WO2015135278A1 - Authentication method and system, prose functional entity, and ue - Google Patents

Authentication method and system, prose functional entity, and ue Download PDF

Info

Publication number
WO2015135278A1
WO2015135278A1 PCT/CN2014/083049 CN2014083049W WO2015135278A1 WO 2015135278 A1 WO2015135278 A1 WO 2015135278A1 CN 2014083049 W CN2014083049 W CN 2014083049W WO 2015135278 A1 WO2015135278 A1 WO 2015135278A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
functional entity
service
prose functional
request
Prior art date
Application number
PCT/CN2014/083049
Other languages
French (fr)
Chinese (zh)
Inventor
游世林
梁爽
蔡继燕
林兆骥
彭锦
李阳
朱李
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2015135278A1 publication Critical patent/WO2015135278A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/068Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications

Definitions

  • the present invention relates to the field of mobile communications, and specifically relates to a method and system for authenticating authentication, a functional entity based on distance (ProSe), and a user equipment (UE, User Equipment). Background technique
  • the third generation The 3GPP, 3rd Generation Partnership Project (Standard Working Group) is working on the Evolved Packet System (EPS).
  • the entire EPS includes an E-UTRAN (Evolved Universal Terrestrial Radio Access Network) and an Evolved Packet Core Networking (EPC), where the EPC includes a Home Subscriber Server (HSS), mobility.
  • E-UTRAN Evolved Universal Terrestrial Radio Access Network
  • EPC Evolved Packet Core Networking
  • HSS Home Subscriber Server
  • MME Mobility Management Entity
  • SGSN Serving GPRS Support Node
  • PCRF Policy and Charging Rule Function
  • S-GW Serving Gateway
  • P-GW Packet Data Gateway
  • PDN Gateway Packet Data Network
  • D2D device-to-device
  • ProSe device-to-device
  • the commonly used D2D service has a D2D discovery service, and the communication architecture of the D2D discovery service is as shown in FIG. 1.
  • the two UEs accessed by the D2D can only access the EPC through the E-UTRAN, and both UEs can belong to one public land mobile.
  • the network (PLMN, Public Land Mobile Network) is divided into two PLMNs; for one UE, the PLMN can be divided into the belonging PLMNs.
  • HPLMN Home PLMN
  • VPLMN Visited PLMN
  • LLMN local public land mobile networks
  • the D2D discovery service not only the EPS is deployed on the carrier side, but also the ProSe application server that deploys the D2D discovery service.
  • the ProSe application server can be provided by the service provider that operates the D2D service, or can be provided by the network operator that operates the EPS, and the ProSe Function Entity (ProSe Function) is also deployed in different PLMNs.
  • the ProSe Function Entity ProSe Function
  • the interface with the ProSe application server is a PC1 interface, and the related authentication function is provided.
  • the interface between the UE and the UE is PC5, which is used for mutual direct discovery and communication between the UEs, and the interface between the UE and the ProSe functional entity is PC3, which is used for discovery and authentication through the network.
  • the interface between the ProSe functional entity and the existing EPC is PC4, which includes a user plane interface with the P-GW and a control plane interface with the HSS for D2D discovery service discovery authentication.
  • the interface between the ProSe functional entity and the ProSe application server is PC2, which is used for application implementation of the D2D discovery service.
  • ProSe p r0 Se functional entity functional entities respectively PC6 and PC7 interfaces, respectively, for both cases the UE roaming and non-roaming, the UE is roaming interfaces PC7, the UE is not roaming PC6 interfaces, two interfaces
  • the information interaction between two ProSe functional entities is performed when the UE performs the D2D discovery service.
  • Step 201 When a UE needs to initiate a D2D discovery service to another one or more discovered UEs, the UE first needs to go to its own HPLMN.
  • the ProSe function entity performs the D2D discovery service authentication. Specifically, after the UE and the ProSe functional entity under the HPLMN establish a secure connection, the UE sends a discovery service request message to the ProSe functional entity under the HPLMN, where the discovery service request message includes the discovery service type and the user.
  • the user identifier is an International Mobile Subscriber Identification Number (IMSI) or a Mobile Station International ISDN Number (MSISDN), where the ISDN is an Integrated Services Digital Network. ;
  • IMSI International Mobile Subscriber Identification Number
  • MSISDN Mobile Station International ISDN Number
  • the discovery service type includes: an announce, that is, a discovery request initiated by the UE; a monitor, that is, a discovery request initiated by the UE; a match, that is, the UE is found to be sent to the discoverable ProSe functional entity. Match the report.
  • Step 202 The ProSe function entity in the HPLMN performs a discovery service authentication process on the UE.
  • the discovery service authentication of the UE is performed according to the existing technical solution.
  • the process proceeds to step 203 by using the ProSe under the HPLMN.
  • the function entity initiates a corresponding discovery service process for the UE to the other one or more discovered UEs;
  • Step 203 The ProSe functional entity in the HPLMN initiates a corresponding discovery service flow to the ProSe functional entity in the local PLMN of the one or more discovered UEs according to the corresponding service type.
  • the ProSe function entity under the HPLMN When the service type is published, the ProSe function entity under the HPLMN sends a publish request message to the ProSe function entity in the local PLMN of the discovered UE, and the ProSe function entity in the local PLMN of the UE is found to be the ProSe function under the HPLMN.
  • ProSe function entity under the ProSe function under HPLMN The entity sends back the interception response message.
  • the ProSe function entity in the HPLMN sends a match request message to the ProSe function entity in the local PLMN of the discovered UE.
  • the match is successful, and the UE is found locally.
  • the ProSe functional entity under the PLMN sends a matching response message to the ProSe functional entity under the HPLMN.
  • Step 204 After the D2D discovery service is processed, the ProSe function entity in the HPLMN sends a corresponding discovery service request response message to the UE that initiates the discovery service, and the UE completes the related radio resource allocation.
  • the MSISDN parameter is only signed by the HSS and can be downloaded to the control network element of the EPC.
  • the UE generally does not have the signed MSISDN parameter, but the MSISDN parameter in the UE can be arbitrarily configured by the user. In this case, if configured The wrong MSISDN will cause an error in the discovery service request.
  • the IMSI is used for authentication authentication, the IMSI will be exposed in the discovery service request message, which will expose the user's private information and increase the user's attack by the attacker. risks of. Summary of the invention
  • embodiments of the present invention are expected to provide a method and system for authentication authentication, a ProSe functional entity, and a UE.
  • the first ProSe function entity sends a configuration parameter to the UE; the UE initiates an authentication and authentication process to the first ProSe function entity according to the configuration parameter, and the first ProSe function entity successfully authenticates the UE after the authentication is successful. And allocating a D2D service temporary identifier to the UE.
  • the configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the configuration parameter includes only the PLMN identifier supported by the UE. List.
  • the The method also includes:
  • the UE determines that the local PLMN identity initiates an authentication authentication request to the second ProSe functional entity in the received PLMN identity list.
  • the UE when the configuration parameters received by the UE include the PLMN identifier list supported by the UE and the D2D service temporary identifier allocated by the first ProSe function entity to the UE, the UE is configured according to the configuration parameter. Initiating an authentication and authentication process to the first ProSe functional entity, including:
  • the UE sends an authentication request to the second ProSe function entity, where the authentication authentication request carries the local PLMN identifier and the D2D service temporary identifier received by the UE;
  • the first ProSe functional entity searches for a UE context corresponding to the UE according to the D2D service temporary identifier
  • the first ProSe functional entity When the UE context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and returns an allocated D2D service temporary identifier to the UE.
  • the first ProSe function entity When the context corresponding to the UE is not found, the first ProSe function entity initiates a UE context acquisition process of the UE to the HSS, and after the UE context is successfully obtained, the first ProSe function entity is used by the UE. The authentication succeeds, and the allocated D2D service temporary identifier is returned to the UE.
  • the UE when the configuration parameter received by the UE includes only the PLMN identifier list supported by the UE, the UE initiates an authentication process to the first ProSe function entity according to the configuration parameter, including:
  • the first ProSe functional entity performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier.
  • the first ProSe functional entity performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier, and includes:
  • the first ProSe functional entity searches for a UE context corresponding to the UE according to the IMSI or D2D service temporary identifier;
  • the first ProSe functional entity When the UE context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and returns an allocated D2D service temporary identifier to the UE.
  • the first ProSe functional entity When the context corresponding to the UE is not found, the first ProSe functional entity initiates a UE context acquisition process to the HSS, and after the UE context is successfully obtained, the first ProSe functional entity successfully authenticates the UE, to the The UE returns the assigned D2D service temporary identifier.
  • the method further includes:
  • the UE sends a discovery service request message to the first ProSe function entity;
  • the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
  • the first ProSe functional entity authenticates the discovery request of the UE
  • the first ProSe functional entity After the discovery request is authenticated, the first ProSe functional entity initiates a corresponding discovery service process according to the corresponding service type;
  • the first ProSe function entity After the service processing is completed, the first ProSe function entity sends a discovery service request response message to the UE, where the message carries the D2D service temporary identifier allocated by the first ProSe function entity to the UE.
  • the first ProSe function entity that authenticates the discovery request of the UE includes:
  • the first ProSe functional entity searches for the UE according to the D2D service temporary identifier search UE context, when the UE context corresponding to the UE is found, the UE finds that the request is obtained for authentication;
  • the first ProSe functional entity When the UE context corresponding to the UE is not found, the first ProSe functional entity initiates an acquisition of an IMSI request to the UE; the UE sends back an IMSI response to the first ProSe functional entity, and carries the UE. Corresponding IMSI; the first ProSe function entity queries whether there is a UE context corresponding to the UE according to the IMSI, and when the UE exists, the UE finds that the request is obtained by the UE;
  • the first ProSe functional entity performs discovery service authentication authentication to the HSS, the HSS establishes a new UE context for the UE, and the UE finds that the request is obtained.
  • the first ProSe function entity sends a configuration parameter to the UE; after the first ProSe function entity successfully authenticates the UE, the D2D service temporary identifier is allocated to the UE.
  • the configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the configuration parameter includes only the PLMN identifier supported by the UE. List.
  • the first ProSe function entity, the authentication, and the first ProSe function entity receive an authentication authentication request sent by the second ProSe function entity, where the authentication authentication request carries the local PLMN. And the identifier and the temporary identifier of the D2D service received by the UE;
  • the first ProSe functional entity searches for a UE context corresponding to the UE according to the D2D service temporary identifier
  • the first ProSe functional entity When the context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and returns a D2D service temporary identifier to the UE.
  • the first ProSe function entity When the context corresponding to the UE is not found, the first ProSe function entity initiates a UE context acquisition process to the HSS, and after the UE context is successfully obtained, the first ProSe function The energy entity successfully authenticates the UE, and returns an allocated D2D service temporary identifier to the UE.
  • the first ProSe performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier.
  • the performing the UE authentication and authentication process includes:
  • the first ProSe functional entity When the context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and returns a D2D service temporary identifier to the UE.
  • the first ProSe functional entity When the context corresponding to the UE is not found, the first ProSe functional entity initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the first ProSe functional entity successfully authenticates the UE. The UE returns an allocated D2D service temporary identifier.
  • the method further includes:
  • the first ProSe function entity receives the discovery service request message sent by the UE;
  • the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
  • the first ProSe functional entity authenticates the discovery request of the UE
  • the first ProSe functional entity After the discovery request is authenticated, the first ProSe functional entity initiates a corresponding discovery service process according to the corresponding service type;
  • the first ProSe function entity After the service processing is completed, the first ProSe function entity sends a discovery service request response message to the UE, where the message carries the D2D service temporary identifier allocated by the first ProSe function entity to the UE.
  • the first ProSe functional entity authenticates the discovery request of the UE, include:
  • the first ProSe function entity searches for a UE context related to the UE according to the D2D service temporary identifier, and when the context corresponding to the UE is found, the UE finds that the request is obtained for authentication;
  • the first ProSe functional entity When the context corresponding to the UE is not found, the first ProSe functional entity initiates an acquisition of an IMSI request to the UE; after the IMSI is successfully obtained, the first ProSe functional entity queries whether the UE exists according to the IMSI. Corresponding UE context, when present, the UE finds that the request is obtained by the authentication;
  • the first ProSe functional entity performs discovery service authentication authentication to the HSS, the HSS establishes a new UE context for the UE, and the UE finds that the request is obtained.
  • the configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the configuration parameter includes only the PLMN identifier supported by the UE. List.
  • the method further includes:
  • the UE determines that the local PLMN identity is in the received PLMN identity list, and the UE initiates an authentication authentication request to the second ProSe functional entity.
  • the UE when the configuration parameters received by the UE include the PLMN identifier list supported by the UE and the D2D service temporary identifier allocated by the first ProSe function entity to the UE, the UE is configured according to the configuration parameter. Initiating an authentication and authentication process to the first ProSe functional entity, including: Sending, by the UE, an authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries a local PLMN identifier and a D2D service temporary identifier received by the UE;
  • the UE When the authentication is successful, the UE receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • the UE when the configuration parameter received by the UE includes only the PLMN identifier list supported by the UE, the UE initiates an authentication process to the first ProSe function entity according to the configuration parameter, including:
  • the UE sends an authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries an IMSI or D2D service temporary identifier.
  • the method further includes:
  • the UE sends a discovery service request message to the first ProSe function entity;
  • the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
  • the UE When the first ProSe functional entity does not find the UE context corresponding to the UE according to the D2D service temporary identifier, the UE receives the acquiring IMSI request sent by the first ProSe functional entity, and obtains the IMSI according to the foregoing. Requesting to return an IMSI response to the first ProSe functional entity, where the acquiring IMSI response carries an IMSI corresponding to the UE;
  • the UE After the service processing is completed, the UE receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • a ProSe functional entity is provided by the embodiment of the present invention, where the ProSe functional entity includes: a configuration parameter sending module, an authentication authentication module, and a temporary identifier assigning module;
  • the configuration parameter sending module is configured to send configuration parameters to the UE
  • the authentication authentication module is configured to perform authentication authentication on the UE, and trigger the temporary identifier allocation module when the authentication authentication succeeds;
  • the temporary identifier allocation module is configured to be triggered by the authentication authentication module, to the The UE sends a temporary identifier of the D2D service.
  • the configuration parameter that is sent by the configuration parameter sending module to the UE includes a PLMN identifier list supported by the UE, and a D2D service temporary identifier allocated by the temporary identifier allocation module to the UE, or the The configuration parameters include only the list of PLMN identifiers supported by the UE.
  • the ProSe functional entity further includes: a discovery request authentication module and a discovery service processing module;
  • the discovery request authentication module is configured to receive the discovery service request of the UE, and perform authentication on the discovery service request of the UE, where the discovery service request includes: a discovery service type and a D2D service temporary identifier; After the discovery service request of the UE is successfully authenticated, the discovery service processing module is triggered;
  • the discovery service processing module is configured to perform discovery service processing for the UE when triggered by the discovery request authentication module, and return a discovery service response message to the UE after the discovery service processing is completed, the discovery service
  • the response message carries the D2D service temporary identifier allocated by the temporary identifier allocation module to the UE.
  • a UE is provided by the embodiment of the present invention, where the UE includes: a configuration parameter receiving module and a authentication authentication request sending module;
  • the configuration parameter receiving module is configured to receive a configuration parameter delivered by the first ProSe functional entity
  • the authentication authentication request sending module is configured to initiate an authentication authentication process to the first ProSe functional entity
  • the configuration parameter receiving module is further configured to: after the authentication of the first ProSe functional entity is successful, receive the D2D service temporary identifier allocated by the first ProSe functional entity.
  • the configuration parameter includes a PLMN identifier list supported by the UE, and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the
  • the set parameters only include the list of PLMN identities supported by the UE.
  • the UE further includes a determining module, where the determining module is configured to determine a local PLMN of the UE before the authentication authentication request sending module initiates an authentication and authentication process to the first ProSe functional entity.
  • the authentication authentication request sending module is triggered to send an authentication authentication request to the second ProSe functional entity.
  • the UE further includes: a discovery service request module and a request processing module;
  • the discovery service requesting module is configured to send a discovery service request message to the first ProSe functional entity; the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
  • the request processing module is configured to: when the first ProSe functional entity does not find the UE context corresponding to the UE according to the D2D service temporary identifier, receive the IMSI request sent by the first ProSe functional entity, and according to the Obtaining an IMSI request to return an IMSI response to the first ProSe, where the acquiring IMSI response carries an IMSI corresponding to the UE;
  • the configuration parameter receiving module is further configured to: after the discovery service processing is completed, receive the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • An authentication authentication system is provided by the embodiment of the present invention, where the system includes: a first ProSe functional entity and a UE;
  • the first ProSe functional entity is configured to send configuration parameters to the UE; and configured to allocate a D2D service temporary identifier to the UE after the UE is successfully authenticated by the UE;
  • the UE is configured to initiate an authentication process to the first ProSe functional entity according to the configuration parameter.
  • the first ProSe function entity sends configuration parameters to the UE, including: the first ProSe function entity, the PLMN identifier list supported by the UE, and the first ProSe function entity being the UE Assigned D2D service temporary identifier, or supported by the UE
  • the PLMN identifier list is sent to the UE as a configuration parameter.
  • the UE is further configured to: when determining that the local PLMN identifier is in the received PLMN identifier list, initiate an authentication authentication request to the first ProSe functional entity.
  • the UE is further configured to send a discovery service request message to the first ProSe function entity, where the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
  • the first ProSe functional entity is further configured to: perform authentication on the discovery request of the UE; after the discovery request is authenticated, initiate a corresponding discovery service process according to the corresponding service type; and after the discovery service processing is completed, the first A ProSe function entity sends a discovery service response message to the UE, where the discovery service response message carries a D2D service temporary identifier allocated by the first ProSe function entity to the UE.
  • a computer storage medium includes a set of instructions, when executed, causing at least one processor to execute the authentication authentication method.
  • the method and system for authentication authentication provided by the embodiment of the present invention, the ProSe functional entity, and the UE, the first ProSe functional entity sends configuration parameters to the UE; the UE initiates authentication to the first ProSe functional entity according to the configuration parameter.
  • the authentication process and after the authentication is successful, the first ProSe functional entity allocates a D2D service temporary identifier to the UE; in this way, before the D2D discovery service of the UE, in the authentication and authentication process for the UE, The UE allocates a D2D service temporary identifier, and the D2D service temporary identifier can be used for authentication authentication when the UE initiates the discovery service.
  • the MSISDN parameter can be avoided when performing authentication authentication. Errors that are prone to occur and the disadvantages of exposing user privacy to discovery services when performing authentication with IMSI.
  • Figure 1 is a diagram of a D2D discovery service communication architecture
  • FIG. 3 is a flowchart 1 of an authentication authentication method according to at least one embodiment of the present invention
  • FIG. 4 is a flowchart 2 of an authentication authentication method according to at least one embodiment of the present invention
  • FIG. FIG. 6 is a flowchart of an authentication authentication method according to at least one embodiment of the present invention
  • FIG. 7 is a flowchart 5 of an authentication authentication method according to at least one embodiment of the present invention
  • FIG. 9 is a basic structural diagram of a ProSe functional entity according to at least one embodiment of the present invention
  • FIG. 10 is a basic structural diagram of a user equipment UE according to at least one embodiment of the present invention
  • FIG. 11 is a basic structural diagram of an authentication authentication system according to at least one embodiment of the present invention.
  • the first ProSe functional entity sends a configuration parameter to the UE; the UE initiates an authentication and authentication process to the first ProSe functional entity according to the configuration parameter, and after the authentication is successful, the first A ProSe functional entity allocates a D2D service temporary identifier to the UE.
  • the first embodiment of the present invention provides an authentication authentication method. As shown in FIG. 3, the method includes the following steps:
  • Step 301 The first ProSe function entity sends configuration parameters to the UE.
  • the first ProSe functional entity refers to a ProSe functional entity under the HPLMN of the UE, and after the UE and the first ProSe functional entity establish a secure connection, the UE Sending a discovery service request message to the first ProSe functional entity;
  • the first ProSe function entity sends a configuration parameter to the UE, where the configuration parameter includes: a PLMN identifier list supported by the UE, and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or
  • the configuration parameter includes only a list of PLMN identifiers supported by the UE;
  • the configuration parameters that are delivered to the UE include: the PLMN identifier list supported by the UE and the D2D service temporary identifier allocated by the first ProSe function entity to the UE, the first ProSe function entity will save the location Corresponding relationship between the D2D service temporary identifier sent by the UE and the IMSI of the UE.
  • the D2D service temporary identifier is a temporary identifier that can be used for the D2D discovery service of the UE, and the D2D service temporary identifier may be a ProSe functional entity identifier or may be a parameter corresponding to the UE uniquely.
  • the parameter may use any representation that can be used to uniquely identify a UE.
  • the D2D service temporary identifier may be allocated to the UE in sequence or the D2D service temporary may be randomly allocated to the UE by a mathematical function. logo.
  • Step 302 The UE initiates an authentication and authentication process to the first ProSe functional entity according to the configuration parameter, and after the first ProSe functional entity successfully authenticates the UE, allocates a D2D service to the UE. Identification
  • the UE After the UE obtains the configuration parameter, it first determines whether the local PLMN identifier is in the received PLMN identifier list, and if not, does not perform any operation, and ends the current processing flow;
  • the UE When the local PLMN identity of the UE is in the received PLMN identity list, the UE will initiate an authentication authentication request to the second ProSe functional entity.
  • the second ProSe functional entity refers to the UE.
  • a ProSe functional entity under the LPLMN where there are different authentication authentication procedures for the UEs that receive different configuration parameters in step 301; The following describes the authentication and authentication process of the UE in the above two cases by using FIG. 4 and FIG. 5;
  • Step 401 The UE sends an authentication request to a second ProSe functional entity. Specifically, the UE directly sends a packet to the second ProSe functional entity. a right authentication request, where the authentication authentication request carries the local PLMN identifier and the received D2D service temporary identifier;
  • Step 402 The second ProSe functional entity forwards the authentication authentication request to the first ProSe functional entity;
  • the second ProSe functional entity forwards the authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries a D2D service temporary identifier and a local PLMN identifier.
  • Step 403 The first ProSe function entity determines whether the UE context exists. If yes, continue to perform according to steps 404a to 406a. If not, perform according to steps 404b and 404b. In this step, the first ProSe function entity The UE context corresponding to the UE is searched according to the D2D service temporary identifier, where the UE context includes the IMSI of the UE and the service parameter. Specifically, the first ProSe functional entity has saved the D2D service temporary identifier when the UE sends the temporary identifier to the UE. Corresponding relationship between the D2D service temporary identifier and the IMSI of the UE.
