module to the SGSN by the sending module, and the processing module is further configured to convert the UMTS AKA authentication challenge into The LTE AKA authentication challenge is to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
在第一种可能的实现方式中, 该以便该接入网网元、 该 SGSN和该 LTE In a first possible implementation, the access network element, the SGSN, and the LTE are used.
UE完成安全认证包括: The UE completes the security certification including:
该 LTE UE验证该 LTE AKA认证挑战后生成 RES和密钥 KASME; After the LTE UE verifies the LTE AKA authentication challenge, the RES and the key K ASME are generated;
该接收模块用于接收该 LTE UE发送的包含该 RES的 LTE AKA认证响 应, 以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认证。  The receiving module is configured to receive an LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete security authentication.
在第二种可能的实现方式中,结合第六方面或第六方面的第一种可能的实 现方式, 该特殊认证向量包含 XRES、 CK和 IK; 该以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认证包括: 该处理模块还用于将包含该 RES的 LTE AKA认证响应转换为包含该 RES的 UMTS AKA认证响应, 该发送模块还用于将该包含该 RES的 UMTS AKA认证响应发送给该 SGSN , 以便该 SGSN比较该 RES和该 XRES是否 相同, 当该比较结果为相同时, 该 SGSN将该 CK和或 IK发送给该接入网网 元; In a second possible implementation, in combination with the sixth aspect or the first possible implementation manner of the sixth aspect, the special authentication vector includes XRES, CK, and IK; The processing module is further configured to convert the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, where the sending module further comprises: the processing module further configured to: The SGSN is further configured to send the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the SGSN. Network access network element;
该处理模块还用于根据该 CK和或 IK生成 KASME ,该接入网网元和该 LTE UE共早该 KASME。 The processing module is further configured to generate a K ASME according to the CK and or IK, the access network element and the LTE UE being the KASME.
在第三种可能的实现方式中, 结合第六方面的第二种可能的实现方式, 该 SGSN比较该 RES和该 XRES是否相同还包括,当该比较结果为不相同时, 中止进行安全认证。  In a third possible implementation manner, in combination with the second possible implementation manner of the sixth aspect, whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.
在第四种可能的实现方式中, 结合第六方面或第六方面的第一至第三任 一种可能的实现方式, 该发送模块还用于在该接收模块收到该要求认证向量 的请求后发送要求特殊认证向量的请求给该 HSS包括:  In a fourth possible implementation, in combination with the first to third possible implementation manners of the sixth aspect or the sixth aspect, the sending module is further configured to receive, at the receiving module, the request for the authentication vector After sending a request for a special authentication vector to the HSS includes:
该接收模块用于接收该 SGSN发送的该要求认证向量的请求;  The receiving module is configured to receive the request for the authentication vector sent by the SGSN;
该处理模块用于识别出是 LTE UE接入 2G或 3G网络;  The processing module is configured to identify that the LTE UE accesses the 2G or 3G network;
该处理模块还用于在该认证向量中加入指示信息生成该要求特殊认证向 量的请求, 该指示信息用于指示该 HSS生成该特殊认证向量。  The processing module is further configured to add, in the authentication vector, the indication information to generate the request for the special authentication vector, the indication information is used to instruct the HSS to generate the special authentication vector.
在第五种可能的实现方式中, 结合第六方面或第六方面的第一至第四任 一种可能的实现方式,该以便该 HSS根据要求特殊认证向量的请求生成该特 殊认证向量包括:  In a fifth possible implementation, in combination with the sixth aspect or the first to fourth possible implementation manners of the sixth aspect, the generating, by the HSS, the special authentication vector according to the request for the special authentication vector includes:
该 HSS为该 LTE UE生成 EPS AV ;  The HSS generates EPS AV for the LTE UE;
该 HSS将该 EPS AV转换成 UMTS AV格式, 该转换为 UMTS AV格式 的 EPS AV为该特殊认证向量。  The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
在第六种可能的实现方式中, 结合第六方面的第五种可能的实现方式, 该 HSS将该 EPS AV转换成 UMTS AV格式包括: 该 HSS将该 EPS AV中的 RAND作为该 UMTS AV的 RAND , 该 HSS 将该 EPS AV中的 AUTN作为该 UMTS AV的 AUTN, 该 HSS将该 EPS AV 中的 XRES作为该 UMTS AV的 XRES , 该 HSS将该 EPS AV中的 KASME ( 256bits ) 拆分为两部分, 分别作为该 UMTS AV的该 CK和该 IK。 In a sixth possible implementation manner, in combination with the fifth possible implementation manner of the sixth aspect, the HSS converting the EPS AV into the UMTS AV format includes: The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS The K ASME (256 bits) in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
在第七种可能的实现方式中, 结合第六方面的第二至第六任一种可能的 实现方式, 该处理模块进一步用于按照生成规则 KASME=CKIIIK , 根据该 CK 和或 IK生成该 KASMEIn a seventh possible implementation, in combination with the second to the sixth possible implementation manners of the sixth aspect, the processing module is further configured to generate the according to the CK and or IK according to the generation rule K ASME =CKIIIK K ASME .
通过上述方案, 能够使 LTE UE使用 2G/3G网络。 附图说明  Through the above scheme, the LTE UE can be used to use the 2G/3G network. DRAWINGS
为了更清楚地说明本发明实施例的技术方案, 下面将对本发明实施例中所 需要使用的附图作筒单地介绍, 显而易见地, 下面描述中的附图仅仅是本发明 的一些实施例, 对于本领域普通技术人员来讲, 在不付出创造性劳动的前提下, 还可以根据这些附图获得其他的附图。  In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings to be used in the embodiments of the present invention will be briefly described. It is obvious that the drawings in the following description are only some embodiments of the present invention. Other drawings may also be obtained from those of ordinary skill in the art in view of the drawings.
图 1是根据本发明实施例的移动通信系统的认证方法的示意性流程图; 图 2是根据本发明另一实施例的移动通信系统的认证方法的示意图流程 图;  1 is a schematic flowchart of an authentication method of a mobile communication system according to an embodiment of the present invention; FIG. 2 is a schematic flowchart of an authentication method of a mobile communication system according to another embodiment of the present invention;
图 3是根据本发明另一实施例的移动通信系统的认证方法的示意性流程 图;  3 is a schematic flow chart of an authentication method of a mobile communication system according to another embodiment of the present invention;
图 4是根据本发明另一实施例的移动通信系统的认证方法的示意性流程 图;  4 is a schematic flow chart of an authentication method of a mobile communication system according to another embodiment of the present invention;
图 5是根据本发明实施例的归属用户服务器的示意性框图;  FIG. 5 is a schematic block diagram of a home subscriber server according to an embodiment of the present invention; FIG.
图 6是根据本发明实施例的 GPRS服务支撑节点的示意性框图; 图 7是根据本发明实施例的接入网网元的示意性框图;  6 is a schematic block diagram of a GPRS service supporting node according to an embodiment of the present invention; FIG. 7 is a schematic block diagram of an access network element according to an embodiment of the present invention;
图 8是根据本发明另一实施例的归属用户服务器的示意性框图; 图 9是根据本发明另一实施例的 GPRS服务支撑节点的示意性框图; 图 10是根据本发明另一实施例的接入网网元的示意性框图。 具体实施方式 FIG. 8 is a schematic block diagram of a home subscriber server according to another embodiment of the present invention; FIG. 9 is a schematic block diagram of a GPRS service support node according to another embodiment of the present invention; FIG. 10 is a schematic block diagram of an access network element according to another embodiment of the present invention. detailed description
下面将结合本发明实施例中的附图, 对本发明实施例中的技术方案进行清 楚、 完整地描述, 显然, 所描述的实施例是本发明的一部分实施例, 而不是全 部实施例。 基于本发明中的实施例, 本领域普通技术人员在没有作出创造性劳 动的前提下所获得的所有其他实施例, 都应属于本发明保护的范围。  BRIEF DESCRIPTION OF THE DRAWINGS The technical solutions in the embodiments of the present invention will be described in detail below with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are a part of the embodiments of the present invention, rather than all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts shall fall within the scope of the present invention.
应理解, 本发明实施例的技术方案可以应用于各种 2G或 3G通信系统, 例 如: 全球移动通讯( Global System of Mobile communication, 筒称为 "GSM" ) 系统、 码分多址(Code Division Multiple Access , 筒称为 "CDMA" ) 系统、 宽 带码分多址( Wideband Code Division Multiple Access , 筒称为 "WCDMA" ) 系 统、 通用分组无线业务(General Packet Radio Service, 筒称为 "GPRS" )、 通用 移动通信系统 ( Universal Mobile Telecommunication System, 筒称为 "UMTS" )、 全球互联微波接入 ( Worldwide Interoperability for Microwave Access , 筒称为 "WiMAX" )通信系统等。  It should be understood that the technical solution of the embodiments of the present invention can be applied to various 2G or 3G communication systems, for example: Global System of Mobile communication ("GSM") system, code division multiple access (Code Division Multiple) Access, called "CDMA" system, Wideband Code Division Multiple Access ("WCDMA") system, General Packet Radio Service (General Packet Radio Service) Universal Mobile Telecommunication System (UMT), Worldwide Interoperability for Microwave Access ("Wireless") communication system, etc.
本发明实施例中的接入网网元, 是一种增强的接入网网元, 用于支持 LTE UE接入 2G/3G核心网。在发明所有实施例中,接入网网元可具备如下功能: LTE eNB的功能, LTE UE可以不需要进行修改通过该接入网网元接入 2G/3G核心网, 而且使 LTE UE认为其正在接入的是 LTE网络, 而不是 2G/3G核心网; 本发明 实施例中的接入网网元还可以实现部分移动性管理实体( Mobility Management Entity , 筒称为 "ΜΜΕ" ) 的功能, 如对 NAS信令的安全保护功能。  The access network element in the embodiment of the present invention is an enhanced access network element for supporting the LTE UE to access the 2G/3G core network. In all the embodiments of the present invention, the access network element may have the following functions: The function of the LTE eNB, the LTE UE may access the 2G/3G core network through the access network element without modification, and the LTE UE considers that The LTE network is being accessed, instead of the 2G/3G core network; the access network element in the embodiment of the present invention can also implement the function of a Mobility Management Entity (called "ΜΜΕ"). Such as the security protection function of NAS signaling.
图 1示出了根据本发明实施例的移动通信系统的安全认证的方法 100的示 意性流程图。 如图 1所示, 该方法 100包括:  1 shows a schematic flow diagram of a method 100 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. As shown in FIG. 1, the method 100 includes:
S110 , HSS接收接入网网元发送的要求特殊认证向量的请求, 该要求特 殊认证向量的请求由该接入网网元接收到 SGSN发送的要求认证向量的请求 后发送; S120 , 该 HSS根据该要求特殊认证向量的请求, 生成特殊认证向量;S110. The HSS receives a request for a special authentication vector sent by the network element of the access network, where the request for the special authentication vector is sent by the network element of the access network after receiving the request for the authentication vector sent by the SGSN. S120. The HSS generates a special authentication vector according to the request for the special authentication vector.
S130 , 该 HSS将该特殊认证向量发送给该接入网网元, 以便该接入网网 元、 该 SGSN和 LTE UE完成安全认证。 S130. The HSS sends the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
在本发明实施例中, 为了使 LTE UE能够使用 2G或 3G网络, 在接入网网 元识别出是 LTE UE接入 2G/3G网络后, HSS为该 LTE UE生成特殊认证向量, 以便该 SGSN、 该接入网网元和该 LTE UE完成安全认证, 使 LTE UE可以使 用 2G或 3G核心网。  In the embodiment of the present invention, in order to enable the LTE UE to use the 2G or 3G network, after the access network element identifies that the LTE UE accesses the 2G/3G network, the HSS generates a special authentication vector for the LTE UE, so that the SGSN The access network element and the LTE UE complete the security authentication, so that the LTE UE can use the 2G or 3G core network.
可选地, 该要求认证向量的请求是该 SGSN在接收到该接入网网元发送 的 UMTS attach request消息后发送, 该 UMTS attach request消息是该接入网 网元将 attach request消息转换所得,该 attach request消息由该 LTE UE发送。  Optionally, the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by converting the attach request message by the access network element. The attach request message is sent by the LTE UE.
可选地, 该以便该接入网网元、 该 SGSN和 LTE UE完成安全认证包括: 该接入网网元将该特殊认证向量发送给该 SGSN , 该 SGSN发送 UMTS AKA认证挑战给该接入网网元, 该接入网网元将该 UMTS AKA认证挑战转 换成 LTE AKA认证挑战后发送给该 LTE UE, 该 LTE UE根据该 LTE AKA 认证挑战进行验证并生成 RES和密钥 KASME后, 该 LTE UE将包含该 RES 的 LTE AKA认证响应发送给该接入网网元, 以便该接入网网元、 该 SGSN 和该 LTE UE进一步完成安全认证。 Optionally, the obtaining, by the access network element, the SGSN, and the LTE UE, the security authentication includes: sending, by the access network element, the special authentication vector to the SGSN, where the SGSN sends a UMTS AKA authentication challenge to the access The network element, the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge, and sends the LTE UE to the LTE UE. After the LTE UE performs verification according to the LTE AKA authentication challenge and generates the RES and the key K ASME , The LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
可选地, 该特殊认证向量中包含 XRES、 CK、 IK;  Optionally, the special authentication vector includes XRES, CK, and IK;
可选地, 该以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全 认证包括:  Optionally, the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:
该接入网网元将该 LTE AKA认证响应转换为 UMTS AKA认证响应并将 该 UMTS AKA认证响应发送给该 SGSN, 该 SGSN比较该 RES和该 XRES 是否相同, 当该比较结果为相同时, 该 SGSN将该 CK和或 IK发送给该接入 网网元, 该接入网网元根据该 CK和或 IK生成 KASME, 该接入网网元和该The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, and the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the The SGSN sends the CK and or IK to the access network element, and the access network element generates K ASME according to the CK and or IK, the access network element and the
LTE UE共享该 KASMEThe LTE UE shares the K ASME .
可选地, 该 SGSN比较该 RES和该 XRES是否相同还包括, 当该比较结 果为不相同时, 中止进行安全认证。 Optionally, the SGSN compares whether the RES and the XRES are the same, and includes, when the comparison is If the results are different, the safety certification is suspended.
可选地, 该要求特殊认证向量的请求由该接入网网元接收到 SGSN发送 的要求认证向量的请求后发送包括:  Optionally, the request for the special authentication vector is sent by the access network element after receiving the request for the authentication vector sent by the SGSN, and the sending includes:
该接入网网元接收该 SGSN发送的该要求认证向量的请求;  Receiving, by the access network element, the request for the authentication vector sent by the SGSN;
该接入网网元识别出是 LTE UE接入 2G或 3G网络;  The access network element identifies that the LTE UE accesses the 2G or 3G network;
该接入网网元在该认证向量中加入指示信息生成该要求特殊认证向量的 请求, 该指示信息用于指示该 HSS生成该特殊认证向量。  The access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
可选地, 该 HSS根据该要求特殊认证向量的请求, 生成特殊认证向量包 括:  Optionally, the HSS generates a special authentication vector according to the request for the special authentication vector:
该 HSS为该 LTE UE生成 EPS AV;  The HSS generates EPS AV for the LTE UE;
该 HSS将该 EPS AV转换成 UMTS AV格式, 该转换为 UMTS AV格式 的 EPS AV为该特殊认证向量。  The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
可选地, 该 HSS将该 EPS AV转换成 UMTS AV格式包括:  Optionally, the HSS converts the EPS AV into a UMTS AV format, including:
该 HSS将该 EPS AV中的 RAND作为该 UMTS AV的 RAND , 该 HSS 将该 EPS AV中的 AUTN作为该 UMTS AV的 AUTN , 该 HSS将该 EPS AV 中的 XRES作为该 UMTS AV的 XRES , 该 HSS将该 EPS AV中的 KASME拆 分为两部分, 分别作为该 UMTS AV的该 CK和该 IK。 The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS The K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
可选地, 该接入网网元才艮据该 CK和或 ΙΚ生成 KASME包括: Optionally, the access network element generates the K ASME according to the CK and or the 包括:
该接入网网元按照生成规则 KASME=CKIIIK , 根据该 CK和或 IK生成该 KASME。 The access network element generates the K A SME according to the CK and or IK according to the generation rule K ASME =CKIIIK.
本发明实施例中,通过该接入网网元将 LTE UE所发送的消息转换为适用于 2G或 3G网络的消息, 由接入网网元识别出 LTE UE通过该接入网网元接入 2G 或 3G网络的场景后, HSS生成特殊的认证向量, 通过该接入网网元、 SGSN完 成 LTE UE和网络之间的安全认证。 不需要对 LTE UE做修改, 使得 LTE UE可 以通过本实施例中的接入网网元接入 2G或 3G核心网,完成安全认证并使用 2G 或 3G核心网资源。 图 2示出了根据本发明实施例的移动通信系统的安全认证的方法 200的示 意性流程图。 图 2及其说明所揭示的方法, 可基于本发明实施例图 1和基于本 发明实施例图 1所揭示的方法。 如图 2所示, 该方法 200包括: In the embodiment of the present invention, the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the access network element identifies that the LTE UE accesses through the access network element. After the scenario of the 2G or 3G network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. The LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources. 2 shows a schematic flow diagram of a method 200 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 2 and its description of the disclosed method may be based on the embodiment of the present invention and the method disclosed in FIG. 1 based on an embodiment of the present invention. As shown in FIG. 2, the method 200 includes:
S210 , SGSN接收接入网网元发送 UMTS attach request消息, 该 UMTS attach request是该接入网网元将 LTE UE发送的 attach request消息转换所得; S220 , 该 SGSN向该接入网网元发送要求认证向量的请求, 以便该接入 网网元接收到该要求认证向量的请求后,向 HSS发送要求特殊认证向量的请 求,进而以便该 HSS根据该要求特殊认证向量的请求生成该特殊认证向量后 发送给该接入网网元;  S210, the SGSN receives the UMTS attach request message, where the UMTS attach request is that the access network element converts the attach request message sent by the LTE UE, and S220, the SGSN sends a request to the access network element. The request for the authentication vector, so that the access network element receives the request for the authentication vector, and sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector. Send to the access network element;
S230 , 该 SGSN接收来自于该接入网网元的该特殊认证向量后, 发送 S230. The SGSN receives the special authentication vector from the network element of the access network, and sends the
UMTS AKA认证挑战给该接入网网元, 以便该 SGSN、 该接入网网元和该 LTE UE完成安全认证。 The UMTS AKA authentication challenge is applied to the access network element, so that the SGSN, the access network element, and the LTE UE complete the security authentication.
