WO2014113921A1 - Method and network device for security authentication of mobile communication system - Google Patents


Publication number
WO2014113921A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
access network
sgsn
umts
hss
Application number
PCT/CN2013/070841
Inventor
陈璟
靳维生
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
    • H04W12/06 Authentication
    • H04W12/04 Key management, e.g. by generic bootstrapping architecture [GBA]
    • H04W12/0403 Key management, e.g. by generic bootstrapping architecture [GBA] using a trusted network node as anchor
    • H04W12/04031 Key distribution, e.g. key pre-distribution or key agreement

Abstract

Disclosed are a method and a network device for security authentication of a mobile communication system. The method for security authentication of a mobile communication system comprises: an HSS receiving a request for a special authentication vector sent by a network element of an access network, wherein the request for a special authentication vector is sent by the network element of the access network after receiving a request for an authentication vector sent by an SGSN; the HSS generating a special authentication vector according to the request for a special authentication vector; and the HSS sending the special authentication vector to the network element of the access network, so that the network element of the access network, the SGSN, and an LTE UE complete security authentication. The disclosed method and network device for security authentication of a mobile communication system enable an LTE UE to use a 2G/3G network.

Description

 Mobile communication system security method and network device

Technical field

 Embodiments of the present invention relate to the field of communications, and in particular, to a method and a network device for secure authentication of a mobile communication system.

Background of the invention

 Long Term Evolution ("LTE") / System Architecture Evolution ("SAE") is a new mobile communication system of the standards organization 3rd Generation Partnership Project ("3GPP"). Such a network will be the next evolution direction of existing 3G networks such as the Wideband Code Division Multiple Access ("WCDMA") network, the Time Division-Synchronous Code Division Multiple Access ("TD-SCDMA") network, and the Code Division Multiple Access 2000 ("CDMA2000") network. Currently in some countries, commercial deployments of LTE/SAE networks are in operation. Security is an indispensable feature of the commercial operation of mobile communication systems, and authentication is an important one among the security features. The Universal Mobile Telecommunication System ("UMTS") network and the LTE/SAE network have each developed an Authentication and Key Agreement ("AKA") mechanism to perform two-way authentication between the UE and the network. The two-way authentication mechanism of the UMTS network is called UMTS AKA, and the two-way authentication mechanism of the LTE/SAE network is called Evolved Packet System ("EPS") AKA. In some special scenarios, an LTE user equipment ("UE") accesses a 2G/3G core network through an LTE access network. Since the 2G/3G core network can only obtain a UMTS AV from the HSS, and the LTE UE refuses to use the UMTS AV for authentication when accessing through the LTE network, the LTE UE cannot access the 2G/3G core network through the LTE access network.

Summary of the invention

In view of this, the embodiments of the present invention provide a method and a network device for secure authentication of a mobile communication system, which enable an LTE UE to use a 2G/3G network. In a first aspect, a method for secure authentication of a mobile communication system is provided, including:

The HSS receives a request for a special authentication vector sent by the network element of the access network, and the request for the special authentication vector is sent by the network element of the access network after receiving the request for the authentication vector sent by the SGSN;

 The HSS generates a special authentication vector according to the request for the special authentication vector;

 The HSS sends the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE UE complete the security authentication.

 In a first possible implementation manner, the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by the access network element converting the attach request message, and the attach request message is sent by the LTE UE.

 In a second possible implementation, in combination with the first aspect or the first possible implementation manner of the first aspect, the access network element, the SGSN, and the LTE UE completing the security authentication includes: the access network element sends the special authentication vector to the SGSN; the SGSN sends a UMTS AKA authentication challenge to the access network element; the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE; after the LTE UE performs verification according to the LTE AKA authentication challenge and generates the RES and the key K_ASME, the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

 In a third possible implementation, in combination with the first aspect or the first to the second possible implementation manner of the first aspect, the special authentication vector includes XRES, CK, and IK;

 The access network element, the SGSN, and the LTE UE further completing the security authentication includes: the access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends it to the SGSN; the SGSN compares whether the RES and the XRES are the same; when the comparison result is the same, the SGSN sends the CK and/or IK to the access network element, the access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.

 In a fourth possible implementation manner, in combination with the third possible implementation manner of the first aspect, the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.

 In a fifth possible implementation, in combination with the first aspect or the first to the fourth possible implementation manners of the first aspect, the request for the special authentication vector being sent by the access network element after receiving the request for the authentication vector sent by the SGSN includes:

 Receiving, by the access network element, the request for the authentication vector sent by the SGSN;

 The access network element identifies that the LTE UE accesses the 2G or 3G network;

 The access network element adds indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

 In a sixth possible implementation, in combination with the first aspect or the first to fifth possible implementation manners of the first aspect, the HSS generating a special authentication vector according to the request for the special authentication vector includes:

 The HSS generates EPS AV for the LTE UE;

 The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

 In a seventh possible implementation, in combination with the sixth possible implementation of the first aspect, the HSS converting the EPS AV into the UMTS AV format includes:

 The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV, respectively.

 In an eighth possible implementation, in combination with the third to the seventh possible implementation manners of the foregoing aspect, the access network element generating the K_ASME according to the CK and/or IK includes:

 The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.
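The following sketch is an added example, not text or code from the patent. It models the first-aspect flow end to end: the access network element marks the SGSN's request, the HSS emits an EPS AV in UMTS AV format, the SGSN compares RES with XRES, and the access network element rebuilds K_ASME = CK || IK. HMAC-SHA256 stands in for the real AKA functions and key derivation, and the field name `special_av_indication`, all function names, and the sample IMSI are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple, Optional, Tuple

KASME_LEN = 32  # K_ASME is 256 bits in EPS AKA
CK_LEN = 16     # CK and IK are 128 bits each in UMTS AKA


class AuthVector(NamedTuple):
    """UMTS AV layout: the 'special' AV is an EPS AV carried in this format."""
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes
    ik: bytes


def _prf(k: bytes, label: bytes, rand: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces the real AKA f-functions and K_ASME KDF.
    return hmac.new(k, label + rand, hashlib.sha256).digest()


def eps_aka(k: bytes, rand: bytes) -> Tuple[bytes, bytes, bytes]:
    """(AUTN, RES/XRES, K_ASME) as both the HSS and the LTE UE compute them."""
    return _prf(k, b"autn", rand)[:16], _prf(k, b"res", rand)[:8], _prf(k, b"kasme", rand)


def access_ne_build_request(sgsn_request: dict, ue_is_lte: bool) -> dict:
    """Access network element: add the indication when an LTE UE uses 2G/3G."""
    request = dict(sgsn_request)
    if ue_is_lte:
        request["special_av_indication"] = True  # hypothetical field name
    return request


def hss_special_av(k: bytes, request: dict) -> AuthVector:
    """HSS: generate an EPS AV and convert it into UMTS AV format."""
    if not request.get("special_av_indication"):
        raise ValueError("the ordinary UMTS AV path is not modelled here")
    rand = secrets.token_bytes(16)
    autn, xres, kasme = eps_aka(k, rand)
    # RAND, AUTN and XRES are copied; K_ASME is split into CK and IK.
    return AuthVector(rand, autn, xres, kasme[:CK_LEN], kasme[CK_LEN:])


def ue_answer_challenge(k: bytes, rand: bytes, autn: bytes) -> Optional[Tuple[bytes, bytes]]:
    """LTE UE: verify the LTE AKA challenge, then return (RES, K_ASME)."""
    expected_autn, res, kasme = eps_aka(k, rand)
    if not hmac.compare_digest(expected_autn, autn):
        return None  # network authentication failed on the UE side
    return res, kasme


def sgsn_check_response(av: AuthVector, res: bytes) -> Optional[Tuple[bytes, bytes]]:
    """SGSN: release (CK, IK) only if RES equals XRES; None means suspended."""
    if not hmac.compare_digest(av.xres, res):
        return None
    return av.ck, av.ik


def access_ne_kasme(ck: bytes, ik: bytes) -> bytes:
    """Access network element: generation rule K_ASME = CK || IK."""
    if len(ck) != CK_LEN or len(ik) != CK_LEN:
        raise ValueError("CK and IK must each be 128 bits")
    return ck + ik


def run_attach(k_hss: bytes, k_ue: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Run the exchange; return (network K_ASME, UE K_ASME) or None on failure."""
    # Constructed sample request; the IMSI is a made-up test value.
    request = access_ne_build_request({"imsi": "001010000000001"}, ue_is_lte=True)
    av = hss_special_av(k_hss, request)
    answer = ue_answer_challenge(k_ue, av.rand, av.autn)
    if answer is None:
        return None
    res, ue_kasme = answer
    keys = sgsn_check_response(av, res)
    if keys is None:
        return None
    return access_ne_kasme(*keys), ue_kasme


if __name__ == "__main__":
    shared_k = secrets.token_bytes(16)  # constructed subscriber key
    network_key, ue_key = run_attach(shared_k, shared_k)
    print("K_ASME shared:", hmac.compare_digest(network_key, ue_key))
```

Because CK and IK together are the full K_ASME, the SGSN in this flow holds the complete LTE anchor key once it receives the special authentication vector.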

 In a second aspect, a method for secure authentication of a mobile communication system is provided, including:

 The SGSN receives the UMTS attach request message, where the UMTS attach request message is obtained by the access network element converting the attach request message sent by the LTE UE; the SGSN sends a request for the authentication vector to the access network element, so that after receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector and then sends it to the access network element;

 After receiving the special authentication vector from the access network element, the SGSN sends a UMTS AKA authentication challenge to the access network element, so that the SGSN, the access network element, and the LTE UE complete the security authentication.

 In a first possible implementation, the SGSN, the access network element, and the LTE UE complete the security authentication, including:

 The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE; after the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key K_ASME, the LTE UE sends the LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

 In a second possible implementation manner, in combination with the second aspect or the first possible implementation manner of the second aspect, the special authentication vector includes XRES, CK, and IK;

 The access network element, the SGSN, and the LTE UE further completing the security authentication includes: the access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends it to the SGSN; the SGSN compares whether the RES and the XRES are the same; when the comparison result is the same, the SGSN sends the CK and/or IK to the access network element, the access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.

 In a third possible implementation, in combination with the second possible implementation of the second aspect, the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.

 In a fourth possible implementation, in combination with the second aspect or any one of the first to third possible implementation manners of the second aspect, the access network element sending a request for the special authentication vector to the HSS after receiving the request for the authentication vector includes:

 Receiving, by the access network element, the request for the authentication vector sent by the SGSN;

 The access network element identifies that the LTE UE accesses the 2G or 3G network;

 The access network element adds indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

 In a fifth possible implementation, in combination with the second aspect or the first to fourth possible implementation manners of the second aspect, the HSS generating the special authentication vector according to the request for the special authentication vector includes:

 The HSS generates EPS AV for the LTE UE;

 The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

 In a sixth possible implementation, in combination with the fifth possible implementation of the second aspect, the HSS converting the EPS AV into the UMTS AV format includes:

 The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV, respectively.

 In a seventh possible implementation manner, in combination with the second to sixth possible implementation manners of the second aspect, the access network element generating the K_ASME according to the CK and/or IK includes:

 The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.

 The third aspect provides a security authentication method for a mobile communication system, including: the access network element converts an attach request message from the LTE UE into a UMTS attach request message;

 The access network element sends the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the access network element after receiving the UMTS attach request message;

 After receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector and sends the special authentication vector to the access network element;

 The access network element receives the UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the SGSN after the access network element sends the special authentication vector to the SGSN;

 The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends the challenge to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.

 In a first possible implementation manner, the access network element, the SGSN, and the LTE UE completing the security authentication includes:

 After the LTE UE verifies the LTE AKA authentication challenge, the RES and the key K_ASME are generated;

 The access network element receives the LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

 In a second possible implementation manner, in combination with the third aspect or the first possible implementation manner of the third aspect, the special authentication vector includes XRES, CK, and IK;

 The access network element, the SGSN, and the LTE UE further completing the security authentication includes: the access network element converts the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES; the access network element sends the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same, and when the comparison result is the same, the SGSN sends the CK and/or IK to the access network element;

 The access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.

 In a third possible implementation manner, in combination with the second possible implementation manner of the third aspect, the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.

 In a fourth possible implementation, in combination with the third aspect or the first to the third possible implementation manners of the third aspect, the access network element sending a request for the special authentication vector to the HSS after receiving the request for the authentication vector includes:

 Receiving, by the access network element, the request for the authentication vector sent by the SGSN;

 The access network element identifies that the LTE UE accesses the 2G or 3G network;

 The access network element adds indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

 In a fifth possible implementation, in combination with the third aspect or the first to fourth possible implementation manners of the third aspect, the generating, by the HSS, the special authentication vector according to the request for the special authentication vector includes:

 The HSS generates EPS AV for the LTE UE;

 The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

 In a sixth possible implementation manner, in combination with the fifth possible implementation manner of the third aspect, the HSS converting the EPS AV into the UMTS AV format includes:

 The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV, respectively.

 In a seventh possible implementation, in combination with the second to the sixth possible implementation manners of the third aspect, the access network element generating the K_ASME according to the CK and/or IK includes:

 The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.

 In a fourth aspect, an HSS is provided, including: a receiving module, a processing module, and a sending module; the receiving module is configured to receive a request for a special authentication vector sent by an access network element, where the request for the special authentication vector is sent by the access network element after receiving the request for the authentication vector sent by the SGSN;

 The processing module is configured to generate a special authentication vector according to the request for the special authentication vector; the sending module is configured to send the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE UE complete the security authentication.

 In a first possible implementation manner, the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by the access network element converting the attach request message, and the attach request message is sent by the LTE UE.

 In a second possible implementation, in combination with the fourth aspect or the first possible implementation manner of the fourth aspect, the access network element, the SGSN, and the LTE UE completing the security authentication includes: the access network element sends the special authentication vector to the SGSN; the SGSN sends the UMTS AKA authentication challenge to the access network element; the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and then sends it to the LTE UE; after the LTE UE performs verification according to the LTE AKA authentication challenge and generates the RES and the key K_ASME, the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

 In a third possible implementation, in combination with the fourth aspect or the first to the second possible implementation manner of the fourth aspect, the special authentication vector includes XRES, CK, and IK;

 The access network element, the SGSN, and the LTE UE further completing the security authentication includes: the access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends it to the SGSN; the SGSN compares whether the RES and the XRES are the same; when the comparison result is the same, the SGSN sends the CK and/or IK to the access network element, the access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.

 In a fourth possible implementation manner, in combination with the third possible implementation manner of the fourth aspect, the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.

 In a fifth possible implementation, in combination with the fourth or fourth possible implementation manner of the fourth aspect, the request for the special authentication vector being sent by the access network element after receiving the request for the authentication vector sent by the SGSN includes:

 Receiving, by the access network element, the request for the authentication vector sent by the SGSN;

 The access network element identifies that the LTE UE accesses the 2G or 3G network;

 The access network element adds indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

 In a sixth possible implementation, in combination with the fourth aspect or the first to fifth possible implementation manners of the fourth aspect, the processing module being configured to generate a special authentication vector according to the request for the special authentication vector includes:

 The processing module is configured to generate an EPS AV for the LTE UE;

 The processing module is configured to convert the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

 In a seventh possible implementation, in combination with the sixth possible implementation manner of the fourth aspect, the processing module is configured to convert the EPS AV into the UMTS AV format, including:

 The processing module is configured to use the RAND in the EPS AV as the RAND of the UMTS AV, to use the AUTN in the EPS AV as the AUTN of the UMTS AV, to use the XRES in the EPS AV as the XRES of the UMTS AV, and to split the K_ASME in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV, respectively.

 In an eighth possible implementation, in combination with any of the third to seventh possible implementation manners of the fourth aspect, the access network element generating the K_ASME according to the CK and/or IK includes:

 The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.

 In a fifth aspect, an SGSN is provided, including: a receiving module; a sending module;

 The receiving module is configured to receive a UMTS attach request message sent by an access network element, where the UMTS attach request message is obtained by the access network element converting the attach request message sent by the LTE UE;

 The sending module is configured to send a request for the authentication vector to the access network element, so that after receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector and then sends the special authentication vector to the access network element;

 The receiving module is further configured to receive the special authentication vector from the access network element, where the sending module is further configured to send the UMTS AKA authentication challenge to the access network element after the receiving module receives the special authentication vector, so that the SGSN, the access network element, and the LTE UE complete the security authentication.

 In a first possible implementation, the SGSN, the access network element, and the LTE UE completing the security authentication includes:

 The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE; after the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key K_ASME, the LTE UE sends the LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

 In a second possible implementation manner, in combination with the fifth aspect or the first possible implementation manner of the fifth aspect, the SGSN further includes a processing module;

 The special authentication vector contains XRES, CK, IK;

 The access network element, the SGSN, and the LTE UE further completing the security authentication includes: the access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiving module; the processing module is configured to compare whether the RES and the XRES are the same; when the comparison result is the same, the sending module sends the CK and/or IK to the access network element; the access network element generates K_ASME according to the CK and/or IK sent by the sending module, and the access network element and the LTE UE share the K_ASME.

 In a third possible implementation manner, in combination with the second possible implementation manner of the fifth aspect, the processing module being configured to compare whether the RES and the XRES are the same further includes: when the comparison result is different, the security authentication is suspended.

 In a fourth possible implementation manner, in combination with the fifth aspect or any one of the first to third possible implementation manners of the fifth aspect, the access network element sending a request for the special authentication vector to the HSS after receiving the request for the authentication vector includes:

 Receiving, by the access network element, the request for the authentication vector sent by the SGSN;

 The access network element identifies that the LTE UE accesses the 2G or 3G network;

 The access network element adds indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

 In a fifth possible implementation, in combination with the fifth aspect or the first to fourth possible implementation manners of the fifth aspect, the HSS generating the special authentication vector according to the request for the special authentication vector includes:

 The HSS generates EPS AV for the LTE UE;

 The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

 In a sixth possible implementation manner, in combination with the fifth possible implementation manner of the fifth aspect, the HSS converting the EPS AV into the UMTS AV format includes:

 The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV, respectively.

 In a seventh possible implementation, in combination with the second to sixth possible implementation manners of the fifth aspect, the access network element generating the K_ASME according to the CK and/or IK includes:

 The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.

 A sixth aspect provides an access network element, including: a receiving module, a processing module, and a sending module;

 The receiving module is configured to receive an attach request message from an LTE UE; the processing module is configured to convert the attach request message into a UMTS attach request message;

 The sending module is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the receiving module after receiving the UMTS attach request message; the sending module is further configured to receive the request at the receiving module Requesting a request for the authentication vector to send a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector, so that the HSS sends the special authentication vector to the receiving module;

 The receiving module is further configured to receive a UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the sending module to the SGSN by the sending module, and the processing module is further configured to convert the UMTS AKA authentication challenge into The LTE AKA authentication challenge is to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.

In a first possible implementation, the access network element, the SGSN, and the LTE UE completing the security authentication includes:

After the LTE UE verifies the LTE AKA authentication challenge, the RES and the key K_ASME are generated;

 The receiving module is configured to receive an LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete security authentication.

In a second possible implementation, in combination with the sixth aspect or the first possible implementation manner of the sixth aspect, the special authentication vector includes XRES, CK, and IK; the processing module is further configured to convert the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES; the sending module is further configured to send the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same and, when the comparison result is that they are the same, the SGSN sends the CK and/or IK to the access network element;

The processing module is further configured to generate K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.

In a third possible implementation manner, in combination with the second possible implementation manner of the sixth aspect, the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is that they are different, the security authentication is suspended.

In a fourth possible implementation, in combination with the sixth aspect or the first to third possible implementation manners of the sixth aspect, the sending module being further configured to send a request for the special authentication vector to the HSS after the receiving module receives the request for the authentication vector includes:

 The receiving module is configured to receive the request for the authentication vector sent by the SGSN;

 The processing module is configured to identify that the LTE UE accesses the 2G or 3G network;

The processing module is further configured to add indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

 In a fifth possible implementation, in combination with the sixth aspect or the first to fourth possible implementation manners of the sixth aspect, the generating, by the HSS, the special authentication vector according to the request for the special authentication vector includes:

 The HSS generates EPS AV for the LTE UE;

 The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

In a sixth possible implementation manner, in combination with the fifth possible implementation manner of the sixth aspect, the HSS converting the EPS AV into the UMTS AV format includes:

The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME (256 bits) in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV, respectively.

In a seventh possible implementation, in combination with the second to the sixth possible implementation manners of the sixth aspect, the processing module is further configured to generate the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.

Through the above scheme, the LTE UE can use the 2G/3G network.

DRAWINGS

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings to be used in the embodiments of the present invention will be briefly described. It is obvious that the drawings in the following description show only some embodiments of the present invention. Other drawings may also be obtained by those of ordinary skill in the art from these drawings.

FIG. 1 is a schematic flowchart of an authentication method of a mobile communication system according to an embodiment of the present invention;

FIG. 2 is a schematic flowchart of an authentication method of a mobile communication system according to another embodiment of the present invention;

FIG. 3 is a schematic flow chart of an authentication method of a mobile communication system according to another embodiment of the present invention;

FIG. 4 is a schematic flow chart of an authentication method of a mobile communication system according to another embodiment of the present invention;

FIG. 5 is a schematic block diagram of a home subscriber server according to an embodiment of the present invention;

FIG. 6 is a schematic block diagram of a GPRS service supporting node according to an embodiment of the present invention;

FIG. 7 is a schematic block diagram of an access network element according to an embodiment of the present invention;

FIG. 8 is a schematic block diagram of a home subscriber server according to another embodiment of the present invention;

FIG. 9 is a schematic block diagram of a GPRS service support node according to another embodiment of the present invention;

FIG. 10 is a schematic block diagram of an access network element according to another embodiment of the present invention.

DETAILED DESCRIPTION

The technical solutions in the embodiments of the present invention will be described in detail below with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are a part of the embodiments of the present invention, rather than all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts shall fall within the scope of the present invention.

It should be understood that the technical solution of the embodiments of the present invention can be applied to various 2G or 3G communication systems, for example: the Global System of Mobile communication ("GSM") system, the Code Division Multiple Access ("CDMA") system, the Wideband Code Division Multiple Access ("WCDMA") system, General Packet Radio Service ("GPRS"), the Universal Mobile Telecommunication System ("UMTS"), the Worldwide Interoperability for Microwave Access ("WiMAX") communication system, etc.

The access network element in the embodiment of the present invention is an enhanced access network element that supports the LTE UE in accessing the 2G/3G core network. In all the embodiments of the present invention, the access network element may have the following functions: the function of the LTE eNB, so that the LTE UE may access the 2G/3G core network through the access network element without modification, and the LTE UE considers that it is accessing the LTE network rather than the 2G/3G core network; the access network element in the embodiment of the present invention can also implement functions of a Mobility Management Entity ("MME"), such as the security protection function of NAS signaling.

FIG. 1 shows a schematic flow diagram of a method 100 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. As shown in FIG. 1, the method 100 includes:

S110. The HSS receives a request for a special authentication vector sent by the access network element, where the request for the special authentication vector is sent by the access network element after receiving the request for the authentication vector sent by the SGSN.

S120. The HSS generates a special authentication vector according to the request for the special authentication vector.

S130. The HSS sends the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE UE complete the security authentication.

In the embodiment of the present invention, in order to enable the LTE UE to use the 2G or 3G network, after the access network element identifies that the LTE UE accesses the 2G/3G network, the HSS generates a special authentication vector for the LTE UE, so that the SGSN, the access network element, and the LTE UE complete the security authentication and the LTE UE can use the 2G or 3G core network.

 Optionally, the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by converting the attach request message by the access network element. The attach request message is sent by the LTE UE.

Optionally, the access network element, the SGSN, and the LTE UE completing the security authentication includes: the access network element sends the special authentication vector to the SGSN, the SGSN sends a UMTS AKA authentication challenge to the access network element, and the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE. After the LTE UE performs verification according to the LTE AKA authentication challenge and generates the RES and the key K_ASME, the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

 Optionally, the special authentication vector includes XRES, CK, and IK;

 Optionally, the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, and the SGSN compares whether the RES and the XRES are the same. When the comparison result is that they are the same, the SGSN sends the CK and/or IK to the access network element, the access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.

Optionally, the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is that they are different, the security authentication is suspended.

 Optionally, the request for the special authentication vector is sent by the access network element after receiving the request for the authentication vector sent by the SGSN, and the sending includes:

 Receiving, by the access network element, the request for the authentication vector sent by the SGSN;

 The access network element identifies that the LTE UE accesses the 2G or 3G network;

The access network element adds indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

Optionally, the HSS generating a special authentication vector according to the request for the special authentication vector includes:

 The HSS generates EPS AV for the LTE UE;

 The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

 Optionally, the HSS converts the EPS AV into a UMTS AV format, including:

The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV, respectively.

Optionally, the access network element generating the K_ASME according to the CK and/or IK includes:

The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.

In the embodiment of the present invention, the message sent by the LTE UE is converted by the access network element into a message applicable to the 2G or 3G network. After the access network element identifies the scenario in which the LTE UE accesses the 2G or 3G network through the access network element, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed through the access network element and the SGSN. The LTE UE does not need to be modified, so the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.

FIG. 2 shows a schematic flow diagram of a method 200 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. The method disclosed in FIG. 2 and its description may be based on the embodiment of FIG. 1 of the present invention and the method disclosed in FIG. 1. As shown in FIG. 2, the method 200 includes:

S210. The SGSN receives the UMTS attach request message, where the UMTS attach request message is obtained by the access network element converting the attach request message sent by the LTE UE.

S220. The SGSN sends a request for the authentication vector to the access network element, so that the access network element, after receiving the request for the authentication vector, sends a request for the special authentication vector to the HSS, and the HSS generates the special authentication vector according to the request for the special authentication vector and sends it to the access network element;

S230. The SGSN receives the special authentication vector from the access network element and sends the UMTS AKA authentication challenge to the access network element, so that the SGSN, the access network element, and the LTE UE complete the security authentication.

In the embodiment of the present invention, after the LTE UE accesses the 2G or 3G core network, the access network element requests a special authentication vector from the HSS, and the HSS generates a special authentication vector according to the request of the SGSN. The SGSN, the access network element, and the LTE UE complete the security authentication, which enables the LTE UE to use the 2G or 3G core network without modifying the LTE UE.

Optionally, the SGSN, the access network element, and the LTE UE completing the security authentication includes: the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE. After the LTE UE performs the verification according to the LTE AKA authentication challenge and generates the RES and the key K_ASME, the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

 Optionally, the special authentication vector includes XRES, CK, and IK;

 Optionally, the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, and the SGSN compares whether the RES and the XRES are the same. When the comparison result is that they are the same, the SGSN sends the CK and/or IK to the access network element, the access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.

Optionally, the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is that they are different, suspending the security authentication.

Optionally, the access network element sending the request for the special authentication vector to the HSS after receiving the request for the authentication vector includes:

 Receiving, by the access network element, the request for the authentication vector sent by the SGSN;

 The access network element identifies that the LTE UE accesses the 2G or 3G network;

The access network element adds indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

Optionally, the HSS generating the special authentication vector according to the request for the special authentication vector includes:

 The HSS generates EPS AV for the LTE UE;

 The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

 Optionally, the HSS converts the EPS AV into a UMTS AV format, including:

The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV, respectively.

Optionally, the access network element generating the K_ASME according to the CK and/or IK includes:

The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.

In the embodiment of the present invention, the message sent by the LTE UE is converted by the access network element into a message applicable to the 2G or 3G network. After the access network element identifies the scenario in which the LTE UE accesses the 2G or 3G network through the access network element, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed through the access network element and the SGSN. The LTE UE does not need to be modified, so the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.

FIG. 3 shows a schematic flow diagram of a method 300 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. The method disclosed in FIG. 3 and its description may be based on the embodiments of FIG. 1 and FIG. 2 of the present invention and the methods disclosed in FIG. 1 and FIG. 2. As shown in FIG. 3, the method 300 includes:

S310. The access network element converts an attach request message from the LTE UE into a UMTS attach request message.

 S320, the access network element sends the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the access network element after receiving the UMTS attach request message;

S330. After receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector and sends the special authentication vector to the access network element;

S340. The access network element receives the UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the SGSN after the access network element sends the special authentication vector to the SGSN;

S350. The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.

 In the embodiment of the present invention, the information sent by the LTE UE is converted into the information applicable to the 2G or 3G network system by the access network element, and the access network element identifies the scenario that the LTE UE accesses the 2G or 3G network. The HSS generates a special authentication vector, so that the access network element, the SGSN, and the LTE UE can complete the security authentication, so that the LTE UE can use the existing 2G or 3G core network.

Optionally, the access network element, the SGSN, and the LTE UE completing the security authentication includes: the LTE UE verifies the LTE AKA authentication challenge and generates a RES and a key K_ASME; the access network element receives the LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

 Optionally, the special authentication vector includes XRES, CK, and IK;

 Optionally, the access network element, the SGSN, and the LTE UE further complete the security authentication, including:

The access network element converts the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, and the access network element sends the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same; when the comparison result is that they are the same, the SGSN sends the CK and/or IK to the access network element;

The access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.

Optionally, the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is that they are different, suspending the security authentication.

Optionally, the access network element sending a request for the special authentication vector to the HSS after receiving the request for the authentication vector includes:

 Receiving, by the access network element, the request for the authentication vector sent by the SGSN;

 The access network element identifies that the LTE UE accesses the 2G or 3G network;

The access network element adds indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

Optionally, the HSS generating the special authentication vector according to the request for the special authentication vector includes:

 The HSS generates EPS AV for the LTE UE;

 The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

 Optionally, the HSS converts the EPS AV into a UMTS AV format, including:

The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV, respectively.

Optionally, the access network element generating the K_ASME according to the CK and/or IK includes:

The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.

In the embodiment of the present invention, the message sent by the LTE UE is converted by the access network element into a message applicable to the 2G or 3G network. After the access network element identifies the scenario in which the LTE UE accesses the 2G or 3G core network through the access network element, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed through the access network element and the SGSN. The LTE UE does not need to be modified, so the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.

FIG. 4 shows a schematic flow diagram of a method 400 of secure authentication of a mobile communication system in accordance with an embodiment of the present invention. The method disclosed in FIG. 4 and its description may be based on the embodiments of FIG. 1 to FIG. 3 of the present invention and the methods disclosed in FIG. 1 to FIG. 3. As shown in FIG. 4, the method 400 includes:

 Optionally, the LTE UE accesses the 2G/3G core network through the access network element, and an RRC connection is established between the LTE UE and the access network element.

The LTE UE sends an attach request message to the access network element, and the access network element converts the attach request message received from the LTE UE into a UMTS attach request message identifiable by the SGSN of the 2G/3G core network in the UMTS system. The access network element sends the converted UMTS attach request message to the SGSN.

 The SGSN sends a request for the authentication vector to the access network element, and the access network element receives the request for the authentication vector sent by the SGSN;

The access network element identifies that the LTE UE accesses the 2G or 3G network. Further, the access network element can identify the type of UE that passes through it, that is, the access network element can identify that the LTE UE accesses the 2G or 3G network;

The access network element adds the indication information to the request for the authentication vector to generate the request for the special authentication vector, and the indication information is used to instruct the HSS to generate the special authentication vector. The HSS identifies the scenario in which the LTE UE accesses the 2G/3G network according to the indication information in the request for the special authentication vector sent by the access network element.

The HSS generating the special authentication vector includes:

 Optionally, the HSS generates EPS AV for the LTE UE;

Further, the HSS sets the 0th bit in the authentication management field (AMF) to 1 to indicate that this authentication vector is an EPS AV;

The HSS generates RAND, AUTN, CK, IK and XRES;

The HSS derives K_ASME from CK and IK. The derivation rule can be K_ASME = KDF(CK, IK), where KDF is the key derivation function;

The EPS AV consists of K_ASME, AUTN, XRES, and RAND, where the 0th bit of the AMF parameter in the AUTN has a value of 1.

Optionally, the HSS converts the EPS AV into the UMTS AV format so that the EPS AV can be sent to the SGSN through an existing UMTS authentication response. The method of converting the EPS AV into the UMTS AV format includes: using the RAND, AUTN and XRES in the EPS AV as the RAND, AUTN and XRES of the UMTS AV, and splitting the K_ASME (256 bits) in the EPS AV into two parts, which serve as the CK (128 bits) and the IK (128 bits) of the UMTS AV, respectively. After the EPS AV is converted into the UMTS AV format, the value of the 0th bit of the AMF in the AUTN is still 1. The vector obtained by converting the EPS AV into the UMTS AV format is the special authentication vector.

 The HSS transmits the special authentication vector to the access network element, and the access network element sends the special authentication vector to the SGSN;

The SGSN performs a UMTS AKA authentication procedure based on the special authentication vector received from the access network element. The SGSN sends the UMTS AKA authentication challenge to the access network element. The UMTS AKA authentication challenge includes RAND and AUTN. The access network element converts the received UMTS AKA authentication challenge into an LTE AKA authentication challenge: the RAND and AUTN in the UMTS AKA authentication challenge are sent to the LTE UE in the LTE AKA authentication challenge.

The LTE UE verifies the AUTN. Further, since the value of the 0th bit of the AMF in the AUTN is 1, the LTE UE checks the AMF. The LTE UE generates the RES and the key K_ASME.

 The LTE UE sends an LTE AKA authentication response to the access network element, and the LTE AKA authentication response includes the RES.

 The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response, and sends the RES in the LTE AKA authentication response to the SGSN in the UMTS AKA authentication response.

 The SGSN compares whether the RES and the XRES are the same.

 Optionally, if the comparison result is that the RES is different from the XRES, then the security authentication is suspended;

Optionally, if the comparison result is that the RES and the XRES are the same, the SGSN initiates a security mode process, in which CK and/or IK are sent to the access network element.

Optionally, the access network element generates K_ASME according to CK and/or IK. The generation rule is K_ASME = CK || IK, where "||" indicates concatenation, that is, IK is appended after CK.

The access network element and the LTE UE share the key K_ASME.

Optionally, the LTE NAS SMC process and the LTE AS SMC process are performed between the access network element and the LTE UE to establish LTE air interface security.
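The HSS-side conversion, the SGSN comparison and the access network element's key reconstruction from the steps above, as an added Python example that is not part of the patent text. The KDF is a stand-in (HMAC-SHA-256 over a constructed label), the AUTN layout and the position of AMF bit 0 are assumptions, and all function names and vector values are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumption: AUTN uses the usual AKA layout SQN^AK (6) || AMF (2) || MAC (8),
# and "bit 0" of the AMF is the most significant bit of its first octet.
AMF_OFFSET = 6
AMF_BIT0_MASK = 0x80


@dataclass(frozen=True)
class EpsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    kasme: bytes  # 256 bits


@dataclass(frozen=True)
class UmtsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes  # 128 bits
    ik: bytes  # 128 bits


def stand_in_kdf(ck: bytes, ik: bytes) -> bytes:
    """Stand-in for K_ASME = KDF(CK, IK); not the real KDF input string."""
    return hmac.new(ck + ik, b"constructed-kasme-label", hashlib.sha256).digest()


def hss_build_eps_av(seed: bytes) -> EpsAv:
    """Constructed EPS AV; a real HSS derives these fields with the AKA functions."""
    def field(label: bytes, n: int) -> bytes:
        return hashlib.sha256(seed + label).digest()[:n]

    ck, ik = field(b"ck", 16), field(b"ik", 16)
    autn = bytearray(field(b"autn", 16))
    autn[AMF_OFFSET] |= AMF_BIT0_MASK  # HSS sets AMF bit 0 to 1: this is an EPS AV
    return EpsAv(field(b"rand", 16), bytes(autn), field(b"xres", 8),
                 stand_in_kdf(ck, ik))


def amf_bit0_is_set(autn: bytes) -> bool:
    """The check the LTE UE applies to the AMF carried inside AUTN."""
    if len(autn) != 16:
        raise ValueError("AUTN must be 16 bytes")
    return bool(autn[AMF_OFFSET] & AMF_BIT0_MASK)


def hss_to_umts_format(av: EpsAv) -> UmtsAv:
    """RAND, AUTN and XRES are copied; K_ASME is split into the CK and IK slots."""
    if len(av.kasme) != 32:
        raise ValueError("K_ASME must be 256 bits to split into CK and IK")
    return UmtsAv(av.rand, av.autn, av.xres, av.kasme[:16], av.kasme[16:])


def sgsn_res_matches(res: bytes, xres: bytes) -> bool:
    """SGSN comparison of RES and XRES, done in constant time."""
    return hmac.compare_digest(res, xres)


def access_element_rebuild_kasme(ck: bytes, ik: bytes) -> bytes:
    """Generation rule K_ASME = CK || IK at the access network element."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must each be 128 bits")
    return ck + ik


def run_attach(seed: bytes, ue_res: Optional[bytes] = None) -> Optional[bytes]:
    """Return the K_ASME held by the access network element, or None if suspended."""
    eps_av = hss_build_eps_av(seed)
    special_av = hss_to_umts_format(eps_av)  # what the SGSN stores as a UMTS AV
    res = eps_av.xres if ue_res is None else ue_res  # honest UE: RES == XRES
    if not sgsn_res_matches(res, special_av.xres):
        return None  # security authentication is suspended
    # The SGSN releases both halves, so it holds the complete K_ASME as well.
    return access_element_rebuild_kasme(special_av.ck, special_av.ik)


if __name__ == "__main__":
    key = run_attach(b"constructed-seed")
    print("K_ASME at access network element:", key.hex())
    print("mismatched RES:", run_attach(b"constructed-seed", ue_res=bytes(8)))
```

The CK and IK fields of the special authentication vector are the two halves of K_ASME, not the CK and IK that were fed into the KDF, which is why plain concatenation recovers the key the LTE UE derived.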

In the embodiment of the present invention, the message sent by the LTE UE is converted by the access network element into a message applicable to the 2G or 3G network. After the SGSN identifies the scenario in which the LTE UE accesses the 2G or 3G core network through the access network element, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed through the access network element and the SGSN. The LTE UE does not need to be modified, so the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.

FIG. 5 shows a schematic block diagram of a home subscriber server 500 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. The apparatus disclosed in FIG. 5 and its description may be based on the embodiments of FIG. 1 to FIG. 4 of the present invention and the methods disclosed in FIG. 1 to FIG. 4. As shown in FIG. 5, the home subscriber server HSS 500 includes: a receiving module 510, a processing module 520, and a sending module 530.

The receiving module 510 is configured to receive a request for a special authentication vector sent by an access network element, where the request for the special authentication vector is sent by the access network element after receiving the request for the authentication vector sent by the SGSN;

 The processing module 520 is configured to generate a special authentication vector according to the request for the special authentication vector;

 The sending module 530 is configured to send the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE UE complete the security authentication.

In the embodiment of the present invention, in order to enable the LTE UE to use the 2G or 3G network, after the access network element identifies that the LTE UE accesses the 2G/3G core network, the HSS generates a special authentication vector for the LTE UE, so that the SGSN, the access network element, and the LTE UE complete the security authentication and the LTE UE can use the 2G or 3G core network.

 Optionally, the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by converting the attach request message by the access network element. The attach request message is sent by the LTE UE.

Optionally, the SGSN sends the UMTS AKA authentication challenge to the access network element. After converting the UMTS AKA authentication challenge into an LTE AKA authentication challenge, the access network element sends it to the LTE UE. After the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key KASME, the LTE UE sends the LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

Optionally, the special authentication vector includes XRES, CK, and IK;

 Optionally, the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, and the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and/or IK to the access network element, the access network element generates the KASME according to the CK and/or IK, and the access network element and the LTE UE share the KASME.

Optionally, the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.

 Optionally, the request for the special authentication vector is sent by the access network element after receiving the request for the authentication vector sent by the SGSN, including:

 Receiving, by the access network element, the request for the authentication vector sent by the SGSN;

 The access network element identifies that the LTE UE accesses the 2G or 3G network;

The access network element adds indication information to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

 Optionally, the processing module 520 is configured to generate a special authentication vector according to the request for the special authentication vector, including:

 The processing module 520 is configured to generate EPS AV for the LTE UE;

 further,

 The processing module 520 is configured to set the 0th bit in the authentication management domain AMF to 1 to indicate that the authentication vector is EPS AV;

 The processing module 520 is configured to generate RAND, AUTN, CK, IK, and XRES;

The processing module 520 is configured to derive KASME according to CK and IK, and the derivation rule may be KASME = KDF(CK, IK), where KDF is a key derivation function;

EPS AV consists of KASME, AUTN, XRES, and RAND, where the 0th bit of the AMF parameter in the AUTN has a value of 1.

Optionally, the processing module 520 is configured to convert the EPS AV into the UMTS AV format, so that the EPS AV can be sent to the SGSN by using an existing UMTS authentication response. The method of converting the EPS AV into the UMTS AV format includes: using the RAND, AUTN and XRES in the EPS AV as the RAND, AUTN and XRES of the UMTS AV, and splitting the KASME (256 bits) in the EPS AV into two parts, which are used as the CK (128 bits) and the IK (128 bits) of the UMTS AV, respectively. After the EPS AV is converted into the UMTS AV format, the value of the 0th bit of the AMF in the AUTN is still 1. The vector obtained by converting the EPS AV into the UMTS AV format is the special authentication vector.

Optionally, the access network element generating the KASME according to the CK and/or IK includes:

The access network element generates the KASME from the CK and/or IK according to the generation rule KASME = CK||IK, where "||" indicates concatenation, that is, IK is appended after CK.

In the embodiment of the present invention, the message sent by the LTE UE is converted by the access network element into a message applicable to the 2G or 3G network. After the access network element identifies the scenario in which the LTE UE accesses the 2G or 3G network through the access network element, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed through the access network element and the SGSN. The LTE UE does not need to be modified, so the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.
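The EPS AV to UMTS AV conversion and the KASME = CK||IK reconstruction described above, as an added Python example that is not part of the patent text. The function names, the HMAC-SHA-256 stand-in for the unspecified KDF, the AUTN byte layout, the reading of "bit 0" as the most significant AMF bit, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: AMF bits are numbered 0..15 with bit 0 the most significant bit.
AMF_BIT0_MASK = 0x8000


@dataclass(frozen=True)
class EpsAv:
    rand: bytes
    autn: bytes   # assumed layout: SQN xor AK (6 bytes) || AMF (2) || MAC (8)
    xres: bytes
    kasme: bytes  # 256 bits


@dataclass(frozen=True)
class UmtsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes     # 128 bits
    ik: bytes     # 128 bits


def kdf(ck: bytes, ik: bytes) -> bytes:
    """Stand-in for the page's unspecified KDF(CK, IK): HMAC-SHA-256 keyed with CK||IK."""
    return hmac.new(ck + ik, b"constructed-kdf-label", hashlib.sha256).digest()


def hss_build_eps_av(rand: bytes, sqn_xor_ak: bytes, amf: int, mac: bytes,
                     xres: bytes, ck: bytes, ik: bytes) -> EpsAv:
    """HSS: set AMF bit 0 to 1 and derive KASME from CK and IK.
    The MAC is a constructed sample here, not computed over the AMF."""
    amf_marked = (amf | AMF_BIT0_MASK).to_bytes(2, "big")
    return EpsAv(rand, sqn_xor_ak + amf_marked + mac, xres, kdf(ck, ik))


def eps_av_to_umts_av(av: EpsAv) -> UmtsAv:
    """HSS: reuse RAND, AUTN and XRES; split KASME into the CK and IK fields.
    The resulting CK/IK are halves of KASME, not the CK/IK fed to the KDF."""
    if len(av.kasme) != 32:
        raise ValueError("KASME must be 256 bits")
    return UmtsAv(av.rand, av.autn, av.xres, av.kasme[:16], av.kasme[16:])


def amf_bit0(autn: bytes) -> int:
    """Read the 0th AMF bit back out of a 16-byte AUTN."""
    if len(autn) != 16:
        raise ValueError("AUTN must be 128 bits")
    return 1 if int.from_bytes(autn[6:8], "big") & AMF_BIT0_MASK else 0


def sgsn_check_res(res: bytes, av: UmtsAv) -> Optional[Tuple[bytes, bytes]]:
    """SGSN: release CK and IK only when RES equals XRES; None means the
    authentication is suspended. The comparison is constant-time."""
    if not hmac.compare_digest(res, av.xres):
        return None
    return av.ck, av.ik


def access_ne_kasme(ck: bytes, ik: bytes) -> bytes:
    """Access network element: KASME = CK || IK (IK appended after CK)."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must each be 128 bits")
    return ck + ik


# Constructed sample values, for illustration only.
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
SQN_XOR_AK = bytes.fromhex("a1b2c3d4e5f6")
MAC = bytes.fromhex("0102030405060708")
XRES = bytes.fromhex("1122334455667788")
CK0 = bytes(range(16))
IK0 = bytes(range(16, 32))


def run_flow(res_from_ue: bytes) -> Optional[bytes]:
    """HSS -> SGSN -> access network element; returns KASME or None."""
    eps = hss_build_eps_av(RAND, SQN_XOR_AK, 0x0000, MAC, XRES, CK0, IK0)
    special = eps_av_to_umts_av(eps)
    keys = sgsn_check_res(res_from_ue, special)
    return None if keys is None else access_ne_kasme(*keys)


if __name__ == "__main__":
    print("matching RES   ->", run_flow(XRES).hex())
    print("mismatched RES ->", run_flow(bytes(8)))
```

Because the CK and IK fields carry the two halves of KASME, the access network element recovers the same 256-bit key the LTE UE derives without running the KDF itself.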

FIG. 6 shows a schematic block diagram of a GPRS service support node 600 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. FIG. 6 and its description of the disclosed apparatus may be based on FIG. 1 to FIG. 4 of the embodiment of the present invention and the method disclosed in FIG. 1 to FIG. 4, and may also be based on FIG. 5 of the embodiment of the present invention and the disclosed apparatus. As shown in FIG. 6, the GPRS service support node SGSN 600 includes: a receiving module 610 and a sending module 620;

 The receiving module 610 is configured to receive a UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by converting the attach request message sent by the LTE UE by the access network element;

The sending module 620 is configured to send a request for the authentication vector to the access network element, so that after receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, and the HSS then generates the special authentication vector according to the request for the special authentication vector and sends the special authentication vector to the access network element;

The receiving module 610 is further configured to receive the special authentication vector from the access network element, and the sending module 620 is further configured to send the UMTS AKA authentication challenge to the access network element after the receiving module 610 receives the special authentication vector, so that the SGSN, the access network element, and the LTE UE complete the security authentication.

 In the embodiment of the present invention, after the network element of the access network identifies the scenario in which the LTE UE accesses the 2G or 3G network, the access network element requests the HSS to obtain a special authentication vector, and the HSS generates a special authentication vector according to the request. The SGSN, the access network element, and the LTE UE complete the security authentication, and enable the LTE UE to use the 2G or 3G core network without modifying the LTE UE.

Optionally, the SGSN, the access network element, and the LTE UE completing the security authentication includes: the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE. After the LTE UE performs the verification according to the LTE AKA authentication challenge and generates the RES and the key KASME, the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

 Optionally, the SGSN further includes a processing module 630;

 Optionally, the special authentication vector includes XRES, CK, and IK;

 Optionally, the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiving module 610, and the processing module 630 is configured to compare whether the RES and the XRES are the same. When the comparison result is the same, the sending module 620 sends the CK and/or IK to the access network element, the access network element generates the KASME according to the CK and/or IK sent by the sending module 620, and the access network element and the LTE UE share the KASME.

Optionally, the processing module 630 is configured to compare whether the RES and the XRES are the same. Further, when the comparison result is different, the security authentication is suspended.

Optionally, the access network element sending the request for the special authentication vector to the HSS after receiving the request for the authentication vector includes:

 Receiving, by the access network element, the request for the authentication vector sent by the SGSN;

 The access network element identifies that the LTE UE accesses the 2G or 3G network;

The access network element adds indication information to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

 Optionally, the generating, by the HSS, the special authentication vector according to the request for the special authentication vector includes:

 The HSS generates EPS AV for the LTE UE;

 The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

 Optionally, the HSS converts the EPS AV into a UMTS AV format, including:

The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the KASME in the EPS AV into two parts, which are used as the CK and the IK of the UMTS AV, respectively.

Optionally, the access network element generating the KASME according to the CK and/or IK includes:

The access network element generates the KASME from the CK and/or IK according to the generation rule KASME = CK||IK.

In the embodiment of the present invention, the message sent by the LTE UE is converted by the access network element into a message applicable to the 2G or 3G network. After the SGSN identifies the scenario in which the LTE UE accesses the 2G or 3G core network through the access network element, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed through the access network element and the SGSN. The LTE UE is not required to be modified, so the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.

FIG. 7 shows a schematic block diagram of an access network element 700 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. FIG. 7 and its description of the disclosed apparatus may be based on FIG. 1 to FIG. 4 of the embodiment of the present invention and the method disclosed in FIG. 1 to FIG. 4, and may also be based on FIGS. 5 to 6 of the embodiments of the present invention and the apparatus disclosed in FIGS. 5 to 6. As shown in FIG. 7, the access network element 700 includes: a receiving module 710, a processing module 720, and a sending module 730;

 The receiving module 710 is configured to receive an attach request message from an LTE UE; the processing module 720 is configured to convert the attach request message into a UMTS attach request message;

The sending module 730 is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the receiving module 710 after receiving the UMTS attach request message; the sending module 730 is further configured to send, after the receiving module 710 receives the request for the authentication vector, a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector and sends the special authentication vector to the receiving module 710;

The receiving module 710 is further configured to receive a UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the SGSN after the sending module 730 sends the special authentication vector to the SGSN; the processing module 720 is further configured to convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge; and the sending module 730 is further configured to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.

In the embodiment of the present invention, the information sent by the LTE UE is converted by the access network element into information applicable to the 2G or 3G network system, and the access network element identifies the scenario in which the LTE UE accesses the 2G or 3G network. The HSS generates a special authentication vector so that the access network element, the SGSN, and the LTE UE can complete the security authentication, which enables the LTE UE to use the existing 2G or 3G core network.

Optionally, the access network element, the SGSN, and the LTE UE completing the security authentication includes: the LTE UE verifies the LTE AKA authentication challenge and generates a RES and a key KASME; the receiving module 710 is configured to receive the LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

Optionally, the special authentication vector includes XRES, CK, and IK;

 Optionally, the access network element, the SGSN, and the LTE UE further complete the security authentication, including:

The processing module 720 is further configured to convert the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, and the sending module 730 is further configured to send the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and/or IK to the access network element.

The processing module 720 is further configured to generate the KASME according to the CK and/or IK, where the access network element and the LTE UE share the KASME.

Optionally, the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.

 Optionally, the sending module 730 is further configured to: after the receiving module 710 receives the request for the authentication vector, send a request for the special authentication vector to the HSS, including:

 The receiving module 710 is configured to receive the request for the authentication vector that is sent by the SGSN. The processing module 720 is configured to identify that the LTE UE accesses the 2G or 3G network.

 The processing module 720 is further configured to add, in the authentication vector, the indication information to generate the request for the special authentication vector, where the indication information is used to indicate that the HSS generates the special authentication vector.

 Optionally, the special authentication vector generated by the HSS according to the request for the special authentication vector includes:

 The HSS generates EPS AV for the LTE UE;

 The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

 Optionally, the HSS converts the EPS AV into a UMTS AV format, including:

The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the KASME (256 bits) in the EPS AV into two parts, which are used as the CK and the IK of the UMTS AV, respectively.

Optionally, the processing module 720 is further configured to generate the KASME from the CK and/or IK according to the generation rule KASME = CK||IK, where "||" indicates concatenation, that is, IK is appended after CK.

In the embodiment of the present invention, the message sent by the LTE UE is converted by the access network element into a message applicable to the 2G or 3G network. After the access network element identifies the scenario in which the LTE UE accesses the 2G or 3G network through the access network element, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed through the access network element and the SGSN. The LTE UE does not need to be modified, so the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.

FIG. 8 shows a schematic block diagram of a user home server 800 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. FIG. 8 and its description of the disclosed apparatus may be based on FIG. 1 to FIG. 4 of the embodiment of the present invention and the method disclosed in FIG. 1 to FIG. 4, and on FIG. 5 to FIG. 7 of the embodiment of the present invention and the apparatus disclosed in FIG. 5 to FIG. 7. As shown in FIG. 8, the user home server HSS 800 includes: a receiver 810, a processor 820, and a transmitter 830;

 The receiver 810 is configured to receive a request for a special authentication vector sent by the network element of the access network, where the request for the special authentication vector is sent by the network element of the access network after receiving the request for the authentication vector sent by the SGSN;

The processor 820 is configured to generate a special authentication vector according to the request for the special authentication vector;

The transmitter 830 is configured to send the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE UE complete the security authentication.

In the embodiment of the present invention, in order to enable the LTE UE to use the 2G or 3G network, after the access network element identifies that the LTE UE accesses the 2G/3G core network, the HSS generates a special authentication vector for the LTE UE, so that the SGSN, the access network element, and the LTE UE complete the security authentication and the LTE UE can use the 2G or 3G core network.

Optionally, the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, where the UMTS attach request message is obtained by the access network element converting the attach request message, and the attach request message is sent by the LTE UE.

Optionally, the SGSN sends the UMTS AKA authentication challenge to the access network element. After converting the UMTS AKA authentication challenge into an LTE AKA authentication challenge, the access network element sends it to the LTE UE. After the LTE UE performs verification according to the LTE AKA authentication challenge and generates a RES and a key KASME, the LTE UE sends the LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

 Optionally, the special authentication vector includes XRES, CK, and IK;

 Optionally, the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, and the SGSN compares whether the RES and the XRES are the same. When the comparison result is the same, the SGSN sends the CK and/or IK to the access network element, the access network element generates the KASME according to the CK and/or IK, and the access network element and the LTE UE share the KASME.

Optionally, the SGSN comparing whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.

 Optionally, the request for the special authentication vector is sent by the access network element after receiving the request for the authentication vector sent by the SGSN, including:

 Receiving, by the access network element, the request for the authentication vector sent by the SGSN;

 The access network element identifies that the LTE UE accesses the 2G or 3G network;

The access network element adds the indication information to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

 Optionally, the processor 820 is configured to generate a special authentication vector according to the request for the special authentication vector, including:

 The processor 820 is configured to generate an EPS AV for the LTE UE;

 further,

 The processor 820 is configured to set the 0th bit in the authentication management domain AMF to 1 to indicate that the authentication vector is EPS AV;

 The processor 820 is configured to generate RAND, AUTN, CK, IK and XRES;

 The processor 820 is configured to derive KASME according to CK and IK, and the derivation rule may be KASME = KDF (CK, IK), and KDF is a key derivation function;

EPS AV consists of KASME, AUTN, XRES, and RAND, where the 0th bit of the AMF parameter in the AUTN has a value of 1.

Optionally, the processor 820 is configured to convert the EPS AV into the UMTS AV format, so that the EPS AV can be sent to the SGSN by using an existing UMTS authentication response. The method of converting the EPS AV into the UMTS AV format includes: using the RAND, AUTN and XRES in the EPS AV as the RAND, AUTN and XRES of the UMTS AV, and splitting the KASME (256 bits) in the EPS AV into two parts, which are used as the CK (128 bits) and the IK (128 bits) of the UMTS AV, respectively. After the EPS AV is converted into the UMTS AV format, the value of the 0th bit of the AMF in the AUTN is still 1. The vector obtained by converting the EPS AV into the UMTS AV format is the special authentication vector.

Optionally, the access network element generating the KASME according to the CK and/or IK includes:

The access network element generates the KASME from the CK and/or IK according to the generation rule KASME = CK||IK, where "||" indicates concatenation, that is, IK is appended after CK.

In the embodiment of the present invention, the message sent by the LTE UE is converted by the access network element into a message applicable to the 2G or 3G network. After the access network element identifies the scenario in which the LTE UE accesses the 2G or 3G network through the access network element, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed through the access network element and the SGSN. The LTE UE does not need to be modified, so the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.

FIG. 9 shows a schematic block diagram of a GPRS service support node 900 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. FIG. 9 and its description of the disclosed apparatus may be based on FIG. 1 to FIG. 4 of the embodiment of the present invention and the method disclosed in FIG. 1 to FIG. 4, and may also be based on FIG. 5 of the embodiment of the present invention and the disclosed apparatus. As shown in FIG. 9, the GPRS service support node SGSN 900 includes: a receiver 910 and a transmitter 920;

The receiver 910 is configured to receive a UMTS attach request message sent by an access network element, where the UMTS attach request message is obtained by the access network element converting the attach request message sent by the LTE UE;

The transmitter 920 is configured to send a request for the authentication vector to the access network element, so that after receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, and the HSS generates the special authentication vector according to the request for the special authentication vector and sends the special authentication vector to the access network element;

The receiver 910 is further configured to receive the special authentication vector from the access network element, and the transmitter 920 is further configured to send the UMTS AKA authentication challenge to the access network element after the receiver 910 receives the special authentication vector, so that the SGSN, the access network element, and the LTE UE complete the security authentication.

 In the embodiment of the present invention, after the network element of the access network identifies the scenario in which the LTE UE accesses the 2G or 3G network, the access network element requests the HSS to obtain a special authentication vector, and the HSS generates a special authentication vector according to the request. The SGSN, the access network element, and the LTE UE complete the security authentication, and enable the LTE UE to use the 2G or 3G core network without modifying the LTE UE.

Optionally, the SGSN, the access network element, and the LTE UE completing the security authentication includes: the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE. After the LTE UE performs the verification according to the LTE AKA authentication challenge and generates the RES and the key KASME, the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.

 Optionally, the SGSN further includes a processor 930;

 Optionally, the special authentication vector includes XRES, CK, and IK;

 Optionally, the security authentication is further performed by the access network element, the SGSN, and the LTE UE, including:

The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiver 910, and the processor 930 is configured to compare whether the RES and the XRES are the same. When the comparison result is the same, the transmitter 920 sends the CK and/or IK to the access network element, the access network element generates the KASME according to the CK and/or IK sent by the transmitter 920, and the access network element and the LTE UE share the KASME.

 Optionally, the processor 930 is configured to compare whether the RES and the XRES are the same. Further, when the comparison result is different, the security authentication is suspended.

Optionally, the access network element sending the request for the special authentication vector to the HSS after receiving the request for the authentication vector includes:

 Receiving, by the access network element, the request for the authentication vector sent by the SGSN;

 The access network element identifies that the LTE UE accesses the 2G or 3G network;

The access network element adds indication information to the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

 Optionally, the generating, by the HSS, the special authentication vector according to the request for the special authentication vector includes:

 The HSS generates EPS AV for the LTE UE;

 The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

 Optionally, the HSS converts the EPS AV into a UMTS AV format, including:

The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the KASME in the EPS AV into two parts, which are used as the CK and the IK of the UMTS AV, respectively.

Optionally, the access network element generating the KASME according to the CK and/or IK includes:

The access network element generates the KASME from the CK and/or IK according to the generation rule KASME = CK||IK.

In the embodiment of the present invention, the message sent by the LTE UE is converted by the access network element into a message applicable to the 2G or 3G network. After the SGSN identifies the scenario in which the LTE UE accesses the 2G or 3G core network through the access network element, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed through the access network element and the SGSN. The LTE UE does not need to be modified, so the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.

FIG. 10 shows a schematic block diagram of an access network element 1000 for secure authentication of a mobile communication system in accordance with an embodiment of the present invention. FIG. 10 and its description of the disclosed apparatus may be based on FIG. 1 to FIG. 4 of the embodiment of the present invention and the method disclosed in FIG. 1 to FIG. 4, and may also be based on FIGS. 5 to 9 of the embodiments of the present invention and the apparatus disclosed in FIGS. 5 to 9. As shown in FIG. 10, the access network element 1000 includes: a receiver 1010, a processor 1020, and a transmitter 1030.

 The receiver 1010 is configured to receive an attach request message from an LTE UE, where the processor 1020 is configured to convert the attach request message into a UMTS attach request message.

The transmitter 1030 is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for the authentication vector to the receiver 1010 after receiving the UMTS attach request message; the transmitter 1030 is further configured to send, after the receiver 1010 receives the request for the authentication vector, a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector and sends the special authentication vector to the receiver 1010;

The receiver 1010 is further configured to receive a UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the SGSN after the transmitter 1030 sends the special authentication vector to the SGSN; The processor 1020 is further configured to convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge, where the transmitter 1030 is further configured to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN, and the SGSN The LTE UE completes the security authentication.

In the embodiment of the present invention, the information sent by the LTE UE is converted by the access network element into information applicable to the 2G or 3G network system. After the access network element identifies the scenario in which the LTE UE accesses the 2G or 3G network, the HSS generates a special authentication vector, so that the access network element, the SGSN, and the LTE UE can complete the security authentication and the LTE UE can use the existing 2G or 3G core network.

Optionally, the completing of the security authentication by the access network element, the SGSN, and the LTE UE includes: after the LTE UE verifies the LTE AKA authentication challenge, the LTE UE generates a RES and a key K_ASME;

 The receiver 1010 is configured to receive an LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete security authentication.

 Optionally, the special authentication vector includes XRES, CK, and IK;

 Optionally, the access network element, the SGSN, and the LTE UE further complete the security authentication, including:

The processor 1020 is further configured to convert the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, and the transmitter 1030 is further configured to send the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same; when the comparison result is the same, the SGSN sends the CK and/or IK to the access network element;

The processor 1020 is further configured to generate a K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.

Optionally, the comparing, by the SGSN, whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.

 Optionally, the transmitter 1030 is further configured to: after the receiver 1010 receives the request for the authentication vector, send a request for the special authentication vector to the HSS, including:

The receiver 1010 is configured to receive the request for the authentication vector sent by the SGSN. The processor 1020 is configured to identify that the LTE UE accesses the 2G or 3G network. The processor 1020 is further configured to add indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.

Optionally, the generating, by the HSS, of the special authentication vector according to the request for the special authentication vector includes:

 The HSS generates EPS AV for the LTE UE;

 The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.

 Optionally, the HSS converts the EPS AV into a UMTS AV format, including:

The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME (256 bits) in the EPS AV into two parts, which are the CK and the IK of the UMTS AV, respectively.

Optionally, the processor 1020 is further configured to generate the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK, where "||" indicates concatenation, that is, IK is appended after CK.
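The vector conversion at the HSS, the RES/XRES comparison at the SGSN and the K_ASME = CK || IK rule at the access network element can be traced end to end in a short sketch. This is an added example, not code from the patent; the HMAC-SHA-256 function stands in for the real AKA functions and key derivation, and all function names and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample values (not from the patent).
K_DEMO = bytes.fromhex("00112233445566778899aabbccddeeff")  # long-term subscriber key
RAND_DEMO = bytes(range(16))


def prf_stand_in(k: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    """Assumption: HMAC-SHA-256 stands in for the real AKA functions and KDF."""
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:n]


@dataclass(frozen=True)
class EpsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    kasme: bytes  # 256 bits


@dataclass(frozen=True)
class UmtsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes  # 128 bits
    ik: bytes  # 128 bits


def hss_generate_eps_av(k: bytes, rand: bytes) -> EpsAv:
    """HSS: generate an EPS AV for the LTE UE (stand-in derivations)."""
    return EpsAv(
        rand=rand,
        autn=prf_stand_in(k, b"AUTN", rand, 16),
        xres=prf_stand_in(k, b"RES", rand, 8),
        kasme=prf_stand_in(k, b"KASME", rand, 32),
    )


def hss_special_av(av: EpsAv) -> UmtsAv:
    """HSS: EPS AV -> UMTS AV format. RAND, AUTN, XRES are copied; K_ASME is split."""
    if len(av.kasme) != 32:
        raise ValueError("K_ASME must be 256 bits")
    return UmtsAv(av.rand, av.autn, av.xres, ck=av.kasme[:16], ik=av.kasme[16:])


def ue_answer_challenge(k: bytes, rand: bytes, autn: bytes):
    """LTE UE: verify the LTE AKA challenge, then generate RES and its own K_ASME."""
    if not hmac.compare_digest(autn, prf_stand_in(k, b"AUTN", rand, 16)):
        return None  # the UE rejects a challenge it cannot verify
    return prf_stand_in(k, b"RES", rand, 8), prf_stand_in(k, b"KASME", rand, 32)


def sgsn_compare(av: UmtsAv, res: bytes):
    """SGSN: release CK and IK only if RES equals XRES; None means suspended."""
    if not hmac.compare_digest(res, av.xres):  # constant-time comparison
        return None
    return av.ck, av.ik


def access_ne_kasme(ck: bytes, ik: bytes) -> bytes:
    """Access network element: generation rule K_ASME = CK || IK."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must each be 128 bits")
    return ck + ik


def run_authentication(k_hss: bytes, k_ue: bytes, rand: bytes):
    """Whole exchange. Returns (K_ASME at access NE, K_ASME at UE) or None."""
    special_av = hss_special_av(hss_generate_eps_av(k_hss, rand))
    # The access network element forwards the special AV to the SGSN; the SGSN's
    # UMTS AKA challenge (RAND, AUTN) is converted into an LTE AKA challenge.
    answer = ue_answer_challenge(k_ue, special_av.rand, special_av.autn)
    if answer is None:
        return None
    res, ue_kasme = answer
    # The LTE AKA response is converted into a UMTS AKA response for the SGSN.
    keys = sgsn_compare(special_av, res)
    if keys is None:
        return None
    return access_ne_kasme(*keys), ue_kasme


if __name__ == "__main__":
    ne_kasme, ue_kasme = run_authentication(K_DEMO, K_DEMO, RAND_DEMO)
    print("shared K_ASME:", ne_kasme == ue_kasme)
```

Because CK and IK are the two halves of K_ASME, the SGSN that holds the special authentication vector also holds the whole of K_ASME.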

In the embodiment of the present invention, the message sent by the LTE UE is converted by the access network element into a message applicable to the 2G or 3G network. After the access network element identifies the scenario in which the LTE UE accesses the 2G or 3G network through the access network element, the HSS generates a special authentication vector, and the security authentication between the LTE UE and the network is completed through the access network element and the SGSN. The LTE UE does not need to be modified, so that the LTE UE can access the 2G or 3G core network through the access network element in this embodiment, complete the security authentication, and use the 2G or 3G core network resources.

Through the description of the above embodiments, it will be apparent to those skilled in the art that the present invention can be implemented in hardware, firmware, or a combination thereof. When implemented in software, the functions described above may be stored in, or transmitted as one or more instructions or code on, a computer readable medium. Computer readable media include computer storage media and communication media, where a communication medium includes any medium that facilitates the transfer of a computer program from one location to another. A storage medium may be any available medium that can be accessed by a computer. By way of example and not limitation, computer readable media may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. In addition, any connection may suitably be a computer readable medium. For example, if the software is transmitted from a website, server, or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of the medium to which they belong. As used in the present invention, disk and disc include a compact disc (CD), a laser disc, an optical disc, a digital versatile disc (DVD), a floppy disk, and a Blu-ray disc, where a disk usually reproduces data magnetically, and a disc reproduces data optically with a laser. Combinations of the above should also be included within the scope of computer readable media.

In summary, the above description is only a preferred embodiment of the technical solution of the present invention, and is not intended to limit the scope of the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and scope of the present invention are intended to be included within the scope of the present invention.

Claims

1. A security authentication method for a mobile communication system, comprising:
The home subscriber server HSS receives a request for a special authentication vector sent by the access network element, where the request for the special authentication vector is sent by the access network element after it receives the request for the authentication vector sent by the GPRS service support node SGSN;
The HSS generates a special authentication vector according to the request for the special authentication vector; the HSS sends the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
2. The method according to claim 1, wherein the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, the UMTS attach request message is obtained by the access network element converting an attach request message, and the attach request message is sent by the LTE UE.
3. The method according to claim 1 or 2, wherein the completing of the security authentication by the access network element, the SGSN, and the LTE UE includes:
The access network element sends the special authentication vector to the SGSN, the SGSN sends a UMTS AKA authentication challenge to the access network element, the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE, and the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
4. The method according to any one of claims 1 to 3, characterized in that
The special authentication vector includes XRES, CK, and IK;
The further completing the security authentication by the access network element, the SGSN, and the LTE UE includes:
The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN; the SGSN compares whether the RES and the XRES are the same; when the comparison result is the same, the SGSN sends the CK and/or IK to the access network element; the access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.
5. The method according to claim 4, wherein the comparing, by the SGSN, whether the RES and the XRES are the same further comprises: suspending the security authentication when the comparison result is different.
6. The method according to any one of claims 1 to 5, wherein the sending of the request for the special authentication vector by the access network element after receiving the request for the authentication vector sent by the SGSN comprises:
The access network element receives the request for the authentication vector that is sent by the SGSN; the access network element identifies that the LTE UE accesses the 2G or 3G network;
The access network element adds indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
7. The method according to any one of claims 1 to 6, wherein the generating, by the HSS, the special authentication vector according to the request for the special authentication vector comprises:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
8. The method according to claim 7, wherein the converting, by the HSS, the EPS AV into the UMTS AV format comprises:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, as the CK and the IK of the UMTS AV, respectively.
9. The method according to any one of claims 4 to 8, wherein the generating, by the access network element, the K_ASME according to the CK and/or IK comprises:
The access network element generates the K_ASME according to the CK and/or IK according to a generation rule K_ASME = CK || IK.
10. A security authentication method for a mobile communication system, comprising:
The SGSN receives a UMTS attach request message, where the UMTS attach request message is obtained by the access network element converting the attach request message sent by the LTE UE;
The SGSN sends a request for an authentication vector to the access network element, so that after receiving the request for the authentication vector, the access network element sends a request for a special authentication vector to the HSS, and the HSS generates the special authentication vector according to the request for the special authentication vector and then sends the special authentication vector to the access network element;
After receiving the special authentication vector from the access network element, the SGSN sends a UMTS AKA authentication challenge to the access network element, so that the SGSN, the access network element, and the LTE UE complete the security authentication.
11. The method according to claim 10, wherein the completing of the security authentication by the SGSN, the access network element, and the LTE UE comprises:
After the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and the LTE UE generates a RES and a key K_ASME, the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
12. The method according to claim 10 or 11, characterized in that
The special authentication vector includes XRES, CK, and IK;
The further completing the security authentication by the access network element, the SGSN, and the LTE UE includes:
The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN; the SGSN compares whether the RES and the XRES are the same; when the comparison result is the same, the SGSN sends the CK and/or IK to the access network element; the access network element generates a K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.
13. The method according to claim 12, wherein the comparing, by the SGSN, whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
14. The method according to any one of claims 10 to 13, wherein the sending, by the access network element after receiving the request for the authentication vector, of the request for the special authentication vector to the HSS includes:
The access network element receives the request for the authentication vector that is sent by the SGSN; the access network element identifies that the LTE UE accesses the 2G or 3G network;
The access network element adds indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
15. The method according to any one of claims 10 to 14, wherein the generating, by the HSS, the special authentication vector according to the request for the special authentication vector comprises:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
16. The method according to claim 15, wherein the converting, by the HSS, the EPS AV into a UMTS AV format comprises:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, as the CK and the IK of the UMTS AV, respectively.
17. The method according to any one of claims 12 to 16, wherein the generating, by the access network element, the K_ASME according to the CK and/or IK comprises:
The access network element generates the K_ASME according to the CK and/or IK according to a generation rule K_ASME = CK || IK.
18. A method for secure authentication of a mobile communication system, comprising:
The access network element converts the attach request message from the LTE UE into a UMTS attach request message;
The access network element sends the UMTS attach request message to the SGSN, so that the SGSN sends the request for the authentication vector to the access network element after receiving the UMTS attach request message;
After receiving the request for the authentication vector, the access network element sends a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector and sends the special authentication vector to the access network element;
The access network element receives the UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the SGSN after the access network element sends the special authentication vector to the SGSN;
The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and then sends it to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
19. The method according to claim 18, wherein the completing of the security authentication by the access network element, the SGSN, and the LTE UE comprises:
After the LTE UE verifies the LTE AKA authentication challenge, the RES and the key K_ASME are generated; the access network element receives the LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
20. The method according to claim 18 or 19, characterized in that
The special authentication vector includes XRES, CK, and IK;
The further completing the security authentication by the access network element, the SGSN, and the LTE UE includes:
The access network element converts the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, and the access network element sends the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same; when the comparison result is the same, the SGSN sends the CK and/or IK to the access network element;
The access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.
21. The method according to claim 20, wherein the comparing, by the SGSN, whether the RES and the XRES are the same further comprises: suspending the security authentication when the comparison result is different.
22. The method according to any one of claims 18 to 21, wherein the sending, by the access network element after receiving the request for the authentication vector, of the request for the special authentication vector to the HSS includes:
The access network element receives the request for the authentication vector that is sent by the SGSN; the access network element identifies that the LTE UE accesses the 2G or 3G network;
The access network element adds indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
23. The method according to any one of claims 18 to 22, wherein the generating, by the HSS, the special authentication vector according to a request for a special authentication vector comprises:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
24. The method of claim 23, wherein converting the EPS AV to the UMTS AV format by the HSS comprises:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, as the CK and the IK of the UMTS AV, respectively.
25. The method according to any one of claims 20 to 24, wherein the generating, by the access network element, the K_ASME according to the CK and/or IK comprises:
The access network element generates the K_ASME according to the CK and/or IK according to a generation rule K_ASME = CK || IK.
26. An HSS, comprising: a receiving module, a processing module, and a sending module; the receiving module is configured to receive a request for a special authentication vector sent by an access network element, where the request for the special authentication vector is sent by the access network element after it receives a request for an authentication vector sent by the SGSN;
The processing module is configured to generate a special authentication vector according to the request for the special authentication vector;
The sending module is configured to send the special authentication vector to the access network element, so that the access network element, the SGSN, and the LTE UE complete security authentication.
27. The HSS according to claim 26, wherein the request for the authentication vector is sent by the SGSN after receiving the UMTS attach request message sent by the access network element, the UMTS attach request message is obtained by the access network element converting an attach request message, and the attach request message is sent by the LTE UE.
28. The HSS according to claim 26 or 27, wherein the completing of the security authentication by the access network element, the SGSN, and the LTE UE includes:
The access network element sends the special authentication vector to the SGSN, the SGSN sends a UMTS AKA authentication challenge to the access network element, the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE, and the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete security authentication.
29. The HSS according to any one of claims 26 to 28, characterized in that
The special authentication vector includes XRES, CK, and IK;
The further completing the security authentication by the access network element, the SGSN, and the LTE UE includes:
The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN; the SGSN compares whether the RES and the XRES are the same; when the comparison result is the same, the SGSN sends the CK and/or IK to the access network element; the access network element generates a K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.
30. The HSS of claim 29, wherein the comparing, by the SGSN, whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
31. The HSS according to any one of claims 26 to 30, wherein the sending of the request for the special authentication vector by the access network element after receiving the request for the authentication vector sent by the SGSN includes:
The access network element receives the request for the authentication vector that is sent by the SGSN; the access network element identifies that the LTE UE accesses the 2G or 3G network;
The access network element adds indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
32. The HSS according to any one of claims 26 to 31, wherein the processing module being configured to generate a special authentication vector according to the request for the special authentication vector includes:
The processing module is configured to generate an EPS AV for the LTE UE;
The processing module is configured to convert the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
33. The HSS according to claim 32, wherein the processing module being configured to convert the EPS AV into a UMTS AV format includes:
The processing module is configured to use the RAND in the EPS AV as the RAND of the UMTS AV, to use the AUTN in the EPS AV as the AUTN of the UMTS AV, to use the XRES in the EPS AV as the XRES of the UMTS AV, and to split the K_ASME in the EPS AV into two parts, as the CK and the IK of the UMTS AV, respectively.
34. The HSS according to any one of claims 29 to 33, wherein the generating, by the access network element, the K_ASME according to the CK and/or IK includes:
The access network element generates the K_ASME according to the CK and/or IK according to a generation rule K_ASME = CK || IK.
35. An SGSN, comprising: a receiving module and a sending module;
The receiving module is configured to receive a UMTS attach request message sent by an access network element, where the UMTS attach request message is obtained by converting, by the access network element, an attach request message sent by the LTE UE;
The sending module is configured to send a request for the authentication vector to the access network element, so that the access network element sends a request for the special authentication vector to the HSS after receiving the request for the authentication vector, and the HSS generates the special authentication vector according to the request for the special authentication vector and then sends it to the access network element;
The receiving module is further configured to receive the special authentication vector from the access network element, and the sending module is further configured to send a UMTS AKA authentication challenge to the access network element after the receiving module receives the special authentication vector, so that the SGSN, the access network element, and the LTE UE complete security authentication.
36. The SGSN according to claim 35, wherein the completing of the security authentication by the SGSN, the access network element, and the LTE UE comprises:
After the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and the LTE UE generates a RES and a key K_ASME, the LTE UE sends an LTE AKA authentication response including the RES to the access network element, so that the access network element, the SGSN, and the LTE UE further complete the security authentication.
37. The SGSN according to claim 35 or 36, wherein the SGSN further includes a processing module;
The special authentication vector includes XRES, CK, and IK;
The further completing the security authentication by the access network element, the SGSN, and the LTE UE includes:
The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiving module; the processing module is configured to compare whether the RES and the XRES are the same; when the comparison result is the same, the sending module sends the CK and/or IK to the access network element; the access network element generates K_ASME according to the CK and/or IK sent by the sending module, and the access network element and the LTE UE share the K_ASME.
38. The SGSN according to claim 37, wherein the processing module is configured to compare whether the RES and the XRES are the same and, when the comparison result is different, suspend the security authentication.
39. The SGSN according to any one of claims 35 to 38, wherein the sending, by the access network element after receiving the request for the authentication vector, of the request for the special authentication vector to the HSS includes:
The access network element receives the request for the authentication vector sent by the SGSN; the access network element identifies that the LTE UE accesses the 2G or 3G network;
The access network element adds indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
40. The SGSN according to any one of claims 35 to 39, wherein the generating, by the HSS, the special authentication vector according to the request for the special authentication vector comprises:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
41. The SGSN according to claim 40, wherein the converting, by the HSS, the EPS AV into a UMTS AV format comprises:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, as the CK and the IK of the UMTS AV, respectively.
42. The SGSN according to any one of claims 37 to 41, wherein the generating, by the access network element, the K_ASME according to the CK and/or IK includes:
The access network element generates the K_ASME according to the CK and/or IK according to a generation rule K_ASME = CK || IK.
43. An access network element, comprising: a receiving module, a processing module, and a sending module;
The receiving module is configured to receive an attach request message from an LTE UE, and the processing module is configured to convert the attach request message into a UMTS attach request message;
The sending module is configured to send the UMTS attach request message to the SGSN, so that the SGSN sends a request for an authentication vector to the receiving module after receiving the UMTS attach request message; the sending module is further configured to, after the receiving module receives the request for the authentication vector, send a request for the special authentication vector to the HSS, so that the HSS generates the special authentication vector according to the request for the special authentication vector and sends the special authentication vector to the receiving module;
The receiving module is further configured to receive a UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the SGSN after the sending module sends the special authentication vector to the SGSN; the processing module is further configured to convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge, and the sending module is further configured to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN, and the LTE UE complete the security authentication.
44. The access network element according to claim 43, wherein the completing of the security authentication by the access network element, the SGSN, and the LTE UE comprises:
After the LTE UE verifies the LTE AKA authentication challenge, the RES and the key K_ASME are generated; the receiving module is configured to receive an LTE AKA authentication response that is sent by the LTE UE and includes the RES, so that the access network element, the SGSN, and the LTE UE further complete security authentication.
45. The access network element according to claim 43 or 44, characterized in that
The special authentication vector includes XRES, CK, and IK;
The further completing the security authentication by the access network element, the SGSN, and the LTE UE includes:
The processing module is further configured to convert the LTE AKA authentication response including the RES into a UMTS AKA authentication response including the RES, and the sending module is further configured to send the UMTS AKA authentication response including the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are the same; when the comparison result is the same, the SGSN sends the CK and/or IK to the access network element;
The processing module is further configured to generate a K_ASME according to the CK and/or IK, where the access network element and the LTE UE share the K_ASME.
46. The access network element according to claim 45, wherein the comparing, by the SGSN, whether the RES and the XRES are the same further includes: when the comparison result is different, suspending the security authentication.
The access network element according to any one of claims 43 to 46, wherein the sending module being further configured to send, after the receiving module receives the request for the authentication vector, the request for the special authentication vector to the HSS includes:
The receiving module is configured to receive the request for the authentication vector that is sent by the SGSN; the processing module is configured to identify that the LTE UE accesses the 2G or 3G network;
The processing module is further configured to add indication information to the request for the authentication vector to generate the request for the special authentication vector, where the indication information is used to instruct the HSS to generate the special authentication vector.
The access network element according to any one of claims 43 to 47, wherein the generating, by the HSS, of the special authentication vector according to the request for the special authentication vector comprises: the HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into a UMTS AV format, and the EPS AV converted to the UMTS AV format is the special authentication vector.
The access network element according to claim 48, wherein the converting, by the HSS, of the EPS AV into the UMTS AV format comprises:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, and the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV; the HSS splits the K_ASME (256 bits) in the EPS AV into two parts, used respectively as the CK and the IK of the UMTS AV.
The access network element according to any one of claims 45 to 49, wherein the processing module is further configured to generate the K_ASME according to the CK and/or IK according to the generation rule K_ASME = CK || IK.
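The following Python sketch is an added example, not part of the patent text: it walks the EPS AV to UMTS AV conversion at the HSS, the RES/XRES comparison at the SGSN, and the rebuilding of K_ASME at the access network element, as the claims above describe them. The class names, function names and sample values are constructed for illustration, and it assumes that CK is the first 128 bits of K_ASME and IK the last 128 bits, as the rule K_ASME = CK || IK implies.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class EpsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    kasme: bytes  # 256-bit K_ASME

@dataclass(frozen=True)
class UmtsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes
    ik: bytes

def eps_to_special_av(av: EpsAv) -> UmtsAv:
    """HSS side: present an EPS AV in UMTS AV format (the special vector)."""
    if len(av.kasme) != 32:
        raise ValueError("K_ASME must be 256 bits")
    # Assumption: CK = first half, IK = second half, matching K_ASME = CK || IK.
    return UmtsAv(av.rand, av.autn, av.xres, av.kasme[:16], av.kasme[16:])

def sgsn_check_res(av: UmtsAv, res: bytes):
    """SGSN side: release (CK, IK) only when RES equals XRES, else None."""
    if not hmac.compare_digest(res, av.xres):  # constant-time comparison
        return None  # authentication is suspended, no key material released
    return av.ck, av.ik

def rebuild_kasme(ck: bytes, ik: bytes) -> bytes:
    """Access network element side: K_ASME = CK || IK."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 128 bits each")
    return ck + ik

# Constructed sample vector, not real subscriber material.
SAMPLE = EpsAv(rand=bytes(range(16)), autn=bytes(range(16, 32)),
               xres=bytes.fromhex("a1b2c3d4e5f60718"),
               kasme=bytes(range(32, 64)))

def run_exchange(res: bytes):
    """Return the K_ASME the access network element ends up with, or None."""
    special = eps_to_special_av(SAMPLE)
    released = sgsn_check_res(special, res)
    return None if released is None else rebuild_kasme(*released)

if __name__ == "__main__":
    print("matching RES yields K_ASME:", run_exchange(SAMPLE.xres) == SAMPLE.kasme)
    print("wrong RES yields:", run_exchange(b"\x00" * 8))
```

Under this rule CK and IK together are the whole K_ASME, so every node that receives both parts of the special vector holds the same key that the LTE UE and the access network element share.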
PCT/CN2013/070841 2013-01-22 2013-01-22 Method and network device for security authentication of mobile communication system WO2014113921A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/070841 WO2014113921A1 (en) 2013-01-22 2013-01-22 Method and network device for security authentication of mobile communication system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201380070865.9A CN105075306B (en) 2013-01-22 2013-01-22 The method and the network equipment of the safety certification of mobile communication system
PCT/CN2013/070841 WO2014113921A1 (en) 2013-01-22 2013-01-22 Method and network device for security authentication of mobile communication system

Publications (1)

Publication Number Publication Date
WO2014113921A1 true WO2014113921A1 (en) 2014-07-31

Family

ID=51226806

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/070841 WO2014113921A1 (en) 2013-01-22 2013-01-22 Method and network device for security authentication of mobile communication system

Country Status (2)

Country Link
CN (1) CN105075306B (en)
WO (1) WO2014113921A1 (en)

Also Published As

Publication number Publication date
CN105075306A (en) 2015-11-18
CN105075306B (en) 2019-05-28

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201380070865.9

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13872854

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13872854

Country of ref document: EP

Kind code of ref document: A1