  • the first ProSe function entity may find a corresponding IMSI according to the received D2D service temporary identifier, and then search and locate according to the IMSI.
  • the UE context corresponding to the IMSI when the UE context corresponding to the UE is found, the authentication authentication is passed.
  • the execution is continued according to steps 404a to 406a; if not, the steps are performed according to steps 404b and 404b.
  • Step 404a The first ProSe functional entity allocates a D2D service temporary identifier to the UE.
  • the UE uses the D2D service temporary identifier allocated for the UE to perform the identification.
  • the first ProSe functional entity may re-allocate the D2D service temporary identifier for the UE, and the re-allocated D2D service temporary identifier may be used for authentication authentication when the UE performs the discovery service next time;
  • the D2D service temporary identifier is re-assigned to the UE. This prevents the UE from using the same D2D service temporary identifier to perform multiple authentication authentication. This is because if the UE uses the same long-term.
  • the D2D service temporary identifier is easily acquired and used by an attacker or other users by using an illegal means. Therefore, in the solution according to the first embodiment of the present invention, the UE's D2D service temporary identifier is used each time. After use, it will be dynamically updated, so that the D2D service temporary identifier used each time is different, which can ensure the security of the UE;
  • Step 405a The first ProSe functional entity sends back an authentication authentication response to the second ProSe functional entity.
  • the authentication authentication response carries a D2D service temporary identifier allocated by the first ProSe functional entity to the UE and a UE context corresponding to the UE, where the UE context includes an authentication vector parameter group.
  • Step 406a The second ProSe functional entity sends back an authentication authentication request response message to the UE.
  • the authentication authentication request response message carries a D2D service temporary identifier and an authentication authentication parameter that are re-allocated by the first ProSe functional entity to the UE, and the UE saves the D2D service temporary identifier; the D2D The service temporary identifier may be used for authentication authentication of the D2D discovery service of the subsequent UE; ending the current process;
  • the first ProSe function entity sends a context acquisition request message to the HSS; specifically, the context acquisition request carries the IMSI of the UE;
  • the HSS searches for a UE corresponding to the UE according to an IMSI of the UE.
  • the context retrieval response message is sent back to the first ProSe function entity, where the context acquisition response message carries the UE context corresponding to the UE, and the UE context includes a UE authentication vector group; the first ProSe functional entity After obtaining the UE context, returning to step 403, the first ProSe functional entity passes the UE authentication and authentication according to the UE context, and is performed according to steps 404a to 405a;
  • the authentication authentication process between the UE and the first ProSe functional entity includes two cases: in the first case, the The UE is a UE that has not been assigned a temporary identifier of the D2D service. In the second case, the UE is a UE that has been assigned a temporary identifier of the D2D service.
  • Step 501 The UE determines whether there is an allocated D2D service temporary identifier, if not, step 502a, if yes, step 502c;
  • the UE may determine whether it has an allocated D2D service temporary identifier by detecting the value of the D2D service temporary identifier field; specifically, if the UE detects that the D2D service temporary identifier field is empty or is not a D2D service temporary If the identified field (such as the case of all bits 1 or 0), it may be determined that there is no allocated D2D service temporary identifier, and at this time, the processing is performed according to the first case; if the UE detects its own D2D service If the temporary identifier field is not empty and is a normal D2D service temporary identifier, it may be determined that the existing D2D service temporary identifier exists. At this time, the processing is performed according to the second case;
  • Step 502a The UE sends an authentication authentication request to the second ProSe functional entity.
  • the authentication authentication request carries a local PLMN identifier and an IMSI, and the D2D service temporary identifier in the authentication authentication request is Empty or a field temporarily identified by a non-D2D service (such as when all bits are 1 or 0);
  • Step 503a The second ProSe functional entity forwards the authentication authentication request to the first ProSe functional entity.
  • Step 504a The first ProSe functional entity determines whether the UE context exists, if yes, step 505a, if not, step 505b;
  • the first ProSe function entity searches for a corresponding UE context according to the IMSI, and the UE context includes a service parameter corresponding to the UE, and searching for a corresponding UE context according to the IMSI of the UE belongs to the prior art, where the If the corresponding UE context is found, step 505a-step 507a is performed; if not found, step 505b, 506b is performed;
  • Step 505b The first ProSe function entity sends a UE context acquisition request message to the HSS, where the UE context acquisition request message carries the IMSI of the UE;
  • Step 506b After the HSS authenticates the UE successfully, the HSS sends an authentication authentication response to the first ProSe functional entity.
  • the HSS finds the UE context corresponding to the UE, it sends a context acquisition response message to the first ProSe function entity, where the context acquisition response message carries the authentication vector parameter group corresponding to the user;
  • the process returns to step 503b, the first ProSe functional entity passes the authentication authentication of the UE according to the UE context, and is performed according to steps 504a-505a;
  • Step 505a The first ProSe functional entity allocates a D2D service temporary identifier to the UE.
  • the first ProSe functional entity allocates a D2D service temporary identifier to the UE, and the allocated D2D service temporary identifier may be used by the UE to perform D2D discovery for the next time. Authentication at the time of business;
  • Step 506a The first ProSe functional entity sends back an authentication authentication response to the second ProSe functional entity.
  • the authentication authentication response carries a D2D service temporary identifier allocated by the first ProSe functional entity to the UE, and a UE context corresponding to the UE, where the UE
  • the context includes an authentication vector parameter set.
  • Step 507a The second ProSe function entity sends an authentication authentication response message to the UE, where the authentication authentication response message carries the D2D service temporary identifier and the authentication authentication parameter that are re-allocated by the first ProSe functional entity to the UE.
  • the UE saves the D2D service temporary identifier; the D2D service temporary identifier may be used for authentication authentication when the UE performs the D2D discovery service next time; and ends the current process.
  • Step 502c The UE sends an authentication authentication request to the second ProSe functional entity, where the authentication authentication request carries a local PLMN identifier and a D2D service temporary identifier.
  • the configuration parameter delivered by the first ProSe functional entity to the UE does not include the D2D service temporary identifier, and the D2D service temporary identifier herein is actually the UE.
  • the D2D service temporary identifier allocated by the first ProSe functional entity to the UE after the last authentication authentication process is performed, and the D2D service temporary identifier itself may be used for the next authentication and authentication process of the UE; That is, before the process according to the first embodiment of the present invention starts, the allocated D2D service temporary identifier may already exist in the UE; therefore, the first ProSe functional entity is in the current process flow to the UE.
  • the configuration parameter that is delivered does not include the temporary ID of the D2D service allocated to the UE. It is also considered that for the UE that has obtained the temporary identifier of the D2D service in the last authentication and authentication process, if it is in this authentication, It is not necessary to directly allocate new D2D service temporary identifiers, and it will cause waste of resources;
  • Step 503c The second ProSe functional entity sends the authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries a local PLMN identifier and a D2D service temporary identifier.
  • Step 504c The first ProSe function entity searches for a corresponding UE context according to the D2D service temporary identifier, where the UE context includes a service parameter corresponding to the UE, and if found, the implementation Step 505c, if not found, step 505d;
  • the first ProSe functional entity has saved the correspondence between the temporary identifier of the D2D service and the IMSI of the UE, and the first ProSe is configured to obtain the D2D service temporary identifier.
  • the function entity may find the corresponding IMSI according to the received D2D service temporary identifier, and then search for the UE context corresponding to the IMSI according to the IMSI; if the corresponding UE context is found, perform steps 505c-507c; If not found, follow steps 505d, 506d;
  • Step 505d The first ProSe function entity sends a context acquisition request message to the HSS.
  • the context acquisition request message carries an IMSI of the UE
  • Step 506d After the HSS successfully authenticates the UE, the HSS sends an authentication authentication response to the first ProSe functional entity.
  • the HSS finds the UE context corresponding to the UE, it sends a context acquisition response message to the first ProSe function entity, where the context acquisition response message carries the authentication vector parameter group corresponding to the user;
  • the process returns to step 504c, where the first ProSe function entity passes the authentication authentication of the UE according to the UE context, and then executes according to steps 505c-507c;
  • Step 505c The first ProSe functional entity allocates a D2D service temporary identifier to the UE.
  • Step 506c The first ProSe functional entity sends back an authentication authentication response to the second ProSe functional entity.
  • the authentication authentication response carries a D2D service temporary identifier allocated by the first ProSe functional entity for the UE and a UE context corresponding to the UE, where the UE context includes an authentication vector parameter group.
  • Step 507c The second ProSe functional entity sends back an authentication request to the UE. Message
  • the authentication authentication request response message carries a D2D service temporary identifier and an authentication authentication parameter that are re-allocated by the first ProSe function entity to the UE, where the UE saves the D2D service temporary identifier; Identifying authentication authentication that can be used for subsequent D2D discovery services of the UE; ending the current process.
  • the D2D discovery service may be initiated according to the acquired D2D service temporary identifier, and the D2D discovery service processing flowchart is as shown in FIG. 6
  • the method includes the following steps:
  • Step 601 When the UE needs to initiate the D2D discovery service to the other one or more discovered UEs, the UE first needs to perform D2D discovery service authentication to the ProSe functional entity under the HPLMN, that is, the first ProSe functional entity; After the first ProSe functional entity establishes a secure connection, the first ProSe functional entity sends a discovery service request message, where the discovery service request message includes: a discovery service type and a D2D service temporary identifier.
  • the discovery service type includes: an announce, that is, a discovery request initiated by the UE; a monitor, that is, a discovery request initiated by the UE; a match, that is, the UE is found to be sent to the discoverable ProSe functional entity.
  • the matching report is as follows: the UE is found to be the UE that initiates the discovery service, and the discovered UE refers to the discovery object requested by the UE.
  • Step 602 The first ProSe functional entity searches and describes the D2D service temporary identifier according to the D2D service temporary identifier.
  • step 607 the process is completed according to steps 603-606, and then follow step 607;
  • Step 603 The first ProSe functional entity initiates an acquisition of an IMSI request to the UE.
  • Step 604 The UE sends back an IMSI response to the first ProSe functional entity, where the acquired IMSI response carries the UE Corresponding IMSI;
  • Step 605 The first ProSe functional entity queries whether the UE exists in the upper or lower according to the IMSI. If yes, the service is authenticated. If yes, go directly to step 608 to perform discovery service processing. If not, follow steps 606 and 607 to complete the process.
  • Step 606 The first ProSe functional entity performs authentication service authentication with the HSS, and the HSS establishes a new UE context for the UE, where the UE context includes a subscription parameter of the UE.
  • Step 607 If the request is found to be authenticated, the first ProSe functional entity initiates a corresponding discovery service flow to the ProSe functional entity in the local PLMN of the discovered UE according to the corresponding service type.
  • the first ProSe function entity When the service type is advertised, the first ProSe function entity sends a publish request message to the ProSe function entity under the local PLMN of the discovered UE, and the ProSe function entity under the local PLMN of the UE is found to be the first The ProSe function entity corresponds to the loopback advertisement request message. Similarly, when the service type is the interception, the first ProSe function entity sends a snoop request message to the ProSe function entity in the local PLMN of the discovered UE, and the UE is found. The ProSe function entity in the local PLMN sends a listen request response message to the first ProSe function entity.
  • the first ProSe function entity is sent to the local PLMN of the discovered UE.
  • the ProSe function entity sends a match request message, and the match is successful.
  • the ProSe function entity in the local PLMN of the UE is found to send a match request response message to the first ProSe function entity.
  • Step 608 After the service processing is found to be complete, the first ProSe function entity sends a discovery service request response message to the UE, where the message carries the D2D service temporary identifier allocated by the first ProSe function entity to the UE. After receiving the response, the UE completes the related radio resource allocation.
  • the D2D service temporary identifier may be: a ProSe functional entity identifier or a 32-bit (bit) unique parameter corresponding to one UE, and the parameters may be allocated in order or through a mathematical function. Discretely obtained;
  • the UE is again assigned a new D2D service temporary identifier, which is also an insecure factor that is easy to occur when the UE performs multiple authentication authentication using the same D2D service temporary identifier.
  • the D2D service temporary identifier of the UE is dynamically updated after each use, so that the D2D service temporary identifier used each time is different, and the security of the UE can be ensured.
  • the second embodiment of the present invention provides an authentication authentication method.
  • the method is shown in flowchart 7.
  • the method includes the following steps:
  • Step 701 The first ProSe function entity sends configuration parameters to the UE.
  • the configuration parameter that is sent by the first ProSe function entity to the UE may include a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or
  • the configuration parameter includes only a list of PLMN identifiers supported by the UE;
  • the D2D service temporary identifier may be a ProSe function entity identifier or a parameter corresponding to the UE, and the parameter may use any representation that can be used to uniquely identify a UE. Specifically, the D2D service temporary identifier is actually In the allocation, parameters may be allocated to the UE in order or randomly assigned to the UE by a mathematical function.
  • Step 702 After the first ProSe functional entity successfully authenticates the UE, the D2D service temporary identifier is allocated to the UE.
  • the first ProSe functional entity authenticates the UE, including:
  • the first ProSe function entity receives the authentication request sent by the second ProSe function entity, where the authentication authentication request carries the D2D service temporary identifier sent by the first ProSe function entity to the UE in step 601.
  • the first ProSe function entity searches for the UE context corresponding to the UE according to the D2D service temporary identifier; when the context corresponding to the UE is found, the The first ProSe function entity successfully authenticates the UE, and allocates a new D2D service temporary identifier to the UE, where the D2D service temporary identifier is used for authentication authentication when the UE initiates the next service discovery;
  • the first ProSe function entity initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the first ProSe function entity successfully authenticates the UE and allocates the UE to the UE. New D2D business temporary identification.
  • the first ProSe function entity that authenticates the UE further includes: the first ProSe function entity receiving an authentication authentication request sent by the second ProSe function entity, where the authentication authentication request is sent When carrying the IMSI or D2D service temporary identifier, the first ProSe performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier;
  • the D2D service temporary identifier in the authentication authentication request is different from the D2D service temporary identifier carried in the configuration parameter sent by the first ProSe function entity to the UE in step 601;
  • the configuration parameter that is sent by the first ProSe function entity to the UE does not carry the D2D service temporary identifier allocated to the UE. Therefore, the D2D service temporary identifier is actually the authentication authentication process before the UE.
  • the D2D service temporary identifier that has been obtained correspondingly, if the UE does not obtain the D2D service temporary identifier before, the UE will initiate an authentication authentication request to the second ProSe functional entity through the IMSI, in this case, When the second ProSe functional entity forwards the authentication authentication request to the ProSe functional entity under the HPLMN, only the IMSI of the UE is carried;
  • the performing, by the first ProSe, the UE authentication and authentication process according to the IMSI or the D2D service temporary identifier includes:
  • the first ProSe functional entity When the context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and allocates a new D2D service temporary identifier to the UE; In the corresponding context, the first ProSe function entity initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the first ProSe function entity successfully authenticates the UE, and returns an allocation to the UE. Temporary identification of D2D services;
  • the first ProSe functional entity encapsulates the D2D service temporary identifier in an authentication authentication response and returns the second ProSe functional entity, and the second ProSe functional entity forwards the authentication authentication response to the Said UE.
  • the method further includes:
  • the first ProSe function entity receives the discovery service request message sent by the UE; the discovery service request of the UE may be a discovery service request for one discovered UE, or may be a discovery service request for multiple discovered UEs.
  • the discovery service request message includes: a discovery service type and a D2D service temporary identifier; the first ProSe function entity authenticates the discovery request of the UE; if the request is found to obtain the authentication, the first ProSe function entity according to the corresponding The service type sends a corresponding discovery service flow to the ProSe of the local PLMN of the discovered UE. After the service processing is found, the first ProSe function entity sends a discovery service request response message to the UE, where the discovery service is sent.
  • the request response message carries the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • the first ProSe functional entity authenticates the discovery request of the UE, and includes:
  • the first ProSe function entity searches for a UE context related to the UE according to the D2D service temporary identifier, and when the context corresponding to the UE is found, the UE finds that the request is obtained for authentication; when the context corresponding to the UE is not found, the The first ProSe functional entity initiates an acquisition of an IMSI request to the UE; the UE sends back an IMSI response to the first ProSe functional entity, and carries an IMSI corresponding to the UE; the first ProSe functional entity queries according to the IMSI Whether there is a UE context, and when present, the UE finds that the request is obtained by the authentication; If not, the first ProSe functional entity performs discovery service authentication and authentication to the HSS, and establishes a new UE context, and the UE finds that the request is obtained.
  • the third embodiment of the present invention provides an authentication authentication method.
  • the method is shown in Figure 8.
  • the method includes the following steps:
  • Step 801 The UE receives the configuration parameter delivered by the first ProSe functional entity.
  • the configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the ProSe function entity to the UE, or the configuration parameter includes only the PLMN identifier list supported by the UE;
  • the D2D service temporary identifier may be a ProSe function entity identifier or a parameter corresponding to the UE, and the parameter may use any representation that can be used to uniquely identify a UE. Specifically, the D2D service temporary identifier is actually In the allocation, parameters may be allocated to the UE in order or randomly assigned to the UE by a mathematical function.
  • Step 802 The UE initiates an authentication and authentication process to the first ProSe functional entity according to the configuration parameter, and after receiving the authentication, the D2D service temporary identifier allocated by the first ProSe functional entity is received;
  • the method further includes: determining, by the UE, whether the local PLMN identifier is in the received PLMN identifier list, if yes, the UE is in the first
  • the second ProSe functional entity initiates an authentication authentication request.
  • the UE initiates authentication to the first ProSe function entity.
  • Certification request including:
  • the UE Sending, by the UE, an authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries a local PLMN identifier and a D2D service temporary identifier received by the UE; when the authentication authentication is successful, the UE receives The D2D allocated by the first ProSe functional entity to the UE Business temporary identification;
  • the UE initiates an authentication authentication request to the first ProSe functional entity, including:
  • the first ProSe functional entity performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier.
  • the method further includes:
  • the UE When the UE wishes to initiate a discovery request to one or more discovered UEs, the UE sends a discovery service request message to the first ProSe functional entity; the discovery service request message includes: a discovery service type and a D2D service temporary Identification
  • the UE When the first ProSe functional entity does not find the UE context corresponding to the UE according to the D2D service temporary identifier, the UE receives the acquiring IMSI request sent by the first ProSe functional entity, and according to the acquiring the IMSI request, The first ProSe functional entity returns an IMSI response, and the acquiring IMSI response carries an IMSI corresponding to the UE;
  • the UE After the service processing is completed, the UE receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • the fourth embodiment of the present invention provides a ProSe functional entity, which is a ProSe functional entity located under the HPLMN of the UE.
  • the basic structure is as shown in FIG. 9.
  • the ProSe functional entity includes: a configuration parameter delivery module. 91.
  • the configuration parameter sending module 91 is configured to send configuration parameters to the UE.
  • the authentication authentication module 92 is configured to perform authentication authentication on the UE, and trigger the temporary identifier allocation module 93 when the authentication authentication is successful. ;
  • the temporary identifier allocation module 93 when configured to be triggered by the authentication and authentication module 92, delivers a D2D service temporary identifier to the UE.
  • the configuration parameter that is sent by the configuration parameter sending module to the UE may include a PLMN identifier list supported by the UE and a temporary identifier of the D2D service allocated by the temporary identifier allocation module 93 to the UE, or
  • the configuration parameter includes only the PLMN identifier list supported by the UE. Therefore, the temporary identifier allocation module 93 is further configured to allocate the configuration parameter to the UE when the configuration parameter sending module 91 sends the configuration parameter to the UE.
  • the D2D service temporary identifier may be a ProSe functional entity identifier or a parameter corresponding to the UE uniquely, and the parameter may use any representation form that can be used to uniquely identify a UE; specifically, In the actual allocation of the D2D service temporary identifier, the parameters may be allocated to the UE in order or randomly allocated to the UE by a mathematical function.
  • the authentication and authentication module 92 performs authentication authentication on the UE, including:
  • the authentication authentication module 92 receives the authentication authentication request sent by the other ProSe functional entity, and the authentication authentication request carries the temporary identification of the D2D service delivered by the temporary identifier allocation module 93 to the UE.
  • the right authentication module 92 searches for the UE context corresponding to the UE according to the D2D service temporary identifier. When the context corresponding to the UE is found, the authentication authentication module 92 successfully authenticates the UE, and triggers the temporary identifier allocation module.
  • the authentication authentication module 92 assigning a new D2D service temporary identifier to the UE, where the D2D service temporary identifier is used for authentication authentication when the UE initiates the next service discovery; when the context corresponding to the UE is not found, the authentication authentication module 92
  • the UE context acquisition process is initiated to the HSS. After the UE context is successfully obtained, the authentication and authentication module 92 successfully authenticates the UE, and triggers the temporary identifier allocation module 93 to allocate a new D2D service temporary identifier to the UE.
  • the other ProSe functional entities may Refers to the ProSe functional entity under the LPLMN of the UE;
  • the authentication and authentication module 92 the authentication authentication of the UE, further includes: the authentication authentication module 92 receives an authentication authentication request sent by the other ProSe functional entity, when the authentication authentication request is When the IMSI or the D2D service temporary identifier is carried, the authentication and authentication module 92 performs the UE authentication and authentication process according to the IMSI or the D2D service temporary identifier.
  • the D2D service temporary identifier and the configuration in the authentication authentication request are performed.
  • the temporary identifier assigning module 93 allocates the D2D service temporary identifier to the UE, and the configuration parameter is sent to the UE.
  • the configuration parameter does not carry the D2D service temporary identifier allocated to the UE. Therefore, the D2D service temporary identifier is actually the temporary identifier of the D2D service that has been obtained in the authentication authentication process before the UE; The UE does not obtain the D2D service temporary identifier before, and the UE will initiate authentication to the ProSe functional entity under other PLMNs through the IMSI.
  • the request in this case, when the other ProSe functional entity forwards the authentication and authentication request to the authentication and authentication module 92, only the IMSI of the UE is carried;
  • the authentication and authentication module 92 performs the UE authentication and authentication process according to the IMSI or the D2D service temporary identifier, and includes:
  • the authentication and authentication module 92 searches for a UE context corresponding to the UE according to the IMSI or D2D service temporary identifier.
  • the authentication and authentication module 92 When the context corresponding to the UE is found, the authentication and authentication module 92 successfully authenticates the UE, and triggers the temporary identifier allocation module 93 to allocate a new D2D service temporary identifier to the UE; In the corresponding context, the authentication and authentication module 92 initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the authentication and authentication module 92 successfully authenticates the UE, and triggers the temporary identifier allocation module 93. Allocating a new D2D service temporary identifier to the UE;
  • the authentication and authentication module 92 encapsulates the D2D service temporary identifier in the authentication.