在本发明实施例中, 通过接入网网元识别出 LTE UE接入 2G或 3G核心网 的场景后, 接入网网元向 HSS请求获取特殊认证向量, HSS根据 SGSN的该 请求生成特殊认证向量, 使 SGSN、 接入网网元和该 LTE UE完成安全认证, 实现不需要对 LTE UE进行修改的条件下使 LTE UE使用 2G或 3G核心网。  In the embodiment of the present invention, after the LTE UE accesses the 2G or 3G core network, the access network element requests the HSS to obtain a special authentication vector, and the HSS generates a special authentication according to the request of the SGSN. The SGSN, the access network element, and the LTE UE complete the security authentication, and enable the LTE UE to use the 2G or 3G core network without modifying the LTE UE.
可选地,该以便该 SGSN、该接入网网元和该 LTE UE完成安全认证包括: 该接入网网元将该 UMTS AKA认证挑战转换成 LTE AKA认证挑战后发 送给该 LTE UE,该 LTE UE根据该 LTE AKA认证挑战进行验证并生成 RES 和密钥 KASME后, 该 LTE UE将包含该 RES的 LTE AKA认证响应发送给该 接入网网元, 以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认 证。 Optionally, the SGSN, the access network element, and the LTE UE complete the security authentication, where the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the LTE UE to the LTE UE. After the LTE UE performs the verification according to the LTE AKA authentication challenge and generates the RES and the key K ASME , the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the The SGSN and the LTE UE further complete the security authentication.
可选地, 该特殊认证向量包含 XRES、 CK、 IK;  Optionally, the special authentication vector includes XRES, CK, and IK;
可选地, 该以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全 认证包括:  Optionally, the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:
该接入网网元将该 LTE AKA认证响应转换为 UMTS AKA认证响应并将 该 UMTS AKA认证响应发送给该 SGSN , 该 SGSN比较该 RES和该 XRES 是否相同, 当该比较结果为相同时, 该 SGSN将该 CK和或 IK发送给该接入 网网元, 该接入网网元根据该 CK和或 IK生成 KASME , 该接入网网元和该 LTE UE共享该 KASMEThe access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and The UMTS AKA authentication response is sent to the SGSN, and the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access network element, the access network. The network element generates K ASME according to the CK and or IK, and the access network element and the LTE UE share the K ASME .
可选地, 该 SGSN比较该 RES和该 XRES是否相同还包括, 当该比较结 果为不相同时, 中止进行安全认证。  Optionally, whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
可选地, 该以便该接入网网元接收到该要求认证向量的请求后, 向 HSS 发送要求特殊认证向量的请求包括:  Optionally, after the request for the access network element to receive the request for the authentication vector, the request for sending the special authentication vector to the HSS includes:
该接入网网元接收该 SGSN发送的该要求认证向量的请求;  Receiving, by the access network element, the request for the authentication vector sent by the SGSN;
该接入网网元识别出是 LTE UE接入 2G或 3G网络;  The access network element identifies that the LTE UE accesses the 2G or 3G network;
该接入网网元在该认证向量中加入指示信息生成该要求特殊认证向量的 请求, 该指示信息用于指示该 HSS生成该特殊认证向量。 可选地, 该以便该 H S S根据该要求特殊认证向量的请求生成该特殊认证向量包括:  The access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector. Optionally, generating the special authentication vector according to the request for the H S S according to the request for the special authentication vector includes:
该 HSS为该 LTE UE生成 EPS AV ;  The HSS generates EPS AV for the LTE UE;
该 HSS将该 EPS AV转换成 UMTS AV格式, 该转换为 UMTS AV格式 的 EPS AV为该特殊认证向量。  The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
可选地, 该 HSS将该 EPS AV转换成 UMTS AV格式 包括:  Optionally, the HSS converts the EPS AV into a UMTS AV format, including:
该 HSS将该 EPS AV中的 RAND作为该 UMTS AV的 RAND , 该 HSS 将该 EPS AV中的 AUTN作为该 UMTS AV的 AUTN , 该 HSS将该 EPS AV 中的 XRES作为该 UMTS AV的 XRES , 该 HSS将该 EPS AV中的 KASME拆 分为两部分, 分别作为该 UMTS AV的该 CK和该 IK。 The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS The K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
可选地, 该接入网网元才艮据该 CK和或 ΙΚ生成 KASME包括: Optionally, the access network element generates the K ASME according to the CK and or the 包括:
该接入网网元按照生成规则 KASME=CKI IIK , 根据该 CK和或 IK生成该 KASME。 The access network element generates the KASME according to the CK and or IK according to the generation rule K ASME =CKI IIK.
本发明实施例中,通过该接入网网元将 LTE UE所发送的消息转换为适用于 In the embodiment of the present invention, the message sent by the LTE UE is converted to be applicable to the network element of the access network.
2G或 3G网络的消息, 由接入网网元识别出 LTE UE通过该接入网网元接入 2G 或 3G网络的场景后, HSS生成特殊的认证向量, 通过该接入网网元、 SGSN完 成 LTE UE和网络之间的安全认证。 不需要对 LTE UE做修改, 使得 LTE UE可 以通过本实施例中的接入网网元接入 2G或 3G核心网,完成安全认证并使用 2G 或 3G核心网资源。 The message of the 2G or 3G network is identified by the access network element. The LTE UE accesses the 2G through the access network element. After the scenario of the 3G network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. The LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
图 3示出了根据本发明实施例的移动通信系统的安全认证的方法 300的示 意性流程图。 图 3及其说明所揭示的方法, 可基于本发明实施例图 1至图 2以 及基于本发明实施例图 1至图 2所揭示的方法。 如图 3所示, 该方法 300包括: S310 , 接入网网元将来自于 LTE UE的 attach request消息转换为 UMTS attach request消息;  3 shows a schematic flow diagram of a method 300 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. The method disclosed in Figure 3 and its description may be based on the embodiments of Figures 1 through 2 of the present invention and the methods disclosed in Figures 1 through 2 of the present invention. As shown in FIG. 3, the method 300 includes: S310. The access network element converts an attach request message from the LTE UE into a UMTS attach request message.
S320 , 该接入网网元将该 UMTS attach request消息发送给 SGSN, 以便 该 SGSN收到该 UMTS attach request消息后发送要求认证向量的请求给该接 入网网元;  S320, the access network element sends the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the access network element after receiving the UMTS attach request message;
S330 , 该接入网网元收到该要求认证向量的请求后发送要求特殊认证向 量的请求给该 HSS ,以便该 HSS根据要求特殊认证向量的请求生成该特殊认 证向量, 进而以便该 HSS将该特殊认证向量发送给该接入网网网元;  S330. After receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector, so that the HSS can The special authentication vector is sent to the access network element network element;
S340 , 该接入网网元接收 UMTS AKA认证挑战, 该 UMTS AKA认证挑 战为该接入网网元将该特殊认证向量发送给该 SGSN后由该 SGSN发送; S340, the access network element receives the UMTS AKA authentication challenge, and the UMTS AKA authentication challenge is sent by the SGSN to the SGSN by the access network element sending the special authentication vector to the SGSN;
S350 ,该接入网网元将该 UMTS AKA认证挑战转换成 LTE AKA认证挑 战后发送给该 LTE UE, 以便该接入网网元、 该 SGSN和该 LTE UE完成安 全认证。 S350. The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the LTE UE to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
在本发明实施例中, 通过接入网网元将 LTE UE发送的信息转换为适用于 2G或 3G网络系统的信息, 由接入网网元识别出为 LTE UE接入 2G或 3G网络 的场景, 通过 HSS生成特殊的认证向量, 使接入网网元、 SGSN和 LTE UE能 够完成安全认证, 使得 LTE UE可以使用现有 2G或 3G核心网。  In the embodiment of the present invention, the information sent by the LTE UE is converted into the information applicable to the 2G or 3G network system by the access network element, and the access network element identifies the scenario that the LTE UE accesses the 2G or 3G network. The HSS generates a special authentication vector, so that the access network element, the SGSN, and the LTE UE can complete the security authentication, so that the LTE UE can use the existing 2G or 3G core network.
可选地, 该接入网网元、 该 SGSN和该 LTE UE完成安全认证包括: 该 LTE UE验证该 LTE AKA认证挑战后生成 RES和密钥 KASME; 该接入网网元接收该 LTE UE发送的包含该 RES的 LTE AKA认证响应, 以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认证。 Optionally, the access network element, the SGSN, and the LTE UE complete the security authentication, where the LTE UE verifies the LTE AKA authentication challenge, and generates a RES and a key K ASME ; The access network element receives the LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
可选地, 该特殊认证向量包含 XRES、 CK和 IK;  Optionally, the special authentication vector includes XRES, CK, and IK;
可选地, 该以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认 证包括:  Optionally, the access network element, the SGSN, and the LTE UE further complete the security authentication, including:
该接入网网元将包含该 RES的 LTE AKA认证响应转换为包含该 RES的 UMTS AKA认证响应,该接入网网元将该包含该 RES的 UMTS AKA认证响 应发送给该 SGSN , 以便该 SGSN比较该 RES和该 XRES是否相同, 当该比 较结果为相同时, 该 SGSN将该 CK和或 IK发送给该接入网网元;  The access network element converts the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, and the access network element sends the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN Comparing whether the RES and the XRES are the same, when the comparison result is the same, the SGSN sends the CK and or IK to the access network element;
该接入网网元才艮据该 CK和或 IK生成 KASME ,该接入网网元和该 LTE UE 共早该 KASME ° The access network element generates K ASME according to the CK and or IK, and the access network element and the LTE UE jointly have the KASME °
可选地, 该 SGSN比较该 RES和该 XRES是否相同还包括, 当该比较结 果为不相同时, 中止进行安全认证。 可选地, 该接入网网元收到该要求认证 向量的请求后发送要求特殊认证向量的请求给该 HSS包括:  Optionally, whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication. Optionally, the request, by the access network element, after receiving the request for the authentication vector, sending a request for the special authentication vector to the HSS includes:
该接入网网元接收该 SGSN发送的该要求认证向量的请求;  Receiving, by the access network element, the request for the authentication vector sent by the SGSN;
该接入网网元识别出是 LTE UE接入 2G或 3G网络;  The access network element identifies that the LTE UE accesses the 2G or 3G network;
该接入网网元在该认证向量中加入指示信息生成该要求特殊认证向量的 请求, 该指示信息用于指示该 HSS生成该特殊认证向量。  The access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
可选地, 该以便该 HSS根据要求特殊认证向量的请求生成该特殊认证向 量包括:  Optionally, the special authentication vector generated by the HSS according to the request for the special authentication vector includes:
该 HSS为该 LTE UE生成 EPS AV ;  The HSS generates EPS AV for the LTE UE;
该 HSS将该 EPS AV转换成 UMTS AV格式, 该转换为 UMTS AV格式 的 EPS AV为该特殊认证向量。  The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
可选地, 该 HSS将该 EPS AV转换成 UMTS AV格式 包括:  Optionally, the HSS converts the EPS AV into a UMTS AV format, including:
该 HSS将该 EPS AV中的 RAND作为该 UMTS AV的 RAND , 该 HSS 将该 EPS AV中的 AUTN作为该 UMTS AV的 AUTN , 该 HSS将该 EPS AV 中的 XRES作为该 UMTS AV的 XRES , 该 HSS将该 EPS AV中的 KASME拆 分为两部分, 分别作为该 UMTS AV的该 CK和该 IK。 The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, and the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS the EPS AV The XRES in the XRES is the XRES of the UMTS AV, and the HSS splits the K ASME in the EPS AV into two parts, respectively as the CK and the IK of the UMTS AV.
可选地, 该接入网网元才艮据该 CK和或 ΙΚ生成 KASME包括: Optionally, the access network element generates the K ASME according to the CK and or the 包括:
该接入网网元按照生成规则 KASME=CKIIIK , 根据该 CK和或 IK生成该 ASME。 The access network element generates the ASME according to the CK and or IK according to the generation rule K ASME =CKIIIK.
本发明实施例中,通过该接入网网元将 LTE UE所发送的消息转换为适用于 2G或 3G网络的消息, 由接入网网元识别出 LTE UE通过该接入网网元接入 2G 或 3G核心网的场景后, HSS生成特殊的认证向量, 通过该接入网网元、 SGSN 完成 LTE UE和网络之间的安全认证。 不需要对 LTE UE做修改, 使得 LTE UE 可以通过本实施例中的接入网网元接入 2G或 3G核心网, 完成安全认证并使用 2G或 3G核心网资源。  In the embodiment of the present invention, the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the access network element identifies that the LTE UE accesses through the access network element. After the scenario of the 2G or 3G core network, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed through the access network element and the SGSN. The LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
图 4示出了根据本发明实施例的移动通信系统的安全认证的方法 400的示 意性流程图。 本发明实施例图 1至图 3和基于本发明实施例图 1至图 3所揭示 图 3和基于本发明实施例图 1至图 3所揭示的方法可参考图 4及其说明所揭示 的方法。 如图 4所示, 该方法 400包括:  4 shows a schematic flow diagram of a method 400 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. FIG. 1 to FIG. 3 and the method disclosed in FIG. 3 and FIG. 3 based on the embodiment of the present invention, and the method disclosed in FIG. 4 and FIG. . As shown in FIG. 4, the method 400 includes:
可选地, LTE UE通过接入网网元接入到 2G/3G核心网, LTE UE和接入网 网元之间建立 RRC连接。  Optionally, the LTE UE accesses the 2G/3G core network through the access network element, and an RRC connection is established between the LTE UE and the access network element.
LTE UE发送 attach request消息给接入网网元, 接入网网元将从 LTE UE处 收到的该 attach request消息转换为 UMTS系统中 2G/3G核心网 SGSN可识别的 UMTS attach request消息,接入网网元将转换后的 UMTS attach request消息发送 给 SGSN。  The LTE UE sends an attach request message to the access network element, and the access network element converts the attach request message received from the LTE UE into a UMTS attach request message identifiable by the SGSN of the 2G/3G core network in the UMTS system. The network access NE sends the converted UMTS attach request message to the SGSN.
SGSN发送要求认证向量的请求给该接入网网元, 该接入网网元接收该 SGSN发送的该要求认证向量的请求;  The SGSN sends a request for the authentication vector to the access network element, and the access network element receives the request for the authentication vector sent by the SGSN;
接入网网元识别出是 LTE UE接入 2G或 3G网络, 进一步的, 接入网网 元可以识别出通过该接入网网元的 UE类型, 即接入网网元能够识别出 LTE UE接入 2G或 3G网络; The access network element identifies that the LTE UE accesses the 2G or 3G network. Further, the access network element can identify the UE type that passes through the access network element, that is, the access network element can identify the LTE. The UE accesses the 2G or 3G network;
接入网网元在该认证向量中加入指示信息生成该要求特殊认证向量的请 求, 该指示信息用于指示该 HSS生成该特殊认证向量。 该 HSS根据该接入网 网元发送的特殊认证向量的请求中的指示信息识别出此场景为 LTE UE接入 2G/3G网络的场景。 该 HSS生成该特殊认证向量, 包括:  The access network element adds the indication information to the authentication vector to generate the request for the special authentication vector, and the indication information is used to indicate that the HSS generates the special authentication vector. The HSS identifies the scenario in which the LTE UE accesses the 2G/3G network according to the indication information in the request of the special authentication vector sent by the access network element. The HSS generates the special authentication vector, including:
可选地, 该 HSS为该 LTE UE生成 EPS AV;  Optionally, the HSS generates EPS AV for the LTE UE;
进一步的,  further,
HSS将认证管理域 AMF中第 0个 bit设为 1 以标示此认证向量为 EPS HSS sets the 0th bit in the authentication management domain AMF to 1 to indicate that this authentication vector is EPS.
AV; AV;
HSS生成 RAND、 AUTN , CK、 IK和 XRES ;  HSS generates RAND, AUTN, CK, IK and XRES;
HSS根据 CK和 IK推演得到 KASME , 推演规则可以为 KASME =KDF ( CK, IK ) , KDF为密钥推演函数; The HSS derives KASME based on CK and IK. The deduction rule can be K ASME =KDF ( CK, IK ) and KDF is the key derivation function;
EPS AV由 KASME、 AUTN , XRES , RAND组成, 其中 AUTN中的 AMF 参数的第 0个比特的值为 1。 EPS AV consists of K ASME , AUTN , XRES , RAND , where the 0th bit of the AMF parameter in the AUTN has a value of 1.
可选地,该 HSS将该 EPS AV转换成 UMTS AV格式格式,以使得 EPS AV 可以通过现有的 UMTS认证响应发送给 SGSN。 EPS AV转换成 UMTS AV格式 的方法包括:将 EPS AV中的 RAND、 AUTN和 XRES作为 UMTS AV的 RAND、 AUTN和 XRES,将 EPS AV中的 KASME( 256bits )拆分为两部分,分别作为 UMTS AV的 CK ( 128bits )和 IK ( 128bits )。 该 EPS AV转换成 UMTS AV格式格式 后, AUTN中的 AMF的第 0个比特的值仍然为 1。将该 EPS AV转换成 UMTS AV格式后所得的向量为该特殊认证向量。 Optionally, the HSS converts the EPS AV into a UMTS AV format format such that the EPS AV can be sent to the SGSN through an existing UMTS authentication response. The method of converting EPS AV into UMTS AV format includes: using RAND, AUTN and XRES in EPS AV as RAND, AUTN and XRES of UMTS AV, and splitting K ASME (256bits) in EPS AV into two parts, respectively as UMTS AV's CK (128bits) and IK (128bits). After the EPS AV is converted into the UMTS AV format, the value of the 0th bit of the AMF in the AUTN is still 1. The vector obtained by converting the EPS AV into the UMTS AV format is the special authentication vector.
该 HSS将该特殊认证向量传输给该接入网网元,接入网网元再将该特殊认 证向量发送给该 SGSN;  The HSS transmits the special authentication vector to the access network element, and the access network element sends the special authentication vector to the SGSN;
该 SGSN根据从该接入网网元接收到的特殊认证向量执行 UMTS AKA认 证流程。 SGSN发送 UMTS AKA认证 4 战给接入网网元, 该 UMTS AKA认证 挑战中包含 RAND和 AUTNo 接入网网元将接收到的 UMTS AKA认证挑战转换成 LTE AKA认证挑战。 UMTS AKA认证挑战中的 RAND和 AUTN被放在 LTE AKA认证挑战中发送给 LTE UE。 The SGSN performs a UMTS AKA authentication procedure based on the special authentication vector received from the access network element. The SGSN sends the UMTS AKA authentication 4 to the access network element. The UMTS AKA authentication challenge includes RAND and AUTNo. The access network element converts the received UMTS AKA authentication challenge into an LTE AKA authentication challenge. The RAND and AUTN in the UMTS AKA authentication challenge are sent to the LTE UE in the LTE AKA authentication challenge.
LTE UE验证 AUTN。 进一步的, 由于 AUTN中 AMF的第 0个比特的值为 1 , 因此 LTE UE会通过对 AMF的检查。 LTE UE生成 RES和密钥 KASMEThe LTE UE verifies the AUTN. Further, since the value of the 0th bit of the AMF in the AUTN is 1, the LTE UE checks the AMF. The LTE UE generates the RES and the key K ASME .
LTE UE发送 LTE AKA认证响应给接入网网元,该 LTE AKA认证响应中包 含 RES。  The LTE UE sends an LTE AKA authentication response to the access network element, and the LTE AKA authentication response includes the RES.
