WO2015100975A1 - Method, apparatus and system for selecting an authentication algorithm - Google Patents
- Publication number: WO2015100975A1 (PCT/CN2014/080736)
- Authority: WO (WIPO, PCT)
- Prior art keywords: authentication, algorithm, user equipment, authentication algorithm, supported
- Prior art date
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE
  - H04W—WIRELESS COMMUNICATION NETWORKS; H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity; H04W12/06—Authentication
  - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
  - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Definitions
- The present invention relates to the field of communications technologies, and in particular, to a method, apparatus, and system for selecting an authentication algorithm.
Background technique
- The Proximity Service (ProSe) technology mainly establishes a secure communication channel between two user equipments (UEs) that are close to each other, so that data can be exchanged securely when the two UEs perform end-to-end data transmission.
- When two UEs establish a communication channel, they need to use a subscription network: a UE must first pass network authentication to access the network, and only then can it establish a communication channel with other UEs.
- The UE and the Home Subscriber Server (HSS) mainly use the Milenage algorithm to generate the authentication parameters and keys required for authentication.
- With the introduction of the Tuak algorithm, UEs and HSSs with different authentication capabilities have also appeared, including UEs or HSSs that support only one authentication algorithm and UEs or HSSs that support multiple authentication algorithms.
- As a result, when a UE and an HSS with different authentication capabilities authenticate the UE, it cannot be determined which authentication algorithm is to be used for authentication, or the UE can only be authenticated by using the Milenage algorithm.
- That is, the UE and the HSS cannot select the corresponding authentication algorithm for authenticating the UE according to the authentication algorithms supported by the UE or the HSS, and the UE is authenticated by using the Milenage algorithm even if the UE or the HSS supports multiple authentication algorithms.
- Therefore the authentication algorithm has a single form, the selectivity of the authentication algorithm is low, the resource utilization of the terminal (including the UE or the HSS) is low, and the user experience of UE authentication is poor.
Summary of the invention
- The embodiments of the invention provide a method, a device and a system for selecting an authentication algorithm, which can select a corresponding authentication algorithm according to the authentication algorithms supported by a user equipment and a service device, and determine identification information of the authentication algorithm according to the selected authentication algorithm.
- Thereby, the diversity of authentication algorithm selection and the utilization of terminal resources are improved, and the user experience of user equipment authentication is enhanced.
- a first aspect of the embodiments of the present invention provides a method for selecting an authentication algorithm, which may include: a service device receiving an authentication data request message sent by a control device, where the authentication data request message carries information of an authentication algorithm supported by the user equipment;
- the service device selects an authentication algorithm according to the authentication data request message and the information of the authentication algorithm supported by the service device;
- the service device determines the identification information of the authentication algorithm according to the selected authentication algorithm; the service device sends the identification information of the authentication algorithm to the control device, to be sent by the control device to the user equipment.
- the information about the authentication algorithm supported by the user equipment that is carried in the authentication data request message includes: a Tuak algorithm supported by the user equipment, and/or a Milenage algorithm supported by the user equipment;
- the service device selects an authentication algorithm according to the authentication data request message and the information of the authentication algorithm supported by the service device, including:
- the service device selects an authentication algorithm supported by both the user equipment and the service device from the authentication algorithms supported by the user equipment and the authentication algorithms supported by the service device, and sets it as the selected authentication algorithm;
- the authentication algorithms supported by the service device include: a Tuak algorithm, and/or a Milenage algorithm.
- the information about the authentication algorithm supported by the user equipment carried in the authentication data request message is empty;
- the authentication algorithm information supported by the service device includes: a Tuak algorithm supported by the service device, and/or a Milenage algorithm supported by the service device;
- the service device selects an authentication algorithm according to the authentication data request message and the information of the authentication algorithm supported by the service device, including:
- the service device selects a Milenage algorithm from its supported authentication algorithms and sets the Milenage algorithm to the selected authentication algorithm.
- the identifier information of the authentication algorithm is specifically an authentication vector for authenticating the user equipment;
- when the service device sets the Tuak algorithm as the selected authentication algorithm, the determining, by the service device, of the identification information of the authentication algorithm according to the selected authentication algorithm includes: the service device selecting, in a preset Authentication Management Field (AMF) parameter, a flag bit of the authentication algorithm for authenticating the user equipment, and setting the flag bit to a first identifier as the identification information of the Tuak algorithm;
- the service device generates an authentication vector for authenticating the user equipment according to the AMF parameter and the Tuak algorithm.
- the identifier information of the authentication algorithm is specifically an authentication vector for authenticating the user equipment;
- when the service device sets the Milenage algorithm as the selected authentication algorithm, the determining, by the service device, of the identification information of the authentication algorithm according to the selected authentication algorithm includes: the service device selecting, in a preset AMF parameter, a flag bit of the authentication algorithm for authenticating the user equipment, and setting the flag bit to a second identifier as the identifier information of the Milenage algorithm;
- the service device generates an authentication vector for authenticating the user equipment according to the AMF parameter and the Milenage algorithm.
- a second aspect of the embodiments of the present invention provides a method for selecting an authentication algorithm, which may include: sending, by a user equipment, information about an authentication algorithm supported by the user equipment to a control device;
- the user equipment determines an authentication algorithm according to the user authentication request message, and authenticates the network according to the authentication algorithm.
- the information about the authentication algorithm supported by the user equipment includes: a Tuak algorithm supported by the user equipment, and/or a Milenage algorithm supported by the user equipment.
- the determining, by the user equipment, of the authentication algorithm according to the user authentication request message includes:
- the user equipment parses the user authentication request message, and obtains identifier information of an authentication algorithm included in the user authentication request message;
- the user equipment determines an authentication algorithm according to the identification information.
- the user authentication request message includes an authentication parameter for authenticating the user equipment.
- the authentication parameter that is authenticated by the user equipment includes an AUTN parameter, and the AUTN parameter includes an AMF parameter;
- the identification information of the authentication algorithm includes: a first identifier of the flag bit of the authentication algorithm included in the AMF parameter, or a second identifier.
- the user equipment determines an authentication algorithm according to the identifier information, including:
- when the flag bit is the first identifier, the user equipment sets the Tuak algorithm it supports as the authentication algorithm;
- when the flag bit is the second identifier, the user equipment sets the Milenage algorithm it supports as the authentication algorithm.
- the information of the authentication algorithm supported by the user equipment is empty;
- the determining, by the user equipment, of the authentication algorithm according to the user authentication request message includes: the user equipment setting the Milenage algorithm supported by the user equipment as the authentication algorithm according to the user authentication request message.
- a third aspect of the embodiments of the present invention provides a method for selecting an authentication algorithm, which may include: the control device receives information of an authentication algorithm supported by the user equipment, sent by the user equipment; and the control device sends an authentication data request message to the service device, where the authentication data request message carries the information of the authentication algorithm supported by the user equipment;
- the control device receives the identification information of the authentication algorithm sent by the service device, where the identifier information of the authentication algorithm corresponds to the authentication data request message;
- the control device sends a user authentication request message to the user equipment, where the user authentication request message carries the identification information of the authentication algorithm.
- the information about the authentication algorithm supported by the user equipment includes: a Tuak algorithm supported by the user equipment, and/or a Milenage algorithm supported by the user equipment.
- the identifier information of the authentication algorithm sent by the service device includes: the identification information corresponding to the Tuak algorithm selected by the service device, and/or the identification information corresponding to the Milenage algorithm selected by the service device, or is empty.
- a fourth aspect of the embodiments of the present invention provides a service device for selecting an authentication algorithm, which may include: a receiving module, configured to receive an authentication data request message sent by a control device, where the authentication data request message carries information of the authentication algorithm supported by the user equipment;
- a selection module configured to select an authentication algorithm according to the authentication data request message received by the receiving module, and information of an authentication algorithm supported by the service device;
- a processing module configured to determine, according to the authentication algorithm selected by the selection module, identifier information of the authentication algorithm
- a sending module configured to send the identifier information of the authentication algorithm to the control device, to be sent to the user equipment by using the control device.
- the information about the authentication algorithm supported by the user equipment that is carried in the authentication data request message received by the receiving module includes: a Tuak algorithm supported by the user equipment, and/or a Milenage algorithm supported by the user equipment;
- the selection module is specifically configured to: select an authentication algorithm supported by both the user equipment and the service device from the authentication algorithms supported by the user equipment and the authentication algorithms supported by the service device, and set it as the selected authentication algorithm;
- the authentication algorithms supported by the service device include: a Tuak algorithm, and/or a Milenage algorithm.
- the information about the authentication algorithm supported by the user equipment carried in the authentication data request message received by the receiving module is empty;
- the authentication algorithm information supported by the service device includes: a Tuak algorithm supported by the service device, and/or a Milenage algorithm supported by the service device;
- the selection module is specifically configured to:
- select a Milenage algorithm from the authentication algorithms supported by the service device, and set the Milenage algorithm as the selected authentication algorithm.
- the identifier information of the authentication algorithm that is determined by the processing module is specifically an authentication vector for authenticating the user equipment;
- the processing module is specifically configured to: select, in a preset AMF parameter, a flag bit of the authentication algorithm for authenticating the user equipment, set the flag bit to the first identifier as the identification information of the Tuak algorithm, and
- generate an authentication vector for authenticating the user equipment according to the AMF parameter and the Tuak algorithm.
- the identifier information of the authentication algorithm determined by the processing module is specifically an authentication vector for authenticating the user equipment;
- the processing module is specifically configured to: select, in a preset AMF parameter, a flag bit of the authentication algorithm for authenticating the user equipment, set the flag bit to the second identifier as the identification information of the Milenage algorithm, and
- generate an authentication vector for authenticating the user equipment according to the AMF parameter and the Milenage algorithm.
- a fifth aspect of the embodiments of the present invention provides a user equipment for selecting an authentication algorithm, which may include: a sending module, configured to send, to a control device, information about an authentication algorithm supported by the user equipment; and a receiving module, configured to receive a user authentication request message sent by the control device;
- a processing module configured to determine an authentication algorithm according to the user authentication request message, and authenticate the network according to the authentication algorithm.
- the information about the authentication algorithm supported by the user equipment that is sent by the sending module includes: a Tuak algorithm supported by the user equipment, and/or a Milenage algorithm supported by the user equipment;
- the processing module is specifically configured to: parse the user authentication request message to obtain the identifier information of the authentication algorithm included in it, and
- determine an authentication algorithm according to the identification information.
- the user authentication request message received by the receiving module includes an authentication parameter for authenticating the user equipment;
- the authentication parameter for authenticating the user equipment that is received by the receiving module includes an AUTN parameter, where the AUTN parameter includes an AMF parameter;
- the identification information of the authentication algorithm includes: a first identifier of the flag bit of the authentication algorithm included in the AMF parameter, or a second identifier.
- the processing module is specifically configured to:
- when the flag bit is the first identifier, set the Tuak algorithm supported by the user equipment as the authentication algorithm;
- when the flag bit is the second identifier, set the Milenage algorithm supported by the user equipment as the authentication algorithm.
- the information about the authentication algorithm supported by the user equipment sent by the sending module is empty;
- the processing module is specifically configured to: set the Milenage algorithm supported by the user equipment as the authentication algorithm according to the user authentication request message.
- a sixth aspect of the embodiments of the present invention provides a control device for selecting an authentication algorithm, which may include: a receiving module, configured to receive, by a user equipment, information about an authentication algorithm supported by the user equipment;
- a sending module configured to send an authentication data request message to the service device, where the authentication data request message carries information of an authentication algorithm supported by the user equipment;
- the receiving module is configured to receive identifier information of an authentication algorithm sent by the service device, where the identifier information of the authentication algorithm corresponds to the authentication data request message;
- the sending module is configured to send a user authentication request message to the user equipment, where the user authentication request message carries the identifier information of the authentication algorithm.
- the information about the authentication algorithm supported by the user equipment that is received by the receiving module includes: a Tuak algorithm supported by the user equipment, and/or a Milenage algorithm supported by the user equipment, or is empty.
- the identifier information of the authentication algorithm that is received by the receiving module includes: the identification information corresponding to the Tuak algorithm selected by the service device, and/or the identification information corresponding to the Milenage algorithm selected by the service device, or is empty.
- a seventh aspect of the embodiments of the present invention provides a system for selecting an authentication algorithm, which may include: the service device provided by the fourth aspect of the embodiments of the present invention, the user equipment provided by the fifth aspect, and the control device provided by the sixth aspect.
- In the embodiments of the present invention, the authentication algorithms supported by the user equipment and the service device are used to select a corresponding authentication algorithm and to generate information such as the authentication vector required for authentication, thereby improving the diversity of authentication algorithm selection and the utilization of terminal resources, and enhancing the user experience of user equipment authentication.
- FIG. 1 is a schematic flowchart of a first embodiment of a method for selecting an authentication algorithm according to an embodiment of the present invention;
- FIG. 2 is a first interaction diagram of a method for selecting an authentication algorithm according to an embodiment of the present invention;
- FIG. 3 is a second interaction diagram of a method for selecting an authentication algorithm according to an embodiment of the present invention;
- FIG. 5 is a schematic flowchart of a second embodiment of a method for selecting an authentication algorithm according to an embodiment of the present invention;
- FIG. 6 is a schematic flowchart of a third embodiment of a method for selecting an authentication algorithm according to an embodiment of the present invention;
- FIG. 7 is a fourth interaction diagram of a method for selecting an authentication algorithm according to an embodiment of the present invention;
- FIG. 8 is a fifth interaction diagram of a method for selecting an authentication algorithm according to an embodiment of the present invention;
- FIG. 9 is a sixth interaction diagram of a method for selecting an authentication algorithm according to an embodiment of the present invention;
- FIG. 11 is a schematic structural diagram of an embodiment of a user equipment for selecting an authentication algorithm according to an embodiment of the present invention;
- FIG. 12 is a schematic structural diagram of an embodiment of a control device for selecting an authentication algorithm according to an embodiment of the present invention;
- FIG. 13 is a schematic structural diagram of an embodiment of a system for selecting an authentication algorithm according to an embodiment of the present invention.
Detailed description
- The service device described in the embodiments of the present invention may include a Home Location Register (HLR) in a 3G communication system, or a Home Subscriber Server (HSS) in a 4G communication system.
- Below, the method, device and system for selecting an authentication algorithm described in the embodiments of the present invention are specifically described by taking the HSS as an example.
- The user equipment described in the embodiments of the present invention may include a mobile subscriber (MS) in a 3G communication system, or a UE in a 4G communication system. The following description of the method, device and system for selecting an authentication algorithm in the embodiments of the present invention takes the UE as an example.
- The control device described in the embodiments of the present invention may include a Visitor Location Register (VLR) and a Serving GPRS Support Node (SGSN) in a 3G communication system, or a Mobility Management Entity (MME) in a 4G communication system.
- The method, apparatus, and system for selecting an authentication algorithm described in the embodiments of the present invention are specifically described below by taking the MME as an example.
- FIG. 1 is a schematic flowchart diagram of a first embodiment of a method for selecting an authentication algorithm according to an embodiment of the present invention.
- The method for selecting an authentication algorithm described in this embodiment includes the following steps:
- S101. The service device receives an authentication data request message sent by the control device.
- the service device selects an authentication algorithm according to the authentication data request message and information of an authentication algorithm supported by the service device.
- The authentication data request message received by the HSS from the MME carries the information of the authentication algorithm supported by the user equipment, where the information of the authentication algorithm supported by the user equipment may include: a Tuak algorithm supported by the UE, or a Milenage algorithm supported by the UE, and the like.
- When the authentication data request message received by the HSS from the MME includes the information of the authentication algorithm supported by the UE, and the HSS supports authentication algorithm selection (that is, the HSS can support both the Tuak algorithm and the Milenage algorithm), the HSS may select, according to the information of the authentication algorithm supported by the UE included in the foregoing authentication data request message and the authentication algorithm supported by the HSS, an authentication algorithm supported by both the UE and the HSS, and set the selected authentication algorithm as the authentication algorithm for UE authentication.
- That is, the HSS selects, from the authentication algorithms supported by the UE, an authentication algorithm that the HSS also supports, as the authentication algorithm for UE authentication.
- For example, when the HSS supports the Tuak algorithm, the HSS can select the Tuak algorithm from the authentication algorithms supported by the UE as the authentication algorithm for UE authentication; when the HSS supports the Milenage algorithm, the HSS can select the Milenage algorithm from the authentication algorithms supported by the UE as the authentication algorithm for UE authentication; when the HSS supports both the Tuak algorithm and the Milenage algorithm, the HSS can select any one of the authentication algorithms supported by the UE as the authentication algorithm for UE authentication.
- When the HSS does not support authentication algorithm selection (that is, the HSS only supports the Milenage algorithm), even if the authentication data request message that the HSS receives from the MME includes the information of the authentication algorithm supported by the UE (for example, that the UE supports the Tuak algorithm and the Milenage algorithm), the HSS selects the default authentication algorithm as the authentication algorithm for UE authentication, that is, the HSS defaults to the Milenage algorithm and sets the Milenage algorithm as the authentication algorithm for UE authentication, as shown in FIG.
- Alternatively, as shown in FIG. 4, if the HSS supports authentication algorithm selection (that is, the HSS can support both the Tuak algorithm and the Milenage algorithm) but the information of the authentication algorithm supported by the UE carried in the authentication data request message received from the MME is empty, the HSS selects a default authentication algorithm, that is, the HSS selects the Milenage algorithm as the authentication algorithm for UE authentication.
- the service device determines identification information of the authentication algorithm according to the selected authentication algorithm.
- The identifier of the selected authentication algorithm may be set in a preset Authentication Management Field (AMF) parameter of the service device.
- Specifically, the identifier information of the selected authentication algorithm may be set in the preset AMF parameter, and an authentication vector for UE authentication is calculated according to the AMF parameter and the selected authentication algorithm, where the authentication vector calculated by the HSS according to the selected authentication algorithm includes the authentication parameters AUTN, MAC and XRES, and the keys CK, IK, etc. for UE authentication.
- When the HSS selects the Tuak algorithm as the authentication algorithm for UE authentication, the HSS may select the Xth bit of the preset AMF parameter as the flag bit for UE authentication, and then set the Xth bit of the AMF parameter to 1 (that is, the first identifier), used as the identification information of the Tuak algorithm for UE authentication; when the HSS selects the Milenage algorithm as the authentication algorithm for UE authentication, the HSS may likewise select the Xth bit of the preset AMF parameter and set the Xth bit of the AMF parameter to 0 (that is, the second identifier), used as the identification information of the authentication algorithm for UE authentication. The Xth bit of the AMF parameter can be any one of the 8 bits that are free in the AMF parameter, that is, 1 ≤ X ≤ 7.
- When the HSS does not support authentication algorithm selection, after the HSS selects the authentication algorithm for UE authentication, the HSS does not set the identification information of the authentication algorithm for UE authentication in the preset AMF parameter; the HSS may calculate an authentication vector for UE authentication according to the preset AMF parameter and the selected authentication algorithm. As shown in FIG. 3, since the HSS does not support authentication algorithm selection, the identification information of the authentication algorithm for UE authentication cannot be set in the AMF parameter.
- The HSS may calculate the authentication vector for UE authentication according to the preset AMF parameter and the above-mentioned Milenage algorithm, where the Xth bit of the AMF parameter in the above authentication vector keeps its default value 0, and this default value of the Xth bit of the AMF is used as the identification information of the Milenage algorithm for UE authentication.
- the service device sends the identifier information of the authentication algorithm to the control device.
- Specifically, the HSS may send the identification information of the foregoing authentication algorithm (specifically, the authentication vector for UE authentication) to the MME.
- The HSS may send the foregoing authentication vector to the MME by using an authentication data response message, where the authentication vector message sent to the MME includes the identification information of the authentication algorithm for UE authentication. As shown in FIG. 2 or FIG.
- When the HSS selects the Tuak algorithm or the Milenage algorithm as the authentication algorithm for UE authentication according to the authentication data request message sent by the MME, and sets the identification information of the selected algorithm in the Xth bit of the preset AMF parameter,
- the authentication vector for UE authentication may be determined according to the AMF parameter and the selected authentication algorithm, and then an authentication vector message including the information of the Xth bit of the AMF parameter is sent to the MME; after receiving the authentication vector message, the MME may save it and send the authentication parameter information for UE authentication in the authentication vector message to the UE.
- As shown in FIG., when the HSS selects the Milenage algorithm as the authentication algorithm for UE authentication, determines the authentication vector for UE authentication according to the Milenage algorithm, and then sends the authentication vector to the MME,
- the identifier information of the authentication algorithm for UE authentication included in the foregoing authentication vector message is the identifier information set by default in the preset AMF parameter, that is, the Xth bit of the AMF parameter in the above authentication vector is set to 0 by default, and the HSS may send an authentication vector including the information of the Xth bit of the AMF parameter to the MME.
- After receiving the authentication vector message, the MME may save it and send the authentication parameter information in the authentication vector message to the UE.
- the HSS when the HSS supports the authentication algorithm selection, the HSS may select the UE and the HSS according to the information of the authentication algorithm supported by the UE carried in the authentication data request message sent by the MME, and the information of the authentication algorithm supported by the HSS.
- the supported authentication algorithm is used as an authentication algorithm for the UE authentication (including the Tuak algorithm or the Milenage algorithm), and sets the value of the Xth bit (including 0 and 1) of the AMF parameter according to the above selected authentication algorithm for UE authentication, and further Determining an authentication vector for UE authentication according to the AMF and the selected authentication algorithm, and including the selected UE authentication
- the authentication vector of the identification information of the authentication algorithm is sent to the MME.
- the HSS selects the Milenage algorithm as the authentication algorithm for UE authentication by default after receiving the authentication data request message sent by the MME, and determines the authentication vector for the UE authentication according to the preset AMF parameter and the above-mentioned Milenage algorithm. And transmitting the above-mentioned UE-authenticated authentication vector to the MME.
- the HSS may select an authentication algorithm supported by both the UE and the HSS as the authentication algorithm for UE authentication according to the authentication algorithms supported by the UE and the authentication algorithms supported by the HSS, determine the identification information of the authentication algorithm and the authentication vector for UE authentication according to the selected authentication algorithm, and thereby notify the UE of the authentication algorithm used for authentication through the identification information of the authentication algorithm, which improves the diversity of the selection of the authentication algorithm for UE authentication and the resource utilization of the UE and the HSS, and enhances the user experience of UE authentication.
- FIG. 5 is a schematic flowchart of a second embodiment of a method for selecting an authentication algorithm according to an embodiment of the present invention.
- the method for selecting an authentication algorithm described in this embodiment includes the following steps:
- the user equipment sends, to the control device, information about an authentication algorithm supported by the user equipment.
- the UE may send a request message to the MME, and send the information of the authentication algorithm supported by the UE to the MME by using the foregoing request message; or
- the MME may send a request message to the UE, requesting the UE to send the information of the authentication algorithm supported by the UE to the MME, and after receiving the request sent by the MME, the UE may send a response message to the MME and send the information of the authentication algorithm supported by the UE to the MME by using the foregoing response message.
- the embodiment of the present invention does not specifically limit the manner in which the information of the authentication algorithm supported by the UE is sent to the MME; sending that information to the MME by using the request message or the response message is only an example.
- the embodiment of the present invention will be specifically described by taking, as an example, the sending of the information of the authentication algorithm supported by the UE to the MME by using a request message.
- the request message sent by the UE to the MME may be an Attach request, a Tracking Area Update (TAU) request, a registration request, or the like, and the embodiment of the present invention does not limit the type of the request message.
- the UE may add the information of the authentication algorithm supported by the UE to the request message sent to the MME.
- when the UE supports authentication algorithm selection (that is, the UE supports both the Tuak algorithm and the Milenage algorithm), the UE may carry the information of the authentication algorithms supported by the UE (the Tuak algorithm or the Milenage algorithm) in the request message sent to the MME; as shown in FIG. 2 or FIG. 3, the request message sent by the UE to the MME carries the information of the Tuak algorithm or the Milenage algorithm supported by the UE.
- when the UE does not support authentication algorithm selection (that is, the UE only supports the Milenage algorithm), the UE does not send the information of the authentication algorithm supported by the UE to the MME when sending the request message, that is, the information of the authentication algorithm supported by the UE carried in the request message sent by the UE to the MME is empty.
- the user equipment receives a user authentication request message sent by the control device.
- the user equipment determines an authentication algorithm according to the user authentication request message, and performs authentication on the network according to the authentication algorithm.
- the MME may send an authentication data request message to the HSS according to the request message sent by the UE; the HSS receives the authentication data request message sent by the MME, selects an authentication algorithm for UE authentication according to the foregoing authentication data request message, sets the identification information of the authentication algorithm according to the selected authentication algorithm so as to determine an authentication vector for UE authentication, and then sends the authentication vector including the identification information of the foregoing authentication algorithm to the MME.
- the MME may save the foregoing identification information of the authentication algorithm for UE authentication (specifically, the authentication vector for UE authentication), and send a user authentication request message to the UE, so that the identification information of the authentication algorithm for UE authentication is sent to the UE.
- the UE may determine, according to the user authentication request message, the authentication algorithm used by the network to authenticate the UE, then determine its own authentication algorithm for authenticating the network according to that algorithm (that is, the UE's authentication algorithm for network authentication), and authenticate the network according to the authentication algorithm for network authentication determined above.
- the user authentication request message sent by the MME to the UE includes the authentication parameters for UE authentication, that is, the parameters included in the authentication vector for UE authentication set by the HSS according to the request message sent by the UE, including the AUTN, the RAND parameter, and the like.
- when the UE supports authentication algorithm selection, after the UE adds the information of the authentication algorithms it supports to the request message and sends it to the MME, the UE may, on receiving the user authentication request message from the MME, parse the user authentication request message and obtain the identification information of the authentication algorithm used by the network for authentication from the authentication parameters included in the user authentication request message.
- when the HSS supports authentication algorithm selection and the authentication data request message received by the HSS from the MME carries the information of the authentication algorithms supported by the UE, the HSS may determine the authentication algorithm for UE authentication according to the authentication algorithms supported by the UE and the authentication algorithms supported by the HSS, and calculate the authentication vector for UE authentication according to the AMF parameter carrying the identification information of the selected authentication algorithm.
- the MME may send the authentication parameter for UE authentication in the above authentication vector to the UE.
- the UE may parse the authentication parameters included in the user authentication request message, and obtain from them the identification information of the authentication algorithm used by the network to authenticate the UE, where that identification information includes: a first identifier (for example, 1) or a second identifier (for example, 0) of the flag bit of the authentication algorithm for UE authentication in the AMF parameter (that is, the Xth bit in the AMF parameter).
- the UE may analyze the Xth bit of the AMF parameter in the user authentication request message, obtain the identification information of the authentication algorithm (0 or 1) from the Xth bit of the AMF parameter, determine the authentication algorithm used by the network to authenticate the UE according to the obtained identification information, and then determine its own authentication algorithm for authenticating the network (which is consistent with the authentication algorithm used by the network to authenticate the UE).
- when the value of the Xth bit of the AMF obtained by the UE from the AMF parameter is 1 (that is, the first identifier), the UE may determine that the authentication algorithm used by the network to authenticate it is the Tuak algorithm; after determining the network's authentication algorithm, the UE determines that its own authentication algorithm for authenticating the network is also the Tuak algorithm, and then authenticates the network according to the Tuak algorithm. When the value of the Xth bit of the AMF obtained by the UE from the AMF parameter is 0 (that is, the second identifier), the UE may determine that the authentication algorithm used by the network to authenticate it is the Milenage algorithm; after determining the network's authentication algorithm, the UE determines that its own authentication algorithm for authenticating the network is the Milenage algorithm, and then authenticates the network according to the Milenage algorithm.
- when the UE does not support authentication algorithm selection, the information of the authentication algorithm supported by the UE carried in the request message sent by the UE to the MME is empty, and the information of the authentication algorithm supported by the UE carried in the authentication data request message received by the HSS from the MME is also empty.
- the HSS selects the default authentication algorithm (the Milenage algorithm), and the identification information of the authentication algorithm for UE authentication included in the authentication vector determined by the HSS according to the selected authentication algorithm is the second identifier (0) of the Xth bit of the AMF parameter, as shown in FIG. 4.
- after receiving the user authentication request sent by the MME, the UE authenticates the network according to the default authentication algorithm (that is, the Milenage algorithm); that is, the authentication algorithm used by the network to authenticate the UE and the authentication algorithm used by the UE to authenticate the network are both the Milenage algorithm.
- the UE may send the information about its authentication of the network to the MME by using the user authentication response message, so that the network completes the authentication of the UE through the MME and allows the UE to access the network.
- after receiving the information included in the request message sent by the UE, the HSS determines, according to that information, the authentication algorithm for UE authentication and the identifier of that authentication algorithm, and sends the identification information of the authentication algorithm and the like to the UE by using the MME.
- when the UE supports authentication algorithm selection, the UE may send the authentication algorithms supported by the UE to the MME through the request message, obtain the information of the authentication algorithm used by the network for authentication according to the user authentication request sent by the MME, set the network's authentication algorithm as its own authentication algorithm for network authentication, and authenticate the network according to that authentication algorithm.
- when the UE sends a request message to the MME and the network, after receiving the request message, selects the default Milenage algorithm as the authentication algorithm for UE authentication, the UE may likewise set the default Milenage algorithm as its authentication algorithm for network authentication, so that the authentication algorithms are unified; the UE is then authenticated through the MME and allowed to access the network.
- the embodiment of the invention improves the diversity of the authentication algorithm selected by the UE and the resource utilization of the terminal, and enhances the user experience of the UE authentication.
- FIG. 6 is a schematic flowchart diagram of a third embodiment of a method for selecting an authentication algorithm according to an embodiment of the present invention.
- the method for selecting an authentication algorithm described in this embodiment includes the following steps:
- S301 The control device receives information about an authentication algorithm supported by the user equipment sent by the user equipment.
- S302 The control device sends an authentication data request message to the service device.
- S303 The control device receives the identifier information of the authentication algorithm sent by the service device.
- S304 The control device sends a user authentication request message to the user equipment.
- when the UE needs to send the information of the authentication algorithm supported by the UE to the MME, the UE may send a request message to the MME and send the information of the authentication algorithm supported by the UE to the MME by using the foregoing request message; or
- the MME may send a request message to the UE, requesting the UE to send the information of the authentication algorithm supported by the UE to the MME, and after receiving the request sent by the MME, the UE may send a response message to the MME and send the information of the authentication algorithm supported by the UE to the MME by using the foregoing response message.
- the embodiment of the present invention does not specifically limit the manner in which the information of the authentication algorithm supported by the UE is sent to the MME; sending that information to the MME by using the request message or the response message is only an example, and is not exhaustive.
- the embodiment of the present invention will be specifically described by taking, as an example, the sending of the information of the authentication algorithm supported by the UE to the MME by using the request message.
- the information about the authentication algorithm supported by the UE includes: a Tuak algorithm supported by the UE, or a Milenage algorithm supported by the UE, or is null.
- when the UE supports authentication algorithm selection (that is, the UE supports the Tuak algorithm and the Milenage algorithm), the information of the authentication algorithms supported by the UE may be sent to the MME through the foregoing request message when the UE sends the request message to the MME; when the UE does not support authentication algorithm selection (that is, the UE only supports the Milenage algorithm), the information of the authentication algorithm supported by the UE carried in the request message sent by the UE to the MME is empty. After receiving the request message sent by the UE, the MME may send an authentication data request message to the HSS according to the request message.
- when the UE supports authentication algorithm selection (that is, the UE supports the Tuak algorithm and the Milenage algorithm), the MME may send the information of the authentication algorithms supported by the UE to the HSS through the foregoing authentication data request message; when the information of the authentication algorithm supported by the UE carried in the request message is empty, the information of the authentication algorithm supported by the UE carried in the authentication data request message sent by the MME to the HSS is also empty.
- the HSS may determine an authentication algorithm for UE authentication according to the foregoing authentication data request message, and calculate the identification information of the authentication algorithm for UE authentication (specifically, the authentication vector for UE authentication) according to the determined authentication algorithm.
- the HSS may send the authentication vector to the MME by using the authentication data response message.
- the MME may save the authentication vector included in the authentication data response message, then send a user authentication request message to the UE, and send the authentication parameters for UE authentication included in the authentication vector to the UE, as shown in FIG. 2, FIG. 3 or FIG. 4.
- the UE may obtain information such as the authentication parameters used by the network to authenticate the UE, and then determine the authentication algorithm for network authentication according to the foregoing authentication parameters.
- for the manner in which the HSS determines the authentication algorithm and the authentication vector for UE authentication according to the authentication data request message sent by the MME and transmits the information such as the authentication vector to the MME by using the authentication data response message, reference may be made to the first embodiment of the method for selecting an authentication algorithm provided by the embodiment of the present invention, and details are not described herein again.
- for the manner in which the UE sends a request message to the MME and determines the authentication algorithm for authenticating the network according to the user authentication request sent by the MME, reference may be made to the second embodiment of the method for selecting an authentication algorithm provided by the embodiment of the present invention, and details are not described herein again.
- when the MME supports saving and forwarding the information of the authentication algorithms supported by the UE: if the request message sent by the UE to the MME carries the information of the authentication algorithms supported by the UE (that is, the UE supports the Tuak algorithm and the Milenage algorithm), after receiving the request message sent by the UE, the MME may save the information of the authentication algorithms supported by the UE and send it to the HSS through the authentication data request message, as shown in FIG. 2 or FIG. 3; if the information of the authentication algorithm supported by the UE carried in the request message sent to the MME is empty, the MME may send an authentication data request message to the HSS in which the information of the authentication algorithm supported by the UE is empty, as shown in FIG. 4.
- when the MME does not support saving and forwarding the information of the authentication algorithms supported by the UE: if the request message sent by the UE to the MME carries the information of the authentication algorithms supported by the UE (that is, the UE supports the Tuak algorithm and the Milenage algorithm), the MME cannot save that information after receiving the request message sent by the UE, and when the MME sends the authentication data request message to the HSS, the information of the authentication algorithm supported by the UE carried in the authentication data request message is empty, as shown in FIG.; if the information of the authentication algorithm supported by the UE carried in the request message is empty, the MME may send an authentication data request message to the HSS after receiving the request message sent by the UE, where the information of the authentication algorithm supported by the UE carried in the authentication data request message is empty, as shown in FIG. 9.
- the MME may also obtain the user authentication response message from the UE, complete the authentication of the UE according to the saved authentication vector for UE authentication sent by the HSS, and further allow the UE to access the network.
- the MME may receive the information of the authentication algorithms supported by the UE, send an authentication data request message to the HSS according to that information, obtain from the HSS the identification information of the authentication algorithm for UE authentication determined according to the foregoing authentication data request message (specifically, the authentication vector for UE authentication), and send a user authentication request to the UE, so that the identification information of the authentication algorithm determined by the HSS is sent to the UE.
- the MME may also obtain the user authentication response message from the UE, and complete the authentication of the UE's access to the network by combining information such as the authentication vector for UE authentication sent by the HSS, thereby allowing the UE to access the network. The MME may also send the authentication data request message to the HSS according to its own configuration (that is, whether it supports saving and forwarding the information of the authentication algorithms supported by the UE), which enriches the diversity of the authentication algorithms for UE authentication, improves the terminal utilization rate of UE authentication, and enhances the user experience of UE authentication.
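The three embodiments above describe one exchange from three vantage points: the HSS selects an algorithm both it and the UE support and flags it in the Xth bit of the AMF (first embodiment), the UE reads that bit back out of the AUTN to pick the same algorithm before authenticating the network (second embodiment), and the MME either forwards the UE's list to the HSS or, if it cannot save it, forwards an empty list (third embodiment). The following Python model of that flow is an added example, not code from the patent or from any 3GPP implementation. It assumes a big-endian 16-bit AMF with bit X counted from the least-significant bit and X = 1 (the page only says 1 ≤ X ≤ 7), stands in HMAC-SHA256 for the Tuak and Milenage f1/f2 functions, models AUTN as SQN || AMF || MAC without the AK concealment of real AKA, assumes the HSS prefers Tuak when both are available, and uses a constructed key K and sequence number. The names `run_flow`, `flipped_flag_is_detected` and the other functions are this example's own.

```python
import hashlib
import hmac
import os

# Assumptions of this toy model, not taken from the patent: the 16-bit AMF is handled
# as a big-endian integer, bit X is counted from the least-significant bit, and X = 1
# is the free bit chosen as the algorithm flag (the page only says 1 <= X <= 7).
X_BIT = 1
TUAK, MILENAGE = "Tuak", "Milenage"
ALL_ALGS = (TUAK, MILENAGE)  # order also expresses the (assumed) HSS preference

def f1_mac(alg, k, rand, sqn, amf):
    """Stand-in for the AKA f1 function MAC-A = f1(K, RAND, SQN, AMF). The real Tuak and
    Milenage f1 are not implemented; HMAC-SHA256 keyed with K and domain-separated by the
    algorithm name plays their role, so a MAC under one algorithm never verifies under the other."""
    return hmac.new(k, alg.encode() + rand + sqn + amf, hashlib.sha256).digest()[:8]

def f2_res(alg, k, rand):
    """Stand-in for the AKA f2 function (RES on the UE, XRES on the HSS)."""
    return hmac.new(k, b"f2" + alg.encode() + rand, hashlib.sha256).digest()[:8]

def set_amf_flag(amf, alg):
    """HSS: write the identifier into bit X of AMF (1 = Tuak, 0 = Milenage)."""
    value, mask = int.from_bytes(amf, "big"), 1 << X_BIT
    value = value | mask if alg == TUAK else value & ~mask
    return value.to_bytes(2, "big")

def read_amf_flag(amf):
    """UE: recover the algorithm identifier from bit X of AMF."""
    return TUAK if (int.from_bytes(amf, "big") >> X_BIT) & 1 else MILENAGE

def ue_supported_algorithms(ue_supports_selection):
    """A UE that supports selection advertises both algorithms; otherwise the field is empty."""
    return ALL_ALGS if ue_supports_selection else ()

def mme_forward(ue_algs, mme_supports_forwarding):
    """MME: the UE's list reaches the HSS only if the MME can save and forward it."""
    return tuple(ue_algs) if mme_supports_forwarding else ()

def hss_select(ue_algs, hss_algs, hss_supports_selection):
    """HSS: an algorithm both sides support, otherwise the default Milenage."""
    if hss_supports_selection and ue_algs:
        for alg in ALL_ALGS:
            if alg in ue_algs and alg in hss_algs:
                return alg
    return MILENAGE

def hss_authentication_vector(k, sqn, ue_algs, hss_algs, hss_supports_selection,
                              preset_amf=b"\x00\x00"):
    """HSS: build a simplified authentication vector whose AMF carries the flag.
    AUTN is modelled as SQN || AMF || MAC (real AKA conceals SQN with AK; omitted here).
    An HSS without selection support leaves the preset AMF untouched, so bit X stays 0."""
    alg = hss_select(ue_algs, hss_algs, hss_supports_selection)
    amf = set_amf_flag(preset_amf, alg) if hss_supports_selection else preset_amf
    rand = os.urandom(16)
    autn = sqn + amf + f1_mac(alg, k, rand, sqn, amf)
    return {"alg": alg, "RAND": rand, "AUTN": autn, "XRES": f2_res(alg, k, rand)}

def ue_authenticate_network(k, rand, autn, ue_supports_selection):
    """UE: read bit X, verify the MAC under that algorithm; returns (algorithm, mac_ok, RES).
    A UE without selection support ignores the bit and always uses Milenage."""
    sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    alg = read_amf_flag(amf) if ue_supports_selection else MILENAGE
    mac_ok = hmac.compare_digest(mac, f1_mac(alg, k, rand, sqn, amf))
    return alg, mac_ok, f2_res(alg, k, rand)

def run_flow(ue_supports_selection, mme_supports_forwarding, hss_supports_selection,
             hss_algs=ALL_ALGS):
    """UE -> MME -> HSS -> MME -> UE; returns (network_alg, ue_alg, mac_ok, res_matches_xres)."""
    k = b"\x11" * 16                    # constructed long-term key K shared by UE and HSS
    sqn = b"\x00\x00\x00\x00\x00\x01"   # constructed sequence number
    ue_algs = ue_supported_algorithms(ue_supports_selection)
    av = hss_authentication_vector(k, sqn, mme_forward(ue_algs, mme_supports_forwarding),
                                   hss_algs, hss_supports_selection)
    ue_alg, mac_ok, res = ue_authenticate_network(k, av["RAND"], av["AUTN"],
                                                  ue_supports_selection)
    return av["alg"], ue_alg, mac_ok, hmac.compare_digest(res, av["XRES"])

def flipped_flag_is_detected():
    """Clearing bit X in transit (Tuak -> Milenage) is caught because AMF is a MAC input."""
    k, sqn = b"\x11" * 16, b"\x00\x00\x00\x00\x00\x02"
    av = hss_authentication_vector(k, sqn, ALL_ALGS, ALL_ALGS, True)
    autn = bytearray(av["AUTN"])
    autn[6:8] = set_amf_flag(bytes(autn[6:8]), MILENAGE)
    alg, mac_ok, _ = ue_authenticate_network(k, av["RAND"], bytes(autn), True)
    return alg == MILENAGE and not mac_ok
```

`run_flow(True, True, True)` is the only combination that ends in Tuak on both sides; if the UE advertises nothing, the MME cannot forward the list, or the HSS lacks selection support (or supports only Milenage), every path degrades to the default Milenage with bit X at 0, which is the fallback behaviour the three embodiments describe. `flipped_flag_is_detected` shows the property a defender cares about: since AMF is an input to f1 (as in 3GPP AKA), an altered flag bit makes the UE's MAC check fail, so the existing MAC already protects the selection signalling against modification on the path from the HSS to the UE, and a run of MAC failures paired with a cleared bit X is the symptom to look for.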
- FIG. 10 is a schematic structural diagram of an embodiment of a service device for selecting an authentication algorithm according to an embodiment of the present invention.
- the service device described in this embodiment includes:
- the receiving module 10 is configured to receive an authentication data request message sent by the control device, where the authentication data request message carries information of an authentication algorithm supported by the user equipment.
- the selecting module 20 is configured to select an authentication algorithm according to the authentication data request message received by the receiving module and the information of the authentication algorithm supported by the service device.
- the processing module 30 is configured to determine identification information of the authentication algorithm according to the authentication algorithm selected by the selection module.
- the sending module 40 is configured to send the identifier information of the authentication algorithm to the control device, to be sent to the user equipment by using the control device.
- the information of the authentication algorithm supported by the user equipment carried in the authentication data request message received by the receiving module 10 includes: a Tuak algorithm supported by the user equipment, and/or a Milenage algorithm supported by the user equipment;
- the selection module 20 is specifically configured to:
- the authentication algorithms supported by the service device include: a Tuak algorithm, and/or a Milenage algorithm.
- the information about the authentication algorithm supported by the user equipment carried in the authentication data request message received by the receiving module 10 is empty;
- the authentication algorithm information supported by the service device includes: a Tuak algorithm supported by the service device, and/or a Milenage algorithm supported by the service device;
- the selection module 20 is specifically configured to:
- the service device selects a Milenage algorithm from its supported authentication algorithms and sets the Milenage algorithm to the selected authentication algorithm.
- when the information of the authentication algorithm supported by the user equipment is included in the authentication data request message received by the receiving module 10 of the HSS, where that information may include: a Tuak algorithm supported by the UE, or a Milenage algorithm supported by the UE, the selection module 20 may select an authentication algorithm supported by the HSS (that is, an authentication algorithm supported by both the UE and the HSS) according to the information of the authentication algorithm supported by the UE included in the authentication data request message, and set the selected authentication algorithm as the authentication algorithm for UE authentication, for example, as shown in FIG.
- the selection module 20 may select, according to the authentication algorithms supported by the HSS, an authentication algorithm supported by the HSS as the authentication algorithm for UE authentication. For example, when the HSS supports the Tuak algorithm, the selection module 20 may select the Tuak algorithm from the authentication algorithms supported by the UE as the authentication algorithm for UE authentication; when the HSS supports the Milenage algorithm, the selection module 20 may select the Milenage algorithm from the authentication algorithms supported by the UE as the authentication algorithm for UE authentication; when the HSS supports both the Tuak algorithm and the Milenage algorithm, the selection module 20 may select either of the authentication algorithms supported by the UE as the authentication algorithm for UE authentication.
- when the HSS does not support authentication algorithm selection (that is, the HSS only supports the Milenage algorithm), and the authentication data request message received by the receiving module 10 from the MME includes the information of the authentication algorithm supported by the UE, the selection module 20 selects the default authentication algorithm as the authentication algorithm for UE authentication, that is, the selection module 20 selects the Milenage algorithm by default and sets the above-mentioned Milenage algorithm as the authentication algorithm for UE authentication, as shown in FIG. 3.
- when the information of the authentication algorithm supported by the UE carried in the authentication data request message received by the receiving module 10 from the MME is empty, that is, the authentication data request message does not include the information of the authentication algorithm supported by the UE, the selection module 20 selects the Milenage algorithm and sets the above-described Milenage algorithm as the authentication algorithm for UE authentication; that is, as shown in FIG., the selection module 20 selects the default authentication algorithm, namely the Milenage algorithm, as the authentication algorithm for UE authentication.
- for the specific process in which the receiving module and the selection module of the HSS determine the authentication algorithm for UE authentication according to the received authentication data request message sent by the MME, reference may be made to steps S101-S102 of the first embodiment of the method for selecting an authentication algorithm provided by the embodiment of the present invention, and details are not described herein again.
- the identifier information of the authentication algorithm determined by the processing module 30 is specifically an authentication vector that is authenticated by the user equipment.
- the processing module 30 is specifically configured to:
- An authentication vector for authenticating the user equipment is generated according to the AMF parameter and the Tuak algorithm.
- the identifier information of the authentication algorithm determined by the processing module 30 is specifically an authentication vector that is authenticated by the user equipment.
- the processing module 30 is specifically configured to:
- An authentication vector for authenticating the user equipment is generated according to the AMF parameter and the Milenage algorithm.
- the processing module 30 may set the identification information of the selected authentication algorithm in the preset AMF parameter.
- the authentication vector calculated by the processing module 30 according to the authentication algorithm selected by the selection module 20 includes the authentication parameters AUTN, MAC, XRES and the keys CK and the like for UE authentication. For example, when the selection module 20 of the HSS selects the Tuak algorithm as the authentication algorithm for UE authentication, the processing module 30 of the HSS may select the Xth bit in the preset AMF parameter as the flag bit for UE authentication, and then set the Xth bit of the AMF parameter to 1 (that is, the first identifier) for use as the identification information of the Tuak algorithm for UE authentication; when the selection module 20 of the HSS selects the Milenage algorithm as the authentication algorithm for UE authentication, the processing module 30 of the HSS may select the Xth bit in the preset AMF parameter as the flag bit for UE authentication, and then set the Xth bit of the AMF parameter to 0 (that is, the second identifier) as the identification information of the Milenage algorithm, where the Xth bit of the above AMF parameter may be any one of the 8 free bits in the AMF parameter, that is, 1 ≤ X ≤ 7.
- when the processing module 30 of the HSS does not set the preset AMF parameter, the processing module 30 of the HSS may calculate the authentication vector for UE authentication according to the preset AMF parameter and the selected authentication algorithm. As shown in FIG. 3, when the HSS does not support authentication algorithm selection, the processing module 30 cannot set the identification information of the authentication algorithm for UE authentication in the AMF parameter; in this case the processing module 30 of the HSS calculates the authentication vector for UE authentication according to the preset AMF parameter and the above-mentioned Milenage algorithm, the Xth bit of the AMF parameter keeps its default value of 0, and this default value of the Xth bit of the AMF is used as the identification information of the Milenage algorithm for UE authentication.
- after the processing module 30 of the HSS determines the authentication algorithm for UE authentication according to the authentication data request message sent by the MME and received by the receiving module 10, and determines the authentication vector for UE authentication according to the selected authentication algorithm, the sending module 40 may send the authentication vector determined by the processing module 30 to the MME. Specifically, the sending module 40 of the HSS may send the authentication vector to the MME by using an authentication data response message, and the authentication vector message sent by the sending module 40 to the MME includes the identification information of the authentication algorithm for UE authentication, as shown in FIG. 2 or FIG.
- the processing module 30 may determine the authentication vector for UE authentication according to the AMF parameter and the selected authentication algorithm, and further send the authentication vector message including the information of the Xth bit of the AMF parameter to the MME by using the sending module 40.
- the MME may save the authentication vector message and send the authentication parameter information for the UE authentication in the authentication vector message to the UE.
- when the selection module 20 of the HSS selects the Milenage algorithm by default as the authentication algorithm for UE authentication and the processing module 30 determines the authentication vector for UE authentication according to the Milenage algorithm selected by the selection module 20, the sending module 40 may send the foregoing authentication vector to the MME, where the identification information of the authentication algorithm for UE authentication included in the authentication vector message is the identification information preset by default in the preset AMF parameter, that is, the Xth bit of the AMF parameter in the foregoing authentication vector is set to 0 by default; the sending module 40 of the HSS may send the authentication vector containing the information of the Xth bit of the AMF parameter to the MME, and after receiving the above-mentioned authentication vector message, the MME may save it and send the authentication parameter information for UE authentication in the authentication vector message to the UE.
- the method for selecting the authentication algorithm provided by the processing module and the sending module of the HSS according to the authentication algorithm selected by the selecting module to determine the authentication vector for the UE authentication and sending the authentication vector to the MME may be referred to the method for selecting the authentication algorithm provided by the embodiment of the present invention. Steps S103-S104 in the first embodiment are not described herein again.
- the HSS may select the UE authentication method according to the information of the authentication algorithm supported by the UE carried in the authentication data request message sent by the MME, and the information of the authentication algorithm supported by the UE.
- An authentication algorithm including a Tuak algorithm or a Milenage algorithm
- setting an X-th bit of the AMF parameter including 0 and 1 according to the above-mentioned selected UE-authenticated authentication algorithm, and further according to the AMF and the selected authentication algorithm
- the authentication vector for the UE authentication is determined, and the above-mentioned authentication vector including the selected identification information of the authentication algorithm for the UE authentication is sent to the MME.
- the HSS selects the Milenage algorithm as the authentication algorithm for the UE authentication by default after receiving the authentication data request message sent by the MME, and determines the authentication vector for the UE authentication according to the preset AMF parameter and the above-mentioned Milenage algorithm. Furthermore, the above-mentioned authentication vector for UE authentication is transmitted to the MME.
- the HSS described in the embodiments of the present invention may be based on the UE.
- FIG. 11 is a schematic structural diagram of an embodiment of a user equipment for selecting an authentication algorithm according to an embodiment of the present invention.
- the user equipment described in this embodiment includes:
- the sending module 50 is configured to send, to the control device, information about an authentication algorithm supported by the user equipment.
- the receiving module 60 is configured to receive a user authentication request message sent by the control device.
- the processing module 70 is configured to determine an authentication algorithm according to the user authentication request message, and authenticate the network according to the authentication algorithm.
- When the UE needs to send the information of the authentication algorithms it supports to the MME, the UE may send a request message to the MME and carry that information in the request message; or
- the MME may send a request message to the UE asking it to report the authentication algorithms it supports, and after receiving that request the UE may return a response message to the MME that carries the information of the authentication algorithms supported by the UE.
- The embodiment of the present invention does not specifically limit the manner in which the information of the authentication algorithms supported by the UE is sent to the MME; carrying it in a request message or a response message is only an example.
- The embodiment of the present invention is described below by taking the case where the UE sends the information of the authentication algorithms it supports to the MME in a request message.
- The request message sent by the sending module 50 of the UE to the MME may be an Attach request, a TAU request, a registration request, or the like; the embodiment of the present invention does not limit the message type of the request message.
- The information of the authentication algorithms supported by the UE may be added to the request message that the UE sends to the MME.
- That is, the sending module 50 of the UE may carry the information of the supported authentication algorithms (including the Tuak algorithm or the Milenage algorithm) in the request message sent to the MME, as shown in FIG. 2 or FIG. 3; in this case the request message sent by the sending module 50 of the UE to the MME carries the information of the Tuak algorithm or the Milenage algorithm supported by the UE.
- Where the UE does not support authentication algorithm selection, the sending module 50 of the UE does not send the information of the supported authentication algorithms when it sends the request message to the MME, that is, the information of the authentication algorithms supported by the UE carried in the request message sent by the sending module 50 of the UE to the MME is empty.
- For the specific process by which the sending module of the UE sends the request message to the MME, refer to step S201 in the second embodiment of the method for selecting an authentication algorithm provided in the embodiment of the present invention; details are not described herein.
- The information of the authentication algorithms supported by the user equipment sent by the sending module 50 includes: the Tuak algorithm supported by the user equipment, and/or the Milenage algorithm supported by the user equipment;
- the processing module 70 is specifically configured to: determine the authentication algorithm according to the identification information of the authentication algorithm carried in the user authentication request message.
- The user authentication request message received by the receiving module 60 includes the authentication parameters with which the network authenticates the user equipment.
- The authentication parameters received by the receiving module 60 include an AUTN parameter, and the AUTN parameter includes an AMF parameter.
- The identification information of the authentication algorithm includes: a first identifier or a second identifier of the flag bit of the authentication algorithm included in the AMF parameter.
- The processing module 70 is specifically configured to: when the identification information is the first identifier, set the Tuak algorithm supported by the user equipment as the authentication algorithm; when the identification information is the second identifier, set the Milenage algorithm supported by the user equipment as the authentication algorithm.
- Where the information of the authentication algorithms supported by the user equipment sent by the sending module 50 is null, the processing module 70 is specifically configured to: set the Milenage algorithm it supports as the authentication algorithm according to the user authentication request message.
- After receiving the request message sent by the UE, the MME may send an authentication data request message to the HSS according to it. The HSS may select the authentication algorithm for UE authentication according to the received authentication data request message, set the identification information of the authentication algorithm according to the selected algorithm, determine the authentication vector for UE authentication, and then send the authentication vector, which includes the identification information of the authentication algorithm, to the UE through the MME.
- The MME may save the identification information of the authentication algorithm for UE authentication and send it to the UE.
- After the receiving module 60 of the UE receives the user authentication request message sent by the MME, the processing module 70 may determine, according to that message, the authentication algorithm with which the network authenticates the UE, and then determine the algorithm the UE uses to authenticate the network according to it.
- The user authentication request message that the receiving module of the UE receives from the MME includes the authentication parameters for UE authentication, that is, the parameters in the authentication vector for UE authentication that the HSS set according to the request message sent by the UE, including the AUTN and RAND parameters and the like.
- When the sending module 50 of the UE has added the information of the supported authentication algorithms to the request message sent to the MME, and the receiving module 60 of the UE receives the user authentication request message from the MME, the processing module 70 may parse the message and obtain the identification information of the authentication algorithm with which the network authenticates the UE from the authentication parameters it contains.
- When the HSS supports authentication algorithm selection and the authentication data request message it receives from the MME carries the information of the authentication algorithms supported by the UE, the HSS may determine the authentication algorithm for UE authentication according to the authentication algorithms supported by the UE and those supported by the HSS, and the MME may send the authentication parameters for UE authentication in the resulting authentication vector to the UE.
- The processing module 70 may parse the user authentication request message and obtain, from the authentication parameters it contains, the identification information of the authentication algorithm with which the network authenticates the UE, where that identification information includes the first identifier (for example 1) or the second identifier (for example 0) of the flag bit of the authentication algorithm in the AMF parameter (that is, the X-th bit of the AMF parameter), as shown in FIG.
- The processing module 70 may analyze the X-th bit of the AMF parameter in the user authentication request message, obtain the identification information of the authentication algorithm (0 or 1) from it, determine the authentication algorithm with which the network authenticates the UE according to the obtained identification information, and then determine the authentication algorithm for authenticating the network (which is kept consistent with the algorithm the network uses to authenticate the UE).
- When the value of the X-th bit of the AMF parameter obtained by the processing module 70 is 1 (that is, the first identifier), the processing module 70 of the UE may determine that the algorithm with which the network authenticates the UE is the Tuak algorithm, and after that determination the UE may determine that the algorithm it uses to authenticate the network is also the Tuak algorithm; when the value of the X-th bit of the AMF parameter obtained by the processing module 70 is 0 (that is, the second identifier), the algorithm with which the network authenticates the UE is determined to be the Milenage algorithm, and after that determination the UE may determine that the algorithm it uses to authenticate the network is the Milenage algorithm.
- When the information of the authentication algorithms supported by the UE that the sending module 50 carries in the request message sent to the MME is empty, the information of the authentication algorithms supported by the UE carried in the authentication data request message that the HSS receives through the MME is also empty.
- In that case the HSS selects the default authentication algorithm (the Milenage algorithm), and the identification information of the authentication algorithm for UE authentication included in the authentication vector determined by the HSS according to the selected algorithm is the second identifier (0) of the X-th bit of the AMF parameter, as shown in FIG.
- The processing module 70 then determines the authentication algorithm for authenticating the network according to the default authentication algorithm (that is, the Milenage algorithm), so that the algorithm with which the network authenticates the UE and the algorithm with which the UE authenticates the network are both the Milenage algorithm.
- After the processing module 70 determines the authentication algorithm for authenticating the network, the information about that algorithm may be sent to the MME in the user authentication response, so that the network completes the authentication of the UE through the MME and allows the UE to access the network.
- The HSS determines the authentication algorithm and the authentication vector for authenticating the UE according to the foregoing information and sends the authentication vector and other information to the UE through the MME; for details, refer to the first embodiment of the method for selecting an authentication algorithm provided by the embodiment of the present invention, which is not described herein again.
- For the specific process by which the receiving module and the processing module of the UE receive the user authentication request sent by the MME and determine the authentication algorithm for authenticating the network according to it, refer to steps S202-S203 in the second embodiment of the method for selecting an authentication algorithm provided by the embodiment of the present invention; details are not described herein again.
- In the embodiment of the present invention, the UE may send the authentication algorithms it supports to the MME in the request message, obtain the information of the authentication algorithm with which the network authenticates it from the user authentication request sent by the MME, and then set the network's authentication algorithm as its own algorithm for authenticating the network. If the UE does not support authentication algorithm selection, the UE sends the request message to the MME, the network selects the default Milenage algorithm after receiving the request message, and the UE may set the default Milenage algorithm as its algorithm for authenticating the network, thereby unifying the authentication algorithm on both sides and completing the authentication of the UE through the MME so that the UE is allowed to access the network.
- The embodiment of the invention improves the diversity of the authentication algorithms available to the UE and the resource utilization of the terminal, and enhances the user experience of UE authentication.
- FIG. 12 it is a schematic structural diagram of an embodiment of a control device for selecting an authentication algorithm according to an embodiment of the present invention.
- the control device described in this embodiment includes:
- the receiving module 80 is configured to receive information about an authentication algorithm supported by the user equipment sent by the user equipment.
- the sending module 90 is configured to send an authentication data request message to the service device, where the authentication data request message carries information of an authentication algorithm supported by the user equipment.
- the receiving module 80 is configured to receive identifier information of an authentication algorithm sent by the service device, where the identifier information of the authentication algorithm corresponds to the authentication data request message.
- the sending module 90 is configured to send a user authentication request message to the user equipment, where the user authentication request message carries the identifier information of the authentication algorithm.
- The information of the authentication algorithms supported by the user equipment received by the receiving module 80 includes: the Tuak algorithm supported by the user equipment, and/or the Milenage algorithm supported by the user equipment, or is empty.
- The identification information of the authentication algorithm received by the receiving module 80 includes: identification information corresponding to the Tuak algorithm selected by the service device, and/or identification information corresponding to the Milenage algorithm selected by the service device, or is empty.
- When the UE needs to send the information of the authentication algorithms it supports to the MME, the UE may send a request message to the MME and carry that information in the request message; or
- the MME may send a request message to the UE asking it to report the authentication algorithms it supports, and after receiving that request the UE may return a response message to the MME that carries the information of the authentication algorithms supported by the UE.
- The embodiment of the present invention does not specifically limit the manner in which the information of the authentication algorithms supported by the UE is sent to the MME; carrying it in a request message or a response message is only an example.
- The embodiment of the present invention is described below by taking the case where the UE sends the information of the authentication algorithms it supports to the MME in a request message.
- The request message that the receiving module 80 of the MME receives from the UE may carry the information of the authentication algorithms supported by the UE, including: the Tuak algorithm supported by the UE, or the Milenage algorithm supported by the UE, or null.
- When the UE supports authentication algorithm selection (that is, the UE supports both the Tuak algorithm and the Milenage algorithm), the UE may send the information of the authentication algorithms it supports to the MME in the request message; when the UE does not support authentication algorithm selection (that is, the UE supports only the Milenage algorithm), the information of the authentication algorithms supported by the UE carried in the request message sent by the UE to the MME is empty.
- The sending module 90 may send an authentication data request message to the HSS according to the request message received by the receiving module 80.
- If the request message sent by the UE carries the information of the authentication algorithms supported by the UE, the sending module 90 of the MME may carry that information in the authentication data request message it sends to the HSS.
- If the information of the authentication algorithms supported by the UE carried in the request message sent by the UE is empty, the information of the authentication algorithms supported by the UE carried in the authentication data request message that the sending module 90 of the MME sends to the HSS is also empty.
- After receiving the authentication data request message sent by the MME, the HSS may determine the authentication algorithm for UE authentication according to it, obtain the authentication vector for UE authentication according to the determined authentication algorithm, and then send the authentication vector to the MME in the authentication data response message.
- After receiving the authentication data response message, the MME may save the authentication vector it contains and then send a user authentication request message to the UE through the sending module 90, carrying the authentication parameters for UE authentication included in the authentication vector, as shown in FIG. 2, FIG. 3 or FIG. 4.
- After receiving the user authentication request message, the UE may obtain the authentication parameters with which the network authenticates it and then determine the authentication algorithm for authenticating the network according to those parameters.
- For the method by which the HSS determines the authentication algorithm and the authentication vector for UE authentication according to the authentication data request message sent by the MME and sends the authentication vector and other information to the MME in the authentication data response message, refer to the first embodiment of the method for selecting an authentication algorithm provided by the embodiment of the present invention; details are not described herein again.
- For the method by which the UE sends the request message to the MME and determines the authentication algorithm for authenticating the network according to the user authentication request sent by the MME, refer to the second embodiment of the method for selecting an authentication algorithm provided by the embodiment of the present invention; details are not described herein again.
- When the MME supports saving and forwarding the information of the authentication algorithms supported by the UE: if the request message sent by the UE to the MME carries the information of the authentication algorithms supported by the UE (that is, the UE supports both the Tuak algorithm and the Milenage algorithm), the receiving module 80 of the MME may save that information and the MME sends it to the HSS through the sending module 90, as shown in FIG. 2 or FIG. ; if the information carried in the request message is empty, the MME may, after receiving the request message, send the authentication data request message to the HSS through the sending module 90 with the information of the authentication algorithms supported by the UE empty, as shown in FIG.
- When the MME does not support saving and forwarding the information of the authentication algorithms supported by the UE: if the request message sent by the UE to the MME carries the information of the authentication algorithms supported by the UE (that is, the UE supports both the Tuak algorithm and the Milenage algorithm), the MME receives the message through the receiving module 80, but the information of the authentication algorithms supported by the UE carried in the authentication data request message that the sending module 90 of the MME sends to the HSS is empty, as shown in FIG. 7 or FIG. 8; if the information carried in the request message sent by the UE to the MME is empty, the sending module 90 may send the authentication data request message to the HSS with the information of the authentication algorithms supported by the UE empty, as shown in FIG. 9.
- For the specific implementation process of the control device in the embodiment of the present invention, refer to steps S301-S304 in the third embodiment of the method for selecting an authentication algorithm provided by the embodiment of the present invention; details are not described herein again.
- The MME may also obtain the user authentication response message from the UE, complete the authentication of the UE according to the saved authentication vector for UE authentication sent by the HSS, and then allow the UE to access the network.
- In the embodiment of the present invention, the MME may receive the request message sent by the UE, send an authentication data request message to the HSS according to it, obtain the authentication vector for UE authentication that the HSS determines according to the authentication data request message and other information, and send the authentication vector and related information to the UE so that the UE can determine the authentication algorithm for authenticating the network. The MME may also obtain the user authentication response message from the UE and complete the authentication of the UE accessing the network according to the authentication vector for UE authentication sent by the HSS and other information, thereby allowing the UE to access the network.
- The MME may also send the authentication data request message to the HSS according to its own configuration (that is, whether it supports forwarding the information of the authentication algorithms supported by the UE), which enriches the diversity of the authentication algorithms for UE authentication, improves the terminal utilization rate of UE authentication, and enhances the user experience of UE authentication.
- FIG. 13 is a schematic structural diagram of an embodiment of a system for selecting an authentication algorithm according to an embodiment of the present invention.
- the system for selecting an authentication algorithm described in this embodiment includes:
- the user equipment 100 for selecting an authentication algorithm provided by the foregoing embodiment of the present invention, the control device 200 for selecting an authentication algorithm provided by the foregoing embodiment of the present invention, and the service device 300 for selecting an authentication algorithm provided by the foregoing embodiment of the present invention.
- For the specific interaction process of the user equipment 100, the control device 200, and the service device 300 in selecting an authentication algorithm, refer to the specific implementation processes described in the first, second, and third embodiments of the method for selecting an authentication algorithm provided by the embodiment of the present invention; details are not described herein again.
- When the program stored in the readable storage medium is executed, the flow of the method embodiments described above may be included.
- The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
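The three-party exchange described in the service device (HSS), user equipment and control device (MME) embodiments above, simulated end to end as an added Python example. This is illustrative code written for this page, not the patent's own implementation or any 3GPP reference code. It assumes a flag position X, a constructed base AMF value and a constructed shared key K; the AUTN follows the 3GPP TS 33.102 field order (SQN || AMF || MAC) but omits the anonymity key AK, and the f1 MAC function is an HMAC stand-in rather than the real Milenage or Tuak f1. It covers the three cases the text distinguishes: a UE that supports selection with an MME that forwards its capability (Tuak is selected), the same UE behind an MME that does not forward (the HSS falls back to Milenage), and a Milenage-only UE that sends an empty capability (default Milenage). It also shows why the flag can be trusted: the MAC in AUTN covers the whole AMF, so a flag bit altered in transit fails verification at the UE.

```python
"""UE / MME / HSS simulation of the AMF-flag algorithm selection (added example).

AUTN uses the 3GPP TS 33.102 field order SQN || AMF || MAC; the anonymity key
AK is omitted and f1 is an HMAC stand-in, not the real Milenage or Tuak f1.
The flag position X, the base AMF value and the key K are constructed here.
"""
import hashlib
import hmac
import os

TUAK, MILENAGE = "Tuak", "Milenage"
X = 7                 # assumed flag position, counted from the least significant AMF bit
FLAG_TUAK = 1         # first identifier:  X-th bit = 1 -> Tuak
FLAG_MILENAGE = 0     # second identifier: X-th bit = 0 -> Milenage (also the default)
K = bytes(range(16))  # constructed long-term key shared by UE and HSS

def set_algorithm_flag(amf: int, alg: str) -> int:
    """Return the 16-bit AMF with bit X set to the identifier of the selected algorithm."""
    flag = FLAG_TUAK if alg == TUAK else FLAG_MILENAGE
    return (amf & 0xFFFF & ~(1 << X)) | (flag << X)

def get_algorithm_flag(amf: int) -> str:
    """Map bit X of the AMF back to the algorithm name."""
    return TUAK if (amf >> X) & 1 == FLAG_TUAK else MILENAGE

def f1_mac(alg: str, k: bytes, rand: bytes, sqn: int, amf: int) -> bytes:
    """Stand-in for AKA f1: 64-bit MAC over SQN || RAND || AMF, keyed per algorithm."""
    msg = alg.encode() + sqn.to_bytes(6, "big") + rand + amf.to_bytes(2, "big")
    return hmac.new(k, msg, hashlib.sha256).digest()[:8]

class HSS:
    """Service device: selects the algorithm and builds the authentication vector."""
    def __init__(self, k: bytes, supported=(TUAK, MILENAGE), base_amf: int = 0x0000):
        self.k, self.supported, self.base_amf, self.sqn = k, set(supported), base_amf, 1

    def select_algorithm(self, ue_supported) -> str:
        # Empty capability information (UE or MME cannot select) falls back to Milenage.
        return TUAK if TUAK in ue_supported and TUAK in self.supported else MILENAGE

    def authentication_data_response(self, ue_supported) -> dict:
        alg = self.select_algorithm(ue_supported)
        rand, amf = os.urandom(16), set_algorithm_flag(self.base_amf, alg)
        mac = f1_mac(alg, self.k, rand, self.sqn, amf)
        autn = self.sqn.to_bytes(6, "big") + amf.to_bytes(2, "big") + mac
        self.sqn += 1
        return {"RAND": rand, "AUTN": autn, "algorithm": alg}

class MME:
    """Control device: forwards the UE capability to the HSS only when configured to."""
    def __init__(self, forwards_capability: bool):
        self.forwards_capability, self.saved_av = forwards_capability, None

    def handle_attach(self, attach_request: dict, hss: HSS) -> dict:
        ue_supported = attach_request["supported_algorithms"] if self.forwards_capability else []
        self.saved_av = hss.authentication_data_response(ue_supported)
        # The user authentication request carries only RAND and AUTN to the UE.
        return {"RAND": self.saved_av["RAND"], "AUTN": self.saved_av["AUTN"]}

class UE:
    def __init__(self, k: bytes, supported):
        self.k, self.supported = k, tuple(supported)

    def attach_request(self) -> dict:
        # A UE that cannot select (Milenage only) sends an empty capability list.
        supported = list(self.supported) if TUAK in self.supported else []
        return {"type": "Attach", "supported_algorithms": supported}

    def handle_user_authentication_request(self, msg: dict) -> str:
        autn = msg["AUTN"]
        sqn, amf, mac = int.from_bytes(autn[:6], "big"), int.from_bytes(autn[6:8], "big"), autn[8:]
        alg = get_algorithm_flag(amf)
        if alg not in self.supported:
            raise ValueError(f"network selected {alg}, which this UE does not support")
        # The MAC covers the whole AMF, so a flag bit altered in transit fails here.
        if not hmac.compare_digest(mac, f1_mac(alg, self.k, msg["RAND"], sqn, amf)):
            raise ValueError("AUTN MAC verification failed")
        return alg

def run_attach(ue_supported, mme_forwards_capability: bool, hss_supported=(TUAK, MILENAGE)) -> str:
    """Run one attach and return the algorithm the UE settles on for authenticating the network."""
    ue, mme, hss = UE(K, ue_supported), MME(mme_forwards_capability), HSS(K, hss_supported)
    return ue.handle_user_authentication_request(mme.handle_attach(ue.attach_request(), hss))

def flipped_flag_is_rejected() -> bool:
    """Flip bit X of the AMF in transit and check that the UE rejects the AUTN."""
    ue, mme, hss = UE(K, (TUAK, MILENAGE)), MME(True), HSS(K)
    msg = mme.handle_attach(ue.attach_request(), hss)
    autn = bytearray(msg["AUTN"])
    autn[7] ^= 1 << X  # for X < 8 the flag sits in the low-order AMF byte
    try:
        ue.handle_user_authentication_request({"RAND": msg["RAND"], "AUTN": bytes(autn)})
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for caps, fwd in [((TUAK, MILENAGE), True), ((TUAK, MILENAGE), False), ((MILENAGE,), True)]:
        print(caps, "MME forwards" if fwd else "MME strips", "->", run_attach(caps, fwd))
    print("tampered flag rejected:", flipped_flag_is_rejected())
```

Running the script prints Tuak for the first case and Milenage for the other two, and reports that the tampered flag is rejected. The MME's `forwards_capability` switch models the "supports saving and forwarding" configuration from the control device embodiment; an MME that does not forward makes every UE look Milenage-only to the HSS, which is the behaviour the text describes for FIG. 7 to FIG. 9.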
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP14876188.5A EP3079392A1 (en) | 2013-12-31 | 2014-06-25 | Method, apparatus and system for selecting authentication algorithm |
KR1020167020662A KR20160103115A (ko) | 2013-12-31 | 2014-06-25 | 인증 알고리즘을 선택하는 방법, 장치 및 시스템 |
US15/197,343 US20160316368A1 (en) | 2013-12-31 | 2016-06-29 | Method, apparatus, and system for selecting authentication algorithm |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310754492.9 | 2013-12-31 | ||
CN201310754492.9A CN104754577B (zh) | 2013-12-31 | 2013-12-31 | 一种选择认证算法的方法、装置及系统 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/197,343 Continuation US20160316368A1 (en) | 2013-12-31 | 2016-06-29 | Method, apparatus, and system for selecting authentication algorithm |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015100975A1 true WO2015100975A1 (zh) | 2015-07-09 |
Family
ID=53493111
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2014/080736 WO2015100975A1 (zh) | 2013-12-31 | 2014-06-25 | 一种选择认证算法的方法、装置及系统 |
Country Status (5)
Country | Link |
---|---|
US (1) | US20160316368A1 (zh) |
EP (1) | EP3079392A1 (zh) |
KR (1) | KR20160103115A (zh) |
CN (1) | CN104754577B (zh) |
WO (1) | WO2015100975A1 (zh) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10390224B2 (en) | 2014-05-20 | 2019-08-20 | Nokia Technologies Oy | Exception handling in cellular authentication |
CN106465109A (zh) * | 2014-05-20 | 2017-02-22 | 诺基亚技术有限公司 | 蜂窝网络认证 |
US10785645B2 (en) * | 2015-02-23 | 2020-09-22 | Apple Inc. | Techniques for dynamically supporting different authentication algorithms |
CN110891270B (zh) * | 2018-09-10 | 2021-08-27 | 大唐移动通信设备有限公司 | 一种鉴权算法的选择方法和装置 |
US11539684B2 (en) * | 2020-03-16 | 2022-12-27 | Microsoft Technology Licensing, Llc | Dynamic authentication scheme selection in computing systems |
CN114245376A (zh) * | 2020-09-07 | 2022-03-25 | 中国移动通信有限公司研究院 | 一种数据传输方法、用户设备、相关网络设备和存储介质 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102083064A (zh) * | 2009-11-26 | 2011-06-01 | 大唐移动通信设备有限公司 | 用于增强密钥推衍算法灵活性的方法和系统 |
CN102256234A (zh) * | 2010-05-19 | 2011-11-23 | 电信科学技术研究院 | 一种对用户鉴权过程进行处理的方法及设备 |
US20130013923A1 (en) * | 2011-07-08 | 2013-01-10 | Motorola Solutions, Inc. | Methods for obtaining authentication credentials for attaching a wireless device to a foreign 3gpp wireless domain |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2394143B (en) * | 2002-10-08 | 2006-04-05 | Ipwireless Inc | System and method for use of internet authentication technology to provide umts authentication |
CN1767430B (zh) * | 2004-10-27 | 2010-04-21 | 华为技术有限公司 | 鉴权方法 |
CN101247356B (zh) * | 2007-02-13 | 2011-02-16 | 华为技术有限公司 | Dhcp消息传送的方法及系统 |
CN101378591B (zh) * | 2007-08-31 | 2010-10-27 | 华为技术有限公司 | 终端移动时安全能力协商的方法、系统及装置 |
CN101605324B (zh) * | 2008-06-13 | 2011-06-01 | 华为技术有限公司 | 算法协商的方法、装置及系统 |
- 2013-12-31 CN CN201310754492.9A patent/CN104754577B/zh active Active
- 2014-06-25 EP EP14876188.5A patent/EP3079392A1/en not_active Withdrawn
- 2014-06-25 WO PCT/CN2014/080736 patent/WO2015100975A1/zh active Application Filing
- 2014-06-25 KR KR1020167020662A patent/KR20160103115A/ko not_active Application Discontinuation
- 2016-06-29 US US15/197,343 patent/US20160316368A1/en not_active Abandoned
Also Published As
Publication number | Publication date |
---|---|
EP3079392A4 (en) | 2016-10-12 |
US20160316368A1 (en) | 2016-10-27 |
EP3079392A1 (en) | 2016-10-12 |
KR20160103115A (ko) | 2016-08-31 |
CN104754577A (zh) | 2015-07-01 |
CN104754577B (zh) | 2019-05-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11272365B2 (en) | Network authentication method, and related device and system | |
US10313449B2 (en) | Online signup provisioning techniques for hotspot connections | |
US9386004B2 (en) | Peer based authentication | |
KR101475349B1 (ko) | 이동 통신 시스템에서 단말 보안 능력 관련 보안 관리 방안및 장치 | |
US9439069B2 (en) | Subscriber identity module provider apparatus for over-the-air provisioning of subscriber identity module containers and methods | |
US10798082B2 (en) | Network authentication triggering method and related device | |
WO2015100975A1 (zh) | 一种选择认证算法的方法、装置及系统 | |
WO2019017837A1 (zh) | 网络安全管理的方法及装置 | |
WO2017024671A1 (zh) | 一种网络切换方法及终端 | |
KR20130029103A (ko) | 통신 시스템들에서 가입자 인증과 디바이스 인증을 바인딩하는 방법 및 장치 | |
JP2024029170A (ja) | 通信システムにおける統合サブスクリプション識別子管理 | |
JP6962432B2 (ja) | 通信方法、コントロールプレーン装置、コントロールプレーン装置もしくは通信端末のための方法、及び通信端末 | |
WO2015100974A1 (zh) | 一种终端认证的方法、装置及系统 | |
US20190274039A1 (en) | Communication system, network apparatus, authentication method, communication terminal, and security apparatus | |
JP2015502701A (ja) | ワイヤレスリンクのセットアップのために鍵のライフタイムへのアクセスを可能にすること | |
KR101460766B1 (ko) | 무선 네트워크 시스템에서 클러스터 기능을 이용한 보안설정 시스템 및 그 제어방법 | |
WO2013152740A1 (zh) | 用户设备的认证方法、装置及系统 | |
EP3637815B1 (en) | Data transmission method, and device and system related thereto | |
JP2017513412A (ja) | Sim及びsipクライアントが同じモバイル機器に配置されていることを判断する方法及びシステム | |
KR101485801B1 (ko) | 이동 통신 시스템의 인증과 비계층 프로토콜 보안 운영을 효율적으로 지원하는 관리 방법 및 시스템 | |
KR20130033691A (ko) | 네트워크 접속 보안 강화 시스템을 위한 단말장치 및 인증지원장치 | |
WO2020208295A1 (en) | Establishing secure communication paths to multipath connection server with initial connection over private network | |
EP4203392A1 (en) | Authentication support for an electronic device to connect to a telecommunications network | |
WO2022067827A1 (zh) | 一种密钥推衍方法及其装置、系统 | |
WO2024067619A1 (zh) | 通信方法和通信装置 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14876188; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| REEP | Request for entry into the european phase | Ref document number: 2014876188; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2014876188; Country of ref document: EP |
| ENP | Entry into the national phase | Ref document number: 20167020662; Country of ref document: KR; Kind code of ref document: A |