  • the authentication response is returned to the other ProSe functional entity, and the authentication authentication response is forwarded by the other ProSe functional entity to the UE.
  • the ProSe functional entity further includes: a discovery request authentication module 94 and a discovery service processing module 95;
  • the discovery request authentication module 94 is configured to receive the discovery service request of the UE, and perform authentication on the discovery service request of the UE, where the discovery service request includes: a discovery service type and a D2D service temporary identifier; After the discovery service request of the UE is successfully authenticated, the discovery service processing module 65 is triggered;
  • the discovery service processing module 95 is configured to perform discovery service processing for the UE when triggered by the discovery request authentication module 94, and return a discovery service response message to the UE after the discovery service processing is completed, the discovery service
  • the response message carries the D2D service temporary identifier allocated by the temporary identifier allocation module 93 for the UE.
  • the discovery request authentication module 94 authenticates the discovery service request of the UE, including: the discovery request authentication module 94 searches for a UE context related to the UE according to the D2D service temporary identifier, and when the context corresponding to the UE is found, , requesting that the UE finds that the authentication is successful;
  • the discovery request authentication module 94 initiates an acquisition of the IMSI request to the UE.
  • the discovery request authentication module 94 queries whether the UE exists according to the IMSI carried in the IMSI response returned by the UE. Context, when present, the request for the UE to discover that the authentication is successful;
  • the discovery request authentication module 94 performs discovery service authentication and authentication on the HSS, and establishes a new UE context, and the UE is found to request authentication success.
  • the configuration parameter sending module may be implemented by a transmitter in the ProSe functional entity; the authentication authentication module, the discovery request authentication module, the temporary identifier allocation module, and the discovery service processing module Central processor in the ProSe functional entity (CPU, Central Processing Unit), Digital Signal Processor (DSP) or Field-Programmable Gate Array (FPGA) are implemented in combination with transceivers.
  • CPU Central Processing Unit
  • DSP Digital Signal Processor
  • FPGA Field-Programmable Gate Array
  • the sixth embodiment of the present invention provides a UE.
  • the UE includes: a configuration parameter receiving module 101 and an authentication authentication request sending module 102.
  • the configuration parameter receiving module 101 is configured to receive a configuration parameter that is sent by the first ProSe functional entity; the authentication authentication request sending module 102 is configured to initiate an authentication authentication process to the first ProSe functional entity; The receiving module 101 is further configured to: after the authentication of the first ProSe functional entity is successful, receive the D2D service temporary identifier allocated by the first ProSe functional entity.
  • the configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the configuration parameter includes only a list of PLMN identifiers supported by the UE. .
  • the UE further includes a determining module 103, where the determining module 103 is configured to determine, before the authentication authentication request sending module 102 initiates an authentication and authentication process to the first ProSe functional entity, Whether the local PLMN identifier exists in the received PLMN identifier list, the trigger authentication authentication request sending module 102 sends an authentication authentication request to the second ProSe functional entity.
  • the authentication authentication request sending module The initiating an authentication process for the first ProSe functional entity, including:
  • the authentication authentication request sending module 102 sends an authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries a local PLMN identifier and the configuration parameter receiving module The D2D service temporary identifier received by the block 101.
  • the configuration parameter receiving module 101 receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • the authentication authentication request sending module 102 initiates an authentication authentication request to the first ProSe functional entity, including:
  • the authentication authentication request sending module 102 sends an authentication authentication request to the second ProSe functional entity, where the authentication authentication request carries an IMSI or D2D service temporary identifier;
  • the first ProSe functional entity performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier.
  • the authentication authentication request sending module 102 initiates an authentication authentication request to the first ProSe functional entity.
  • the authentication authentication request sending module 102 first determines whether the existing D2D service temporary identifier exists, and determines the authentication initiated by the first ProSe functional entity according to the specific situation of whether the D2D service temporary identifier exists.
  • the parameter carried in the authentication request specifically, if the existing D2D service temporary identifier does not exist, the authentication request initiated by the first ProSe functional entity carries only the IMSI; if the existing D2D service exists Transmitting the D2D service temporary identifier in the authentication authentication request and sending the identifier to the first ProSe functional entity;
  • the UE further includes: a discovery service requesting module 104 and a request processing module 105.
  • the discovery service requesting module 104 is configured to send a discovery service request message to the first ProSe functional entity; the discovery service request message includes : discovering the service type and the D2D service temporary identifier; the discovery service request message may be a D2D discovery service for one UE. The request may also be a D2D discovery service request for multiple UEs;
  • the request processing module 105 is configured to receive the IMSI request sent by the first ProSe functional entity, and according to The acquiring an IMSI request returns an IMSI response to the first ProSe, where the acquiring an IMSI response carries an IMSI corresponding to the UE;
  • the configuration parameter receiving module 101 receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • the configuration parameter receiving module may be implemented by a receiver in the UE; the authentication authentication request sending module and the request processing module may be implemented by a CPU, a DSP or an FPGA in the UE in combination with the transceiver; the determining module may be implemented by the UE.
  • CPU, DSP or FPGA implementation; the discovery service request module can be implemented by a transmitter in the UE.
  • the fifth embodiment of the present invention provides an authentication and authentication system, and the system structure diagram is as shown in FIG. 11.
  • the system includes: a first ProSe functional entity 111 and a user equipment UE 112;
  • the first ProSe functional entity 111 is configured to send configuration parameters to the UE, and is configured to allocate a D2D service temporary identifier to the UE after the UE is successfully authenticated by the UE;
  • the UE 112 is configured to send an authentication authentication process to the first ProSe functional entity 111 according to the configuration parameter.
  • the first ProSe function entity 111 sends configuration parameters to the UE 112, including: the first ProSe function entity 111, the PLMN identifier list supported by the UE 112, and the first ProSe function 111 entity.
  • the D2D service temporary identifier allocated to the UE 112 or the PLMN identifier list supported by the UE 112 is sent to the UE 112 as a configuration parameter.
  • the UE 112 is further configured to: before determining whether the local PLMN identifier exists in the received PLMN identifier list, before the authentication authentication process is initiated to the first ProSe functional entity 111 according to the configuration parameter, Sending to the first ProSe functional entity 111 The authentication request is initiated.
  • the UE 112 When the configuration parameters received by the UE 112 include the PLMN identifier list supported by the UE 112 and the D2D service temporary identifier allocated by the first ProSe function entity 111 to the UE 112, the UE 112 goes to the A ProSe functional entity 111 initiates an authentication process, including:
  • the UE 112 sends an authentication request to the second ProSe functional entity, where the authentication authentication request carries the local PLMN identifier and the D2D service temporary identifier received by the UE 112; the second ProSe functional entity goes to the first The ProSel ll functional entity forwards the authentication authentication request;
  • the first ProSe functional entity 111 searches for a UE context corresponding to the UE 112 according to the D2D service temporary identifier.
  • the first ProSe functional entity 111 When the context corresponding to the UE 112 is found, the first ProSe functional entity 111 successfully authenticates the UE 112, and returns an allocated D2D service temporary identifier to the UE 112.
  • the first ProSe function entity 111 When the context corresponding to the UE 112 is not found, the first ProSe function entity 111 initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the first ProSe function entity 111 successfully authenticates the UE 112. And returning the allocated D2D service temporary identifier to the UE 112.
  • the UE 112 initiates an authentication process to the first ProS function entity el 11 , including:
  • the UE 112 sends an authentication authentication request to the second ProSe functional entity, where the authentication authentication request carries an IMSI or D2D service temporary identifier;
  • the second ProSe functional entity forwards the authentication authentication request to the first ProSe functional entity 111;
  • the first ProSel functional entity performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier.
  • the UE 112 First, it is determined whether the existing D2D service temporary identifier exists, and the parameter carried in the authentication authentication request initiated by the first ProSe functional entity 111 is determined according to the specific situation of whether the D2D service temporary identifier exists.
  • the authentication request sent to the first ProSe functional entity 111 carries only the IMSI; if the existing D2D service temporary identifier exists, the The D2D service temporary identifier is carried in the authentication authentication request and sent to the first ProSe functional entity 111;
  • the first ProSe functional entity 111 performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier, and includes:
  • the first ProSe functional entity 111 searches for a UE context corresponding to the UE 112 according to the IMSI or D2D service temporary identifier;
  • the first ProSe functional entity When the context corresponding to the UE 112 is found, the first ProSe functional entity successfully authenticates the UE 112, and returns an allocated D2D service temporary identifier to the UE 112; In the context, the first ProSe function entity 111 initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the first ProSe function entity 111 successfully authenticates the UE 112 and returns an allocation to the UE 112. D2D business temporary identifier.
  • the UE 112 is further configured to send a discovery service request message to the first ProSe functional entity 111;
  • the message may be a D2D discovery service request for one UE, or may be a D2D discovery service request for multiple UEs; the discovery service
  • the request message includes: a discovery service type and a temporary identifier of the D2D service;
  • the first ProSe functional entity 111 is further configured to authenticate the discovery request of the UE 112; if it is found that the authentication is requested, the first ProSe functional entity 111 according to the corresponding service type to the ProSe under the local PLMN of the discovered UE. Initiating a corresponding discovery service process; the first ProSe function entity 111 sends a discovery service response message to the UE 112, and the message carries the first ProSe function entity 111 as the UE 112.
  • the assigned D2D service temporary identifier is further configured to authenticate the discovery request of the UE 112; if it is found that the authentication is requested, the first ProSe functional entity 111 according to the corresponding service type to the ProSe under the local PLMN of the discovered UE. Initiating a corresponding discovery service process; the first ProSe function entity 111 sends a discovery service response message to the UE 112, and the message carries the first ProSe function entity 111 as the UE 112.
  • the first ProSe functional entity 111 authenticates the discovery request of the UE 112, including:
  • the first ProSe functional entity 111 searches for a UE context related to the UE 112 according to the D2D service temporary identifier, and when the context corresponding to the UE 112 is found, the UE 112 finds that the request is obtained for authentication;
  • the first ProSe functional entity 111 initiates an acquisition of an IMSI request to the UE 112; the UE 112 returns an acquisition IMSI response to the first ProSe functional entity 111, and obtains an IMSI response. Carrying the IMSI corresponding to the UE 112; the first ProSe function entity 111 queries whether the UE context exists according to the IMSI, and when present, the UE 112 finds that the request is obtained for authentication;
  • the first ProSe functional entity 111 performs discovery service authentication authentication to the HSS, and establishes a new UE context, and the UE 112 finds that the request is obtained for authentication.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment of a combination of software and hardware. Moreover, the invention can be embodied in the form of a computer program product embodied on one or more computer usable storage media (including but not limited to disk storage and optical storage, etc.) including computer usable program code.
  • the present invention is directed to a method, apparatus (system), and computer program in accordance with an embodiment of the present invention.
  • the flow chart and/or block diagram of the product is described. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG.
  • These computer program instructions can be provided to a general purpose computer, a special purpose computer, an embedded processor or other programmable data processing device processor to produce a machine such that a flow or a block diagram of a flow or a block diagram or A device that has multiple functions specified in the box.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
  • the apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device.
  • the instructions provide steps for implementing the functions specified in one or more of the flow or in a block or blocks of a flow diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed is an authentication method. The method comprises: a first proximity-based service (ProSe) functional entity delivering a configuration parameter to a user equipment (UE); and the UE initiating an authentication process to the first ProSe functional entity according to the configuration parameter, and after the first ProSe functional entity successfully authenticates the UE, the first ProSe functional entity allocating a D2D service temporary identifier to the UE. Also disclosed are an authentication system, the UE, and the ProSe functional entity.

Description

一种鉴权认证方法和系统、 ProSe功能实体以及 UE 技术领域  Authentication authentication method and system, ProSe functional entity and UE technical field
本发明涉及移动通信领域, 具体涉及一种鉴权认证的方法和系统、 基 于距离的业务( ProSe, Proximity-based Services ) 功能实体以及用户设备 ( UE, User Equipment ) 。 背景技术  The present invention relates to the field of mobile communications, and specifically relates to a method and system for authenticating authentication, a functional entity based on distance (ProSe), and a user equipment (UE, User Equipment). Background technique
为了保持第三代移动通信系统在通信领域的竟争力, 并为用户提供速 率更快、 时延更低、 更加个性化的移动通信服务, 同时, 为了降低运营商 的运营成本,第三代合作伙伴计划( 3GPP, 3rd Generation Partnership Project ) 标准工作组正致力于演进分组系统( EPS, Evolved Packet System )的研究。 整个 EPS包括无线接入网 ( E-UTRAN, Evolved Universal Terrestrial Radio Access Network )和移动核心网 ( EPC, Evolved Packet Core Networking ) , 其中, EPC包含了归属用户服务器(HSS, Home Subscriber Server )、 移动 性管理实体 ( MME, Mobility Management Entity ) 、 服务 GPRS支持节点 ( SGSN, Serving GPRS Support Node ) , 策略计费规则功能( PCRF, Policy and Charging Rule Function )、 月良务网关( S-GW, Serving Gateway )、 分组 数据网关 (P-GW, PDN Gateway ) 和分组数据网络(PDN, Packet Data Network ) 。  In order to maintain the competitiveness of the third generation mobile communication system in the field of communication, and to provide users with faster, less delayed, more personalized mobile communication services, and at the same time, in order to reduce the operator's operating costs, the third generation The 3GPP, 3rd Generation Partnership Project (Standard Working Group) is working on the Evolved Packet System (EPS). The entire EPS includes an E-UTRAN (Evolved Universal Terrestrial Radio Access Network) and an Evolved Packet Core Networking (EPC), where the EPC includes a Home Subscriber Server (HSS), mobility. Management entity (MME, Mobility Management Entity), Serving GPRS Support Node (SGSN), Policy and Charging Rule Function (PCRF, Policy and Charging Rule Function), S-GW, Serving Gateway , Packet Data Gateway (P-GW, PDN Gateway) and Packet Data Network (PDN).
当两个 UE通过 EPS进行通信时, 两个 UE需要分别与 EPS建立承载。 但是考虑到 UE以及各种移动互联网业务的快速发展,很多业务希望能够发 现临近的 UE 并且进行通信, 因此催生了设备到设备(D2D, Device to Device ) 业务, D2D业务还被称为 ProSe。 在 D2D业务中, 当两个 UE位 置比较接近的时候, 可以直接通信, 其连接的数据路径可以不绕回到核心 网, 这样, 一方面可以减少数据路由的迂回, 另一方面也能够减少网络数 据负荷。 因此, D2D业务已得到了很多运营商的重视。 When two UEs communicate through the EPS, the two UEs need to establish bearers with the EPS respectively. However, considering the rapid development of the UE and various mobile Internet services, many services hope to discover neighboring UEs and communicate with each other, thus spawning a device-to-device (D2D) service, which is also called ProSe. In the D2D service, when the two UEs are relatively close, they can communicate directly, and the connected data path can be bypassed to the core. Network, in this way, on the one hand can reduce the detour of data routing, on the other hand can also reduce the network data load. Therefore, D2D services have received the attention of many operators.
目前, 常用的 D2D业务有 D2D发现业务, D2D发现业务的通信架构 如图 1所示, D2D接入的两个 UE只能通过 E-UTRAN接入 EPC, 两个 UE 可以都属于一个公用陆地移动网络( PLMN, Public Land Mobile Network ) 或者分属于两个 PLMN; 对于一个 UE, PLMN 可以分为归属的 PLMN At present, the commonly used D2D service has a D2D discovery service, and the communication architecture of the D2D discovery service is as shown in FIG. 1. The two UEs accessed by the D2D can only access the EPC through the E-UTRAN, and both UEs can belong to one public land mobile. The network (PLMN, Public Land Mobile Network) is divided into two PLMNs; for one UE, the PLMN can be divided into the belonging PLMNs.
( HPLMN, Home PLMN )和当该 UE 从其它的 PLMN接入时的拜访的 PLMN ( VPLMN, Visited PLMN ) ; 对于 UE当前所处区域的 PLMN可以 统称为本地的公用陆地移动网络( LPLMN, Local PLMN ), 无论该本地的 PLMN是 HPLMN还是 VPLMN。 为了实现 D2D发现业务, 在运营商侧不 仅仅部署了 EPS , 还包括部署 D2D 发现业务的 ProSe 应用服务器(HPLMN, Home PLMN) and visited PLMN (VPLMN, Visited PLMN) when the UE accesses from other PLMNs; PLMNs for the region in which the UE is currently located may be collectively referred to as local public land mobile networks (LPLMN, Local PLMN) ), whether the local PLMN is HPLMN or VPLMN. In order to implement the D2D discovery service, not only the EPS is deployed on the carrier side, but also the ProSe application server that deploys the D2D discovery service.
( Application Server ), ProSe应用服务器可以由运营 D2D业务的业务提供 商提供, 也可以由运营 EPS 的网络运营商提供, 在不同 PLMN还部署了 ProSe功能实体( ProSe Function ) 。 (Application Server), the ProSe application server can be provided by the service provider that operates the D2D service, or can be provided by the network operator that operates the EPS, and the ProSe Function Entity (ProSe Function) is also deployed in different PLMNs.
在 D2D发现业务通信架构中, 由于 UE提供相关的 ProSe应用 (APP, Application ), 其和 ProSe应用服务器的接口为 PC1接口, 提供相关认证功 能。 UE与 UE之间的接口为 PC5, 用于 UE之间的相互直接发现和通信, 而 UE与 ProSe功能实体之间的接口是 PC3, 用于通过网络的发现认证。  In the D2D discovery service communication architecture, since the UE provides the related ProSe application (APP, Application), the interface with the ProSe application server is a PC1 interface, and the related authentication function is provided. The interface between the UE and the UE is PC5, which is used for mutual direct discovery and communication between the UEs, and the interface between the UE and the ProSe functional entity is PC3, which is used for discovery and authentication through the network.
ProSe功能实体与现有 EPC之间的接口是 PC4, 包含与 P-GW的用户面接 口和与 HSS的控制面接口, 用于 D2D发现业务发现认证。 ProSe功能实体 与 ProSe应用服务器的接口为 PC2, 用于 D2D发现业务的应用实现。 ProSe 功能实体与 pr0Se功能实体分别有 PC6和 PC7接口, 分别用于 UE在漫游 和非漫游的两种情况, UE漫游时为 PC7接口, UE非漫游时是为 PC6接口, 这两个接口用于 UE进行 D2D发现业务时执行两个 ProSe功能实体之间的 信息交互。 图 2为现有技术中 UE实现 D2D发现业务的流程图, 包括以下步骤: 步骤 201、当 UE需要向其它一个或者多个被发现 UE发起 D2D发现业 务时, UE首先需要向自身的 HPLMN下的 ProSe功能实体进行 D2D发现 业务认证; 具体的, UE和 HPLMN下的 ProSe功能实体建立安全连接后, 向 HPLMN下的 ProSe功能实体发送发现业务请求消息,所述发现业务请求 消息包含发现业务类型以及用户标识, 所述用户标识为国际移动用户识别 码 ( IMSI, International Mobile Subscriber Identification Number )或者移动 台国际 ISDN号码( MSISDN, Mobile Station international ISDN number ) , 其中 ISDN为综合业务数字网 ( Integrated Services Digital Network ) ; The interface between the ProSe functional entity and the existing EPC is PC4, which includes a user plane interface with the P-GW and a control plane interface with the HSS for D2D discovery service discovery authentication. The interface between the ProSe functional entity and the ProSe application server is PC2, which is used for application implementation of the D2D discovery service. ProSe p r0 Se functional entity functional entities respectively PC6 and PC7 interfaces, respectively, for both cases the UE roaming and non-roaming, the UE is roaming interfaces PC7, the UE is not roaming PC6 interfaces, two interfaces The information interaction between two ProSe functional entities is performed when the UE performs the D2D discovery service. 2 is a flowchart of a D2D discovery service implemented by a UE in the prior art, including the following steps: Step 201: When a UE needs to initiate a D2D discovery service to another one or more discovered UEs, the UE first needs to go to its own HPLMN. The ProSe function entity performs the D2D discovery service authentication. Specifically, after the UE and the ProSe functional entity under the HPLMN establish a secure connection, the UE sends a discovery service request message to the ProSe functional entity under the HPLMN, where the discovery service request message includes the discovery service type and the user. The user identifier is an International Mobile Subscriber Identification Number (IMSI) or a Mobile Station International ISDN Number (MSISDN), where the ISDN is an Integrated Services Digital Network. ;
所述发现业务类型有: 公布( announce ), 即被发现 UE发起的发现请 求; 监听(monitor ) , 即发现 UE发起的发现请求; 匹配 (match ) , 即发 现 UE向能够发现的 ProSe功能实体发送匹配报告。  The discovery service type includes: an announce, that is, a discovery request initiated by the UE; a monitor, that is, a discovery request initiated by the UE; a match, that is, the UE is found to be sent to the discoverable ProSe functional entity. Match the report.
步骤 202、 HPLMN下的 ProSe功能实体对 UE执行发现业务认证流程, 这里, 按照现有的技术方案执行 UE的发现业务认证; 当 UE的发现请求获 得认证后,转至步骤 203由 HPLMN下的 ProSe功能实体为 UE向其它一个 或者多个被发现 UE发起对应的发现业务流程;  Step 202: The ProSe function entity in the HPLMN performs a discovery service authentication process on the UE. Here, the discovery service authentication of the UE is performed according to the existing technical solution. After the discovery request of the UE is obtained, the process proceeds to step 203 by using the ProSe under the HPLMN. The function entity initiates a corresponding discovery service process for the UE to the other one or more discovered UEs;
步骤 203、 HPLMN下的 ProSe功能实体根据对应的业务类型向一个或 者多个被发现 UE的本地的 PLMN下的 ProSe功能实体发起对应的发现业 务流程。  Step 203: The ProSe functional entity in the HPLMN initiates a corresponding discovery service flow to the ProSe functional entity in the local PLMN of the one or more discovered UEs according to the corresponding service type.