接入网网元将 LTE AKA认证响应转换为 UMTS AKA认证响应, 将 LTE AKA认证响应中的该 RES放在 UMTS AKA认证响应中发送给 SGSN。  The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response, and sends the RES in the LTE AKA authentication response to the SGSN in the UMTS AKA authentication response.
SGSN比较该 RES和该 XRES是否相同。  The SGSN compares whether the RES and the XRES are the same.
可选地, 如果比较结果为该 RES和该 XRES不相同, 则中止进行安全认 证;  Optionally, if the comparison result is that the RES is different from the XRES, then the security authentication is suspended;
可选地, 如果比较结果为该 RES和该 XRES相同, 则 SGSN发起安全模 式过程, 在安全模式过程中, CK和或 IK被发送给接入网网元。  Optionally, if the comparison result is that the RES and the XRES are the same, the SGSN initiates a security mode process, in which CK and or IK are sent to the access network element.
可选地, 接入网网元根据 CK和或 IK生成 KASME。 可选地, 接入网网元根 据 CK和或 IK生成 KASME的生成规则为 KASME=CKIIIK, "II"表示串联, 即将 IK 加在 CK后面。 Optionally, the access network element generates K ASME according to CK and or IK. Optionally, the access network element generates K ASME according to CK and or IK. The generation rule is K ASME =CKIIIK, and "II" indicates concatenation, that is, IK is added after CK.
接入网网元和 LTE UE共享密钥 KASMEThe access network element and the LTE UE share the key K ASME .
可选地,接入网网元和 LTE UE之间执行 LTE NAS SMC流程和 LTE AS SMC 流程建立 LTE空口安全。  Optionally, the LTE NAS SMC process and the LTE AS SMC process are performed between the access network element and the LTE UE to establish an LTE air interface security.
本发明实施例中,通过该接入网网元将 LTE UE所发送的消息转换为适用于 2G或 3G网络的消息, 由 SGSN识别出 LTE UE通过该接入网网元接入 2G或 3G核心网的场景后, HSS生成特殊的认证向量, 通过该接入网网元、 SGSN完 成 LTE UE和网络之间的安全认证。 不需要对 LTE UE做修改, 使得 LTE UE可 以通过本实施例中的接入网网元接入 2G或 3G核心网,完成安全认证并使用 2G 或 3G核心网资源。 图 5示出了根据本发明实施例的移动通信系统的安全认证的归属用户服务 器 500的示意性框图。 图 5及其说明所揭示的装置, 可基于本发明实施例图 1 至图 4以及基于本发明实施例图 1至图 4所揭示的方法。 如图 5所示, 该归属 用户服务器 HSS500包括: 接收模块 510 , 处理模块 520 , 发送模块 530; 该接收模块 510用于接收接入网网元发送的要求特殊认证向量的请求, 该要求特殊认证向量的请求由该接入网网元接收到 SGSN发送的要求认证向 量的请求后发送; In the embodiment of the present invention, the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the SGSN identifies that the LTE UE accesses the 2G or 3G core through the access network element. After the scenario of the network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. The LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources. FIG. 5 shows a schematic block diagram of a home subscriber server 500 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 5 and its description of the disclosed apparatus may be based on the embodiments of the present invention, FIGS. 1 through 4, and the methods disclosed in FIGS. 1 through 4 of the present invention. As shown in FIG. 5, the home subscriber server HSS 500 includes: a receiving module 510, a processing module 520, and a sending module 530. The receiving module 510 is configured to receive a request for a special authentication vector sent by an access network element, where the special authentication is required. The request of the vector is sent by the network element of the access network after receiving the request for the authentication vector sent by the SGSN;
该处理模块 520用于根据该要求特殊认证向量的请求, 生成特殊认证向 量;  The processing module 520 is configured to generate a special authentication vector according to the request for the special authentication vector;
该发送模块 530用于将该特殊认证向量发送给该接入网网元, 以便该接 入网网元、 该 SGSN和 LTE UE完成安全认证。  The sending module 530 is configured to send the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
在本发明实施例中, 为了使 LTE UE能够使用 2G或 3G网络, 在接入网网 元识别出是 LTE UE接入 2G/3G核心网后, HSS为该 LTE UE生成特殊认证向 量, 以便该 SGSN、 该接入网网元和该 LTE UE完成安全认证, 使 LTE UE可 以使用 2G或 3G核心网。  In the embodiment of the present invention, in order to enable the LTE UE to use the 2G or 3G network, after the access network element identifies that the LTE UE accesses the 2G/3G core network, the HSS generates a special authentication vector for the LTE UE, so that the The SGSN, the access network element, and the LTE UE complete the security authentication, so that the LTE UE can use the 2G or 3G core network.
可选地, 该要求认证向量的请求是该 SGSN在接收到该接入网网元发送 的 UMTS attach request消息后发送, 该 UMTS attach request消息是该接入网 网元将 attach request消息转换所得,该 attach request消息由该 LTE UE发送。  Optionally, the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by converting the attach request message by the access network element. The attach request message is sent by the LTE UE.
可选地,  Optionally,
该以便该接入网网元、 该 SGSN和 LTE UE完成安全认证包括: 该接入网网元将该特殊认证向量发送给该 SGSN , 该 SGSN发送 UMTS AKA认证挑战给该接入网网元, 该接入网网元将该 UMTS AKA认证挑战转 换成 LTE AKA认证挑战后发送给该 LTE UE, 该 LTE UE根据该 LTE AKA 认证挑战进行验证并生成 RES和密钥 KASME后, 该 LTE UE将包含该 RES 的 LTE AKA认证响应发送给该接入网网元, 以便该接入网网元、 该 SGSN 和该 LTE UE进一步完成安全认证。 可选地, 该特殊认证向量中包含 XRES、 CK、 IK; The SGSN sends the UMTS AKA authentication challenge to the access network element, and the SGSN sends the UMTS AKA authentication challenge to the SGSN. After the UMTS AKA authentication challenge is converted into an LTE AKA authentication challenge, the access network element is sent to the LTE UE, and after the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key K ASME , the LTE UE will The LTE AKA authentication response including the RES is sent to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication. Optionally, the special authentication vector includes XRES, CK, and IK;
可选地, 该以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全 认证包括:  Optionally, the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:
该接入网网元将该 LTE ΑΚΑ认证响应转换为 UMTS AKA认证响应并将 该 UMTS AKA认证响应发送给该 SGSN, 该 SGSN比较该 RES和该 XRES 是否相同, 当该比较结果为相同时, 该 SGSN将该 CK和或 IK发送给该接入 网网元, 该接入网网元根据该 CK和或 IK生成 KASME, 该接入网网元和该 LTE UE共享该 KASMEThe access network element converts the LTE ΑΚΑ authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, where the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, The SGSN sends the CK and or IK to the access network element, and the access network element generates K ASME according to the CK and or IK, and the access network element and the LTE UE share the K ASME .
可选地, 该 SGSN比较该 RES和该 XRES是否相同还包括, 当该比较结 果为不相同时, 中止进行安全认证。  Optionally, whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
可选的, 该要求特殊认证向量的请求由该接入网网元接收到 SGSN发送 的要求认证向量的请求后发送包括:  Optionally, the request for the special authentication vector is sent by the access network element after receiving the request for the authentication vector sent by the SGSN, including:
该接入网网元接收该 SGSN发送的该要求认证向量的请求;  Receiving, by the access network element, the request for the authentication vector sent by the SGSN;
该接入网网元识别出是 LTE UE接入 2G或 3G网络;  The access network element identifies that the LTE UE accesses the 2G or 3G network;
该接入网网元在该认证向量中加入指示信息生成该要求特殊认证向量的 请求, 该指示信息用于指示该 HSS生成该特殊认证向量。  The access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
可选地, 该处理模块 520用于根据该要求特殊认证向量的请求, 生成特 殊认证向量包括:  Optionally, the processing module 520 is configured to generate a special authentication vector according to the request for the special authentication vector, including:
该处理模块 520用于为该 LTE UE生成 EPS AV;  The processing module 520 is configured to generate EPS AV for the LTE UE;
进一步的,  further,
该处理模块 520用于将认证管理域 AMF中第 0个 bit设为 1以标示此认 证向量为 EPS AV;  The processing module 520 is configured to set the 0th bit in the authentication management domain AMF to 1 to indicate that the authentication vector is EPS AV;
该处理模块 520用于生成 RAND、 AUTN、 CK、 IK和 XRES;  The processing module 520 is configured to generate RAND, AUTN, CK, IK, and XRES;
该处理模块 520用于根据 CK和 IK推演得到 KASME , 推演规则可以 为 KASME =KDF ( CK, IK ) , KDF为密钥推演函数; The processing module 520 is configured to derive KASME according to CK and IK, and the derivation rule may be K ASME =KDF ( CK, IK ), and KDF is a key derivation function;
EPS AV由 KASME、 AUTN、 XRES , RAND组成, 其中 AUTN中的 AMF 参数的第 0个比特的值为 1。 EPS AV consists of K ASME , AUTN, XRES, RAND, of which AMF in AUTN The 0th bit of the parameter has a value of 1.
可选地, 该处理模块 520用于将该 EPS AV转换成 UMTS AV格式格式, 以使得 EPS AV可以通过现有的 UMTS认证响应发送给 SGSN。 EPS AV转换成 UMTS AV格式的方法包括:将 EPS AV中的 RAND、 AUTN和 XRES作为 UMTS AV的 RAND、 AUTN和 XRES ,将 EPS AV中的 KASME ( 256bits )拆分为两部分, 分别作为 UMTS AV的 CK ( 128bits )和 IK ( 128bits )。该 EPS AV转换成 UMTS AV格式格式后, AUTN中的 AMF的第 0个比特的值仍然为 1。 将该 EPS AV 转换成 UMTS AV格式格式后所得的向量为该特殊认证向量。 可选地, 该接入 网网元根据该 CK和或 IK生成 KASME包括: Optionally, the processing module 520 is configured to convert the EPS AV into a UMTS AV format format, so that the EPS AV can be sent to the SGSN by using an existing UMTS authentication response. The method of converting EPS AV into UMTS AV format includes: using RAND, AUTN and XRES in EPS AV as RAND, AUTN and XRES of UMTS AV, and splitting K ASME (256bits) in EPS AV into two parts, respectively as UMTS AV's CK (128bits) and IK (128bits). After the EPS AV is converted into the UMTS AV format, the value of the 0th bit of the AMF in the AUTN is still 1. The vector obtained by converting the EPS AV into the UMTS AV format is the special authentication vector. Optionally, the access network element generates the K ASME according to the CK and or IK, including:
该接入网网元按照生成规则 KASME=CKIIIK , 根据该 CK和或 IK生成该The access network element generates the base according to the CK and or IK according to the generation rule K ASME =CKIIIK
KASME。 ΊΓ 表示串联, 即将 IK加在 CK后面。 本发明实施例中, 通过该接入 网网元将 LTE UE所发送的消息转换为适用于 2G或 3G网络的消息, 由接入网 网元识别出 LTE UE通过该接入网网元接入 2G或 3G网络的场景后, HSS生成 特殊的认证向量, 通过该接入网网元、 SGSN完成 LTE UE和网络之间的安全认 证。 不需要对 LTE UE做修改, 使得 LTE UE可以通过本实施例中的接入网网元 接入 2G或 3G核心网, 完成安全认证并使用 2G或 3G核心网资源。 K ASME . ΊΓ indicates concatenation, IK is added after CK. In the embodiment of the present invention, the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the network element of the access network, and the network element of the access network identifies that the LTE UE accesses the network element through the access network. After the scenario of the 2G or 3G network, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed by the access network element and the SGSN. The LTE UE is not required to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
图 6示出了根据本发明实施例的移动通信系统的安全认证的 GPRS服务支撑 节点 600的示意性框图。 图 6及其说明所揭示的装置, 可基于本发明实施例图 1 至图 4以及基于本发明实施例图 1至图 4所揭示的方法, 也可以基于本发明实 施例图 5以及图 5所揭示的装置。如图 6所示,该 GPRS服务支撑节点 SGSN600 包括: 接收模块 610; 发送模块 620;  Figure 6 shows a schematic block diagram of a GPRS service support node 600 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 6 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 according to the embodiment of the present invention may also be based on the embodiment of the present invention and FIG. 5 and FIG. Revealed device. As shown in Figure 6, the GPRS service support node SGSN600 includes: a receiving module 610; a sending module 620;
该接收模块 610用于接收接入网网元发送的 UMTS attach request消息, 该 UMTS attach request消息是该接入网网元将 LTE UE发送的 attach request 消息转换所得;  The receiving module 610 is configured to receive a UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by converting the attach request message sent by the LTE UE by the access network element;
该发送模块 620用于向该接入网网元发送要求认证向量的请求, 以便该 接入网网元接收到该要求认证向量的请求后,向 HSS发送要求特殊认证向量 的请求,进而以便该 HSS根据该要求特殊认证向量的请求生成该特殊认证向 量后发送给该接入网网元; The sending module 620 is configured to send a request for the authentication vector to the access network element, so that the access network element sends the request for the authentication vector, and then sends a request for the special authentication vector to the HSS. The request, and then the HSS generates the special authentication vector according to the request for the special authentication vector, and sends the special authentication vector to the access network element;
该接收模块 610还用于接收来自于该接入网网元的该特殊认证向量, 该 发送模块 620还用于该接收模块 610接收到该特殊认证向量后发送 UMTS AKA认证挑战给该接入网网元, 以便该 SGSN、 该接入网网元和该 LTE UE 完成安全认证。  The receiving module 610 is further configured to receive the special authentication vector from the network element of the access network, where the sending module 620 is further configured to send the UMTS AKA authentication challenge to the access network after the receiving module 610 receives the special authentication vector. The network element, so that the SGSN, the access network element, and the LTE UE complete the security authentication.
在本发明实施例中, 通过接入网网元识别出 LTE UE接入 2G或 3G网络的 场景后, 接入网网元向 HSS请求获取特殊认证向量, HSS根据该请求生成特 殊认证向量, 使 SGSN、 接入网网元和该 LTE UE完成安全认证, 实现不需要 对 LTEUE进行修改的条件下使 LTE UE使用 2G或 3G核心网。  In the embodiment of the present invention, after the network element of the access network identifies the scenario in which the LTE UE accesses the 2G or 3G network, the access network element requests the HSS to obtain a special authentication vector, and the HSS generates a special authentication vector according to the request. The SGSN, the access network element, and the LTE UE complete the security authentication, and enable the LTE UE to use the 2G or 3G core network without modifying the LTE UE.
可选地,该以便该 SGSN、该接入网网元和该 LTE UE完成安全认证包括: 该接入网网元将该 UMTS AKA认证挑战转换成 LTE AKA认证挑战后发 送给该 LTE UE ,该 LTE UE根据该 LTE AKA认证挑战进行验证并生成 RES 和密钥 KASME后, 该 LTE UE将包含该 RES的 LTE AKA认证响应发送给该 接入网网元, 以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认 证。 Optionally, the SGSN, the access network element, and the LTE UE complete the security authentication, where the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the LTE UE to the LTE UE. After the LTE UE performs the verification according to the LTE AKA authentication challenge and generates the RES and the key K ASME , the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the The SGSN and the LTE UE further complete the security authentication.
可选地, 该 SGSN还包括处理模块 630 ;  Optionally, the SGSN further includes a processing module 630;
可选地, 该特殊认证向量包含 XRES、 CK、 IK;  Optionally, the special authentication vector includes XRES, CK, and IK;
可选地, 该以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全 认证包括:  Optionally, the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:
该接入网网元将该 LTE AKA认证响应转换为 UMTS AKA认证响应并将 该 UMTS AKA认证响应发送给该接收模块 610 ,该处理模块 630用于比较该 RES和该 XRES是否相同, 当该比较结果为相同时,该发送模块 620将该 CK 和或 IK发送给该接入网网元, 该接入网网元根据该 CK和或 IK生成 KASME , 该 CK和或 IK由该发送模块 620发送, 该接入网网元和该 LTE UE共享该 KASME。 可选地, 该处理模块 630用于比较该 RES和该 XRES是否相同还包括, 当该比较结果为不相同时, 中止进行安全认证。 The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiving module 610, where the processing module 630 is configured to compare whether the RES and the XRES are the same, when the comparison is performed. When the result is the same, the sending module 620 sends the CK and or IK to the access network element, and the access network element generates K ASME according to the CK and or IK, and the CK and or IK are sent by the sending module 620. Sending, the access network element and the LTE UE share the KASME. Optionally, the processing module 630 is configured to compare whether the RES and the XRES are the same. Further, when the comparison result is different, the security authentication is suspended.
可选地, 该以便该接入网网元接收到该要求认证向量的请求后, 向 HSS 发送要求特殊认证向量的请求包括:  Optionally, after the request for the access network element to receive the request for the authentication vector, the request for sending the special authentication vector to the HSS includes:
该接入网网元接收该 SGSN发送的该要求认证向量的请求;  Receiving, by the access network element, the request for the authentication vector sent by the SGSN;
该接入网网元识别出是 LTE UE接入 2G或 3G网络;  The access network element identifies that the LTE UE accesses the 2G or 3G network;
该接入网网元在该认证向量中加入指示信息生成该要求特殊认证向量的 请求, 该指示信息用于指示该 HSS生成该特殊认证向量。  The access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
可选地, 该以便该 HSS根据该要求特殊认证向量的请求生成该特殊认证 向量包括:  Optionally, the generating, by the HSS, the special authentication vector according to the request for the special authentication vector includes:
该 HSS为该 LTE UE生成 EPS AV ;  The HSS generates EPS AV for the LTE UE;
该 HSS将该 EPS AV转换成 UMTS AV格式, 该转换为 UMTS AV格式 的 EPS AV为该特殊认证向量。  The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
可选地, 该 HSS将该 EPS AV转换成 UMTS AV格式 包括:  Optionally, the HSS converts the EPS AV into a UMTS AV format, including:
该 HSS将该 EPS AV中的 RAND作为该 UMTS AV的 RAND , 该 HSS 将该 EPS AV中的 AUTN作为该 UMTS AV的 AUTN , 该 HSS将该 EPS AV 中的 XRES作为该 UMTS AV的 XRES , 该 HSS将该 EPS AV中的 KASME拆 分为两部分, 分别作为该 UMTS AV的该 CK和该 IK。 The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS The K ASME in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
可选地, 该接入网网元才艮据该 CK和或 ΙΚ生成 KASME包括: Optionally, the access network element generates the K ASME according to the CK and or the 包括:
该接入网网元按照生成规则 KASME=CKIIIK , 根据该 CK和或 IK生成该The access network element generates the base according to the CK and or IK according to the generation rule K ASME =CKIIIK
KASME。 KASME.
本发明实施例中,通过该接入网网元将 LTE UE所发送的消息转换为适用于 2G或 3G网络的消息, 由 SGSN识别出 LTE UE通过该接入网网元接入 2G或 3G核心网的场景后, HSS生成特殊的认证向量, 通过该接入网网元、 SGSN完 成 LTE UE和网络之间的安全认证。 不需要对 LTE UE做修改, 使得 LTE UE可 以通过本实施例中的接入网网元接入 2G或 3G核心网,完成安全认证并使用 2G 或 3G核心网资源。 In the embodiment of the present invention, the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the SGSN identifies that the LTE UE accesses the 2G or 3G core through the access network element. After the scenario of the network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. The LTE UE is not required to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in the embodiment to complete the security authentication and use the 2G. Or 3G core network resources.
图 7示出了根据本发明实施例的移动通信系统的安全认证的接入网网元 700 的示意性框图。 图 7及其说明所揭示的装置, 可基于本发明实施例图 1至图 4 以及基于本发明实施例图 1至图 4所揭示的方法,也可以基于本发明实施例图 5 至图 6以及图 5至图 6所揭示的装置。 如图 7所示, 该接入网网元 700包括: 接收模块 710 , 处理模块 720 , 发送模块 730;  FIG. 7 shows a schematic block diagram of an access network element 700 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 7 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 according to the embodiment of the present invention may also be based on the embodiments of the present invention and FIGS. 5 to 6 and The apparatus disclosed in Figures 5-6. As shown in FIG. 7, the access network element 700 includes: a receiving module 710, a processing module 720, and a sending module 730;
该接收模块 710用于接收来自 LTE UE的 attach request消息; 该处理模 块 720用于将该 attach request消息转换为 UMTS attach request消息;  The receiving module 710 is configured to receive an attach request message from an LTE UE; the processing module 720 is configured to convert the attach request message into a UMTS attach request message;
该发送模块 730用于将该 UMTS attach request消息发送给 SGSN, 以便 该 SGSN收到该 UMTS attach request消息后发送要求认证向量的请求给该接 收模块 710; 该发送模块 730还用于在该接收模块 710收到该要求认证向量 的请求后发送要求特殊认证向量的请求给该 HSS ,以便该 HSS根据要求特殊 认证向量的请求生成该特殊认证向量,进而以便该 HSS将该特殊认证向量发 送给该接收模块 710;  The sending module 730 is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the receiving module 710 after receiving the UMTS attach request message, and the sending module 730 is further used in the receiving module. After receiving the request for the authentication vector, the 710 sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector, so that the HSS sends the special authentication vector to the receiving. Module 710;
该接收模块 710还用于接收 UMTS AKA认证挑战, 该 UMTS AKA认证 挑战为该发送模块 730将该特殊认证向量发送给该 SGSN后由该 SGSN发送; 该处理模块 720还用于将该 UMTS AKA认证挑战转换成 LTE AKA认证挑 战, 该发送模块 730还用于将该 LTE AKA认证挑战发送给该 LTE UE, 以便 该接入网网元、 该 SGSN和该 LTE UE完成安全认证。  The receiving module 710 is further configured to receive a UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the sending module 730 to the SGSN by the sending module 730, and the processing module 720 is further configured to authenticate the UMTS AKA. The challenge is converted into an LTE AKA authentication challenge, and the sending module 730 is further configured to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
在本发明实施例中, 通过接入网网元将 LTE UE发送的信息转换为适用于 In the embodiment of the present invention, the information sent by the LTE UE is converted to be applicable to the network element of the access network.
2G或 3G网络系统的信息, 由接入网网元识别出为 LTE UE接入 2G或 3G网络 的场景, 通过 HSS生成特殊的认证向量, 使接入网网元、 SGSN和 LTE UE能 够完成安全认证, 使得 LTE UE可以使用现有 2G或 3G核心网。 The information of the 2G or 3G network system is identified by the access network element as a scenario in which the LTE UE accesses the 2G or 3G network, and the HSS generates a special authentication vector to enable the access network element, the SGSN, and the LTE UE to complete the security. Authentication enables LTE UEs to use existing 2G or 3G core networks.
可选地, 该接入网网元、 该 SGSN和该 LTE UE完成安全认证包括: 该 LTE UE验证该 LTE AKA认证挑战后生成 RES和密钥 KASME; 该接收模块 710用于接收该 LTE UE发送的包含该 RES的 LTE AKA认 证响应, 以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认证。 可选地, 该特殊认证向量包含 XRES、 CK和 IK; Optionally, the access network element, the SGSN, and the LTE UE complete the security authentication, where the LTE UE verifies the LTE AKA authentication challenge, and generates a RES and a key K ASME ; the receiving module 710 is configured to receive the LTE UE. The LTE AKA that sent the RES The response is such that the access network element, the SGSN, and the LTE UE further complete the security authentication. Optionally, the special authentication vector includes XRES, CK, and IK;
可选地, 该以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认 证包括:  Optionally, the access network element, the SGSN, and the LTE UE further complete the security authentication, including:
该处理模块 720还用于将包含该 RES的 LTE AKA认证响应转换为包含 该 RES的 UMTS AKA认证响应,该发送模块 730还用于将该包含该 RES的 UMTS AKA认证响应发送给该 SGSN ,以便该 SGSN比较该 RES和该 XRES 是否相同, 当该比较结果为相同时, 该 SGSN将该 CK和或 IK发送给该接入 网网元;  The processing module 720 is further configured to convert the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, where the sending module 730 is further configured to send the UMTS AKA authentication response including the RES to the SGSN, so that The SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the access network element.
该处理模块 720还用于才艮据该 CK和或 IK生成 KASME, 该接入网网元和 该 LTE UE共享该 KASMEThe processing module 720 is further configured to generate a K ASME according to the CK and or IK, where the access network element and the LTE UE share the K ASME .
可选地, 该 SGSN比较该 RES和该 XRES是否相同还包括, 当该比较结 果为不相同时, 中止进行安全认证。  Optionally, whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
可选地, 该发送模块 730还用于在该接收模块 710收到该要求认证向量 的请求后发送要求特殊认证向量的请求给该 HSS包括:  Optionally, the sending module 730 is further configured to: after the receiving module 710 receives the request for the authentication vector, send a request for the special authentication vector to the HSS, including:
该接收模块 710用于接收该 SGSN发送的该要求认证向量的请求; 该处理模块 720用于识别出是 LTE UE接入 2G或 3G网络;  The receiving module 710 is configured to receive the request for the authentication vector that is sent by the SGSN. The processing module 720 is configured to identify that the LTE UE accesses the 2G or 3G network.
该处理模块 720还用于在该认证向量中加入指示信息生成该要求特殊认 证向量的请求, 该指示信息用于指示该 HSS生成该特殊认证向量。  The processing module 720 is further configured to add, in the authentication vector, the indication information to generate the request for the special authentication vector, where the indication information is used to indicate that the HSS generates the special authentication vector.
可选地, 该以便该 HSS根据要求特殊认证向量的请求生成该特殊认证向 量包括:  Optionally, the special authentication vector generated by the HSS according to the request for the special authentication vector includes:
该 HSS为该 LTE UE生成 EPS AV;  The HSS generates EPS AV for the LTE UE;
该 HSS将该 EPS AV转换成 UMTS AV格式, 该转换为 UMTS AV格式 的 EPS AV为该特殊认证向量。  The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
可选地, 该 HSS将该 EPS AV转换成 UMTS AV格式 包括:  Optionally, the HSS converts the EPS AV into a UMTS AV format, including:
该 HSS将该 EPS AV中的 RAND作为该 UMTS AV的 RAND , 该 HSS 将该 EPS AV中的 AUTN作为该 UMTS AV的 AUTN, 该 HSS将该 EPS AV 中的 XRES作为该 UMTS AV的 XRES , 该 HSS将该 EPS AV中的 KASME ( 256bits ) 拆分为两部分, 分别作为该 UMTS AV的该 CK和该 IK。 The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS The AUTN in the EPS AV is used as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K ASME (256 bits) in the EPS AV into two parts, respectively The CK and the IK as the UMTS AV.
可选地, 该处理模块 720进一步用于按照生成规则 KASME=CKIIIK , 根 据该 CK和或 IK生成该 KASME。 ΊΓ 表示串联, 即将 IK加在 CK后面。 Alternatively, the processing module 720 is further configured in accordance with rules to generate K ASME = CKIIIK, which generates based on the K ASME and CK or IK. ΊΓ indicates concatenation, IK is added after CK.
本发明实施例中,通过该接入网网元将 LTE UE所发送的消息转换为适用于 2G或 3G网络的消息, 由接入网网元识别出 LTE UE通过该接入网网元接入 2G 或 3G网络的场景后, HSS生成特殊的认证向量, 通过该接入网网元、 SGSN完 成 LTE UE和网络之间的安全认证。 不需要对 LTE UE做修改, 使得 LTE UE可 以通过本实施例中的接入网网元接入 2G或 3G核心网,完成安全认证并使用 2G 或 3G核心网资源。  In the embodiment of the present invention, the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the access network element identifies that the LTE UE accesses through the access network element. After the scenario of the 2G or 3G network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. The LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
图 8示出了根据本发明实施例的移动通信系统的安全认证的用户归属服务 器 800的示意性框图。 图 8及其说明所揭示的装置, 可基于本发明实施例图 1 至图 4以及基于本发明实施例图 1至图 4所揭示的方法, 以及基于本发明实施 例图 5至图 7以及基于本发明实施例图 5至图 7所揭示的装置。 如图 8所示, 该用户归属服务器 HSS800包括: 接收器 810 , 处理器 820 , 发送器 830;  FIG. 8 shows a schematic block diagram of a user home server 800 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 8 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 based on the embodiment of the present invention, and FIG. 5 to FIG. 7 based on the embodiment of the present invention and based on The apparatus disclosed in Figures 5 to 7 of the embodiment of the present invention. As shown in FIG. 8, the user home server HSS800 includes: a receiver 810, a processor 820, and a transmitter 830;
该接收器 810用于接收接入网网元发送的要求特殊认证向量的请求, 该 要求特殊认证向量的请求由该接入网网元接收到 SGSN发送的要求认证向量 的请求后发送;  The receiver 810 is configured to receive a request for a special authentication vector sent by the network element of the access network, where the request for the special authentication vector is sent by the network element of the access network after receiving the request for the authentication vector sent by the SGSN;
该处理器 820用于根据该要求特殊认证向量的请求,生成特殊认证向量; 该发送器 830用于将该特殊认证向量发送给该接入网网元, 以便该接入 网网元、 该 SGSN和 LTE UE完成安全认证。  The processor 820 is configured to generate a special authentication vector according to the request for the special authentication vector. The transmitter 830 is configured to send the special authentication vector to the access network element, so that the access network element, the SGSN And the LTE UE completes the security certification.
在本发明实施例中, 为了使 LTE UE能够使用 2G或 3G网络, 在接入网网 元识别出是 LTE UE接入 2G/3G核心网后, HSS为该 LTE UE生成特殊认证向 量, 以便该 SGSN、 该接入网网元和该 LTE UE完成安全认证, 使 LTE UE可 以使用 2G或 3G核心网。 可选地, 该要求认证向量的请求是该 SGSN在接收到该接入网网元发送 的 UMTS attach request消息后发送, 该 UMTS attach request消息是该接入网 网元将 attach request消息转换所得,该 attach request消息由该 LTE UE发送。 In the embodiment of the present invention, in order to enable the LTE UE to use the 2G or 3G network, after the access network element identifies that the LTE UE accesses the 2G/3G core network, the HSS generates a special authentication vector for the LTE UE, so that the The SGSN, the access network element, and the LTE UE complete the security authentication, so that the LTE UE can use the 2G or 3G core network. Optionally, the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by converting the attach request message by the access network element. The attach request message is sent by the LTE UE.
可选地,  Optionally,
该以便该接入网网元、 该 SGSN和 LTE UE完成安全认证包括: 该接入网网元将该特殊认证向量发送给该 SGSN , 该 SGSN发送 UMTS AKA认证挑战给该接入网网元, 该接入网网元将该 UMTS AKA认证挑战转 换成 LTE AKA认证挑战后发送给该 LTE UE, 该 LTE UE根据该 LTE AKA 认证挑战进行验证并生成 RES和密钥 KASME后, 该 LTE UE将包含该 RES 的 LTE AKA认证响应发送给该接入网网元, 以便该接入网网元、 该 SGSN 和该 LTE UE进一步完成安全认证。 The SGSN sends the UMTS AKA authentication challenge to the access network element, and the SGSN sends the UMTS AKA authentication challenge to the SGSN. After the UMTS AKA authentication challenge is converted into an LTE AKA authentication challenge, the access network element is sent to the LTE UE, and after the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key K ASME , the LTE UE will The LTE AKA authentication response including the RES is sent to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
可选地, 该特殊认证向量中包含 XRES、 CK、 IK;  Optionally, the special authentication vector includes XRES, CK, and IK;
可选地, 该以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全 认证包括:  Optionally, the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:
该接入网网元将该 LTE AKA认证响应转换为 UMTS AKA认证响应并将 该 UMTS AKA认证响应发送给该 SGSN, 该 SGSN比较该 RES和该 XRES 是否相同, 当该比较结果为相同时, 该 SGSN将该 CK和或 IK发送给该接入 网网元, 该接入网网元根据该 CK和或 IK生成 KASME, 该接入网网元和该 LTE UE共享该 KASMEThe access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, and the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the The SGSN sends the CK and or IK to the access network element, and the access network element generates K ASME according to the CK and or IK, and the access network element and the LTE UE share the K ASME .
可选地, 该 SGSN比较该 RES和该 XRES是否相同还包括, 当该比较结 果为不相同时, 中止进行安全认证。  Optionally, whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
可选的, 该要求特殊认证向量的请求由该接入网网元接收到 SGSN发送 的要求认证向量的请求后发送包括:  Optionally, the request for the special authentication vector is sent by the access network element after receiving the request for the authentication vector sent by the SGSN, including:
该接入网网元接收该 SGSN发送的该要求认证向量的请求;  Receiving, by the access network element, the request for the authentication vector sent by the SGSN;
该接入网网元识别出是 LTE UE接入 2G或 3G网络;  The access network element identifies that the LTE UE accesses the 2G or 3G network;
该接入网网元在该认证向量中加入指示信息生成该要求特殊认证向量的 请求, 该指示信息用于指示该 HSS生成该特殊认证向量。 The access network element adds the indication information to the authentication vector to generate the required special authentication vector. The request information is used to instruct the HSS to generate the special authentication vector.
可选地, 该处理器 820用于根据该要求特殊认证向量的请求, 生成特殊 认证向量包括:  Optionally, the processor 820 is configured to generate a special authentication vector according to the request for the special authentication vector, including:
该处理器 820用于为该 LTE UE生成 EPS AV;  The processor 820 is configured to generate an EPS AV for the LTE UE;
进一步的,  further,
该处理器 820用于将认证管理域 AMF中第 0个 bit设为 1以标示此认证 向量为 EPS AV;  The processor 820 is configured to set the 0th bit in the authentication management domain AMF to 1 to indicate that the authentication vector is EPS AV;
该处理器 820用于生成 RAND、 AUTN , CK、 IK和 XRES;  The processor 820 is configured to generate RAND, AUTN, CK, IK and XRES;
该处理器 820用于根据 CK和 IK推演得到 KASME , 推演规则可以为 KASME =KDF ( CK, IK ) , KDF为密钥推演函数;  The processor 820 is configured to derive KASME according to CK and IK, and the derivation rule may be KASME = KDF (CK, IK), and KDF is a key derivation function;
EPS AV由 KASME、 AUTN , XRES , RAND组成, 其中 AUTN中的 AMF 参数的第 0个比特的值为 1。 EPS AV consists of K ASME , AUTN , XRES , RAND , where the 0th bit of the AMF parameter in the AUTN has a value of 1.
可选地, 该处理器 820用于将该 EPS AV转换成 UMTS AV格式格式, 以 使得 EPS AV可以通过现有的 UMTS认证响应发送给 SGSN。 EPS AV转换成 UMTS AV格式的方法包括:将 EPS AV中的 RAND、 AUTN和 XRES作为 UMTS AV的 RAND、 AUTN和 XRES ,将 EPS AV中的 KASME ( 256bits )拆分为两部分, 分别作为 UMTS AV的 CK ( 128bits )和 IK ( 128bits )。该 EPS AV转换成 UMTS AV格式格式后, AUTN中的 AMF的第 0个比特的值仍然为 1。 将该 EPS AV 转换成 UMTS AV格式格式后所得的向量为该特殊认证向量。 可选地, 该接入 网网元根据该 CK和或 IK生成 KASME包括: Optionally, the processor 820 is configured to convert the EPS AV into a UMTS AV format format, so that the EPS AV can be sent to the SGSN by using an existing UMTS authentication response. The method of converting EPS AV into UMTS AV format includes: using RAND, AUTN and XRES in EPS AV as RAND, AUTN and XRES of UMTS AV, and splitting K ASME (256bits) in EPS AV into two parts, respectively as UMTS AV's CK (128bits) and IK (128bits). After the EPS AV is converted into the UMTS AV format, the value of the 0th bit of the AMF in the AUTN is still 1. The vector obtained by converting the EPS AV into the UMTS AV format is the special authentication vector. Optionally, the access network element generates the K ASME according to the CK and or IK, including:
该接入网网元按照生成规则 KASME=CKIIIK , 根据该 CK和或 IK生成该 KASME。 ΊΓ 表示串联, 即将 IK加在 CK后面。 本发明实施例中, 通过该接入 网网元将 LTE UE所发送的消息转换为适用于 2G或 3G网络的消息, 由接入网 网元识别出 LTE UE通过该接入网网元接入 2G或 3G网络的场景后, HSS生成 特殊的认证向量, 通过该接入网网元、 SGSN完成 LTE UE和网络之间的安全认 证。 不需要对 LTE UE做修改, 使得 LTE UE可以通过本实施例中的接入网网元 接入 2G或 3G核心网, 完成安全认证并使用 2G或 3G核心网资源。 图 9示出了根据本发明实施例的移动通信系统的安全认证的 GPRS服务支撑 节点 900的示意性框图。 图 9及其说明所揭示的装置, 可基于本发明实施例图 1 至图 4以及基于本发明实施例图 1至图 4所揭示的方法, 也可以基于本发明实 施例图 5以及图 8所揭示的装置。如图 9所示,该 GPRS服务支撑节点 SGSN900 包括: 接收器 910; 发送器 920; The access network element in accordance with the generation rule K ASME = CKIIIK, which generates based on the K ASME and CK or IK. ΊΓ indicates concatenation, IK is added after CK. In the embodiment of the present invention, the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the network element of the access network, and the network element of the access network identifies that the LTE UE accesses the network element through the access network. After the scenario of the 2G or 3G network, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed by the access network element and the SGSN. The LTE UE does not need to be modified, so that the LTE UE can pass the access network element in this embodiment. Access 2G or 3G core network, complete security authentication and use 2G or 3G core network resources. FIG. 9 shows a schematic block diagram of a GPRS service support node 900 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 9 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 according to the embodiment of the present invention may also be based on the embodiment of the present invention, FIG. 5 and FIG. Revealed device. As shown in Figure 9, the GPRS service support node SGSN900 includes: a receiver 910; a transmitter 920;
该接收器 910用于接收接入网网元发送的 UMTS attach request消息, 该 The receiver 910 is configured to receive a UMTS attach request message sent by an access network element, where the