当业务类型为公布时,则 HPLMN下的 ProSe功能实体向被发现 UE的 本地的 PLMN下的 ProSe功能实体发送公布请求消息, 被发现 UE的本地 的 PLMN下的 ProSe功能实体向 HPLMN下的 ProSe功能实体对应的回送 公布响应消息; 同理; 当业务类型为监听时, 则 HPLMN下的 ProSe功能实 体向被发现 UE的本地的 PLMN下的 ProSe功能实体发送监听请求消息, 被发现 UE的本地的 PLMN下的 ProSe功能实体向 HPLMN下的 ProSe功能 实体回送监听响应消息;同理,当业务类型为匹配时,则 HPLMN下的 ProSe 功能实体向被发现 UE的本地的 PLMN下的 ProSe功能实体发送匹配请求 消息,匹配成功,被发现 UE的本地的 PLMN下的 ProSe功能实体向 HPLMN 下的 ProSe功能实体回送匹配响应消息。 When the service type is published, the ProSe function entity under the HPLMN sends a publish request message to the ProSe function entity in the local PLMN of the discovered UE, and the ProSe function entity in the local PLMN of the UE is found to be the ProSe function under the HPLMN. The echo response advertisement message corresponding to the entity; the same; when the service type is the interception, the ProSe functional entity under the HPLMN sends a snoop request message to the ProSe functional entity under the local PLMN of the discovered UE, and the local PLMN of the UE is found. ProSe function entity under the ProSe function under HPLMN The entity sends back the interception response message. Similarly, when the service type is matched, the ProSe function entity in the HPLMN sends a match request message to the ProSe function entity in the local PLMN of the discovered UE. The match is successful, and the UE is found locally. The ProSe functional entity under the PLMN sends a matching response message to the ProSe functional entity under the HPLMN.
步骤 204、 当 D2D发现业务处理完成后, HPLMN下的 ProSe功能实体 向发起发现业务的 UE回送相应的发现业务请求响应消息,所述 UE完成相 关的无线资源分配。  Step 204: After the D2D discovery service is processed, the ProSe function entity in the HPLMN sends a corresponding discovery service request response message to the UE that initiates the discovery service, and the UE completes the related radio resource allocation.
在现有技术中, MSISDN参数仅仅由 HSS签约, 可以下载到 EPC的控 制网元, UE中一般没有签约的 MSISDN参数, 但是 UE中的 MSISDN参 数可以由用户随意配置, 这种情况下, 如果配置了错误的 MSISDN, 将导 致发现业务请求出错; 另外, 如果釆用 IMSI实现认证鉴权, 则会使 IMSI 暴露在发现业务请求消息中, 这将导致用户的隐私信息暴露, 增加用户被 攻击者攻击的风险。 发明内容  In the prior art, the MSISDN parameter is only signed by the HSS and can be downloaded to the control network element of the EPC. The UE generally does not have the signed MSISDN parameter, but the MSISDN parameter in the UE can be arbitrarily configured by the user. In this case, if configured The wrong MSISDN will cause an error in the discovery service request. In addition, if the IMSI is used for authentication authentication, the IMSI will be exposed in the discovery service request message, which will expose the user's private information and increase the user's attack by the attacker. risks of. Summary of the invention
为了解决现有技术存在的问题, 本发明实施例期望提供一种鉴权认证 的方法和系统、 ProSe功能实体以及 UE。  In order to solve the problems in the prior art, embodiments of the present invention are expected to provide a method and system for authentication authentication, a ProSe functional entity, and a UE.
本发明实施例的技术方案是这样实现的:  The technical solution of the embodiment of the present invention is implemented as follows:
本发明实施例提供的一种鉴权认证方法, 所述方法包括:  An authentication authentication method provided by an embodiment of the present invention includes:
第一 ProSe功能实体向 UE下发配置参数; 所述 UE根据所述配置参数 向所述第一 ProSe功能实体发起鉴权认证过程,所述第一 ProSe功能实体对 所述 UE鉴权认证成功后, 向所述 UE分配 D2D业务临时标识。  The first ProSe function entity sends a configuration parameter to the UE; the UE initiates an authentication and authentication process to the first ProSe function entity according to the configuration parameter, and the first ProSe function entity successfully authenticates the UE after the authentication is successful. And allocating a D2D service temporary identifier to the UE.
上述方案中, 所述配置参数包括所述 UE支持的 PLMN标识列表和所 述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识, 或者所述配 置参数仅包括所述 UE支持的 PLMN标识列表。  In the above solution, the configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the configuration parameter includes only the PLMN identifier supported by the UE. List.
上述方案中, 所述第一 ProSe功能实体对所述 UE鉴权认证之前, 所述 方法还包括: In the above solution, before the first ProSe functional entity authenticates the UE, the The method also includes:
所述 UE确定本地 PLMN标识在接收到的 PLMN标识列表中, 向第二 ProSe功能实体发起鉴权认证请求。  The UE determines that the local PLMN identity initiates an authentication authentication request to the second ProSe functional entity in the received PLMN identity list.
上述方案中, 当所述 UE收到的配置参数包括所述 UE支持的 PLMN 标识列表以及所述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标 识时,所述 UE根据所述配置参数向所述第一 ProSe功能实体发起鉴权认证 过程, 包括:  In the above solution, when the configuration parameters received by the UE include the PLMN identifier list supported by the UE and the D2D service temporary identifier allocated by the first ProSe function entity to the UE, the UE is configured according to the configuration parameter. Initiating an authentication and authentication process to the first ProSe functional entity, including:
所述 UE向第二 ProSe功能实体发送鉴权认证请求,所述鉴权认证请求 携带本地 PLMN标识以及所述 UE收到的 D2D业务临时标识;  The UE sends an authentication request to the second ProSe function entity, where the authentication authentication request carries the local PLMN identifier and the D2D service temporary identifier received by the UE;
所述第二 ProSe功能实体向所述第一 ProSe功能实体转发所述鉴权认证 请求;  Transmitting, by the second ProSe functional entity, the authentication authentication request to the first ProSe functional entity;
所述第一 ProSe功能实体根据所述 D2D业务临时标识查找所述 UE对 应的 UE上下文;  The first ProSe functional entity searches for a UE context corresponding to the UE according to the D2D service temporary identifier;
当查找到所述 UE对应的 UE上下文时, 所述第一 ProSe功能实体对所 述 UE鉴权认证成功, 向所述 UE返回分配的 D2D业务临时标识;  When the UE context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and returns an allocated D2D service temporary identifier to the UE.
当没有查找到所述 UE对应的上下文时, 所述第一 ProSe功能实体向 HSS发起所述 UE的 UE上下文获取过程, 所述 UE上下文获取成功后, 所 述第一 ProSe功能实体对所述 UE鉴权认证成功, 向所述 UE返回分配的 D2D业务临时标识。  When the context corresponding to the UE is not found, the first ProSe function entity initiates a UE context acquisition process of the UE to the HSS, and after the UE context is successfully obtained, the first ProSe function entity is used by the UE. The authentication succeeds, and the allocated D2D service temporary identifier is returned to the UE.
上述方案中, 当所述 UE收到的配置参数仅包括所述 UE支持的 PLMN 标识列表时,所述 UE根据所述配置参数向所述第一 ProSe功能实体发起鉴 权认证过程, 包括:  In the above solution, when the configuration parameter received by the UE includes only the PLMN identifier list supported by the UE, the UE initiates an authentication process to the first ProSe function entity according to the configuration parameter, including:
所述 UE向第二 ProSe功能实体发送鉴权认证请求,所述鉴权认证请求 携带国际移动用户识别码 IMSI或 D2D业务临时标识;  Sending, by the UE, an authentication authentication request to the second ProSe functional entity, where the authentication authentication request carries an international mobile subscriber identity code IMSI or a D2D service temporary identifier;
所述第二 ProSe 功能实体将所述鉴权认证请求转发给所述第一 ProSe 功能实体; Transmitting, by the second ProSe functional entity, the authentication authentication request to the first ProSe Functional entity
所述第一 ProSe功能实体根据所述 IMSI或 D2D业务临时标识执行 UE 鉴权认证过程。  The first ProSe functional entity performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier.
上述方案中, 所述第一 ProSe功能实体根据所述 IMSI或 D2D业务临 时标识执行 UE鉴权认证过程, 包括:  In the above solution, the first ProSe functional entity performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier, and includes:
所述第一 ProSe功能实体根据所述 IMSI或 D2D业务临时标识查找与 所述 UE相对应的 UE上下文;  The first ProSe functional entity searches for a UE context corresponding to the UE according to the IMSI or D2D service temporary identifier;
当查找到所述 UE对应的 UE上下文时, 所述第一 ProSe功能实体对所 述 UE鉴权认证成功, 向所述 UE返回分配的 D2D业务临时标识;  When the UE context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and returns an allocated D2D service temporary identifier to the UE.
当没有查找到所述 UE对应的上下文时, 所述第一 ProSe功能实体向 HSS发起 UE上下文获取过程, UE上下文获取成功后, 所述第一 ProSe功 能实体对 UE鉴权认证成功, 向所述 UE返回分配的 D2D业务临时标识。  When the context corresponding to the UE is not found, the first ProSe functional entity initiates a UE context acquisition process to the HSS, and after the UE context is successfully obtained, the first ProSe functional entity successfully authenticates the UE, to the The UE returns the assigned D2D service temporary identifier.
上述方案中, 所述第一 ProSe功能实体向 UE分配 D2D业务临时标识 后, 所述方法还包括:  In the foregoing solution, after the first ProSe function entity allocates the D2D service temporary identifier to the UE, the method further includes:
所述 UE向所述第一 ProSe功能实体发送发现业务请求消息;所述发现 业务请求消息包括: 发现业务类型和 D2D业务临时标识;  The UE sends a discovery service request message to the first ProSe function entity; the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
所述第一 ProSe功能实体对所述 UE的发现请求进行认证;  The first ProSe functional entity authenticates the discovery request of the UE;
发现请求获得认证后,所述第一 ProSe功能实体根据对应的业务类型发 起对应的发现业务流程;  After the discovery request is authenticated, the first ProSe functional entity initiates a corresponding discovery service process according to the corresponding service type;
当发现业务处理完成后,所述第一 ProSe功能实体向所述 UE回送发现 业务请求响应消息,所述消息携带所述第一 ProSe功能实体为所述 UE分配 的 D2D业务临时标识。  After the service processing is completed, the first ProSe function entity sends a discovery service request response message to the UE, where the message carries the D2D service temporary identifier allocated by the first ProSe function entity to the UE.
上述方案中,所述第一 ProSe功能实体对所述 UE的发现请求进行认证, 包括:  In the foregoing solution, the first ProSe function entity that authenticates the discovery request of the UE includes:
所述第一 ProSe功能实体根据 D2D业务临时标识查找与所述 UE相关 的 UE上下文, 当查找到 UE对应的 UE上下文时, 所述 UE发现请求获得 认证; The first ProSe functional entity searches for the UE according to the D2D service temporary identifier search UE context, when the UE context corresponding to the UE is found, the UE finds that the request is obtained for authentication;
当没有查找到所述 UE对应的 UE上下文时, 所述第一 ProSe功能实体 向所述 UE发起获取 IMSI请求; 所述 UE向所述第一 ProSe功能实体回送 获取 IMSI响应, 并携带所述 UE对应的 IMSI; 所述第一 ProSe功能实体根 据 IMSI查询是否存在与所述 UE对应的 UE上下文, 存在时, 所述 UE发 现请求获得认证;  When the UE context corresponding to the UE is not found, the first ProSe functional entity initiates an acquisition of an IMSI request to the UE; the UE sends back an IMSI response to the first ProSe functional entity, and carries the UE. Corresponding IMSI; the first ProSe function entity queries whether there is a UE context corresponding to the UE according to the IMSI, and when the UE exists, the UE finds that the request is obtained by the UE;
如果不存在,所述第一 ProSe功能实体向 HSS进行发现业务认证鉴权, 所述 HSS为所述 UE建立新的 UE上下文, 所述 UE发现请求获得认证。  If not present, the first ProSe functional entity performs discovery service authentication authentication to the HSS, the HSS establishes a new UE context for the UE, and the UE finds that the request is obtained.
本发明实施例提供的一种鉴权认证方法, 所述方法包括:  An authentication authentication method provided by an embodiment of the present invention includes:
第一 ProSe功能实体向 UE下发配置参数; 所述第一 ProSe功能实体对 所述 UE鉴权认证成功后, 向所述 UE分配 D2D业务临时标识。  The first ProSe function entity sends a configuration parameter to the UE; after the first ProSe function entity successfully authenticates the UE, the D2D service temporary identifier is allocated to the UE.
上述方案中, 所述配置参数包括所述 UE支持的 PLMN标识列表和所 述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识, 或者所述配 置参数仅包括所述 UE支持的 PLMN标识列表。  In the above solution, the configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the configuration parameter includes only the PLMN identifier supported by the UE. List.
上述方案中, 所述第一 ProSe功能实体对所述 UE鉴权认证, 包括: 所述第一 ProSe功能实体接收第二 ProSe功能实体发送的鉴权认证请 求, 所述鉴权认证请求携带本地 PLMN标识以及所述 UE收到的 D2D业务 临时标 i只;  In the foregoing solution, the first ProSe function entity, the authentication, and the first ProSe function entity receive an authentication authentication request sent by the second ProSe function entity, where the authentication authentication request carries the local PLMN. And the identifier and the temporary identifier of the D2D service received by the UE;
所述第一 ProSe功能实体根据所述 D2D业务临时标识查找所述 UE对 应的 UE上下文;  The first ProSe functional entity searches for a UE context corresponding to the UE according to the D2D service temporary identifier;
当查找到所述 UE对应的上下文时, 所述第一 ProSe功能实体对所述 UE鉴权认证成功, 向所述 UE返回分配 D2D业务临时标识;  When the context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and returns a D2D service temporary identifier to the UE.
当没有查找到所述 UE对应的上下文时, 所述第一 ProSe功能实体向 HSS发起 UE上下文获取过程, UE上下文获取成功后, 所述第一 ProSe功 能实体对所述 UE鉴权认证成功, 向所述 UE返回分配 D2D业务临时标识。 上述方案中, 所述第一 ProSe功能实体对所述 UE鉴权认证, 包括: 所述第一 ProSe功能实体接收第二 ProSe功能实体发送的鉴权认证请 求, 所述鉴权认证请求携带 IMSI或 D2D业务临时标识; When the context corresponding to the UE is not found, the first ProSe function entity initiates a UE context acquisition process to the HSS, and after the UE context is successfully obtained, the first ProSe function The energy entity successfully authenticates the UE, and returns an allocated D2D service temporary identifier to the UE. In the foregoing solution, the first ProSe functional entity, the authentication, the authentication, the first ProSe functional entity, the authentication request sent by the second ProSe functional entity, where the authentication authentication request carries the IMSI or Temporary identification of D2D services;
所述第一 ProSe根据所述 IMSI或 D2D业务临时标识执行 UE鉴权认证 过程。  The first ProSe performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier.
上述方案中, 所述执行 UE鉴权认证过程, 包括:  In the foregoing solution, the performing the UE authentication and authentication process includes:
所述第一 ProSe根据所述 IMSI或 D2D业务临时标识查找与所述 UE相 对应的 UE上下文;  Determining, by the first ProSe, a UE context corresponding to the UE according to the IMSI or D2D service temporary identifier;
当查找到所述 UE对应的上下文时, 所述第一 ProSe功能实体对所述 UE鉴权认证成功, 向所述 UE返回分配 D2D业务临时标识;  When the context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and returns a D2D service temporary identifier to the UE.
当没有查找到所述 UE对应的上下文时, 所述第一 ProSe功能实体向 HSS发起 UE上下文获取过程, UE上下文获取成功后, 所述第一 ProSe功 能实体对所述 UE鉴权认证成功, 向所述 UE返回分配 D2D业务临时标识。  When the context corresponding to the UE is not found, the first ProSe functional entity initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the first ProSe functional entity successfully authenticates the UE. The UE returns an allocated D2D service temporary identifier.
上述方案中, 所述第一 ProSe功能实体向所述 UE分配 D2D业务临时 标识后, 所述方法还包括:  In the above solution, after the first ProSe functional entity allocates the D2D service temporary identifier to the UE, the method further includes:
所述第一 ProSe功能实体接收所述 UE发送的发现业务请求消息;所述 发现业务请求消息包括: 发现业务类型和 D2D业务临时标识;  The first ProSe function entity receives the discovery service request message sent by the UE; the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
所述第一 ProSe功能实体对所述 UE的发现请求进行认证;  The first ProSe functional entity authenticates the discovery request of the UE;
发现请求获得认证后,所述第一 ProSe功能实体根据对应的业务类型发 起对应的发现业务流程;  After the discovery request is authenticated, the first ProSe functional entity initiates a corresponding discovery service process according to the corresponding service type;
当发现业务处理完成后,所述第一 ProSe功能实体向所述 UE回送发现 业务请求响应消息, 所述消息携带第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识。  After the service processing is completed, the first ProSe function entity sends a discovery service request response message to the UE, where the message carries the D2D service temporary identifier allocated by the first ProSe function entity to the UE.
上述方案中,所述第一 ProSe功能实体对所述 UE的发现请求进行认证, 包括: In the above solution, the first ProSe functional entity authenticates the discovery request of the UE, include:
所述第一 ProSe功能实体根据 D2D业务临时标识查找与所述 UE相关 的 UE上下文, 当查找到所述 UE对应的上下文时, 所述 UE发现请求获得 认证;  The first ProSe function entity searches for a UE context related to the UE according to the D2D service temporary identifier, and when the context corresponding to the UE is found, the UE finds that the request is obtained for authentication;
当没有查找到所述 UE对应的上下文时,所述第一 ProSe功能实体向所 述 UE发起获取 IMSI请求; IMSI获取成功后, 所述第一 ProSe功能实体根 据所述 IMSI查询是否存在所述 UE对应的 UE上下文, 存在时, 所述 UE 发现请求获得认证;  When the context corresponding to the UE is not found, the first ProSe functional entity initiates an acquisition of an IMSI request to the UE; after the IMSI is successfully obtained, the first ProSe functional entity queries whether the UE exists according to the IMSI. Corresponding UE context, when present, the UE finds that the request is obtained by the authentication;
如果不存在,所述第一 ProSe功能实体向 HSS进行发现业务认证鉴权, 所述 HSS为所述 UE建立新的 UE上下文, 所述 UE发现请求获得认证。  If not present, the first ProSe functional entity performs discovery service authentication authentication to the HSS, the HSS establishes a new UE context for the UE, and the UE finds that the request is obtained.
本发明实施例提供的一种鉴权认证方法, 所述方法包括:  An authentication authentication method provided by an embodiment of the present invention includes:
UE接收第一 ProSe功能实体下发的配置参数; 所述 UE根据所述配置 参数向所述第一 ProSe功能实体发起鉴权认证过程, 并在鉴权认证成功后, 接收所述第一 ProSe功能实体分配的 D2D业务临时标识。  Receiving, by the UE, a configuration parameter that is sent by the first ProSe function entity; the UE initiating an authentication and authentication process to the first ProSe function entity according to the configuration parameter, and receiving the first ProSe function after the authentication and authentication succeeds The temporary ID of the D2D service assigned by the entity.
上述方案中, 所述配置参数包括所述 UE支持的 PLMN标识列表和所 述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识, 或者所述配 置参数仅包括所述 UE支持的 PLMN标识列表。  In the above solution, the configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the configuration parameter includes only the PLMN identifier supported by the UE. List.
上述方案中, 所述 UE向所述第一 ProSe功能实体鉴权认证之前, 所述 方法还包括:  In the above solution, before the UE authenticates the first ProSe functional entity, the method further includes:
所述 UE确定本地 PLMN标识在接收到的 PLMN标识列表中,所述 UE 向第二 ProSe功能实体发起鉴权认证请求。  The UE determines that the local PLMN identity is in the received PLMN identity list, and the UE initiates an authentication authentication request to the second ProSe functional entity.
上述方案中, 当所述 UE收到的配置参数包括所述 UE支持的 PLMN 标识列表以及所述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标 识时,所述 UE根据所述配置参数向所述第一 ProSe功能实体发起鉴权认证 过程, 包括: 所述 UE向所述第一 ProSe功能实体发送鉴权认证请求,所述鉴权认证 请求携带本地 PLMN标识以及所述 UE收到的 D2D业务临时标识; In the above solution, when the configuration parameters received by the UE include the PLMN identifier list supported by the UE and the D2D service temporary identifier allocated by the first ProSe function entity to the UE, the UE is configured according to the configuration parameter. Initiating an authentication and authentication process to the first ProSe functional entity, including: Sending, by the UE, an authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries a local PLMN identifier and a D2D service temporary identifier received by the UE;
当鉴权认证成功时, 所述 UE接收所述第一 ProSe功能实体为所述 UE 分配的 D2D业务临时标识。  When the authentication is successful, the UE receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
上述方案中, 当所述 UE收到的配置参数仅包括所述 UE支持的 PLMN 标识列表时,所述 UE根据所述配置参数向所述第一 ProSe功能实体发起鉴 权认证过程, 包括:  In the above solution, when the configuration parameter received by the UE includes only the PLMN identifier list supported by the UE, the UE initiates an authentication process to the first ProSe function entity according to the configuration parameter, including:
所述 UE向所述第一 ProSe功能实体发送鉴权认证请求,所述鉴权认证 请求携带 IMSI或 D2D业务临时标识。  The UE sends an authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries an IMSI or D2D service temporary identifier.
上述方案中, 所述 UE接收到所述第一 ProSe功能实体分配的 D2D业 务临时标识后, 所述方法还包括:  In the foregoing solution, after the UE receives the D2D service temporary identifier that is allocated by the first ProSe function entity, the method further includes:
所述 UE向所述第一 ProSe功能实体发送发现业务请求消息;所述发现 业务请求消息包括: 发现业务类型和 D2D业务临时标识;  The UE sends a discovery service request message to the first ProSe function entity; the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
当所述第一 ProSe功能实体没有根据 D2D业务临时标识查找到所述 UE 对应的 UE上下文时, 所述 UE接收所述所述第一 ProSe功能实体发送的获 取 IMSI请求, 并根据所述获取 IMSI请求向所述第一 ProSe功能实体返回 获取 IMSI响应, 所述获取 IMSI响应携带 UE对应的 IMSI;  When the first ProSe functional entity does not find the UE context corresponding to the UE according to the D2D service temporary identifier, the UE receives the acquiring IMSI request sent by the first ProSe functional entity, and obtains the IMSI according to the foregoing. Requesting to return an IMSI response to the first ProSe functional entity, where the acquiring IMSI response carries an IMSI corresponding to the UE;
当发现业务处理完成后,所述 UE接收所述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识。  After the service processing is completed, the UE receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
本发明实施例提供的一种 ProSe功能实体, 所述 ProSe功能实体包括: 配置参数下发模块、 鉴权认证模块以及临时标识分配模块; 其中,  A ProSe functional entity is provided by the embodiment of the present invention, where the ProSe functional entity includes: a configuration parameter sending module, an authentication authentication module, and a temporary identifier assigning module;
所述配置参数下发模块, 配置为向 UE下发配置参数;  The configuration parameter sending module is configured to send configuration parameters to the UE;
所述鉴权认证模块, 配置为对所述 UE执行鉴权认证,并在鉴权认证成 功时触发所述临时标识分配模块;  The authentication authentication module is configured to perform authentication authentication on the UE, and trigger the temporary identifier allocation module when the authentication authentication succeeds;
所述临时标识分配模块, 配置为被所述鉴权认证模块触发时, 向所述 UE下发 D2D业务临时标识。 The temporary identifier allocation module is configured to be triggered by the authentication authentication module, to the The UE sends a temporary identifier of the D2D service.