UMTS attach request消息是该接入网网元将 LTE UE发送的 attach request消 息转换所得; The UMTS attach request message is obtained by the access network element converting the attach request message sent by the LTE UE;
该发送器 920用于向该接入网网元发送要求认证向量的请求, 以便该接 入网网元接收到该要求认证向量的请求后,向 HSS发送要求特殊认证向量的 请求,进而以便该 HSS根据该要求特殊认证向量的请求生成该特殊认证向量 后发送给该接入网网元;  The transmitter 920 is configured to send a request for the authentication vector to the access network element, so that after receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, so as to The HSS generates the special authentication vector according to the request for the special authentication vector, and sends the special authentication vector to the access network element;
该接收器 910还用于接收来自于该接入网网元的该特殊认证向量, 该发 送器 920还用于该接收器 910接收到该特殊认证向量后发送 UMTS AKA认 证挑战给该接入网网元, 以便该 SGSN、 该接入网网元和该 LTE UE完成安 全认证。  The receiver 910 is further configured to receive the special authentication vector from the network element of the access network, where the transmitter 920 is further configured to send the UMTS AKA authentication challenge to the access network after the receiver 910 receives the special authentication vector. The network element, so that the SGSN, the access network element, and the LTE UE complete the security authentication.
在本发明实施例中, 通过接入网网元识别出 LTE UE接入 2G或 3G网络的 场景后, 接入网网元向 HSS请求获取特殊认证向量, HSS根据该请求生成特 殊认证向量, 使 SGSN、 接入网网元和该 LTE UE完成安全认证, 实现不需要 对 LTEUE进行修改的条件下使 LTE UE使用 2G或 3G核心网。  In the embodiment of the present invention, after the network element of the access network identifies the scenario in which the LTE UE accesses the 2G or 3G network, the access network element requests the HSS to obtain a special authentication vector, and the HSS generates a special authentication vector according to the request. The SGSN, the access network element, and the LTE UE complete the security authentication, and enable the LTE UE to use the 2G or 3G core network without modifying the LTE UE.
可选地,该以便该 SGSN、该接入网网元和该 LTE UE完成安全认证包括: 该接入网网元将该 UMTS AKA认证挑战转换成 LTE AKA认证挑战后发 送给该 LTE UE,该 LTE UE根据该 LTE AKA认证挑战进行验证并生成 RES 和密钥 KASME后, 该 LTE UE将包含该 RES的 LTE AKA认证响应发送给该 接入网网元, 以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认 证。 Optionally, the SGSN, the access network element, and the LTE UE complete the security authentication, where the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the LTE UE to the LTE UE. After the LTE UE performs the verification according to the LTE AKA authentication challenge and generates the RES and the key K ASME , the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the The SGSN and the LTE UE further complete the security recognition Certificate.
可选地, 该 SGSN还包括处理器 930;  Optionally, the SGSN further includes a processor 930;
可选地, 该特殊认证向量包含 XRES、 CK、 IK;  Optionally, the special authentication vector includes XRES, CK, and IK;
可选地, 该以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全 认证包括:  Optionally, the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:
该接入网网元将该 LTE ΑΚΑ认证响应转换为 UMTS AKA认证响应并将 该 UMTS AKA认证响应发送给该接收器 910 ,该处理器 930用于比较该 RES 和该 XRES是否相同, 当该比较结果为相同时, 该发送器 920将该 CK和或 IK发送给该接入网网元, 该接入网网元才艮据该 CK和或 IK生成 KASME , 该 CK和或 IK由该发送器 920发送,该接入网网元和该 LTE UE共享该 KASMEThe access network element converts the LTE ΑΚΑ authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiver 910, the processor 930 is configured to compare whether the RES and the XRES are the same, when the comparison When the result is the same, the transmitter 920 sends the CK and or IK to the access network element, and the access network element generates the K ASME according to the CK and or IK, and the CK and or IK are sent by the The 920 is sent, and the access network element and the LTE UE share the K ASME .
可选地, 该处理器 930用于比较该 RES和该 XRES是否相同还包括, 当 该比较结果为不相同时, 中止进行安全认证。  Optionally, the processor 930 is configured to compare whether the RES and the XRES are the same. Further, when the comparison result is different, the security authentication is suspended.
可选地, 该以便该接入网网元接收到该要求认证向量的请求后, 向 HSS 发送要求特殊认证向量的请求包括:  Optionally, after the request for the access network element to receive the request for the authentication vector, the request for sending the special authentication vector to the HSS includes:
该接入网网元接收该 SGSN发送的该要求认证向量的请求;  Receiving, by the access network element, the request for the authentication vector sent by the SGSN;
该接入网网元识别出是 LTE UE接入 2G或 3G网络;  The access network element identifies that the LTE UE accesses the 2G or 3G network;
该接入网网元在该认证向量中加入指示信息生成该要求特殊认证向量的 请求, 该指示信息用于指示该 HSS生成该特殊认证向量。  The access network element adds a request message to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
可选地, 该以便该 HSS根据该要求特殊认证向量的请求生成该特殊认证 向量包括:  Optionally, the generating, by the HSS, the special authentication vector according to the request for the special authentication vector includes:
该 HSS为该 LTE UE生成 EPS AV;  The HSS generates EPS AV for the LTE UE;
该 HSS将该 EPS AV转换成 UMTS AV格式, 该转换为 UMTS AV格式 的 EPS AV为该特殊认证向量。  The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
可选地, 该 HSS将该 EPS AV转换成 UMTS AV格式 包括:  Optionally, the HSS converts the EPS AV into a UMTS AV format, including:
该 HSS将该 EPS AV中的 RAND作为该 UMTS AV的 RAND , 该 HSS 将该 EPS AV中的 AUTN作为该 UMTS AV的 AUTN, 该 HSS将该 EPS AV 中的 XRES作为该 UMTS AV的 XRES , 该 HSS将该 EPS AV中的 KASME拆 分为两部分, 分别作为该 UMTS AV的该 CK和该 IK。 The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, and the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS the EPS AV The XRES in the XRES is the XRES of the UMTS AV, and the HSS splits the K ASME in the EPS AV into two parts, respectively as the CK and the IK of the UMTS AV.
可选地, 该接入网网元才艮据该 CK和或 ΙΚ生成 KASME包括: Optionally, the access network element generates the K ASME according to the CK and or the 包括:
该接入网网元按照生成规则 KASME=CKIIIK , 根据该 CK和或 IK生成该 ASME。 The access network element generates the ASME according to the CK and or IK according to the generation rule K ASME =CKIIIK.
本发明实施例中,通过该接入网网元将 LTE UE所发送的消息转换为适用于 2G或 3G网络的消息, 由 SGSN识别出 LTE UE通过该接入网网元接入 2G或 3G核心网的场景后, HSS生成特殊的认证向量, 通过该接入网网元、 SGSN完 成 LTE UE和网络之间的安全认证。 不需要对 LTE UE做修改, 使得 LTE UE可 以通过本实施例中的接入网网元接入 2G或 3G核心网,完成安全认证并使用 2G 或 3G核心网资源。  In the embodiment of the present invention, the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the SGSN identifies that the LTE UE accesses the 2G or 3G core through the access network element. After the scenario of the network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. The LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
图 10 示出了根据本发明实施例的移动通信系统的安全认证的接入网网元 1000的示意性框图。 图 10及其说明所揭示的装置, 可基于本发明实施例图 1至 图 4以及基于本发明实施例图 1至图 4所揭示的方法, 也可以基于本发明实施 例图 5至图 9以及图 5至图 9所揭示的装置。 如图 10所示, 该接入网网元 1000 包括: 接收器 1010 , 处理器 1020 , 发送器 1030;  FIG. 10 shows a schematic block diagram of an access network element 1000 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. 10 and its description, the apparatus disclosed in FIG. 1 to FIG. 4 and the method disclosed in FIG. 1 to FIG. 4 based on the embodiment of the present invention may also be based on the embodiments of the present invention and FIGS. 5 to 9 and The apparatus disclosed in Figures 5-9. As shown in FIG. 10, the access network element 1000 includes: a receiver 1010, a processor 1020, and a transmitter 1030.
该接收器 1010用于接收来自 LTE UE的 attach request消息; 该处理器 1020用于将该 attach request消息转换为 UMTS attach request消息;  The receiver 1010 is configured to receive an attach request message from an LTE UE, where the processor 1020 is configured to convert the attach request message into a UMTS attach request message.
该发送器 1030用于将该 UMTS attach request消息发送给 SGSN, 以便该 SGSN收到该 UMTS attach request消息后发送要求认证向量的请求给该接收 器 1010; 该发送器 1030还用于在该接收器 1010收到该要求认证向量的请求 后发送要求特殊认证向量的请求给该 HSS ,以便该 HSS根据要求特殊认证向 量的请求生成该特殊认证向量,进而以便该 HSS将该特殊认证向量发送给该 接收器 1010;  The transmitter 1030 is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the receiver 1010 after receiving the UMTS attach request message; the transmitter 1030 is also used in the receiver. After receiving the request for the authentication vector, 1010 sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector, so that the HSS sends the special authentication vector to the receiving. 1010;
该接收器 1010还用于接收 UMTS AKA认证挑战, 该 UMTS AKA认证 挑战为该发送器 1030将该特殊认证向量发送给该 SGSN后由该 SGSN发送; 该处理器 1020还用于将该 UMTS AKA认证挑战转换成 LTE AKA认证挑战, 该发送器 1030还用于将该 LTE AKA认证挑战发送给该 LTE UE, 以便该接 入网网元、 该 SGSN和该 LTE UE完成安全认证。 The receiver 1010 is further configured to receive a UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the SGSN after the transmitter 1030 sends the special authentication vector to the SGSN; The processor 1020 is further configured to convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge, where the transmitter 1030 is further configured to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN, and the SGSN The LTE UE completes the security authentication.
在本发明实施例中, 通过接入网网元将 LTE UE发送的信息转换为适用于 2G或 3G网络系统的信息, 由接入网网元识别出为 LTE UE接入 2G或 3G网络 的场景, 通过 HSS生成特殊的认证向量, 使接入网网元、 SGSN和 LTE UE能 够完成安全认证, 使得 LTE UE可以使用现有 2G或 3G核心网。  In the embodiment of the present invention, the information sent by the LTE UE is converted into the information applicable to the 2G or 3G network system by the access network element, and the access network element identifies the scenario that the LTE UE accesses the 2G or 3G network. The HSS generates a special authentication vector, so that the access network element, the SGSN, and the LTE UE can complete the security authentication, so that the LTE UE can use the existing 2G or 3G core network.
可选地, 该接入网网元、 该 SGSN和该 LTE UE完成安全认证包括: 该 LTE UE验证该 LTE AKA认证挑战后生成 RES和密钥 KASME; Optionally, the access network element, the SGSN, and the LTE UE complete the security authentication, where the LTE UE verifies the LTE AKA authentication challenge, and generates a RES and a key K ASME ;
该接收器 1010用于接收该 LTE UE发送的包含该 RES的 LTE AKA认证 响应, 以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认证。  The receiver 1010 is configured to receive an LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete security authentication.
可选地, 该特殊认证向量包含 XRES、 CK和 IK;  Optionally, the special authentication vector includes XRES, CK, and IK;
可选地, 该以便该接入网网元、 该 SGSN和该 LTE UE进一步完成安全认 证包括:  Optionally, the access network element, the SGSN, and the LTE UE further complete the security authentication, including:
该处理器 1020还用于将包含该 RES的 LTE AKA认证响应转换为包含该 The processor 1020 is further configured to convert the LTE AKA authentication response including the RES to include the
RES的 UMTS AKA认证响应, 该发送器 1030还用于将该包含该 RES的 UMTS AKA认证响应发送给该 SGSN ,以便该 SGSN比较该 RES和该 XRES 是否相同, 当该比较结果为相同时, 该 SGSN将该 CK和或 IK发送给该接入 网网元; The UMTS AKA authentication response of the RES, the transmitter 1030 is further configured to send the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same, when the comparison result is the same, The SGSN sends the CK and or IK to the access network element;
该处理器 1020还用于才艮据该 CK和或 IK生成 KASME, 该接入网网元和 该 LTE UE共享该 KASMEThe processor 1020 is further configured to generate a K ASME according to the CK and or IK, and the access network element and the LTE UE share the K ASME .
可选地, 该 SGSN比较该 RES和该 XRES是否相同还包括, 当该比较结 果为不相同时, 中止进行安全认证。  Optionally, whether the SGSN compares whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
可选地, 该发送器 1030还用于在该接收器 1010收到该要求认证向量的 请求后发送要求特殊认证向量的请求给该 HSS包括:  Optionally, the transmitter 1030 is further configured to: after the receiver 1010 receives the request for the authentication vector, send a request for the special authentication vector to the HSS, including:
该接收器 1010用于接收该 SGSN发送的该要求认证向量的请求; 该处理器 1020用于识别出是 LTE UE接入 2G或 3G网络; 该处理器 1020还用于在该认证向量中加入指示信息生成该要求特殊认 证向量的请求, 该指示信息用于指示该 HSS生成该特殊认证向量。 The receiver 1010 is configured to receive the request for the authentication vector sent by the SGSN. The processor 1020 is configured to identify that the LTE UE accesses the 2G or 3G network. The processor 1020 is further configured to add, in the authentication vector, the indication information to generate the request for the special authentication vector, where the indication information is used to indicate the HSS. Generate this special authentication vector.
可选地, 该以便该 HSS根据要求特殊认证向量的请求生成该特殊认证向 量包括:  Optionally, the special authentication vector generated by the HSS according to the request for the special authentication vector includes:
该 HSS为该 LTE UE生成 EPS AV;  The HSS generates EPS AV for the LTE UE;
该 HSS将该 EPS AV转换成 UMTS AV格式, 该转换为 UMTS AV格式 的 EPS AV为该特殊认证向量。  The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
可选地, 该 HSS将该 EPS AV转换成 UMTS AV格式 包括:  Optionally, the HSS converts the EPS AV into a UMTS AV format, including:
该 HSS将该 EPS AV中的 RAND作为该 UMTS AV的 RAND , 该 HSS 将该 EPS AV中的 AUTN作为该 UMTS AV的 AUTN, 该 HSS将该 EPS AV 中的 XRES作为该 UMTS AV的 XRES , 该 HSS将该 EPS AV中的 KASME ( 256bits ) 拆分为两部分, 分别作为该 UMTS AV的该 CK和该 IK。 The HSS uses RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, the HSS The K ASME (256 bits) in the EPS AV is split into two parts, which are the CK and the IK of the UMTS AV, respectively.
可选地, 该处理器 1020进一步用于按照生成规则 KASME=CKIIIK , 根据 该 CK和或 IK生成该 KASME。 ΊΓ 表示串联, 即将 IK加在 CK后面。 Alternatively, the processor 1020 is further used for generating rules according to K ASME = CKIIIK, which generates based on the K ASME and CK or IK. ΊΓ indicates concatenation, IK is added after CK.
本发明实施例中,通过该接入网网元将 LTE UE所发送的消息转换为适用于 2G或 3G网络的消息, 由接入网网元识别出 LTE UE通过该接入网网元接入 2G 或 3G网络的场景后, HSS生成特殊的认证向量, 通过该接入网网元、 SGSN完 成 LTE UE和网络之间的安全认证。 不需要对 LTE UE做修改, 使得 LTE UE可 以通过本实施例中的接入网网元接入 2G或 3G核心网,完成安全认证并使用 2G 或 3G核心网资源。 通过以上的实施方式的描述, 所属领域的技术人员可以清楚地了解到本 发明可以用硬件实现, 或固件实现, 或它们的组合方式来实现。 当使用软件 实现时, 可以将上述功能存储在计算机可读介质中或作为计算机可读介质上 的一个或多个指令或代码进行传输。 计算机可读介质包括计算机存储介质和 通信介质, 其中通信介质包括便于从一个地方向另一个地方传送计算机程序 的任何介质。 存储介质可以是计算机能够存取的任何可用介质。 以此为例但 不限于: 计算机可读介质可以包括 RAM、 ROM, EEPROM、 CD-ROM或其 他光盘存储、 磁盘存储介质或者其他磁存储设备、 或者能够用于携带或存储 具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其他 介质。 此外。 任何连接可以适当的成为计算机可读介质。 例如, 如果软件是 使用同轴电缆、 光纤光缆、 双绞线、 数字用户线 (DSL ) 或者诸如红外线、 无线电和微波之类的无线技术从网站、 服务器或者其他远程源传输的, 那么 同轴电缆、 光纤光缆、 双绞线、 DSL或者诸如红外线、 无线和微波之类的无 线技术包括在所属介质的定影中。 如本发明所使用的, 盘( Disk )和碟( disc ) 包括压缩光碟(CD ) 、 激光碟、 光碟、 数字通用光碟(DVD ) 、 软盘和蓝光 光碟, 其中盘通常磁性的复制数据, 而碟则用激光来光学的复制数据。 上面 的组合也应当包括在计算机可读介质的保护范围之内。 总之, 以上所述仅为本发明技术方案的较佳实施例而已, 并非用于限定 本发明的保护范围。 凡在本发明的精神和原则之内, 所作的任何修改、 等同 替换、 改进等, 均应包含在本发明的保护范围之内。 In the embodiment of the present invention, the message sent by the LTE UE is converted into a message applicable to the 2G or 3G network by the access network element, and the access network element identifies that the LTE UE accesses through the access network element. After the scenario of the 2G or 3G network, the HSS generates a special authentication vector, and completes the security authentication between the LTE UE and the network through the access network element and the SGSN. The LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources. Through the description of the above embodiments, it will be apparent to those skilled in the art that the present invention can be implemented in hardware, firmware implementation, or a combination thereof. When implemented in software, the functions described above may be stored in or transmitted as one or more instructions or code on a computer readable medium. Computer readable media includes computer storage media and Communication medium, wherein the communication medium includes any medium that facilitates the transfer of a computer program from one location to another. A storage medium may be any available media that can be accessed by a computer. By way of example and not limitation, computer readable media may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, disk storage media or other magnetic storage device, or can be used for carrying or storing in the form of an instruction or data structure. The desired program code and any other medium that can be accessed by the computer. Also. Any connection may suitably be a computer readable medium. For example, if the software is transmitted from a website, server, or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable , fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, wireless, and microwaves are included in the fixing of the associated media. As used in the present invention, a disk and a disc include a compact disc (CD), a laser disc, a compact disc, a digital versatile disc (DVD), a floppy disc, and a Blu-ray disc, wherein the disc is usually magnetically copied, and the disc is The laser is used to optically replicate the data. Combinations of the above should also be included within the scope of the computer readable media. In summary, the above description is only a preferred embodiment of the technical solution of the present invention, and is not intended to limit the scope of the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and scope of the present invention are intended to be included within the scope of the present invention.