上述方案中,所述配置参数下发模块向所述 UE下发的配置参数包括所 述 UE支持的 PLMN标识列表和所述临时标识分配模块为所述 UE分配的 D2D业务临时标识、 或者所述配置参数仅包括所述 UE支持的 PLMN标识 列表。  In the foregoing solution, the configuration parameter that is sent by the configuration parameter sending module to the UE includes a PLMN identifier list supported by the UE, and a D2D service temporary identifier allocated by the temporary identifier allocation module to the UE, or the The configuration parameters include only the list of PLMN identifiers supported by the UE.
上述方案中,所述 ProSe功能实体还包括:发现请求认证模块和发现业 务处理模块; 其中,  In the above solution, the ProSe functional entity further includes: a discovery request authentication module and a discovery service processing module;
所述发现请求认证模块, 配置为接收所述 UE的发现业务请求,并对所 述 UE的发现业务请求进行认证,其中所述发现业务请求包括:发现业务类 型和 D2D业务临时标识;还配置为对所述 UE的发现业务请求认证成功后, 触发所述发现业务处理模块;  The discovery request authentication module is configured to receive the discovery service request of the UE, and perform authentication on the discovery service request of the UE, where the discovery service request includes: a discovery service type and a D2D service temporary identifier; After the discovery service request of the UE is successfully authenticated, the discovery service processing module is triggered;
所述发现业务处理模块, 配置为被所述发现请求认证模块触发时, 为 所述 UE执行发现业务处理, 并在发现业务处理完成后, 向所述 UE返回发 现业务响应消息, 所述发现业务响应消息携带所述临时标识分配模块为所 述 UE分配的 D2D业务临时标识。  The discovery service processing module is configured to perform discovery service processing for the UE when triggered by the discovery request authentication module, and return a discovery service response message to the UE after the discovery service processing is completed, the discovery service The response message carries the D2D service temporary identifier allocated by the temporary identifier allocation module to the UE.
本发明实施例提供的一种 UE, 所述 UE包括: 配置参数接收模块及鉴 权认证请求发送模块; 其中,  A UE is provided by the embodiment of the present invention, where the UE includes: a configuration parameter receiving module and a authentication authentication request sending module;
所述配置参数接收模块,配置为接收第一 ProSe功能实体下发的配置参 数;  The configuration parameter receiving module is configured to receive a configuration parameter delivered by the first ProSe functional entity;
所述鉴权认证请求发送模块,配置为向所述第一 ProSe功能实体发起鉴 权认证过程;  The authentication authentication request sending module is configured to initiate an authentication authentication process to the first ProSe functional entity;
所述配置参数接收模块,还配置为向所述第一 ProSe功能实体鉴权认证 成功后, 接收所述第一 ProSe功能实体分配的 D2D业务临时标识。  The configuration parameter receiving module is further configured to: after the authentication of the first ProSe functional entity is successful, receive the D2D service temporary identifier allocated by the first ProSe functional entity.
上述方案中, 所述配置参数包括所述 UE支持的 PLMN标识列表和所 述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识, 或者所述配 置参数仅包括所述 UE支持的 PLMN标识列表。 In the above solution, the configuration parameter includes a PLMN identifier list supported by the UE, and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the The set parameters only include the list of PLMN identities supported by the UE.
上述方案中, 所述 UE还包括判断模块; 所述判断模块, 配置为在所述 鉴权认证请求发送模块向所述第一 ProSe功能实体发起鉴权认证过程之前, 确定所述 UE的本地 PLMN标识在接收到的 PLMN标识列表中时, 触发所 述鉴权认证请求发送模块向第二 ProSe功能实体发送鉴权认证请求。  In the foregoing solution, the UE further includes a determining module, where the determining module is configured to determine a local PLMN of the UE before the authentication authentication request sending module initiates an authentication and authentication process to the first ProSe functional entity. When the identifier is in the received PLMN identifier list, the authentication authentication request sending module is triggered to send an authentication authentication request to the second ProSe functional entity.
上述方案中, 所述 UE还包括: 发现业务请求模块以及请求处理模块; 其中,  In the above solution, the UE further includes: a discovery service request module and a request processing module;
所述发现业务请求模块,配置为向所述第一 ProSe功能实体发送发现业 务请求消息; 所述发现业务请求消息包括: 发现业务类型和 D2D业务临时 标识;  The discovery service requesting module is configured to send a discovery service request message to the first ProSe functional entity; the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
所述请求处理模块, 配置为当所述第一 ProSe功能实体没有根据 D2D 业务临时标识查找到所述 UE对应的 UE上下文时,接收所述第一 ProSe功 能实体发送的获取 IMSI请求,并根据所述获取 IMSI请求向所述第一 ProSe 返回获取 IMSI响应, 所述获取 IMSI响应携带 UE对应的 IMSI;  The request processing module is configured to: when the first ProSe functional entity does not find the UE context corresponding to the UE according to the D2D service temporary identifier, receive the IMSI request sent by the first ProSe functional entity, and according to the Obtaining an IMSI request to return an IMSI response to the first ProSe, where the acquiring IMSI response carries an IMSI corresponding to the UE;
所述配置参数接收模块, 还配置为当发现业务处理完成后, 接收所述 第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识。  The configuration parameter receiving module is further configured to: after the discovery service processing is completed, receive the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
本发明实施例提供的一种鉴权认证系统, 所述系统包括: 第一 ProSe 功能实体和 UE;  An authentication authentication system is provided by the embodiment of the present invention, where the system includes: a first ProSe functional entity and a UE;
所述第一 ProSe功能实体, 配置为向所述 UE下发配置参数; 还配置为 对所述 UE鉴权认证成功后, 向所述 UE分配 D2D业务临时标识;  The first ProSe functional entity is configured to send configuration parameters to the UE; and configured to allocate a D2D service temporary identifier to the UE after the UE is successfully authenticated by the UE;
所述 UE, 配置为根据所述配置参数向所述第一 ProSe功能实体发起鉴 权认证过程。  The UE is configured to initiate an authentication process to the first ProSe functional entity according to the configuration parameter.
上述方案中,所述第一 ProSe功能实体向所述 UE下发配置参数,包括: 所述第一 ProSe 功能实体将所述 UE 支持的 PLMN标识列表和所述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识、或者所述 UE支持的 PLMN标识列表作为配置参数下发给 UE。 In the foregoing solution, the first ProSe function entity sends configuration parameters to the UE, including: the first ProSe function entity, the PLMN identifier list supported by the UE, and the first ProSe function entity being the UE Assigned D2D service temporary identifier, or supported by the UE The PLMN identifier list is sent to the UE as a configuration parameter.
上述方案中,所述 UE,还配置为确定本地 PLMN标识在接收到的 PLMN 标识列表中时, 向所述第一 ProSe功能实体发起鉴权认证请求。  In the foregoing solution, the UE is further configured to: when determining that the local PLMN identifier is in the received PLMN identifier list, initiate an authentication authentication request to the first ProSe functional entity.
上述方案中, 所述 UE, 还配置为向所述第一 ProSe功能实体发送发现 业务请求消息; 所述发现业务请求消息包括: 发现业务类型和 D2D业务临 时标识;  In the foregoing solution, the UE is further configured to send a discovery service request message to the first ProSe function entity, where the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
所述第一 ProSe功能实体还配置为对所述 UE的发现请求进行认证;在 发现请求获得认证后, 根据对应的业务类型发起对应的发现业务流程; 并 在发现业务处理完成后,所述第一 ProSe功能实体向所述 UE回送发现业务 响应消息,所述发现业务响应消息携带所述第一 ProSe功能实体为 UE分配 的 D2D业务临时标识。  The first ProSe functional entity is further configured to: perform authentication on the discovery request of the UE; after the discovery request is authenticated, initiate a corresponding discovery service process according to the corresponding service type; and after the discovery service processing is completed, the first A ProSe function entity sends a discovery service response message to the UE, where the discovery service response message carries a D2D service temporary identifier allocated by the first ProSe function entity to the UE.
本发明实施例提供的一种计算机存储介质, 所述计算机存储介质包括 一组指令, 当执行所述指令时, 引起至少一个处理器执行上述的鉴权认证 方法。  A computer storage medium according to an embodiment of the present invention, the computer storage medium includes a set of instructions, when executed, causing at least one processor to execute the authentication authentication method.
本发明实施例所提供的鉴权认证的方法和系统、 ProSe 功能实体以及 UE, 第一 ProSe功能实体向 UE下发配置参数; UE根据所述配置参数向所 述第一 ProSe功能实体发起鉴权认证过程,并在鉴权认证成功后, 由所述第 一 ProSe功能实体为所述 UE分配 D2D业务临时标识; 如此, 能够在 UE 的 D2D发现业务之前, 在对 UE的鉴权认证过程中为 UE分配 D2D业务临 时标识, 所述 D2D业务临时标识可用于 UE发起发现业务时的鉴权认证; 釆用所述 D2D业务临时标识执行鉴权认证时,能够避免釆用 MSISDN参数 执行鉴权认证时容易发生的错误以及釆用 IMSI执行鉴权认证时容易将用户 隐私暴露于发现业务中的缺点。 附图说明  The method and system for authentication authentication provided by the embodiment of the present invention, the ProSe functional entity, and the UE, the first ProSe functional entity sends configuration parameters to the UE; the UE initiates authentication to the first ProSe functional entity according to the configuration parameter. The authentication process, and after the authentication is successful, the first ProSe functional entity allocates a D2D service temporary identifier to the UE; in this way, before the D2D discovery service of the UE, in the authentication and authentication process for the UE, The UE allocates a D2D service temporary identifier, and the D2D service temporary identifier can be used for authentication authentication when the UE initiates the discovery service. When the D2D service temporary identifier is used to perform authentication authentication, the MSISDN parameter can be avoided when performing authentication authentication. Errors that are prone to occur and the disadvantages of exposing user privacy to discovery services when performing authentication with IMSI. DRAWINGS
在附图 (其不一定是按比例绘制的) 中, 相似的附图标记可在不同的 视图中描述相似的部件。 具有不同字母后缀的相似附图标记可表示相似部 件的不同示例。 附图以示例而非限制的方式大体示出了本文中所讨论的各 个实施例。 In the drawings, which are not necessarily to scale, like reference numerals may Similar parts are described in the view. Like reference numerals with different letter suffixes may indicate different examples of similar components. The drawings generally illustrate the various embodiments discussed herein by way of example and not limitation.
图 1为 D2D发现业务通信架构图;  Figure 1 is a diagram of a D2D discovery service communication architecture;
图 2为现有技术中 D2D发现业务实现流程图;  2 is a flowchart of implementing a D2D discovery service in the prior art;
图 3为本发明至少一个实施例提供的鉴权认证方法流程图一; 图 4为本发明至少一个实施例提供的鉴权认证方法流程图二; 图 5为本发明至少一个实施例提供的鉴权认证方法流程图三; 图 6为本发明至少一个实施例提供的鉴权认证方法流程图四; 图 7为本发明至少一个实施例提供的鉴权认证方法流程图五; 图 8为本发明至少一个实施例提供的鉴权认证方法流程图六; 图 9为本发明至少一个实施例提供的 ProSe功能实体基本结构图; 图 10为本发明至少一个实施例提供的用户设备 UE基本结构图; 图 11为本发明至少一个实施例提供的鉴权认证系统基本结构图。 具体实施方式  FIG. 3 is a flowchart 1 of an authentication authentication method according to at least one embodiment of the present invention; FIG. 4 is a flowchart 2 of an authentication authentication method according to at least one embodiment of the present invention; FIG. FIG. 6 is a flowchart of an authentication authentication method according to at least one embodiment of the present invention; FIG. 7 is a flowchart 5 of an authentication authentication method according to at least one embodiment of the present invention; FIG. 9 is a basic structural diagram of a ProSe functional entity according to at least one embodiment of the present invention; FIG. 10 is a basic structural diagram of a user equipment UE according to at least one embodiment of the present invention; FIG. 11 is a basic structural diagram of an authentication authentication system according to at least one embodiment of the present invention. detailed description
本发明实施例中, 第一 ProSe功能实体向 UE下发配置参数; UE根据 所述配置参数向所述第一 ProSe功能实体发起鉴权认证过程,并在鉴权认证 成功后, 由所述第一 ProSe功能实体为所述 UE分配 D2D业务临时标识。  In the embodiment of the present invention, the first ProSe functional entity sends a configuration parameter to the UE; the UE initiates an authentication and authentication process to the first ProSe functional entity according to the configuration parameter, and after the authentication is successful, the first A ProSe functional entity allocates a D2D service temporary identifier to the UE.
下面通过附图及具体实施例对本发明 #丈进一步的详细说明。  Further details of the present invention will be further described below with reference to the accompanying drawings and specific embodiments.
实施例一  Embodiment 1
本发明实施例一提供了一种鉴权认证方法, 如图 3 所示, 该方法包括 以下步骤:  The first embodiment of the present invention provides an authentication authentication method. As shown in FIG. 3, the method includes the following steps:
步骤 301 : 第一 ProSe功能实体向 UE下发配置参数;  Step 301: The first ProSe function entity sends configuration parameters to the UE.
这里, 所述第一 ProSe功能实体是指所述 UE的 HPLMN下的 ProSe功 能实体, 当所述 UE和所述第一 ProSe功能实体建立安全连接后, 所述 UE 向所述第一 ProSe功能实体发送发现业务请求消息; Here, the first ProSe functional entity refers to a ProSe functional entity under the HPLMN of the UE, and after the UE and the first ProSe functional entity establish a secure connection, the UE Sending a discovery service request message to the first ProSe functional entity;
所述第一 ProSe功能实体向所述 UE下发配置参数,所述配置参数包括: 所述 UE支持的 PLMN标识列表以及所述第一 ProSe功能实体为所述 UE 分配的 D2D业务临时标识、或者所述配置参数仅包括所述 UE支持的 PLMN 标识列表;  The first ProSe function entity sends a configuration parameter to the UE, where the configuration parameter includes: a PLMN identifier list supported by the UE, and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or The configuration parameter includes only a list of PLMN identifiers supported by the UE;
当向所述 UE下发的配置参数包括: 所述 UE支持的 PLMN标识列表 以及所述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识时, 所 述第一 ProSe功能实体将保存所述下发的 D2D业务临时标识和所述 UE的 IMSI之间的对应关系。  When the configuration parameters that are delivered to the UE include: the PLMN identifier list supported by the UE and the D2D service temporary identifier allocated by the first ProSe function entity to the UE, the first ProSe function entity will save the location Corresponding relationship between the D2D service temporary identifier sent by the UE and the IMSI of the UE.
具体地,所述 D2D业务临时标识是一种可用于所述 UE的 D2D发现业 务的临时标识, 这种 D2D业务临时标识可以为 ProSe功能实体标识或者可 以为唯一对应于所述 UE的参数,所述参数可以釆用任何可用于唯一标识一 个 UE的表示形式; 具体地, 在 D2D业务临时标识实际分配中, 可以按照 顺序为 UE分配 D2D业务临时标识或者通过数学函数离散为 UE随机分配 D2D业务临时标识。  Specifically, the D2D service temporary identifier is a temporary identifier that can be used for the D2D discovery service of the UE, and the D2D service temporary identifier may be a ProSe functional entity identifier or may be a parameter corresponding to the UE uniquely. The parameter may use any representation that can be used to uniquely identify a UE. Specifically, in the actual allocation of the D2D service temporary identifier, the D2D service temporary identifier may be allocated to the UE in sequence or the D2D service temporary may be randomly allocated to the UE by a mathematical function. Logo.
步骤 302: 所述 UE根据所述配置参数向所述第一 ProSe功能实体发起 鉴权认证过程, 所述第一 ProSe功能实体对所述 UE鉴权认证成功后, 向所 述 UE分配 D2D业务临时标识;  Step 302: The UE initiates an authentication and authentication process to the first ProSe functional entity according to the configuration parameter, and after the first ProSe functional entity successfully authenticates the UE, allocates a D2D service to the UE. Identification
这一步骤中, 所述 UE获得配置参数后, 首先判断本地 PLMN标识是 否在接收到的 PLMN标识列表中, 如果不存在, 则不作任何操作, 结束当 前处理流程;  In this step, after the UE obtains the configuration parameter, it first determines whether the local PLMN identifier is in the received PLMN identifier list, and if not, does not perform any operation, and ends the current processing flow;
当所述 UE的本地 PLMN标识存在于接收到的 PLMN标识列表中时, 所述 UE将向第二 ProSe功能实体发起鉴权认证请求, 具体地, 所述第二 ProSe功能实体是指所述 UE的 LPLMN下的 ProSe功能实体, 这里, 针对 步骤 301中收到不同配置参数的 UE, 将有不同的鉴权认证过程; 下面通过图 4和图 5对上述两种情况下所述 UE的鉴权认证过程进行说 明; When the local PLMN identity of the UE is in the received PLMN identity list, the UE will initiate an authentication authentication request to the second ProSe functional entity. Specifically, the second ProSe functional entity refers to the UE. a ProSe functional entity under the LPLMN, where there are different authentication authentication procedures for the UEs that receive different configuration parameters in step 301; The following describes the authentication and authentication process of the UE in the above two cases by using FIG. 4 and FIG. 5;
图 4为收到的配置参数包括: 所述 UE支持的 PLMN标识列表以及第 一 ProSe功能实体为所述 UE分配的 D2D业务临时标识时, 所述 UE执行 的鉴权认证过程的流程图, 如图 4所示, 所述鉴权认证过程包括以下步骤: 步骤 401 : 所述 UE向第二 ProSe功能实体发送鉴权认证请求; 具体地, 所述 UE直接向所述第二 ProSe功能实体发送鉴权认证请求, 所述鉴权认证请求携带本地 PLMN标识以及收到的 D2D业务临时标识; 步骤 402: 所述第二 ProSe功能实体向第一 ProSe功能实体转发所述鉴 权认证请求;  4 is a flow chart of the authentication authentication process performed by the UE when the received configuration parameters include: the PLMN identity list supported by the UE and the D2D service temporary identity allocated by the first ProSe function entity to the UE, such as As shown in FIG. 4, the authentication and authentication process includes the following steps: Step 401: The UE sends an authentication request to a second ProSe functional entity. Specifically, the UE directly sends a packet to the second ProSe functional entity. a right authentication request, where the authentication authentication request carries the local PLMN identifier and the received D2D service temporary identifier; Step 402: The second ProSe functional entity forwards the authentication authentication request to the first ProSe functional entity;
具体地,所述第二 ProSe功能实体向所述第一 ProSe功能实体转发所述 鉴权认证请求,所述鉴权认证请求携带 D2D业务临时标识和本地 PLMN标 识。  Specifically, the second ProSe functional entity forwards the authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries a D2D service temporary identifier and a local PLMN identifier.
步骤 403: 所述第一 ProSe功能实体判断 UE上下文是否存在, 如果存在, 按照步骤 404a至 406a继续执行, 如果不存在, 按照步骤 404b、 404b执行; 这一步骤中, 所述第一 ProSe功能实体根据 D2D业务临时标识查找与 所述 UE相对应的 UE上下文, 所述 UE上下文包含 UE的 IMSI以及业务 参数; 具体地, 由于所述第一 ProSe功能实体向 UE下发 D2D业务临时标 识时已经保存了所述 D2D业务临时标识与所述 UE的 IMSI之间的对应关 系, 因此, 所述第一 ProSe功能实体可以根据接收到的 D2D业务临时标识 查找到相应的 IMSI, 之后, 根据 IMSI查找与所述 IMSI相对应的 UE上下 文; 当找到与所述 UE对应的 UE上下文时, 鉴权认证通过, 此时, 按照步 骤 404a至 406a继续执行; 如果未通过, 则按照步骤 404b、 404b执行。  Step 403: The first ProSe function entity determines whether the UE context exists. If yes, continue to perform according to steps 404a to 406a. If not, perform according to steps 404b and 404b. In this step, the first ProSe function entity The UE context corresponding to the UE is searched according to the D2D service temporary identifier, where the UE context includes the IMSI of the UE and the service parameter. Specifically, the first ProSe functional entity has saved the D2D service temporary identifier when the UE sends the temporary identifier to the UE. Corresponding relationship between the D2D service temporary identifier and the IMSI of the UE. Therefore, the first ProSe function entity may find a corresponding IMSI according to the received D2D service temporary identifier, and then search and locate according to the IMSI. The UE context corresponding to the IMSI; when the UE context corresponding to the UE is found, the authentication authentication is passed. At this time, the execution is continued according to steps 404a to 406a; if not, the steps are performed according to steps 404b and 404b.
步骤 404a: 所述第一 ProSe功能实体为 UE分配 D2D业务临时标识; 这一步骤中, 所述 UE使用所述为其分配的 D2D业务临时标识进行鉴 权认证成功后, 所述第一 ProSe功能实体会为所述 UE重新分配 D2D业务 临时标识, 所述重新分配的 D2D业务临时标识可用于所述 UE下一次执行 发现业务时的鉴权认证; 这样, 每次鉴权认证成功后重新为 UE分配 D2D 业务临时标识, 可以杜绝 UE使用同一个 D2D业务临时标识执行多次鉴权 认证时容易出现的不安全因素, 这是因为, 如果 UE长期使用同一个 D2D 业务临时标识的话, 这个 D2D业务临时标识将很容易被攻击者或者其他用 户釆用非法手段获取并使用; 因此, 本发明实施例一所述方案中, UE 的 D2D业务临时标识在每次使用之后会被动态更新, 这样每一次使用的 D2D 业务临时标识都是不一样的, 可以确保 UE的安全性; Step 404a: The first ProSe functional entity allocates a D2D service temporary identifier to the UE. In this step, the UE uses the D2D service temporary identifier allocated for the UE to perform the identification. After the right authentication succeeds, the first ProSe functional entity may re-allocate the D2D service temporary identifier for the UE, and the re-allocated D2D service temporary identifier may be used for authentication authentication when the UE performs the discovery service next time; After the authentication is successful, the D2D service temporary identifier is re-assigned to the UE. This prevents the UE from using the same D2D service temporary identifier to perform multiple authentication authentication. This is because if the UE uses the same long-term. If a D2D service temporary identifier is used, the D2D service temporary identifier is easily acquired and used by an attacker or other users by using an illegal means. Therefore, in the solution according to the first embodiment of the present invention, the UE's D2D service temporary identifier is used each time. After use, it will be dynamically updated, so that the D2D service temporary identifier used each time is different, which can ensure the security of the UE;
步骤 405a: 所述第一 ProSe功能实体向所述第二 ProSe功能实体回送 鉴权认证响应;  Step 405a: The first ProSe functional entity sends back an authentication authentication response to the second ProSe functional entity.