Claims

权 利 要 求 Rights request
1. 一种移动通信系统的安全认证方法, 其特征在于, 包括: 1. A security authentication method for a mobile communication system, characterized by including:
归属用户服务器 HSS接收接入网网元发送的要求特殊认证向量的请求, 所述要求特殊认证向量的请求由所述接入网网元接收到 GPRS服务支撑节点 SGSN发送的要求认证向量的请求后发送; The home user server HSS receives a request for a special authentication vector sent by the access network element. The request for a special authentication vector is received by the access network element after the access network element receives a request for an authentication vector sent by the GPRS service support node SGSN. send;
所述 HSS根据所述要求特殊认证向量的请求, 生成特殊认证向量; 所述 HSS 将所述特殊认证向量发送给所述接入网网元, 以便所述接入 网网元、 所述 SGSN和 LTE UE完成安全认证。 The HSS generates a special authentication vector according to the request for a special authentication vector; the HSS sends the special authentication vector to the access network element, so that the access network element, the SGSN and LTE UE completes security certification.
2. 根据权利要求 1 所述的方法, 其特征在于, 所述要求认证向量的请 求是所述 SGSN在接收到所述接入网网元发送的 UMTS attach request消息后 发送, 所述 UMTS附着请求 attach request消息是所述接入网网元将附着请 求 attach request消息转换所得,所述 attach request消息由所述 LTE UE发送。 2. The method according to claim 1, characterized in that, the request for an authentication vector is sent by the SGSN after receiving a UMTS attach request message sent by the access network element, and the UMTS attach request The attach request message is obtained by converting the attach request message by the access network element, and the attach request message is sent by the LTE UE.
3. 根据权利要求 1或 2所述的方法, 其特征在于, 所述以便所述接入 网网元、 所述 SGSN和 LTE UE完成安全认证包括: 3. The method according to claim 1 or 2, wherein the step of enabling the access network element, the SGSN and the LTE UE to complete security authentication includes:
所述接入网网元将所述特殊认证向量发送给所述 SGSN, 所述 SGSN发 送 UMTS AKA认证挑战给所述接入网网元, 所述接入网网元将所述 UMTS AKA认证挑战转换成 LTE AKA认证挑战后发送给所述 LTE UE, 所述 LTE 述 LTE UE将包含所述 RES的 LTE AKA认证响应发送给所述接入网网元, 以便所述接入网网元、 所述 SGSN和所述 LTE UE进一步完成安全认证。 The access network element sends the special authentication vector to the SGSN, the SGSN sends a UMTS AKA authentication challenge to the access network element, and the access network element sends the UMTS AKA authentication challenge After being converted into an LTE AKA authentication challenge, it is sent to the LTE UE. The LTE UE sends the LTE AKA authentication response including the RES to the access network element, so that the access network element, the The SGSN and the LTE UE further complete security authentication.
4. 根据权利要求 1至 3任一项所述的方法, 其特征在于, 4. The method according to any one of claims 1 to 3, characterized in that,
所述特殊认证向量中包含 XRES、 CK、 IK; The special authentication vector contains XRES, CK, and IK;
所述以便所述接入网网元、所述 SGSN和所述 LTE UE进一步完成安全 认证包括: The steps for the access network element, the SGSN and the LTE UE to further complete security authentication include:
所述接入网网元将所述 LTE AKA认证响应转换为 UMTS AKA认证响 应并将所述 UMTS AKA认证响应发送给所述 SGSN , 所述 SGSN比较所述 RES和所述 XRES是否相同, 当所述比较结果为相同时, 所述 SGSN将所述 CK和或 IK发送给所述接入网网元, 所述接入网网元根据所述 CK和或 IK 生成 KASME, 所述接入网网元和所述 LTE UE共享所述 KASME The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, and the SGSN compares the Whether the RES and the XRES are the same, and when the comparison result is the same, the SGSN sends the CK and or IK to the access network element, and the access network element determines whether the CK or IK is the same. IK generates KASME , and the access network element and the LTE UE share the KASME .
5. 根据权利要求 4所述的方法,其特征在于,所述 SGSN比较所述 RES 和所述 XRES是否相同还包括, 当所述比较结果为不相同时, 中止进行安全 认证。 5. The method according to claim 4, wherein the SGSN comparing whether the RES and the XRES are the same also includes, when the comparison result is not the same, suspending security authentication.
6. 根据权利要求 1至 5任一项所述的方法, 其特征在于, 所述要求特 殊认证向量的请求由所述接入网网元接收到 SGSN发送的要求认证向量的 请求后发送包括: 6. The method according to any one of claims 1 to 5, wherein the request for a special authentication vector is sent by the access network element after the access network element receives the request for an authentication vector sent by the SGSN, including:
所述接入网网元接收所述 SGSN发送的所述要求认证向量的请求; 所述接入网网元识别出是 LTE UE接入 2G或 3G网络; The access network element receives the request for an authentication vector sent by the SGSN; the access network element identifies that the LTE UE is accessing the 2G or 3G network;
所述接入网网元在所述认证向量中加入指示信息生成所述要求特殊认 证向量的请求, 所述指示信息用于指示所述 HSS生成所述特殊认证向量。 The access network element adds indication information to the authentication vector to generate the request for a special authentication vector, and the indication information is used to instruct the HSS to generate the special authentication vector.
7. 根据权利要求 1至 6任一项所述的方法, 其特征在于, 所述 HSS根 据所述要求特殊认证向量的请求, 生成特殊认证向量包括: 7. The method according to any one of claims 1 to 6, characterized in that, the HSS generating a special authentication vector according to the request for a special authentication vector includes:
所述 HSS为所述 LTE UE生成 EPS AV; The HSS generates EPS AV for the LTE UE;
所述 HSS将所述 EPS AV转换成 UMTS AV格式,所述转换为 UMTS AV 格式的 EPS AV为所述特殊认证向量。 The HSS converts the EPS AV into the UMTS AV format, and the EPS AV converted into the UMTS AV format is the special authentication vector.
8. 根据权利要求 7所述的方法, 其特征在于, 所述 HSS将所述 EPS AV 转换成 UMTS AV格式包括: 8. The method according to claim 7, wherein the HSS converting the EPS AV into the UMTS AV format includes:
所述 HSS将所述 EPS AV中的 RAND作为所述 UMTS AV的 RAND, 所述 HSS将所述 EPS AV中的 AUTN作为所述 UMTS AV的 AUTN, 所述 HSS将所述 EPS AV中的 XRES作为所述 UMTS AV的 XRES ,所述 HSS将 所述 EPS AV中的 KASME拆分为两部分,分别作为所述 UMTS AV的所述 CK 和所述 IK。 The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as The XRES of the UMTS AV and the HSS split the KASME in the EPS AV into two parts, which are respectively used as the CK and the IK of the UMTS AV.
9. 根据权利要求 4至 8任一项所述的方法, 其特征在于, 所述接入网网 元根据所述 CK和或 IK生成 KASME包括: 9. The method according to any one of claims 4 to 8, characterized in that, the access network Elements to generate K based on the CK and or IK ASME include:
所述接入网网元按照生成规则 KASME=CKIIIK ,根据所述 CK和或 IK生 成所述 KASME O The access network element generates the KASME O according to the generation rule KASME =CKIIIK according to the CK and or IK
10. 一种移动通信系统的安全认证方法, 其特征在于, 包括: 10. A security authentication method for a mobile communication system, characterized by including:
SGSN接收接入网网元发送 UMTS attach request消息,所述 UMTS attach request消息是所述接入网网元将 LTE UE发送的 attach request消息转换所 付; The SGSN receives the UMTS attach request message sent by the access network element, and the UMTS attach request message is the result of the access network element converting the attach request message sent by the LTE UE;
所述 SGSN向所述接入网网元发送要求认证向量的请求, 以便所述接入 网网元接收到所述要求认证向量的请求后, 向 HSS发送要求特殊认证向量 的请求, 进而以便所述 HSS根据所述要求特殊认证向量的请求生成所述特 殊认证向量后发送给所述接入网网元; The SGSN sends a request for an authentication vector to the access network element, so that after receiving the request for an authentication vector, the access network element sends a request for a special authentication vector to the HSS, so that the access network element The HSS generates the special authentication vector according to the request for a special authentication vector and sends it to the access network element;
所述 SGSN接收来自于所述接入网网元的所述特殊认证向量后, 发送 UMTS AKA认证挑战给所述接入网网元, 以便所述 SGSN、所述接入网网元 和所述 LTE UE完成安全认证。 After receiving the special authentication vector from the access network element, the SGSN sends a UMTS AKA authentication challenge to the access network element, so that the SGSN, the access network element and the LTE UE completes security certification.
11. 根据权利要求 10所述的方法, 其特征在于, 所述以便所述 SGSN、 所述接入网网元和所述 LTE UE完成安全认证包括: 11. The method according to claim 10, wherein the step of enabling the SGSN, the access network element and the LTE UE to complete security authentication includes:
所述接入网网元将所述 UMTS AKA认证挑战转换成 LTE AKA认证挑 验证并生成 RES和密钥 KASME后,所述 LTE UE将包含所述 RES的 LTE AKA 认证响应发送给所述接入网网元, 以便所述接入网网元、 所述 SGSN和所述 LTE UE进一步完成安全认证。 After the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and verifies it and generates the RES and key K ASME , the LTE UE sends the LTE AKA authentication response containing the RES to the access network element. Access network element, so that the access network element, the SGSN and the LTE UE further complete security authentication.
12. 根据权利要求 10或 11所述的方法, 其特征在于, 12. The method according to claim 10 or 11, characterized in that,
所述特殊认证向量包含 XRES、 CK、 IK; The special authentication vector includes XRES, CK, and IK;
所述以便所述接入网网元、所述 SGSN和所述 LTE UE进一步完成安全 认证包括: The steps for the access network element, the SGSN and the LTE UE to further complete security authentication include:
所述接入网网元将所述 LTE AKA认证响应转换为 UMTS AKA认证响 应并将所述 UMTS AKA认证响应发送给所述 SGSN , 所述 SGSN比较所述 RES和所述 XRES是否相同, 当所述比较结果为相同时, 所述 SGSN将所述 CK和或 IK发送给所述接入网网元, 所述接入网网元根据所述 CK和或 IK 生成 KASME, 所述接入网网元和所述 LTE UE共享所述 KASME The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response. The UMTS AKA authentication response should be sent to the SGSN. The SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and or IK to the SGSN. The access network element generates KASME according to the CK and or IK, and the access network element and the LTE UE share the KASME .
13. 根据权利要求 12所述的方法, 其特征在于, 所述 SGSN比较所述 13. The method according to claim 12, characterized in that the SGSN compares the
RES和所述 XRES是否相同还包括, 当所述比较结果为不相同时, 中止进行 安全认证。 Whether the RES and the XRES are the same also includes: when the comparison result is not the same, the security authentication is suspended.
14. 根据权利要求 10至 13任一项所述的方法, 其特征在于, 所述以便 所述接入网网元接收到所述要求认证向量的请求后, 向 HSS发送要求特殊 认证向量的请求包括: 14. The method according to any one of claims 10 to 13, characterized in that, after receiving the request for an authentication vector, the access network element sends a request for a special authentication vector to the HSS. include:
所述接入网网元接收所述 SGSN发送的所述要求认证向量的请求; 所述接入网网元识别出是 LTE UE接入 2G或 3G网络; The access network element receives the request for an authentication vector sent by the SGSN; the access network element identifies that the LTE UE is accessing the 2G or 3G network;
所述接入网网元在所述认证向量中加入指示信息生成所述要求特殊认 证向量的请求, 所述指示信息用于指示所述 HSS生成所述特殊认证向量。 The access network element adds indication information to the authentication vector to generate the request for a special authentication vector, and the indication information is used to instruct the HSS to generate the special authentication vector.
15. 根据权利要求 10至 14任一项所述的方法, 其特征在于, 所述以便 所述 HSS根据所述要求特殊认证向量的请求生成所述特殊认证向量包括: 所述 HSS为所述 LTE UE生成 EPS AV; 15. The method according to any one of claims 10 to 14, characterized in that, causing the HSS to generate the special authentication vector according to the request for a special authentication vector includes: the HSS is the LTE UE generates EPS AV;
所述 HSS将所述 EPS AV转换成 UMTS AV格式,所述转换为 UMTS AV 格式的 EPS AV为所述特殊认证向量。 The HSS converts the EPS AV into the UMTS AV format, and the EPS AV converted into the UMTS AV format is the special authentication vector.
16. 根据权利要求 15所述的方法,其特征在于,所述 HSS将所述 EPS AV 转换成 UMTS AV格式包括: 16. The method according to claim 15, wherein the HSS converting the EPS AV into the UMTS AV format includes:
所述 HSS将所述 EPS AV中的 RAND作为所述 UMTS AV的 RAND, 所述 HSS将所述 EPS AV中的 AUTN作为所述 UMTS AV的 AUTN, 所述 HSS将所述 EPS AV中的 XRES作为所述 UMTS AV的 XRES ,所述 HSS将 所述 EPS AV中的 KASME拆分为两部分,分别作为所述 UMTS AV的所述 CK 和所述 IK。 The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as The XRES of the UMTS AV and the HSS split the KASME in the EPS AV into two parts, which are respectively used as the CK and the IK of the UMTS AV.
17. 根据权利要求 12至 16任一项所述的方法, 其特征在于, 所述接入 网网元根据所述 CK和或 IK生成 KASME包括: 17. The method according to any one of claims 12 to 16, characterized in that, the access network element generating KASME according to the CK and or IK includes:
所述接入网网元按照生成规则 KASME=CKIIIK ,根据所述 CK和或 IK生 成所述 KASME O The access network element generates the KASME O according to the generation rule KASME =CKIIIK according to the CK and or IK
18. 一种移动通信系统的安全认证方法, 其特征在于, 包括: 18. A security authentication method for a mobile communication system, characterized by including:
接入网网元将来自于 LTE UE的 attach request消息转换为 UMTS attach request消息; The access network element converts the attach request message from the LTE UE into a UMTS attach request message;
所述接入网网元将所述 UMTS attach request消息发送给 SGSN, 以便所 述 SGSN收到所述 UMTS attach request消息后发送要求认证向量的请求给所 述接入网网元; The access network element sends the UMTS attach request message to the SGSN, so that the SGSN sends a request for an authentication vector to the access network element after receiving the UMTS attach request message;
所述接入网网元收到所述要求认证向量的请求后发送要求特殊认证向 量的请求给所述 HSS , 以便所述 HSS根据所述要求特殊认证向量的请求生 成所述特殊认证向量, 进而以便所述 HSS将所述特殊认证向量发送给所述 接入网网网元; After receiving the request for an authentication vector, the access network element sends a request for a special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for a special authentication vector, and then So that the HSS sends the special authentication vector to the access network element;
所述接入网网元接收 UMTS AKA认证挑战,所述 UMTS AKA认证挑战 为所述接入网网元将所述特殊认证向量发送给所述 SGSN后由所述 SGSN发 送; The access network element receives a UMTS AKA authentication challenge, and the UMTS AKA authentication challenge is sent by the SGSN after the access network element sends the special authentication vector to the SGSN;
所述接入网网元将所述 UMTS AKA认证挑战转换成 LTE AKA认证挑 战后发送给所述 LTE UE, 以便所述接入网网元、所述 SGSN和所述 LTE UE 完成安全认证。 The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE, so that the access network element, the SGSN and the LTE UE complete security authentication.
19. 根据权利要求 18所述的方法, 其特征在于, 所述以便所述接入网网 元、 所述 SGSN和所述 LTE UE完成安全认证包括: 19. The method according to claim 18, wherein the step of enabling the access network element, the SGSN and the LTE UE to complete security authentication includes:
所述 LTE UE验证所述 LTE AKA认证挑战后生成 RES和密钥 KASME; 所述接入网网元接收所述 LTE UE发送的包含所述 RES的 LTE AKA认 证响应, 以便所述接入网网元、 所述 SGSN和所述 LTE UE进一步完成安全 认证。 The LTE UE generates RES and key K ASME after verifying the LTE AKA authentication challenge; the access network element receives the LTE AKA authentication response containing the RES sent by the LTE UE, so that the access network The network element, the SGSN and the LTE UE further complete security authentication.
20. 根据权利要求 18或 19所述的方法, 其特征在于, 20. The method according to claim 18 or 19, characterized in that,
所述特殊认证向量包含 XRES、 CK和 IK; The special authentication vector includes XRES, CK and IK;
所述以便所述接入网网元、 所述 SGSN和所述 LTE UE进一步完成安全 认证包括: The steps for the access network element, the SGSN and the LTE UE to further complete the security authentication include:
所述接入网网元将包含所述 RES的 LTE AKA认证响应转换为包含所述 The access network element converts the LTE AKA authentication response containing the RES into an LTE AKA authentication response containing the RES.
RES的 UMTS AKA认证响应, 所述接入网网元将所述包含所述 RES的 UMTS AKA认证响应发送给所述 SGSN, 以便所述 SGSN比较所述 RES和 所述 XRES是否相同, 当所述比较结果为相同时, 所述 SGSN将所述 CK和 或 IK发送给所述接入网网元; UMTS AKA authentication response of RES. The access network element sends the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same. When the When the comparison results are the same, the SGSN sends the CK and or IK to the access network element;
所述接入网网元才艮据所述 CK和或 IK生成 KASME,所述接入网网元和所 述 LTE UE共享所述 KASME The access network element generates KASME based on the CK and or IK, and the access network element and the LTE UE share the KASME .
21. 根据权利要求 20所述的方法, 其特征在于, 所述 SGSN比较所述 RES和所述 XRES是否相同还包括, 当所述比较结果为不相同时, 中止进行 安全认证。 21. The method according to claim 20, wherein the SGSN comparing whether the RES and the XRES are the same also includes, when the comparison result is not the same, suspending the security authentication.
22. 根据权利要求 18至 21任一项所述的方法, 其特征在于, 所述接入 网网元收到所述要求认证向量的请求后发送要求特殊认证向量的请求给所 述 HSS包括: 22. The method according to any one of claims 18 to 21, characterized in that, after the access network element receives the request for an authentication vector, sending a request for a special authentication vector to the HSS includes:
所述接入网网元接收所述 SGSN发送的所述要求认证向量的请求; 所述接入网网元识别出是 LTE UE接入 2G或 3G网络; The access network element receives the request for an authentication vector sent by the SGSN; the access network element identifies that the LTE UE is accessing the 2G or 3G network;
所述接入网网元在所述认证向量中加入指示信息生成所述要求特殊认 证向量的请求, 所述指示信息用于指示所述 HSS生成所述特殊认证向量。 The access network element adds indication information to the authentication vector to generate the request for a special authentication vector, and the indication information is used to instruct the HSS to generate the special authentication vector.
23. 根据权利要求 18至 22任一项所述的方法, 其特征在于, 所述以便 所述 HSS根据要求特殊认证向量的请求生成所述特殊认证向量包括: 23. The method according to any one of claims 18 to 22, wherein the step of generating the special authentication vector according to a request for a special authentication vector by the HSS includes:
所述 HSS为所述 LTE UE生成 EPS AV; The HSS generates EPS AV for the LTE UE;
所述 HSS将所述 EPS AV转换成 UMTS AV格式,所述转换为 UMTS AV 格式的 EPS AV为所述特殊认证向量。 The HSS converts the EPS AV into the UMTS AV format, and the EPS AV converted into the UMTS AV format is the special authentication vector.
24. 根据权利要求 23所述的方法,其特征在于,所述 HSS将所述 EPS AV 转换成 UMTS AV格式包括: 24. The method according to claim 23, wherein the HSS converting the EPS AV into the UMTS AV format includes:
所述 HSS将所述 EPS AV中的 RAND作为所述 UMTS AV的 RAND, 所述 HSS将所述 EPS AV中的 AUTN作为所述 UMTS AV的 AUTN, 所述 HSS将所述 EPS AV中的 XRES作为所述 UMTS AV的 XRES ,所述 HSS将 所述 EPS AV中的 KASME拆分为两部分,分别作为所述 UMTS AV的所述 CK 和所述 IK。 The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as The XRES of the UMTS AV and the HSS split the KASME in the EPS AV into two parts, which are respectively used as the CK and the IK of the UMTS AV.
25. 根据权利要求 20至 24任一项所述的方法, 其特征在于, 所述接入 网网元根据所述 CK和或 ΙΚ生成 KASME包括: 25. The method according to any one of claims 20 to 24, wherein the access network element generating K ASME based on the CK and or IK includes:
所述接入网网元按照生成规则 KASME=CKIIIK ,根据所述 CK和或 IK生 成所述 KASME O The access network element generates the KASME O according to the generation rule KASME =CKIIIK according to the CK and or IK
26. 一种 HSS , 其特征在于, 包括: 接收模块, 处理模块, 发送模块; 所述接收模块用于接收接入网网元发送的要求特殊认证向量的请求, 所 述要求特殊认证向量的请求由所述接入网网元接收到 SGSN 发送的要求认 证向量的请求后发送; 26. An HSS, characterized in that it includes: a receiving module, a processing module, and a sending module; the receiving module is used to receive a request for a special authentication vector sent by an access network element, and the request for a special authentication vector is The access network element sends the request after receiving the request for the authentication vector sent by the SGSN;
所述处理模块用于根据所述要求特殊认证向量的请求, 生成特殊认证向 量; The processing module is configured to generate a special authentication vector according to the request for a special authentication vector;
所述发送模块用于将所述特殊认证向量发送给所述接入网网元, 以便所 述接入网网元、 所述 SGSN和 LTE UE完成安全认证。 The sending module is configured to send the special authentication vector to the access network element, so that the access network element, the SGSN and the LTE UE complete security authentication.
27. 根据权利要求 26所述的 HSS , 其特征在于, 所述要求认证向量的 请求是所述 SGSN在接收到所述接入网网元发送的 UMTS attach request消息 后发送, 所述 UMTS attach request消息是所述接入网网元将 attach request 消息转换所得, 所述 attach request消息由所述 LTE UE发送。 27. The HSS according to claim 26, wherein the request for an authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, and the UMTS attach request The message is obtained by converting the attach request message by the access network element, and the attach request message is sent by the LTE UE.
28. 根据权利要求 26或 27所述的 HSS , 其特征在于, 所述以便所述接 入网网元、 所述 SGSN和 LTE UE完成安全认证包括: 28. The HSS according to claim 26 or 27, wherein the step of enabling the access network element, the SGSN and the LTE UE to complete security authentication includes:
所述接入网网元将所述特殊认证向量发送给所述 SGSN, 所述 SGSN发 送 UMTS AKA认证挑战给所述接入网网元, 所述接入网网元将所述 UMTS AKA认证挑战转换成 LTE AKA认证挑战后发送给所述 LTE UE, 所述 LTE 述 LTE UE将包含所述 RES的 LTE AKA认证响应发送给所述接入网网元, 以便所述接入网网元、 所述 SGSN和所述 LTE UE进一步完成安全认证。 The access network element sends the special authentication vector to the SGSN, and the SGSN sends Send a UMTS AKA authentication challenge to the access network element. The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE. The LTE UE will include The LTE AKA authentication response of the RES is sent to the access network element, so that the access network element, the SGSN and the LTE UE further complete security authentication.
29. 根据权利要求 26至 28任一项所述的 HSS , 其特征在于, 29. The HSS according to any one of claims 26 to 28, characterized in that,
所述特殊认证向量中包含 XRES、 CK、 IK; The special authentication vector contains XRES, CK, and IK;
所述以便所述接入网网元、所述 SGSN和所述 LTE UE进一步完成安全 认证包括: The steps for the access network element, the SGSN and the LTE UE to further complete security authentication include:
所述接入网网元将所述 LTE AKA认证响应转换为 UMTS AKA认证响 应并将所述 UMTS AKA认证响应发送给所述 SGSN , 所述 SGSN比较所述 RES和所述 XRES是否相同, 当所述比较结果为相同时, 所述 SGSN将所述 CK和或 IK发送给所述接入网网元, 所述接入网网元根据所述 CK和或 IK 生成 KASME, 所述接入网网元和所述 LTE UE共享所述 KASME The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN. The SGSN compares the RES and the XRES to see whether they are the same. When the comparison results are the same, the SGSN sends the CK and or IK to the access network element, and the access network element generates KASME according to the CK and or IK. The access network The network element and the LTE UE share the KASME .
30. 根据权利要求 29所述的 HSS , 其特征在于, 所述 SGSN比较所述 30. The HSS according to claim 29, characterized in that the SGSN compares the
RES和所述 XRES是否相同还包括, 当所述比较结果为不相同时, 中止进行 安全认证。 Whether the RES and the XRES are the same also includes: when the comparison result is not the same, the security authentication is suspended.
31. 根据权利要求 26至 30任一项所述的 HSS , 其特征在于, 所述要求 特殊认证向量的请求由所述接入网网元接收到 SGSN发送的要求认证向量 的请求后发送包括: 31. The HSS according to any one of claims 26 to 30, wherein the request for a special authentication vector is sent by the access network element after the access network element receives the request for an authentication vector sent by the SGSN and includes:
所述接入网网元接收所述 SGSN发送的所述要求认证向量的请求; 所述接入网网元识别出是 LTE UE接入 2G或 3G网络; The access network element receives the request for an authentication vector sent by the SGSN; the access network element identifies that the LTE UE is accessing the 2G or 3G network;
所述接入网网元在所述认证向量中加入指示信息生成所述要求特殊认 证向量的请求, 所述指示信息用于指示所述 HSS生成所述特殊认证向量。 The access network element adds indication information to the authentication vector to generate the request for a special authentication vector, and the indication information is used to instruct the HSS to generate the special authentication vector.
32. 根据权利要求 26至 31任一项所述的 HSS , 其特征在于, 所述处理模块 用于根据所述要求特殊认证向量的请求, 生成特殊认证向量包括: 所述处理模块用于为所述 LTE UE生成 EPS AV; 32. The HSS according to any one of claims 26 to 31, wherein the processing module is configured to generate a special authentication vector according to the request for a special authentication vector, including: The processing module is used to generate EPS AV for the LTE UE;
所述处理模块用于将所述 EPS AV转换成 UMTS AV格式, 所述转换为 UMTS AV格式的 EPS AV为所述特殊认证向量。 The processing module is used to convert the EPS AV into the UMTS AV format, and the EPS AV converted into the UMTS AV format is the special authentication vector.
33. 根据权利要求 32所述的 HSS , 其特征在于, 所述处理模块用于将 所述 EPS AV转换成 UMTS AV格式包括: 33. The HSS according to claim 32, characterized in that the processing module used to convert the EPS AV into the UMTS AV format includes:
所述处理模块用于将所述 EPS AV中的 RAND作为所述 UMTS AV的 RAND , 所述处理模块用于将所述 EPS AV中的 AUTN作为所述 UMTS AV 的 AUTN,所述处理模块用于将所述 EPS AV中的 XRES作为所述 UMTS AV 的 XRES , 所述处理模块用于将所述 EPS AV中的 KASME拆分为两部分, 分 别作为所述 UMTS AV的所述 CK和所述 IK。 The processing module is used to use the RAND in the EPS AV as the RAND of the UMTS AV, the processing module is used to use the AUTN in the EPS AV as the AUTN of the UMTS AV, and the processing module is used to The XRES in the EPS AV is used as the XRES of the UMTS AV, and the processing module is used to split the KASME in the EPS AV into two parts, which are respectively used as the CK and the UMTS AV. IK.
34. 根据权利要求 29至 33任一项所述的 HSS , 其特征在于, 所述接入 网网元根据所述 CK和或 IK生成 KASME包括: 34. The HSS according to any one of claims 29 to 33, wherein the access network element generating KASME according to the CK and or IK includes:
所述接入网网元按照生成规则 KASME=CKIIIK ,根据所述 CK和或 IK生 成所述 KASME O The access network element generates the KASME O according to the generation rule KASME =CKIIIK according to the CK and or IK
35. 一种 SGSN, 其特征在于, 包括: 接收模块; 发送模块; 35. A SGSN, characterized in that it includes: a receiving module; a sending module;
所述接收模块用于接收接入网网元发送的 UMTS attach request消息,所 述 UMTS attach request消息是所述接入网网元将 LTE UE发送的 attach request消息转换所得; The receiving module is used to receive the UMTS attach request message sent by the access network element. The UMTS attach request message is obtained by converting the attach request message sent by the LTE UE by the access network element;
所述发送模块用于向所述接入网网元发送要求认证向量的请求, 以便所 述接入网网元接收到所述要求认证向量的请求后, 向 HSS发送要求特殊认 证向量的请求, 进而以便所述 HSS根据所述要求特殊认证向量的请求生成 所述特殊认证向量后发送给所述接入网网元; The sending module is configured to send a request for an authentication vector to the access network element, so that after the access network element receives the request for an authentication vector, it sends a request for a special authentication vector to the HSS, Further, the HSS generates the special authentication vector according to the request for a special authentication vector and sends it to the access network element;
所述接收模块还用于接收来自于所述接入网网元的所述特殊认证向量, 所述发送模块还用于所述接收模块接收到所述特殊认证向量后发送 UMTS AKA认证挑战给所述接入网网元, 以便所述 SGSN、所述接入网网元和所述 LTE UE完成安全认证。 The receiving module is also configured to receive the special authentication vector from the access network element. The sending module is also configured to send a UMTS AKA authentication challenge to the receiving module after receiving the special authentication vector. The access network element is configured so that the SGSN, the access network element and the LTE UE complete security authentication.
36. 根据权利要求 35所述的 SGSN ,其特征在于,所述以便所述 SGSN、 所述接入网网元和所述 LTE UE完成安全认证包括: 36. The SGSN according to claim 35, wherein the step of enabling the SGSN, the access network element and the LTE UE to complete security authentication includes:
所述接入网网元将所述 UMTS AKA认证挑战转换成 LTE AKA认证挑 验证并生成 RES和密钥 KASME后,所述 LTE UE将包含所述 RES的 LTE AKA 认证响应发送给所述接入网网元, 以便所述接入网网元、 所述 SGSN和所述 LTE UE进一步完成安全认证。 After the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and verifies it and generates the RES and key K ASME , the LTE UE sends the LTE AKA authentication response containing the RES to the access network element. Access network element, so that the access network element, the SGSN and the LTE UE further complete security authentication.
37. 根据权利要求 35或 36所述的 SGSN , 其特征在于, 所述 SGSN还 包括处理模块; 37. The SGSN according to claim 35 or 36, characterized in that the SGSN further includes a processing module;
所述特殊认证向量包含 XRES、 CK、 IK; The special authentication vector includes XRES, CK, and IK;
所述以便所述接入网网元、所述 SGSN和所述 LTE UE进一步完成安全 认证包括: The steps for the access network element, the SGSN and the LTE UE to further complete security authentication include:
所述接入网网元将所述 LTE AKA认证响应转换为 UMTS AKA认证响 应并将所述 UMTS AKA认证响应发送给所述接收模块, 所述处理模块用于 比较所述 RES和所述 XRES是否相同, 当所述比较结果为相同时, 所述发 送模块将所述 CK和或 IK发送给所述接入网网元, 所述接入网网元根据所 述 CK和或 IK生成 KASME , 所述 CK和或 IK由所述发送模块发送, 所述接 入网网元和所述 LTE UE共享所述 KASME。 The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiving module. The processing module is used to compare whether the RES and the XRES are the same, when the comparison results are the same, the sending module sends the CK and or IK to the access network element, and the access network element generates KASME according to the CK and or IK, The CK and or IK are sent by the sending module, and the access network element and the LTE UE share the KASME.
38. 根据权利要求 37所述的 SGSN , 其特征在于, 所述处理模块用于比 较所述 RES和所述 XRES是否相同还包括, 当所述比较结果为不相同时, 中止进行安全认证。 38. The SGSN according to claim 37, wherein the processing module is used to compare whether the RES and the XRES are the same and further includes: when the comparison result is not the same, the security authentication is suspended.
39. 根据权利要求 35至 38任一项所述的 SGSN , 其特征在于, 所述以 便所述接入网网元接收到所述要求认证向量的请求后, 向 HSS发送要求特 殊认证向量的请求包括: 39. The SGSN according to any one of claims 35 to 38, characterized in that, after the access network element receives the request for an authentication vector, it sends a request for a special authentication vector to the HSS. include:
所述接入网网元接收所述 SGSN发送的所述要求认证向量的请求; 所述接入网网元识别出是 LTE UE接入 2G或 3G网络; 所述接入网网元在所述认证向量中加入指示信息生成所述要求特殊认 证向量的请求, 所述指示信息用于指示所述 HSS生成所述特殊认证向量。 The access network element receives the request for an authentication vector sent by the SGSN; the access network element identifies that the LTE UE is accessing the 2G or 3G network; The access network element adds indication information to the authentication vector to generate the request for a special authentication vector, and the indication information is used to instruct the HSS to generate the special authentication vector.
40. 根据权利要求 35至 39任一项所述的 SGSN , 其特征在于, 所述以便所 述 HSS根据所述要求特殊认证向量的请求生成所述特殊认证向量包括: 所述 HSS为所述 LTE UE生成 EPS AV; 40. The SGSN according to any one of claims 35 to 39, characterized in that: causing the HSS to generate the special authentication vector according to the request for a special authentication vector includes: the HSS is the LTE UE generates EPS AV;
所述 HSS将所述 EPS AV转换成 UMTS AV格式,所述转换为 UMTS AV 格式的 EPS AV为所述特殊认证向量。 The HSS converts the EPS AV into the UMTS AV format, and the EPS AV converted into the UMTS AV format is the special authentication vector.
41. 根据权利要求 40所述的 SGSN , 其特征在于, 所述 HSS将所述 EPS AV转换成 UMTS AV格式包括: 41. The SGSN according to claim 40, wherein the HSS converting the EPS AV into the UMTS AV format includes:
所述 HSS将所述 EPS AV中的 RAND作为所述 UMTS AV的 RAND, 所述 HSS将所述 EPS AV中的 AUTN作为所述 UMTS AV的 AUTN, 所述 HSS将所述 EPS AV中的 XRES作为所述 UMTS AV的 XRES ,所述 HSS将 所述 EPS AV中的 KASME拆分为两部分,分别作为所述 UMTS AV的所述 CK 和所述 IK。 The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as The XRES of the UMTS AV and the HSS split the KASME in the EPS AV into two parts, which are respectively used as the CK and the IK of the UMTS AV.
42. 根据权利要求 37至 41任一项所述的 SGSN , 其特征在于, 所述接 入网网元根据所述 CK和或 IK生成 KASME包括: 42. The SGSN according to any one of claims 37 to 41, wherein the access network element generating KASME according to the CK and or IK includes:
所述接入网网元按照生成规则 KASME=CKIIIK ,根据所述 CK和或 IK生 成所述 KASME O The access network element generates the KASME O according to the generation rule KASME =CKIIIK according to the CK and or IK
43. —种接入网网元, 其特征在于, 包括: 接收模块, 处理模块, 发送 模块; 43. An access network element, characterized in that it includes: a receiving module, a processing module, and a sending module;
所述接收模块用于接收来自 LTE UE的 attach request消息; 所述处理模 块用于将所述 attach request消息转换为 UMTS attach request消息; The receiving module is used to receive the attach request message from the LTE UE; the processing module is used to convert the attach request message into a UMTS attach request message;
所述发送模块用于将所述 UMTS attach request消息发送给 SGSN, 以便 所述 SGSN收到所述 UMTS attach request消息后发送要求认证向量的请求给 所述接收模块;所述发送模块还用于在所述接收模块收到所述要求认证向量 的请求后发送要求特殊认证向量的请求给所述 HSS , 以便所述 HSS根据要 求特殊认证向量的请求生成所述特殊认证向量, 进而以便所述 HSS将所述 特殊认证向量发送给所述接收模块; The sending module is used to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for an authentication vector to the receiving module after receiving the UMTS attach request message; the sending module is also used to: After receiving the request for an authentication vector, the receiving module sends a request for a special authentication vector to the HSS, so that the HSS can The request for a special authentication vector generates the special authentication vector, so that the HSS sends the special authentication vector to the receiving module;
所述接收模块还用于接收 UMTS AKA认证挑战,所述 UMTS AKA认证 挑战为所述发送模块将所述特殊认证向量发送给所述 SGSN后由所述 SGSN 发送; 所述处理模块还用于将所述 UMTS AKA认证挑战转换成 LTE AKA 认证挑战, 所述发送模块还用于将所述 LTE AKA认证挑战发送给所述 LTE UE, 以便所述接入网网元、 所述 SGSN和所述 LTE UE完成安全认证。 The receiving module is also used to receive a UMTS AKA authentication challenge, which is sent by the SGSN after the sending module sends the special authentication vector to the SGSN; the processing module is also used to send the UMTS AKA authentication challenge to the SGSN. The UMTS AKA authentication challenge is converted into an LTE AKA authentication challenge. The sending module is also configured to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN and the LTE The UE completes security authentication.
44. 根据权利要求 43所述的接入网网元, 其特征在于, 所述以便所述接 入网网元、 所述 SGSN和所述 LTE UE完成安全认证包括: 44. The access network element according to claim 43, wherein the step of enabling the access network element, the SGSN and the LTE UE to complete security authentication includes:
所述 LTE UE验证所述 LTE AKA认证挑战后生成 RES和密钥 KASME; 所述接收模块用于接收所述 LTE UE发送的包含所述 RES的 LTE AKA 认证响应, 以便所述接入网网元、 所述 SGSN和所述 LTE UE进一步完成安 全认证。 The LTE UE generates RES and key K ASME after verifying the LTE AKA authentication challenge; the receiving module is used to receive the LTE AKA authentication response containing the RES sent by the LTE UE, so that the access network The SGSN and the LTE UE further complete security authentication.
45. 根据权利要求 43或 44所述的接入网网元, 其特征在于, 45. The access network element according to claim 43 or 44, characterized in that,
所述特殊认证向量包含 XRES、 CK和 IK; The special authentication vector includes XRES, CK and IK;
所述以便所述接入网网元、 所述 SGSN和所述 LTE UE进一步完成安全 认证包括: The steps for the access network element, the SGSN and the LTE UE to further complete the security authentication include:
所述处理模块还用于将包含所述 RES的 LTE AKA认证响应转换为包含 所述 RES的 UMTS AKA认证响应, 所述发送模块还用于将所述包含所述 RES的 UMTS AKA认证响应发送给所述 SGSN , 以便所述 SGSN比较所述 RES和所述 XRES是否相同, 当所述比较结果为相同时, 所述 SGSN将所述 CK和或 IK发送给所述接入网网元; The processing module is also used to convert the LTE AKA authentication response containing the RES into a UMTS AKA authentication response containing the RES, and the sending module is also used to send the UMTS AKA authentication response containing the RES to The SGSN is configured to compare whether the RES and the XRES are the same, and when the comparison result is the same, the SGSN sends the CK and or IK to the access network element;
所述处理模块还用于根据所述 CK和或 IK生成 KASME,所述接入网网元 和所述 LTE UE共享所述 KASME The processing module is also configured to generate KASME according to the CK and or IK, and the access network element and the LTE UE share the KASME .
46. 根据权利要求 45所述的接入网网元, 其特征在于, 所述 SGSN比 较所述 RES和所述 XRES是否相同还包括, 当所述比较结果为不相同时, 中止进行安全认证。 46. The access network element according to claim 45, wherein the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is not the same, Security authentication is aborted.
47. 根据权利要求 43至 46任一项所述的接入网网元, 其特征在于, 所 述发送模块还用于在所述接收模块收到所述要求认证向量的请求后发送要 求特殊认证向量的请求给所述 HSS包括: 47. The access network element according to any one of claims 43 to 46, wherein the sending module is further configured to send a request for special authentication after the receiving module receives the request for an authentication vector. Vector requests to the HSS include:
所述接收模块用于接收所述 SGSN发送的所述要求认证向量的请求; 所述处理模块用于识别出是 LTE UE接入 2G或 3G网络; The receiving module is used to receive the request for an authentication vector sent by the SGSN; the processing module is used to identify whether the LTE UE is accessing the 2G or 3G network;
所述处理模块还用于在所述认证向量中加入指示信息生成所述要求特 殊认证向量的请求, 所述指示信息用于指示所述 HSS生成所述特殊认证向 量。 The processing module is further configured to add indication information to the authentication vector to generate the request requiring a special authentication vector, and the indication information is used to instruct the HSS to generate the special authentication vector.
48. 根据权利要求 43至 47任一项所述的接入网网元, 其特征在于, 所 述以便所述 HSS根据要求特殊认证向量的请求生成所述特殊认证向量包括: 所述 HSS为所述 LTE UE生成 EPS AV; 48. The access network element according to any one of claims 43 to 47, characterized in that: causing the HSS to generate the special authentication vector according to the request for a special authentication vector includes: the HSS is the The LTE UE generates EPS AV;
所述 HSS将所述 EPS AV转换成 UMTS AV格式,所述转换为 UMTS AV 格式的 EPS AV为所述特殊认证向量。 The HSS converts the EPS AV into the UMTS AV format, and the EPS AV converted into the UMTS AV format is the special authentication vector.
49. 根据权利要求 48所述的接入网网元, 其特征在于, 所述 HSS将所 述 EPS AV转换成 UMTS AV格式包括: 49. The access network element according to claim 48, wherein the HSS converting the EPS AV into the UMTS AV format includes:
所述 HSS将所述 EPS AV中的 RAND作为所述 UMTS AV的 RAND, 所述 HSS将所述 EPS AV中的 AUTN作为所述 UMTS AV的 AUTN, 所述 HSS将所述 EPS AV中的 XRES作为所述 UMTS AV的 XRES ,所述 HSS将 所述 EPS AV中的 KASME ( 256bits )拆分为两部分, 分别作为所述 UMTS AV 的所述 CK和所述 IK。 The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as The XRES of the UMTS AV and the HSS split the KASME (256 bits) in the EPS AV into two parts, which are respectively used as the CK and the IK of the UMTS AV.
50. 根据权利要求 45至 49任一项所述的接入网网元, 其特征在于, 所述处理模块进一步用于按照生成规则 KASME=CKIIIK , 根据所述 CK 和或 IK生成所述 KASME 50. The access network element according to any one of claims 45 to 49, characterized in that the processing module is further configured to generate the K according to the generation rule KASME =CKIIIK according to the CK and or IK ASME .
PCT/CN2013/070841 2013-01-22 2013-01-22 Method and network device for security authentication of mobile communication system WO2014113921A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201380070865.9A CN105075306B (en) 2013-01-22 2013-01-22 The method and the network equipment of the safety certification of mobile communication system
PCT/CN2013/070841 WO2014113921A1 (en) 2013-01-22 2013-01-22 Method and network device for security authentication of mobile communication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/070841 WO2014113921A1 (en) 2013-01-22 2013-01-22 Method and network device for security authentication of mobile communication system