具体地,所述鉴权认证响应携带所述第一 ProSe功能实体为 UE分配的 D2D业务临时标识以及与所述 UE对应的 UE上下文, 其中, 所述 UE上下 文包括鉴权向量参数组。  Specifically, the authentication authentication response carries a D2D service temporary identifier allocated by the first ProSe functional entity to the UE and a UE context corresponding to the UE, where the UE context includes an authentication vector parameter group.
步骤 406a: 所述第二 ProSe功能实体向 UE回送鉴权认证请求响应消 息;  Step 406a: The second ProSe functional entity sends back an authentication authentication request response message to the UE.
具体地,所述鉴权认证请求响应消息携带所述第一 ProSe功能实体为所 述 UE重新分配的 D2D业务临时标识以及鉴权认证参数, 所述 UE保存所 述 D2D业务临时标识;所述 D2D业务临时标识可用于后续所述 UE的 D2D 发现业务的鉴权认证; 结束当前流程;  Specifically, the authentication authentication request response message carries a D2D service temporary identifier and an authentication authentication parameter that are re-allocated by the first ProSe functional entity to the UE, and the UE saves the D2D service temporary identifier; the D2D The service temporary identifier may be used for authentication authentication of the D2D discovery service of the subsequent UE; ending the current process;
404b: 所述第一 ProSe功能实体向 HSS发送上下文获取请求消息; 具体地, 所述上下文获取请求携带 UE的 IMSI;  404b: The first ProSe function entity sends a context acquisition request message to the HSS; specifically, the context acquisition request carries the IMSI of the UE;
405b: 所述 HSS查找到对应的 UE上下文后, 向所述第一 ProSe功能 实体回送上下文获取响应消息;  405b: After the HSS finds the corresponding UE context, sends a context acquisition response message to the first ProSe function entity.
具体地, 所述 HSS根据所述 UE的 IMSI查找到对应于所述 UE的 UE 上下文后, 向所述第一 ProSe功能实体回送上下文获取响应消息,所述上下 文获取响应消息携带所述 UE对应的 UE上下文, 所述 UE上下文包含 UE 鉴权向量组; 所述第一 ProSe功能实体获得 UE上下文后, 返回步骤 403, 所述第一 ProSe功能实体根据所述 UE上下文对 UE鉴权认证通过, 此时按 照步骤 404a-步骤 405a执行; Specifically, the HSS searches for a UE corresponding to the UE according to an IMSI of the UE. After the context, the context retrieval response message is sent back to the first ProSe function entity, where the context acquisition response message carries the UE context corresponding to the UE, and the UE context includes a UE authentication vector group; the first ProSe functional entity After obtaining the UE context, returning to step 403, the first ProSe functional entity passes the UE authentication and authentication according to the UE context, and is performed according to steps 404a to 405a;
当所述 UE收到的配置参数仅包括所述 UE支持的 PLMN标识列表时, 所述 UE与第一 ProSe功能实体之间的鉴权认证过程包括两种情况:第一种 情况下,所述 UE为没有被分配过 D2D业务临时标识的 UE,第二种情况下, 所述 UE为被分配过 D2D业务临时标识的 UE;  When the configuration parameters received by the UE include only the PLMN identifier list supported by the UE, the authentication authentication process between the UE and the first ProSe functional entity includes two cases: in the first case, the The UE is a UE that has not been assigned a temporary identifier of the D2D service. In the second case, the UE is a UE that has been assigned a temporary identifier of the D2D service.
步骤 501 : 所述 UE判断自身是否存在已分配的 D2D业务临时标识, 如果不存在, 执行步骤 502a, 如果存在, 执行步骤 502c;  Step 501: The UE determines whether there is an allocated D2D service temporary identifier, if not, step 502a, if yes, step 502c;
所述 UE可以通过检测自身 D2D业务临时标识字段的值来判断自身是 否存在已分配的 D2D业务临时标识;具体地,如果所述 UE检测到自身 D2D 业务临时标识字段为空或者为非 D2D业务临时标识的字段(比如全部为位 1或者为 0的情况), 则可以确定自身不存在已分配的 D2D业务临时标识, 此时, 按第一种情况执行处理; 如果所述 UE检测到自身 D2D业务临时标 识字段不为空, 且为正常的 D2D业务临时标识, 则可以确定自身存在已分 配的 D2D业务临时标识, 此时, 按第二种情况执行处理;  The UE may determine whether it has an allocated D2D service temporary identifier by detecting the value of the D2D service temporary identifier field; specifically, if the UE detects that the D2D service temporary identifier field is empty or is not a D2D service temporary If the identified field (such as the case of all bits 1 or 0), it may be determined that there is no allocated D2D service temporary identifier, and at this time, the processing is performed according to the first case; if the UE detects its own D2D service If the temporary identifier field is not empty and is a normal D2D service temporary identifier, it may be determined that the existing D2D service temporary identifier exists. At this time, the processing is performed according to the second case;
下面对第一种情况下执行的处理进行介绍:  The following describes the processing performed in the first case:
步骤 502a: 所述 UE向所述第二 ProSe功能实体发送鉴权认证请求; 具体地, 所述鉴权认证请求携带本地 PLMN标识和 IMSI, 且所述鉴权 认证请求中的 D2D业务临时标识为空或者为非 D2D业务临时标识的字段 (比如全部为位 1或者为 0的情况) ;  Step 502a: The UE sends an authentication authentication request to the second ProSe functional entity. Specifically, the authentication authentication request carries a local PLMN identifier and an IMSI, and the D2D service temporary identifier in the authentication authentication request is Empty or a field temporarily identified by a non-D2D service (such as when all bits are 1 or 0);
步骤 503a: 所述第二 ProSe功能实体向所述第一 ProSe功能实体转发 所述鉴权认证请求; 步骤 504a: 所述第一 ProSe功能实体判断 UE上下文是否存在, 如果 存在, 执行步骤 505a, 如果不存在, 执行步骤 505b; Step 503a: The second ProSe functional entity forwards the authentication authentication request to the first ProSe functional entity. Step 504a: The first ProSe functional entity determines whether the UE context exists, if yes, step 505a, if not, step 505b;
具体地, 所述第一 ProSe功能实体根据 IMSI查找对应的 UE上下文, 所述 UE上下文包括所述 UE对应的业务参数, 根据所述 UE的 IMSI查找 对应的 UE上下文属于现有技术, 这里不再赘述; 如果查找到对应的 UE上 下文, 则执行步骤 505a-步骤 507a; 如果未查找到, 则按照步骤 505b、 506b 执行;  Specifically, the first ProSe function entity searches for a corresponding UE context according to the IMSI, and the UE context includes a service parameter corresponding to the UE, and searching for a corresponding UE context according to the IMSI of the UE belongs to the prior art, where the If the corresponding UE context is found, step 505a-step 507a is performed; if not found, step 505b, 506b is performed;
步骤 505b: 所述第一 ProSe功能实体向所述 HSS发送 UE上下文获取 请求消息, 所述 UE上下文获取请求消息携带所述 UE的 IMSI;  Step 505b: The first ProSe function entity sends a UE context acquisition request message to the HSS, where the UE context acquisition request message carries the IMSI of the UE;
步骤 506b: 所述 HSS对所述 UE鉴权认证成功后, 向所述第一 ProSe 功能实体回送鉴权认证响应;  Step 506b: After the HSS authenticates the UE successfully, the HSS sends an authentication authentication response to the first ProSe functional entity.
这里, 所述 HSS查找到与所述 UE相对应的 UE上下文后, 向所述第 一 ProSe功能实体回送上下文获取响应消息,所述上下文获取响应消息携带 用户对应的鉴权向量参数组; 获得 UE上下文后, 返回步骤 503b, 所述第 一 ProSe功能实体根据所述 UE上下文对 UE鉴权认证通过, 此时按照步骤 504a-步骤 505a执行;  Here, after the HSS finds the UE context corresponding to the UE, it sends a context acquisition response message to the first ProSe function entity, where the context acquisition response message carries the authentication vector parameter group corresponding to the user; After the context, the process returns to step 503b, the first ProSe functional entity passes the authentication authentication of the UE according to the UE context, and is performed according to steps 504a-505a;
步骤 505a: 所述第一 ProSe功能实体为所述 UE分配 D2D业务临时标 识;  Step 505a: The first ProSe functional entity allocates a D2D service temporary identifier to the UE.
这一步骤中, 所述 UE鉴权认证成功后, 所述第一 ProSe功能实体会为 所述 UE分配 D2D业务临时标识,所述分配的 D2D业务临时标识可用于所 述 UE下一次执行 D2D发现业务时的鉴权认证;  In this step, after the UE authentication and authentication succeeds, the first ProSe functional entity allocates a D2D service temporary identifier to the UE, and the allocated D2D service temporary identifier may be used by the UE to perform D2D discovery for the next time. Authentication at the time of business;
步骤 506a: 所述第一 ProSe功能实体向第二 ProSe功能实体回送鉴权 认证响应;  Step 506a: The first ProSe functional entity sends back an authentication authentication response to the second ProSe functional entity.
具体地,所述鉴权认证响应携带所述第一 ProSe功能实体为所述 UE分 配的 D2D业务临时标识以及与所述 UE对应的 UE上下文, 其中, 所述 UE 上下文包括鉴权向量参数组。 Specifically, the authentication authentication response carries a D2D service temporary identifier allocated by the first ProSe functional entity to the UE, and a UE context corresponding to the UE, where the UE The context includes an authentication vector parameter set.
步骤 507a: 所述第二 ProSe功能实体向所述 UE回送鉴权认证响应消 息,所述鉴权认证响应消息携带所述第一 ProSe功能实体为 UE重新分配的 D2D业务临时标识以及鉴权认证参数, 所述 UE保存所述 D2D业务临时标 识;所述 D2D业务临时标识可用于所述 UE下一次执行 D2D发现业务时的 鉴权认证; 结束当前流程。  Step 507a: The second ProSe function entity sends an authentication authentication response message to the UE, where the authentication authentication response message carries the D2D service temporary identifier and the authentication authentication parameter that are re-allocated by the first ProSe functional entity to the UE. The UE saves the D2D service temporary identifier; the D2D service temporary identifier may be used for authentication authentication when the UE performs the D2D discovery service next time; and ends the current process.
下面对第二种情况下执行的处理进行介绍:  The following describes the processing performed in the second case:
步骤 502c: 所述 UE向所述第二 ProSe功能实体发送鉴权认证请求, 所述鉴权认证请求携带本地 PLMN标识以及 D2D业务临时标识;  Step 502c: The UE sends an authentication authentication request to the second ProSe functional entity, where the authentication authentication request carries a local PLMN identifier and a D2D service temporary identifier.
需要说明的是, 由于在这一步骤之前,所述第一 ProSe功能实体向所述 UE下发的配置参数中并不包含 D2D业务临时标识, 而这里的 D2D业务临 时标识实际上是所述 UE在上一次执行完鉴权认证过程之后, 由所述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识, 这一 D2D业务临时 标识本身可用于所述 UE的下一次鉴权认证过程; 也就是说,在本发明实施 例一所述流程开始之前, 所述 UE中已经可能存在被分配的 D2D业务临时 标识; 因此, 在当前处理流程中所述第一 ProSe功能实体在向所述 UE下发 的配置参数中不包含为 UE分配的 D2D业务临时标识, 也是考虑到对于在 上一次鉴权认证流程中已经获得过 D2D业务临时标识的 UE来说, 如果在 这一次鉴权认证中又直接分配新的 D2D业务临时标识是没有必要的, 而且 会造成资源的浪费;  It should be noted that, before the step, the configuration parameter delivered by the first ProSe functional entity to the UE does not include the D2D service temporary identifier, and the D2D service temporary identifier herein is actually the UE. The D2D service temporary identifier allocated by the first ProSe functional entity to the UE after the last authentication authentication process is performed, and the D2D service temporary identifier itself may be used for the next authentication and authentication process of the UE; That is, before the process according to the first embodiment of the present invention starts, the allocated D2D service temporary identifier may already exist in the UE; therefore, the first ProSe functional entity is in the current process flow to the UE. The configuration parameter that is delivered does not include the temporary ID of the D2D service allocated to the UE. It is also considered that for the UE that has obtained the temporary identifier of the D2D service in the last authentication and authentication process, if it is in this authentication, It is not necessary to directly allocate new D2D service temporary identifiers, and it will cause waste of resources;
步骤 503c: 所述第二 ProSe功能实体向所述第一 ProSe功能实体发送 所述鉴权认证请求,所述鉴权认证请求携带本地 PLMN标识和 D2D业务临 时标识。  Step 503c: The second ProSe functional entity sends the authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries a local PLMN identifier and a D2D service temporary identifier.
步骤 504c: 所述第一 ProSe功能实体根据 D2D业务临时标识查找对应 的 UE上下文, 所述 UE上下文包括 UE对应的业务参数, 如果查找到, 执 行步骤 505c, 如果未查找到, 执行步骤 505d; Step 504c: The first ProSe function entity searches for a corresponding UE context according to the D2D service temporary identifier, where the UE context includes a service parameter corresponding to the UE, and if found, the implementation Step 505c, if not found, step 505d;
具体地, 由于所述 UE在获得 D2D业务临时标识时, 所述第一 ProSe 功能实体已经保存了所述 D2D业务临时标识与所述 UE的 IMSI之间的对应 关系, 因此, 所述第一 ProSe功能实体可以根据接收到的 D2D业务临时标 识查找到相应的 IMSI, 之后, 4艮据 IMSI查找与所述 IMSI相对应的 UE上 下文; 如果查找到对应的 UE上下文, 则执行步骤 505c-步骤 507c; 如果未 查找到, 则按照步骤 505d、 506d执行;  Specifically, the first ProSe functional entity has saved the correspondence between the temporary identifier of the D2D service and the IMSI of the UE, and the first ProSe is configured to obtain the D2D service temporary identifier. The function entity may find the corresponding IMSI according to the received D2D service temporary identifier, and then search for the UE context corresponding to the IMSI according to the IMSI; if the corresponding UE context is found, perform steps 505c-507c; If not found, follow steps 505d, 506d;
步骤 505d: 所述第一 ProSe功能实体向所述 HSS发送上下文获取请求 消息;  Step 505d: The first ProSe function entity sends a context acquisition request message to the HSS.
具体的, 所述上下文获取请求消息携带 UE的 IMSI;  Specifically, the context acquisition request message carries an IMSI of the UE;
步骤 506d: 所述 HSS对所述 UE鉴权认证成功后, 向所述第一 ProSe 功能实体回送鉴权认证响应;  Step 506d: After the HSS successfully authenticates the UE, the HSS sends an authentication authentication response to the first ProSe functional entity.
具体地, 所述 HSS查找到与所述 UE相对应的 UE上下文后, 向所述 第一 ProSe功能实体回送上下文获取响应消息,所述上下文获取响应消息携 带用户对应的鉴权向量参数组; 获得 UE上下文后, 返回步骤 504c, 所述 第一 ProSe功能实体根据所述 UE上下文对 UE鉴权认证通过, 此时按照步 骤 505c-步骤 507c执行;  Specifically, after the HSS finds the UE context corresponding to the UE, it sends a context acquisition response message to the first ProSe function entity, where the context acquisition response message carries the authentication vector parameter group corresponding to the user; After the UE context, the process returns to step 504c, where the first ProSe function entity passes the authentication authentication of the UE according to the UE context, and then executes according to steps 505c-507c;
步骤 505c: 所述第一 ProSe功能实体为所述 UE分配 D2D业务临时标 识;  Step 505c: The first ProSe functional entity allocates a D2D service temporary identifier to the UE.
步骤 506c: 所述第一 ProSe功能实体向第所述二 ProSe功能实体回送 鉴权认证响应;  Step 506c: The first ProSe functional entity sends back an authentication authentication response to the second ProSe functional entity.
具体地,所述鉴权认证响应携带所述第一 ProSe功能实体为所述 UE分 配的 D2D业务临时标识以及与所述 UE对应的 UE上下文, 其中, 所述 UE 上下文包括鉴权向量参数组。  Specifically, the authentication authentication response carries a D2D service temporary identifier allocated by the first ProSe functional entity for the UE and a UE context corresponding to the UE, where the UE context includes an authentication vector parameter group.
步骤 507c: 所述第二 ProSe功能实体向所述 UE回送鉴权认证请求响 应消息; Step 507c: The second ProSe functional entity sends back an authentication request to the UE. Message
具体地, 所述鉴权认证请求响应消息携带所述第一 ProSe 功能实体为 UE重新分配的 D2D业务临时标识以及鉴权认证参数, 所述 UE保存所述 D2D业务临时标识; 所述 D2D业务临时标识可用于后续所述 UE的 D2D 发现业务的鉴权认证; 结束当前流程。  Specifically, the authentication authentication request response message carries a D2D service temporary identifier and an authentication authentication parameter that are re-allocated by the first ProSe function entity to the UE, where the UE saves the D2D service temporary identifier; Identifying authentication authentication that can be used for subsequent D2D discovery services of the UE; ending the current process.
进一步地, 通过本发明实施例一提供的鉴权认证方法获取 D2D业务临 时标识之后,还可以根据所述获取的 D2D业务临时标识发起 D2D发现业务, 所述 D2D发现业务处理流程图如图 6所示, 所述方法包括以下步骤:  After the D2D service temporary identifier is obtained by the authentication and authentication method provided in the first embodiment of the present invention, the D2D discovery service may be initiated according to the acquired D2D service temporary identifier, and the D2D discovery service processing flowchart is as shown in FIG. 6 The method includes the following steps:
步骤 601 :当 UE需要向其它一个或者多个被发现 UE发起 D2D发现业 务时, UE首先需要向自身的 HPLMN下的 ProSe功能实体、 即第一 ProSe 功能实体进行 D2D发现业务认证; 所述 UE和所述第一 ProSe功能实体建 立安全连接后,向第一 ProSe功能实体发送发现业务请求消息,所述发现业 务请求消息包括: 发现业务类型和 D2D业务临时标识。  Step 601: When the UE needs to initiate the D2D discovery service to the other one or more discovered UEs, the UE first needs to perform D2D discovery service authentication to the ProSe functional entity under the HPLMN, that is, the first ProSe functional entity; After the first ProSe functional entity establishes a secure connection, the first ProSe functional entity sends a discovery service request message, where the discovery service request message includes: a discovery service type and a D2D service temporary identifier.
所述发现业务类型有: 公布( announce ), 即被发现 UE发起的发现请 求; 监听(monitor ) , 即发现 UE发起的发现请求; 匹配 (match ) , 即发 现 UE向能够发现的 ProSe功能实体发送匹配报告;这里需要说明的是发现 UE是指发起发现业务的 UE, 被发现 UE是指发现 UE所请求的发现对象; 步骤 602: 所述第一 ProSe功能实体根据 D2D业务临时标识查找与所 述 UE相关的 UE上下文; 如果查找到相关的 UE上下文, 则发现业务请求 获得认证,转至步骤 607执行发现业务处理; 如果未查找到相关的 UE上下 文, 则按照步骤 603-606执行完成后, 再按照步骤 607执行;  The discovery service type includes: an announce, that is, a discovery request initiated by the UE; a monitor, that is, a discovery request initiated by the UE; a match, that is, the UE is found to be sent to the discoverable ProSe functional entity. The matching report is as follows: the UE is found to be the UE that initiates the discovery service, and the discovered UE refers to the discovery object requested by the UE. Step 602: The first ProSe functional entity searches and describes the D2D service temporary identifier according to the D2D service temporary identifier. UE-related UE context; if the relevant UE context is found, the service request is found to be authenticated, and the process proceeds to step 607 to perform the discovery service process; if the relevant UE context is not found, the process is completed according to steps 603-606, and then Follow step 607;
步骤 603: 所述第一 ProSe功能实体向所述 UE发起获取 IMSI请求; 步骤 604: 所述 UE向所述第一 ProSe功能实体回送获取 IMSI响应, 所述获取 IMSI响应中携带与所述 UE相对应的 IMSI;  Step 603: The first ProSe functional entity initiates an acquisition of an IMSI request to the UE. Step 604: The UE sends back an IMSI response to the first ProSe functional entity, where the acquired IMSI response carries the UE Corresponding IMSI;
步骤 605: 所述第一 ProSe功能实体根据 IMSI查询是否存在 UE上下 文, 存在时, 发现业务获得认证, 此时, 直接转至步骤 608执行发现业务 处理; 如果不存在, 则按照步骤 606、 607执行完成后, 继续按照步骤 608 执行; Step 605: The first ProSe functional entity queries whether the UE exists in the upper or lower according to the IMSI. If yes, the service is authenticated. If yes, go directly to step 608 to perform discovery service processing. If not, follow steps 606 and 607 to complete the process.
步骤 606: 所述第一 ProSe功能实体与 HSS进行发现业务认证鉴权, 由所述 HSS为所述 UE建立新的 UE上下文,所述 UE上下文中包含 UE的 订阅参数;  Step 606: The first ProSe functional entity performs authentication service authentication with the HSS, and the HSS establishes a new UE context for the UE, where the UE context includes a subscription parameter of the UE.
步骤 607: 如果发现请求获得认证, 所述第一 ProSe功能实体根据对应 的业务类型向被发现 UE的本地的 PLMN下的 ProSe功能实体发起对应的 发现业务流程。  Step 607: If the request is found to be authenticated, the first ProSe functional entity initiates a corresponding discovery service flow to the ProSe functional entity in the local PLMN of the discovered UE according to the corresponding service type.