Publications (1)

Publication Number Publication Date
WO2014113921A1 true WO2014113921A1 (en) 2014-07-31

Family

ID=51226806

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/070841 WO2014113921A1 (en) 2013-01-22 2013-01-22 Method and network device for security authentication of mobile communication system

Country Status (2)

Country Link
CN (1) CN105075306B (en)
WO (1) WO2014113921A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105075306A (en) * 2013-01-22 2015-11-18 华为技术有限公司 Method and network device for security authentication of mobile communication system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108809903B (en) * 2017-05-02 2021-08-10 中国移动通信有限公司研究院 Authentication method, device and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101098221A (en) * 2006-06-26 2008-01-02 华为技术有限公司 Network layer safety authentication method in wireless cellular network
CN101600205A (en) * 2009-07-10 2009-12-09 华为技术有限公司 The method and the relevant device of SIM card subscriber equipment cut-in evolution network
CN102238544A (en) * 2010-05-06 2011-11-09 中兴通讯股份有限公司 Mobile network authentication method and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101155126A (en) * 2006-09-25 2008-04-02 华为技术有限公司 System, device and method for implementing mobility management
US8094817B2 (en) * 2006-10-18 2012-01-10 Telefonaktiebolaget Lm Ericsson (Publ) Cryptographic key management in communication networks
TWI489839B (en) * 2007-10-29 2015-06-21 Nokia Corp System and method of authenticating a context transfer from mme towards a legacy 3gpp system
WO2014113921A1 (en) * 2013-01-22 2014-07-31 华为技术有限公司 Method and network device for security authentication of mobile communication system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101098221A (en) * 2006-06-26 2008-01-02 华为技术有限公司 Network layer safety authentication method in wireless cellular network
CN101600205A (en) * 2009-07-10 2009-12-09 华为技术有限公司 The method and the relevant device of SIM card subscriber equipment cut-in evolution network
CN102238544A (en) * 2010-05-06 2011-11-09 中兴通讯股份有限公司 Mobile network authentication method and system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105075306A (en) * 2013-01-22 2015-11-18 华为技术有限公司 Method and network device for security authentication of mobile communication system
CN105075306B (en) * 2013-01-22 2019-05-28 华为技术有限公司 The method and the network equipment of the safety certification of mobile communication system

Also Published As

Publication number Publication date
CN105075306B (en) 2019-05-28
CN105075306A (en) 2015-11-18

Similar Documents

Publication Publication Date Title
US9538373B2 (en) Method and device for negotiating security capability when terminal moves
CN109587688B (en) Security in inter-system mobility
US11553381B2 (en) Method and apparatus for multiple registrations
JP6727294B2 (en) User equipment UE access method, access device, and access system
JP6732095B2 (en) Unified authentication for heterogeneous networks
US11582602B2 (en) Key obtaining method and device, and communications system
WO2018201946A1 (en) Anchor key generation method, device and system
US10588015B2 (en) Terminal authenticating method, apparatus, and system
RU2665064C1 (en) Wireless communication, including framework for detecting fast initial communication lines, fils, for network signaling
CN112219415A (en) User authentication in a first network using a subscriber identity module for a second, old network
JP2014116961A (en) Methods and apparatuses facilitating synchronization of security configurations
WO2020221324A1 (en) Registration method and communication apparatus
WO2013078858A1 (en) Method and device for processing srvcc switch, and terminal therefor
WO2013152740A1 (en) Authentication method, device and system for user equipment
WO2014113922A1 (en) Method and network device for security authentication of mobile communication system
WO2014113921A1 (en) Method and network device for security authentication of mobile communication system
US10390224B2 (en) Exception handling in cellular authentication
WO2014113920A1 (en) Method and network device for security authentication of mobile communication system
JP2021524167A (en) Methods and devices for multiple registrations
WO2014113918A1 (en) Method and network device for security authentication of mobile communication system
US20230231708A1 (en) Method and apparatus for multiple registrations
CN111670587B (en) Method and apparatus for multiple registrations

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201380070865.9

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13872854

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13872854

Country of ref document: EP

Kind code of ref document: A1