当业务类型为公布时,则所述第一 ProSe功能实体向被发现 UE的本地 的 PLMN下的 ProSe 功能实体发送公布请求消息, 被发现 UE 的本地的 PLMN下的 ProSe功能实体向所述第一 ProSe功能实体对应的回送公布请求 消息; 同理, 当业务类型为监听时, 则所述第一 ProSe 功能实体向被发现 UE的本地的 PLMN下的 ProSe功能实体发送监听请求消息,被发现 UE的 本地的 PLMN下的 ProSe功能实体向所述第一 ProSe功能实体回送监听请 求响应消息; 同理, 当业务类型为匹配时, 则所述第一 ProSe功能实体向被 发现 UE的本地的 PLMN下的 ProSe功能实体发送匹配请求消息, 匹配成 功,被发现 UE的本地的 PLMN下的 ProSe功能实体向所述第一 ProSe功能 实体回送匹配请求响应消息。  When the service type is advertised, the first ProSe function entity sends a publish request message to the ProSe function entity under the local PLMN of the discovered UE, and the ProSe function entity under the local PLMN of the UE is found to be the first The ProSe function entity corresponds to the loopback advertisement request message. Similarly, when the service type is the interception, the first ProSe function entity sends a snoop request message to the ProSe function entity in the local PLMN of the discovered UE, and the UE is found. The ProSe function entity in the local PLMN sends a listen request response message to the first ProSe function entity. Similarly, when the service type is matched, the first ProSe function entity is sent to the local PLMN of the discovered UE. The ProSe function entity sends a match request message, and the match is successful. The ProSe function entity in the local PLMN of the UE is found to send a match request response message to the first ProSe function entity.
步骤 608, 当发现业务处理完成后, 所述第一 ProSe 功能实体向所述 UE回送发现业务请求响应消息, 所述消息携带所述第一 ProSe功能实体为 所述 UE分配的 D2D业务临时标识, 所述 UE收到响应后, 完成相关的无 线资源分配。  Step 608: After the service processing is found to be complete, the first ProSe function entity sends a discovery service request response message to the UE, where the message carries the D2D service temporary identifier allocated by the first ProSe function entity to the UE. After receiving the response, the UE completes the related radio resource allocation.
所述 D2D业务临时标识可以为: ProSe功能实体标识或者 32位(bit ) 的、唯一对应一个 UE的参数,该参数可以按照顺序分配或者通过数学函数 离散得到; The D2D service temporary identifier may be: a ProSe functional entity identifier or a 32-bit (bit) unique parameter corresponding to one UE, and the parameters may be allocated in order or through a mathematical function. Discretely obtained;
这里, 在发现业务完成之后, 之所以再次为 UE分配新的 D2D业务临 时标识, 也是为了杜绝 UE使用同一个 D2D业务临时标识执行多次鉴权认 证时容易出现的不安全因素; 本发明实施例一所述方案中, UE的 D2D业 务临时标识在每次使用之后会被动态更新, 这样每一次使用的 D2D业务临 时标识都是不一样的, 可以确保 UE的安全性。  Here, after the discovery service is completed, the UE is again assigned a new D2D service temporary identifier, which is also an insecure factor that is easy to occur when the UE performs multiple authentication authentication using the same D2D service temporary identifier. In a solution, the D2D service temporary identifier of the UE is dynamically updated after each use, so that the D2D service temporary identifier used each time is different, and the security of the UE can be ensured.
实施例二  Embodiment 2
本发明实施例二提供了一种鉴权认证方法, 该方法流程图 7 所示, 该 方法包括以下步骤:  The second embodiment of the present invention provides an authentication authentication method. The method is shown in flowchart 7. The method includes the following steps:
步骤 701 : 第一 ProSe功能实体向 UE下发配置参数;  Step 701: The first ProSe function entity sends configuration parameters to the UE.
具体地,所述第一 ProSe功能实体向所述 UE下发的配置参数可以包括 所述 UE支持的 PLMN标识列表和所述第一 ProSe功能实体为所述 UE分配 的 D2D业务临时标识, 或者所述配置参数仅包括所述 UE支持的 PLMN标 识列表;  Specifically, the configuration parameter that is sent by the first ProSe function entity to the UE may include a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or The configuration parameter includes only a list of PLMN identifiers supported by the UE;
其中, 所述 D2D业务临时标识可以为 ProSe功能实体标识或者唯一对 应于所述 UE的参数,所述参数可以釆用任何可用于唯一标识一个 UE的表 示形式; 具体地, 在 D2D业务临时标识实际分配中, 可以按照顺序向 UE 分配参数或者通过数学函数离散向 UE随机分配参数。  The D2D service temporary identifier may be a ProSe function entity identifier or a parameter corresponding to the UE, and the parameter may use any representation that can be used to uniquely identify a UE. Specifically, the D2D service temporary identifier is actually In the allocation, parameters may be allocated to the UE in order or randomly assigned to the UE by a mathematical function.
步骤 702: 所述第一 ProSe功能实体对所述 UE鉴权认证成功后, 向所 述 UE分配 D2D业务临时标识。  Step 702: After the first ProSe functional entity successfully authenticates the UE, the D2D service temporary identifier is allocated to the UE.
具体地, 所述第一 ProSe功能实体对 UE鉴权认证, 包括:  Specifically, the first ProSe functional entity authenticates the UE, including:
所述第一 ProSe功能实体接收到第二 ProSe功能实体发送的鉴权认证请 求,所述鉴权认证请求携带步骤 601中第一 ProSe功能实体向所述 UE下发 的 D2D业务临时标识时,所述第一 ProSe功能实体根据所述 D2D业务临时 标识查找所述 UE对应的 UE上下文; 当查找到 UE对应的上下文时, 所述 第一 ProSe功能实体对所述 UE鉴权认证成功, 向所述 UE分配新的 D2D 业务临时标识, 所述 D2D业务临时标识可用于所述 UE发起下一次发现业 务时的鉴权认证; 当没有查找到 UE对应的上下文时, 所述第一 ProSe功能 实体向 HSS发起 UE上下文获取过程, UE上下文获取成功后, 所述第一 ProSe功能实体对所述 UE鉴权认证成功,向所述 UE分配新的 D2D业务临 时标识。 The first ProSe function entity receives the authentication request sent by the second ProSe function entity, where the authentication authentication request carries the D2D service temporary identifier sent by the first ProSe function entity to the UE in step 601. The first ProSe function entity searches for the UE context corresponding to the UE according to the D2D service temporary identifier; when the context corresponding to the UE is found, the The first ProSe function entity successfully authenticates the UE, and allocates a new D2D service temporary identifier to the UE, where the D2D service temporary identifier is used for authentication authentication when the UE initiates the next service discovery; When the context corresponding to the UE is found, the first ProSe function entity initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the first ProSe function entity successfully authenticates the UE and allocates the UE to the UE. New D2D business temporary identification.
具体地, 所述第一 ProSe功能实体对所述 UE鉴权认证, 还包括: 所述第一 ProSe功能实体接收所述第二 ProSe功能实体发送的鉴权认证 请求, 当所述鉴权认证请求携带 IMSI或 D2D业务临时标识时, 所述第一 ProSe根据所述 IMSI或 D2D业务临时标识执行 UE鉴权认证过程;  Specifically, the first ProSe function entity that authenticates the UE, further includes: the first ProSe function entity receiving an authentication authentication request sent by the second ProSe function entity, where the authentication authentication request is sent When carrying the IMSI or D2D service temporary identifier, the first ProSe performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier;
这里, 所述鉴权认证请求中的 D2D业务临时标识与步骤 601中所述第 一 ProSe功能实体向所述 UE下发配置参数中携带的 D2D业务临时标识不 同; 由于在这一步骤中, 所述第一 ProSe功能实体向所述 UE下发的配置参 数中并没有携带为所述 UE分配的 D2D业务临时标识, 因此, 这里的 D2D 业务临时标识其实是所述 UE之前的鉴权认证过程中已经得到的 D2D业务 临时标识; 相应地, 如果所述 UE之前没有获得 D2D业务临时标识, 则所 述 UE将通过 IMSI向所述第二 ProSe功能实体发起鉴权认证请求, 这种情 况下, 所述第二 ProSe功能实体将所述鉴权认证请求转发给 HPLMN下的 ProSe功能实体时, 仅携带所述 UE的 IMSI;  Here, the D2D service temporary identifier in the authentication authentication request is different from the D2D service temporary identifier carried in the configuration parameter sent by the first ProSe function entity to the UE in step 601; The configuration parameter that is sent by the first ProSe function entity to the UE does not carry the D2D service temporary identifier allocated to the UE. Therefore, the D2D service temporary identifier is actually the authentication authentication process before the UE. The D2D service temporary identifier that has been obtained; correspondingly, if the UE does not obtain the D2D service temporary identifier before, the UE will initiate an authentication authentication request to the second ProSe functional entity through the IMSI, in this case, When the second ProSe functional entity forwards the authentication authentication request to the ProSe functional entity under the HPLMN, only the IMSI of the UE is carried;
具体地, 所述第一 ProSe根据所述 IMSI或 D2D业务临时标识执行 UE 鉴权认证过程, 包括:  Specifically, the performing, by the first ProSe, the UE authentication and authentication process according to the IMSI or the D2D service temporary identifier includes:
所述第一 ProSe根据所述 IMSI或 D2D业务临时标识查找与所述 UE相 对应的 UE上下文;  Determining, by the first ProSe, a UE context corresponding to the UE according to the IMSI or D2D service temporary identifier;
当查找到 UE对应的上下文时, 所述第一 ProSe功能实体对所述 UE鉴 权认证成功, 向所述 UE分配新的 D2D业务临时标识; 当没有查找到 UE 对应的上下文时, 所述第一 ProSe功能实体向所述 HSS发起 UE上下文获 取过程, UE上下文获取成功后, 所述第一 ProSe功能实体对所述 UE鉴权 认证成功, 向所述 UE返回分配 D2D业务临时标识; When the context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and allocates a new D2D service temporary identifier to the UE; In the corresponding context, the first ProSe function entity initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the first ProSe function entity successfully authenticates the UE, and returns an allocation to the UE. Temporary identification of D2D services;
具体地, 所述第一 ProSe功能实体将所述 D2D业务临时标识封装在鉴 权认证响应中返回给第二 ProSe功能实体,由所述第二 ProSe功能实体将所 述鉴权认证响应转发给所述 UE。  Specifically, the first ProSe functional entity encapsulates the D2D service temporary identifier in an authentication authentication response and returns the second ProSe functional entity, and the second ProSe functional entity forwards the authentication authentication response to the Said UE.
进一步地, 所述第一 ProSe功能实体向所述 UE分配 D2D业务临时标 识后, 所述方法还包括:  After the first ProSe function entity allocates the D2D service temporary identifier to the UE, the method further includes:
所述第一 ProSe功能实体接收所述 UE发送的发现业务请求消息;所述 UE的发现业务请求可以是针对一个被发现 UE的发现业务请求, 也可以是 针对多个被发现 UE的发现业务请求; 所述发现业务请求消息包括: 发现业 务类型和 D2D业务临时标识; 所述第一 ProSe功能实体对所述 UE的发现 请求进行认证;如果发现请求获得认证,所述第一 ProSe功能实体根据对应 的业务类型向被发现 UE的本地的 PLMN下的 ProSe发起对应的发现业务 流程; 当发现业务处理完成后, 所述第一 ProSe功能实体向所述 UE回送发 现业务请求响应消息,所述发现业务请求响应消息携带所述第一 ProSe功能 实体为 UE分配的 D2D业务临时标识。  The first ProSe function entity receives the discovery service request message sent by the UE; the discovery service request of the UE may be a discovery service request for one discovered UE, or may be a discovery service request for multiple discovered UEs. The discovery service request message includes: a discovery service type and a D2D service temporary identifier; the first ProSe function entity authenticates the discovery request of the UE; if the request is found to obtain the authentication, the first ProSe function entity according to the corresponding The service type sends a corresponding discovery service flow to the ProSe of the local PLMN of the discovered UE. After the service processing is found, the first ProSe function entity sends a discovery service request response message to the UE, where the discovery service is sent. The request response message carries the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
具体地, 所述第一 ProSe功能实体对所述 UE的发现请求进行认证, 包 括:  Specifically, the first ProSe functional entity authenticates the discovery request of the UE, and includes:
所述第一 ProSe功能实体根据 D2D业务临时标识查找与所述 UE相关 的 UE上下文, 当查找到 UE对应的上下文时,所述 UE发现请求获得认证; 当没有查找到 UE对应的上下文时, 所述第一 ProSe功能实体向所述 UE发起获取 IMSI请求;所述 UE向所述第一 ProSe功能实体回送获取 IMSI 响应, 并携带所述 UE对应的 IMSI; 所述第一 ProSe功能实体根据 IMSI 查询是否存在 UE上下文, 存在时, 所述 UE发现请求获得认证; 如果不存在,所述第一 ProSe功能实体向 HSS进行发现业务认证鉴权, 并建立新的 UE上下文, 所述 UE发现请求获得认证。 The first ProSe function entity searches for a UE context related to the UE according to the D2D service temporary identifier, and when the context corresponding to the UE is found, the UE finds that the request is obtained for authentication; when the context corresponding to the UE is not found, the The first ProSe functional entity initiates an acquisition of an IMSI request to the UE; the UE sends back an IMSI response to the first ProSe functional entity, and carries an IMSI corresponding to the UE; the first ProSe functional entity queries according to the IMSI Whether there is a UE context, and when present, the UE finds that the request is obtained by the authentication; If not, the first ProSe functional entity performs discovery service authentication and authentication to the HSS, and establishes a new UE context, and the UE finds that the request is obtained.
实施例三  Embodiment 3
本发明实施例三提供了一种鉴权认证方法, 该方法流程图如图 8所示, 该方法包括以下步骤:  The third embodiment of the present invention provides an authentication authentication method. The method is shown in Figure 8. The method includes the following steps:
步骤 801 : UE接收第一 ProSe功能实体下发的配置参数;  Step 801: The UE receives the configuration parameter delivered by the first ProSe functional entity.
具体地, 所述配置参数包括所述 UE 支持的 PLMN标识列表和所述 ProSe功能实体为 UE分配的 D2D业务临时标识, 或者所述配置参数仅包 括所述 UE支持的 PLMN标识列表;  Specifically, the configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the ProSe function entity to the UE, or the configuration parameter includes only the PLMN identifier list supported by the UE;
其中, 所述 D2D业务临时标识可以为 ProSe功能实体标识或者唯一对 应于所述 UE的参数,所述参数可以釆用任何可用于唯一标识一个 UE的表 示形式; 具体地, 在 D2D业务临时标识实际分配中, 可以按照顺序向 UE 分配参数或者通过数学函数离散向 UE随机分配参数。  The D2D service temporary identifier may be a ProSe function entity identifier or a parameter corresponding to the UE, and the parameter may use any representation that can be used to uniquely identify a UE. Specifically, the D2D service temporary identifier is actually In the allocation, parameters may be allocated to the UE in order or randomly assigned to the UE by a mathematical function.
步骤 802: 所述 UE根据所述配置参数向所述第一 ProSe功能实体发起 鉴权认证过程,并在鉴权认证成功后,接收所述第一 ProSe功能实体分配的 D2D业务临时标识;  Step 802: The UE initiates an authentication and authentication process to the first ProSe functional entity according to the configuration parameter, and after receiving the authentication, the D2D service temporary identifier allocated by the first ProSe functional entity is received;
具体地, 在所述 UE向所述第一 ProSe功能实体鉴权认证之前, 该方法 还包括:所述 UE判断本地 PLMN标识是否在接收到的 PLMN标识列表中, 如果存在, 所述 UE向第二 ProSe功能实体发起鉴权认证请求。  Specifically, before the UE authenticates the first ProSe functional entity, the method further includes: determining, by the UE, whether the local PLMN identifier is in the received PLMN identifier list, if yes, the UE is in the first The second ProSe functional entity initiates an authentication authentication request.
当所述 UE收到的配置参数包括所述 UE支持的 PLMN标识列表以及 所述 ProSe功能实体为所述 UE分配的 D2D业务临时标识时, 所述 UE向 所述第一 ProSe功能实体发起鉴权认证请求, 包括:  When the configuration parameters received by the UE include the PLMN identifier list supported by the UE and the D2D service temporary identifier allocated by the ProSe function entity to the UE, the UE initiates authentication to the first ProSe function entity. Certification request, including:
所述 UE向所述第一 ProSe功能实体发送鉴权认证请求,所述鉴权认证 请求携带本地 PLMN标识以及所述 UE收到的 D2D业务临时标识; 当鉴权 认证成功时,所述 UE接收所述第一 ProSe功能实体为所述 UE分配的 D2D 业务临时标识; Sending, by the UE, an authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries a local PLMN identifier and a D2D service temporary identifier received by the UE; when the authentication authentication is successful, the UE receives The D2D allocated by the first ProSe functional entity to the UE Business temporary identification;
当所述 UE收到的配置参数仅包括所述 UE支持的 PLMN标识列表时, 所述 UE向所述第一 ProSe功能实体发起鉴权认证请求, 包括:  When the configuration parameter received by the UE includes only the PLMN identifier list supported by the UE, the UE initiates an authentication authentication request to the first ProSe functional entity, including:
所述 UE向所述第二 ProSe功能实体发送鉴权认证请求,所述鉴权认证 请求携带 IMSI或 D2D业务临时标识;  Sending, by the UE, an authentication authentication request to the second ProSe functional entity, where the authentication authentication request carries an IMSI or D2D service temporary identifier;
所述第二 ProSe 功能实体将所述鉴权认证请求转发给所述第一 ProSe 功能实体;  Transmitting, by the second ProSe functional entity, the authentication authentication request to the first ProSe functional entity;
所述第一 ProSe功能实体根据所述 IMSI或 D2D业务临时标识执行 UE 鉴权认证过程。  The first ProSe functional entity performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier.
进一步地, 所述 UE接收到所述第一 ProSe功能实体分配的 D2D业务 临时标识后, 该方法还包括:  After the UE receives the D2D service temporary identifier that is allocated by the first ProSe function entity, the method further includes:
当所述 UE希望向一个或者多个被发现 UE发起发现请求时, 所述 UE 向所述第一 ProSe功能实体发送发现业务请求消息;所述发现业务请求消息 包括: 发现业务类型和 D2D业务临时标识;  When the UE wishes to initiate a discovery request to one or more discovered UEs, the UE sends a discovery service request message to the first ProSe functional entity; the discovery service request message includes: a discovery service type and a D2D service temporary Identification
当所述第一 ProSe功能实体没有根据 D2D业务临时标识查找到所述 UE 对应的 UE上下文时, 所述 UE接收所述第一 ProSe功能实体发送的获取 IMSI请求,并根据所述获取 IMSI请求向所述第一 ProSe功能实体返回获取 IMSI响应, 所述获取 IMSI响应携带 UE对应的 IMSI;  When the first ProSe functional entity does not find the UE context corresponding to the UE according to the D2D service temporary identifier, the UE receives the acquiring IMSI request sent by the first ProSe functional entity, and according to the acquiring the IMSI request, The first ProSe functional entity returns an IMSI response, and the acquiring IMSI response carries an IMSI corresponding to the UE;
当发现业务处理完成后,所述 UE接收所述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识。  After the service processing is completed, the UE receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
实施例四  Embodiment 4
本发明实施例四提供了一种 ProSe功能实体,所述 ProSe功能实体为位 于 UE的 HPLMN下的 ProSe功能实体,其基本结构如图 9所示,所述 ProSe 功能实体包括: 配置参数下发模块 91、鉴权认证模块 92以及临时标识分配 模块 93; 其中, 所述配置参数下发模块 91, 配置为向 UE下发配置参数; 所述鉴权认证模块 92, 配置为对所述 UE执行鉴权认证, 并在鉴权认 证成功时触发临时标识分配模块 93; The fourth embodiment of the present invention provides a ProSe functional entity, which is a ProSe functional entity located under the HPLMN of the UE. The basic structure is as shown in FIG. 9. The ProSe functional entity includes: a configuration parameter delivery module. 91. An authentication module 92 and a temporary identifier allocation module 93; wherein The configuration parameter sending module 91 is configured to send configuration parameters to the UE. The authentication authentication module 92 is configured to perform authentication authentication on the UE, and trigger the temporary identifier allocation module 93 when the authentication authentication is successful. ;
所述临时标识分配模块 93, 配置为被所述鉴权认证模块 92触发时, 向 所述 UE下发 D2D业务临时标识。  The temporary identifier allocation module 93, when configured to be triggered by the authentication and authentication module 92, delivers a D2D service temporary identifier to the UE.
具体地,所述配置参数下发模块向所述 UE下发的配置参数可以包括所 述 UE支持的 PLMN标识列表和所述临时标识分配模块 93为所述 UE分配 的 D2D业务临时标识, 或者所述配置参数仅包括所述 UE支持的 PLMN标 识列表; 因此, 所述临时标识分配模块 93, 还配置为所述配置参数下发模 块 91向所述 UE下发配置参数时, 为所述 UE分配 D2D业务临时标识; 其中, 所述 D2D业务临时标识可以为 ProSe功能实体标识或者唯一对 应于所述 UE的参数,所述参数可以釆用任何可用于唯一标识一个 UE的表 示形式; 具体地, 在 D2D业务临时标识实际分配中, 可以按照顺序向 UE 分配参数或者通过数学函数离散向 UE随机分配参数。  Specifically, the configuration parameter that is sent by the configuration parameter sending module to the UE may include a PLMN identifier list supported by the UE and a temporary identifier of the D2D service allocated by the temporary identifier allocation module 93 to the UE, or The configuration parameter includes only the PLMN identifier list supported by the UE. Therefore, the temporary identifier allocation module 93 is further configured to allocate the configuration parameter to the UE when the configuration parameter sending module 91 sends the configuration parameter to the UE. a D2D service temporary identifier, where the D2D service temporary identifier may be a ProSe functional entity identifier or a parameter corresponding to the UE uniquely, and the parameter may use any representation form that can be used to uniquely identify a UE; specifically, In the actual allocation of the D2D service temporary identifier, the parameters may be allocated to the UE in order or randomly allocated to the UE by a mathematical function.
具体地, 所述鉴权认证模块 92对 UE执行鉴权认证, 包括:  Specifically, the authentication and authentication module 92 performs authentication authentication on the UE, including:
所述鉴权认证模块 92接收到其它 ProSe功能实体发送的鉴权认证请求, 所述鉴权认证请求携带所述临时标识分配模块 93向所述 UE下发的 D2D业 务临时标识时, 所述鉴权认证模块 92根据所述 D2D业务临时标识查找所 述 UE对应的 UE上下文; 当查找到 UE对应的上下文时, 所述鉴权认证模 块 92对 UE鉴权认证成功,触发所述临时标识分配模块 93向 UE分配新的 D2D业务临时标识, 所述 D2D业务临时标识可用于所述 UE发起下一次发 现业务时的鉴权认证; 当没有查找到 UE对应的上下文时,所述鉴权认证模 块 92向 HSS发起 UE上下文获取过程, UE上下文获取成功后, 所述鉴权 认证模块 92对所述 UE鉴权认证成功,触发所述临时标识分配模块 93向所 述 UE分配新的 D2D业务临时标识; 这里, 所述其它 ProSe功能实体可以 是指 UE的 LPLMN下的 ProSe功能实体; The authentication authentication module 92 receives the authentication authentication request sent by the other ProSe functional entity, and the authentication authentication request carries the temporary identification of the D2D service delivered by the temporary identifier allocation module 93 to the UE. The right authentication module 92 searches for the UE context corresponding to the UE according to the D2D service temporary identifier. When the context corresponding to the UE is found, the authentication authentication module 92 successfully authenticates the UE, and triggers the temporary identifier allocation module. And assigning a new D2D service temporary identifier to the UE, where the D2D service temporary identifier is used for authentication authentication when the UE initiates the next service discovery; when the context corresponding to the UE is not found, the authentication authentication module 92 The UE context acquisition process is initiated to the HSS. After the UE context is successfully obtained, the authentication and authentication module 92 successfully authenticates the UE, and triggers the temporary identifier allocation module 93 to allocate a new D2D service temporary identifier to the UE. Here, the other ProSe functional entities may Refers to the ProSe functional entity under the LPLMN of the UE;
具体地, 所述鉴权认证模块 92对所述 UE鉴权认证, 还包括: 所述鉴权认证模块 92接收到所述其它 ProSe功能实体发送的鉴权认证 请求, 当所述鉴权认证请求携带 IMSI或 D2D业务临时标识时, 所述鉴权 认证模块 92根据所述 IMSI或 D2D业务临时标识执行 UE鉴权认证过程; 这里, 所述鉴权认证请求中的 D2D业务临时标识与所述配置参数下发模块 91向所述 UE下发配置参数时, 所述临时标识分配模块 93为 UE分配 D2D 业务临时标识不同; 由于在这一步骤中, 配置参数下发模块 91向所述 UE 下发的配置参数中并没有携带为所述 UE分配的 D2D业务临时标识,因此, 这里的 D2D业务临时标识其实是所述 UE之前的鉴权认证过程中已经得到 的 D2D业务临时标识; 相应地, 如果所述 UE之前没有获得 D2D业务临时 标识, 则所述 UE将通过 IMSI向其它 PLMN下的 ProSe功能实体发起鉴权 认证请求,这种情况下,所述其它 ProSe功能实体将所述鉴权认证请求转发 给所述鉴权认证模块 92时, 仅携带所述 UE的 IMSI;  Specifically, the authentication and authentication module 92, the authentication authentication of the UE, further includes: the authentication authentication module 92 receives an authentication authentication request sent by the other ProSe functional entity, when the authentication authentication request is When the IMSI or the D2D service temporary identifier is carried, the authentication and authentication module 92 performs the UE authentication and authentication process according to the IMSI or the D2D service temporary identifier. Here, the D2D service temporary identifier and the configuration in the authentication authentication request are performed. When the parameter sending module 91 sends the configuration parameter to the UE, the temporary identifier assigning module 93 allocates the D2D service temporary identifier to the UE, and the configuration parameter is sent to the UE. The configuration parameter does not carry the D2D service temporary identifier allocated to the UE. Therefore, the D2D service temporary identifier is actually the temporary identifier of the D2D service that has been obtained in the authentication authentication process before the UE; The UE does not obtain the D2D service temporary identifier before, and the UE will initiate authentication to the ProSe functional entity under other PLMNs through the IMSI. The request, in this case, when the other ProSe functional entity forwards the authentication and authentication request to the authentication and authentication module 92, only the IMSI of the UE is carried;
具体地, 所述鉴权认证模块 92根据所述 IMSI或 D2D业务临时标识执 行 UE鉴权认证过程, 包括:  Specifically, the authentication and authentication module 92 performs the UE authentication and authentication process according to the IMSI or the D2D service temporary identifier, and includes:
所述鉴权认证模块 92根据所述 IMSI或 D2D业务临时标识查找与所述 UE相对应的 UE上下文;  The authentication and authentication module 92 searches for a UE context corresponding to the UE according to the IMSI or D2D service temporary identifier.
当查找到 UE对应的上下文时, 所述鉴权认证模块 92对所述 UE鉴权 认证成功,触发所述临时标识分配模块 93向所述 UE分配新的 D2D业务临 时标识; 当没有查找到 UE对应的上下文时, 所述鉴权认证模块 92向 HSS 发起 UE上下文获取过程, UE上下文获取成功后, 所述鉴权认证模块 92 对所述 UE鉴权认证成功, 触发所述临时标识分配模块 93向所述 UE分配 新的 D2D业务临时标识;  When the context corresponding to the UE is found, the authentication and authentication module 92 successfully authenticates the UE, and triggers the temporary identifier allocation module 93 to allocate a new D2D service temporary identifier to the UE; In the corresponding context, the authentication and authentication module 92 initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the authentication and authentication module 92 successfully authenticates the UE, and triggers the temporary identifier allocation module 93. Allocating a new D2D service temporary identifier to the UE;
具体地, 所述鉴权认证模块 92将所述 D2D业务临时标识封装在鉴权 认证响应中返回给其它 ProSe功能实体,由所述其它 ProSe功能实体将所述 鉴权认证响应转发给所述 UE。 Specifically, the authentication and authentication module 92 encapsulates the D2D service temporary identifier in the authentication. The authentication response is returned to the other ProSe functional entity, and the authentication authentication response is forwarded by the other ProSe functional entity to the UE.
进一步地, 所述 ProSe功能实体还包括: 发现请求认证模块 94和发现 业务处理模块 95; 其中,  Further, the ProSe functional entity further includes: a discovery request authentication module 94 and a discovery service processing module 95;
所述发现请求认证模块 94, 配置为接收所述 UE的发现业务请求, 并 对所述 UE的发现业务请求进行认证,其中所述发现业务请求包括: 发现业 务类型和 D2D业务临时标识;并在对所述 UE的发现业务请求认证成功后, 触发所述发现业务处理模块 65;  The discovery request authentication module 94 is configured to receive the discovery service request of the UE, and perform authentication on the discovery service request of the UE, where the discovery service request includes: a discovery service type and a D2D service temporary identifier; After the discovery service request of the UE is successfully authenticated, the discovery service processing module 65 is triggered;
所述发现业务处理模块 95, 配置为被发现请求认证模块 94触发时, 为 所述 UE执行发现业务处理, 并在发现业务处理完成后, 向所述 UE返回发 现业务响应消息, 所述发现业务响应消息携带所述临时标识分配模块 93为 UE分配的 D2D业务临时标识。  The discovery service processing module 95 is configured to perform discovery service processing for the UE when triggered by the discovery request authentication module 94, and return a discovery service response message to the UE after the discovery service processing is completed, the discovery service The response message carries the D2D service temporary identifier allocated by the temporary identifier allocation module 93 for the UE.
所述发现请求认证模块 94对所述 UE的发现业务请求进行认证,包括: 所述发现请求认证模块 94根据 D2D业务临时标识查找与所述 UE相关 的 UE上下文, 当查找到 UE对应的上下文时, 对所述 UE发现请求认证成 功;  The discovery request authentication module 94 authenticates the discovery service request of the UE, including: the discovery request authentication module 94 searches for a UE context related to the UE according to the D2D service temporary identifier, and when the context corresponding to the UE is found, , requesting that the UE finds that the authentication is successful;
当没有查找到 UE对应的上下文时, 所述发现请求认证模块 94向所述 UE发起获取 IMSI请求; 所述发现请求认证模块 94根据所述 UE返回的获 取 IMSI响应中携带的 IMSI查询是否存在 UE上下文, 存在时, 对所述 UE 发现请求认证成功;  When the context corresponding to the UE is not found, the discovery request authentication module 94 initiates an acquisition of the IMSI request to the UE. The discovery request authentication module 94 queries whether the UE exists according to the IMSI carried in the IMSI response returned by the UE. Context, when present, the request for the UE to discover that the authentication is successful;
如果不存在,所述发现请求认证模块 94向 HSS进行发现业务认证鉴权, 并建立新的 UE上下文, 对所述 UE发现请求认证成功。  If not, the discovery request authentication module 94 performs discovery service authentication and authentication on the HSS, and establishes a new UE context, and the UE is found to request authentication success.
实际应用时,所述配置参数下发模块可由所述 ProSe功能实体中的发射 机实现; 所述鉴权认证模块、 所述发现请求认证模块、 所述临时标识分配 模块及所述发现业务处理模块可由所述 ProSe 功能实体中的中央处理器 ( CPU, Central Processing Unit ) 、 数字信号处理器(DSP, Digital Signal Processor )或可编程逻辑阵列 ( FPGA, Field - Programmable Gate Array ) 结合收发机实现。 In actual application, the configuration parameter sending module may be implemented by a transmitter in the ProSe functional entity; the authentication authentication module, the discovery request authentication module, the temporary identifier allocation module, and the discovery service processing module Central processor in the ProSe functional entity (CPU, Central Processing Unit), Digital Signal Processor (DSP) or Field-Programmable Gate Array (FPGA) are implemented in combination with transceivers.
实施例五  Embodiment 5
本发明实施例六提供了一种 UE, 如图 10所示, 所述 UE包括: 配置 参数接收模块 101及鉴权认证请求发送模块 102; 其中,  The sixth embodiment of the present invention provides a UE. As shown in FIG. 10, the UE includes: a configuration parameter receiving module 101 and an authentication authentication request sending module 102.
所述配置参数接收模块 101, 配置为接收第一 ProSe功能实体下发的配 置参数; 所述鉴权认证请求发送模块 102, 配置为向第一 ProSe功能实体发 起鉴权认证过程; 所述配置参数接收模块 101, 还配置为向所述第一 ProSe 功能实体鉴权认证成功后, 接收所述第一 ProSe功能实体分配的 D2D业务 临时标 i只。  The configuration parameter receiving module 101 is configured to receive a configuration parameter that is sent by the first ProSe functional entity; the authentication authentication request sending module 102 is configured to initiate an authentication authentication process to the first ProSe functional entity; The receiving module 101 is further configured to: after the authentication of the first ProSe functional entity is successful, receive the D2D service temporary identifier allocated by the first ProSe functional entity.
具体地, 所述配置参数包括所述 UE支持的 PLMN标识列表和所述第 一 ProSe功能实体为所述 UE分配的 D2D业务临时标识, 或者所述配置参 数仅包括所述 UE支持的 PLMN标识列表。  Specifically, the configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the configuration parameter includes only a list of PLMN identifiers supported by the UE. .
进一步地, 所述 UE还包括判断模块 103, 所述判断模块 103, 配置为 在所述鉴权认证请求发送模块 102向所述第一 ProSe功能实体发起鉴权认证 过程之前,判断所述 UE的本地 PLMN标识是否在接收到的 PLMN标识列 表中,存在时,触发鉴权认证请求发送模块 102向第二 ProSe功能实体发送 鉴权认证请求。  Further, the UE further includes a determining module 103, where the determining module 103 is configured to determine, before the authentication authentication request sending module 102 initiates an authentication and authentication process to the first ProSe functional entity, Whether the local PLMN identifier exists in the received PLMN identifier list, the trigger authentication authentication request sending module 102 sends an authentication authentication request to the second ProSe functional entity.
当所述配置参数接收模块 101 收到的配置参数包括所述 UE 支持的 PLMN标识列表以及所述第一 ProSe功能实体为所述 UE分配的 D2D业务 临时标识时,所述鉴权认证请求发送模块 102向所述第一 ProSe功能实体发 起鉴权认证过程, 包括:  When the configuration parameter received by the configuration parameter receiving module 101 includes the PLMN identifier list supported by the UE and the D2D service temporary identifier allocated by the first ProSe function entity to the UE, the authentication authentication request sending module The initiating an authentication process for the first ProSe functional entity, including:
所述鉴权认证请求发送模块 102向所述第一 ProSe功能实体发送鉴权认 证请求, 所述鉴权认证请求携带本地 PLMN标识以及所述配置参数接收模 块 101收到的 D2D业务临时标识; 当鉴权认证成功时, 所述配置参数接收 模块 101接收所述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标 识。 The authentication authentication request sending module 102 sends an authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries a local PLMN identifier and the configuration parameter receiving module The D2D service temporary identifier received by the block 101. When the authentication authentication is successful, the configuration parameter receiving module 101 receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
当所述配置参数接收模块 101 收到的配置参数仅包括所述 UE支持的 PLMN标识列表时, 所述鉴权认证请求发送模块 102向所述第一 ProSe功 能实体发起鉴权认证请求, 包括:  When the configuration parameter received by the configuration parameter receiving module 101 includes only the PLMN identity list supported by the UE, the authentication authentication request sending module 102 initiates an authentication authentication request to the first ProSe functional entity, including:
所述鉴权认证请求发送模块 102向所述第二 ProSe功能实体发送鉴权认 证请求, 所述鉴权认证请求携带 IMSI或 D2D业务临时标识;  The authentication authentication request sending module 102 sends an authentication authentication request to the second ProSe functional entity, where the authentication authentication request carries an IMSI or D2D service temporary identifier;
所述第二 ProSe 功能实体将所述鉴权认证请求转发给所述第一 ProSe 功能实体;  Transmitting, by the second ProSe functional entity, the authentication authentication request to the first ProSe functional entity;
所述第一 ProSe功能实体根据所述 IMSI或 D2D业务临时标识执行 UE 鉴权认证过程。  The first ProSe functional entity performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier.
具体地, 当所述配置参数接收模块 101收到的配置参数仅包括所述 UE 支持的 PLMN标识列表时, 所述鉴权认证请求发送模块 102 向所述第一 ProSe功能实体发起鉴权认证请求之前,所述鉴权认证请求发送模块 102会 首先判断自身是否存在已分配的 D2D业务临时标识,并根据自身 D2D业务 临时标识的是否存在的具体情况,决定向第一 ProSe功能实体发起的鉴权认 证请求中携带的参数; 具体地, 如果自身不存在已分配的 D2D业务临时标 识, 则向所述第一 ProSe功能实体发起的鉴权认证请求中仅携带 IMSI; 如 果自身存在已分配的 D2D业务临时标识,则将所述 D2D业务临时标识携带 在鉴权认证请求中发送给所述第一 ProSe功能实体;  Specifically, when the configuration parameter received by the configuration parameter receiving module 101 includes only the PLMN identity list supported by the UE, the authentication authentication request sending module 102 initiates an authentication authentication request to the first ProSe functional entity. The authentication authentication request sending module 102 first determines whether the existing D2D service temporary identifier exists, and determines the authentication initiated by the first ProSe functional entity according to the specific situation of whether the D2D service temporary identifier exists. The parameter carried in the authentication request; specifically, if the existing D2D service temporary identifier does not exist, the authentication request initiated by the first ProSe functional entity carries only the IMSI; if the existing D2D service exists Transmitting the D2D service temporary identifier in the authentication authentication request and sending the identifier to the first ProSe functional entity;
所述 UE还包括:发现业务请求模块 104以及请求处理模块 105;其中, 所述发现业务请求模块 104, 配置为向所述第一 ProSe功能实体发送发 现业务请求消息; 所述发现业务请求消息包括: 发现业务类型和 D2D业务 临时标识; 所述发现业务请求消息可以是针对一个 UE的 D2D发现业务请 求, 也可以是针对多个 UE的 D2D发现业务请求; The UE further includes: a discovery service requesting module 104 and a request processing module 105. The discovery service requesting module 104 is configured to send a discovery service request message to the first ProSe functional entity; the discovery service request message includes : discovering the service type and the D2D service temporary identifier; the discovery service request message may be a D2D discovery service for one UE. The request may also be a D2D discovery service request for multiple UEs;
当所述第一 ProSe功能实体没有根据 D2D业务临时标识查找到所述 UE 对应的 UE上下文时, 所述请求处理模块 105, 配置为接收所述第一 ProSe 功能实体发送的获取 IMSI请求, 并根据所述获取 IMSI请求向所述第一 ProSe返回获取 IMSI响应, 所述获取 IMSI响应携带 UE对应的 IMSI;  When the first ProSe functional entity does not find the UE context corresponding to the UE according to the D2D service temporary identifier, the request processing module 105 is configured to receive the IMSI request sent by the first ProSe functional entity, and according to The acquiring an IMSI request returns an IMSI response to the first ProSe, where the acquiring an IMSI response carries an IMSI corresponding to the UE;
当发现业务处理完成后, 所述配置参数接收模块 101 接收所述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识。  After the service processing is completed, the configuration parameter receiving module 101 receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
实际应用时, 所述配置参数接收模块可由 UE中的接收机实现; 鉴权认 证请求发送模块及所述请求处理模块可由 UE中的 CPU、 DSP或 FPGA结 合收发机实现; 所述判断模块可由 UE中的 CPU、 DSP或 FPGA实现; 所 述发现业务请求模块可由 UE中的发射机实现。  In actual application, the configuration parameter receiving module may be implemented by a receiver in the UE; the authentication authentication request sending module and the request processing module may be implemented by a CPU, a DSP or an FPGA in the UE in combination with the transceiver; the determining module may be implemented by the UE. CPU, DSP or FPGA implementation; the discovery service request module can be implemented by a transmitter in the UE.
实施例六  Embodiment 6
本发明实施例五提供了一种鉴权认证系统, 所述系统结构图如图 11所 示, 所述系统包括: 第一 ProSe功能实体 111和用户设备 UE 112;  The fifth embodiment of the present invention provides an authentication and authentication system, and the system structure diagram is as shown in FIG. 11. The system includes: a first ProSe functional entity 111 and a user equipment UE 112;
所述第一 ProSe功能实体 111, 配置为向 UE下发配置参数; 还配置为 对 UE鉴权认证成功后, 向所述 UE分配 D2D业务临时标识;  The first ProSe functional entity 111 is configured to send configuration parameters to the UE, and is configured to allocate a D2D service temporary identifier to the UE after the UE is successfully authenticated by the UE;
所述 UE 112, 配置为根据所述配置参数向第一 ProSe功能实体 111发 起鉴权认证过程。  The UE 112 is configured to send an authentication authentication process to the first ProSe functional entity 111 according to the configuration parameter.
具体地, 所述第一 ProSe功能实体 111向所述 UE 112下发配置参数, 包括:所述第一 ProSe功能实体 111将所述 UE 112支持的 PLMN标识列表 和所述第一 ProSe功能 111实体为所述 UE 112分配的 D2D业务临时标识、 或者所述 UE 112支持的 PLMN标识列表作为配置参数下发给所述 UE 112。  Specifically, the first ProSe function entity 111 sends configuration parameters to the UE 112, including: the first ProSe function entity 111, the PLMN identifier list supported by the UE 112, and the first ProSe function 111 entity. The D2D service temporary identifier allocated to the UE 112 or the PLMN identifier list supported by the UE 112 is sent to the UE 112 as a configuration parameter.
进一步地, 所述 UE 112, 还配置为在根据所述配置参数向所述第一 ProSe功能实体 111发起鉴权认证过程之前, 判断本地 PLMN标识是否在 接收到的 PLMN标识列表中, 存在时, 向所述第一 ProSe功能实体 111发 起鉴权认证请求。 Further, the UE 112 is further configured to: before determining whether the local PLMN identifier exists in the received PLMN identifier list, before the authentication authentication process is initiated to the first ProSe functional entity 111 according to the configuration parameter, Sending to the first ProSe functional entity 111 The authentication request is initiated.
当所述 UE 112收到的配置参数包括所述 UE 112支持的 PLMN标识列 表以及所述第一 ProSe功能实体 111为所述 UE 112分配的 D2D业务临时标 识时, 所述 UE 112向所述第一 ProSe功能实体 111发起鉴权认证过程, 包 括:  When the configuration parameters received by the UE 112 include the PLMN identifier list supported by the UE 112 and the D2D service temporary identifier allocated by the first ProSe function entity 111 to the UE 112, the UE 112 goes to the A ProSe functional entity 111 initiates an authentication process, including:
所述 UE 112向第二 ProSe功能实体发送鉴权认证请求, 所述鉴权认证 请求携带本地的 PLMN标识以及所述 UE 112收到的 D2D业务临时标识; 第二 ProSe功能实体向所述第一 ProSel l l功能实体转发所述鉴权认证 请求;  The UE 112 sends an authentication request to the second ProSe functional entity, where the authentication authentication request carries the local PLMN identifier and the D2D service temporary identifier received by the UE 112; the second ProSe functional entity goes to the first The ProSel ll functional entity forwards the authentication authentication request;
所述第一 ProSe功能实体 111根据所述 D2D业务临时标识查找所述 UE 112对应的 UE上下文;  The first ProSe functional entity 111 searches for a UE context corresponding to the UE 112 according to the D2D service temporary identifier.
当查找到所述 UE 112对应的上下文时, 所述第一 ProSe功能实体 111 对所述 UE 112鉴权认证成功, 向所述 UE 112返回分配的 D2D业务临时标 识;  When the context corresponding to the UE 112 is found, the first ProSe functional entity 111 successfully authenticates the UE 112, and returns an allocated D2D service temporary identifier to the UE 112.
当没有查找到所述 UE 112对应的上下文时, 所述第一 ProSe功能实体 111向 HSS发起 UE上下文获取过程, UE上下文获取成功后,所述第一 ProSe 功能实体 111对 UE 112鉴权认证成功, 向所述 UE 112返回分配的 D2D业 务临时标识。  When the context corresponding to the UE 112 is not found, the first ProSe function entity 111 initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the first ProSe function entity 111 successfully authenticates the UE 112. And returning the allocated D2D service temporary identifier to the UE 112.
当所述 UE 112收到的配置参数仅包括所述 UE112支持的 PLMN标识 列表时, 所述 UE 112向所述第一 ProS功能实体 el 11发起鉴权认证过程, 包括:  When the configuration parameter received by the UE 112 includes only the PLMN identity list supported by the UE 112, the UE 112 initiates an authentication process to the first ProS function entity el 11 , including:
所述 UE 112向第二 ProSe功能实体发送鉴权认证请求, 所述鉴权认证 请求携带 IMSI或 D2D业务临时标识;  The UE 112 sends an authentication authentication request to the second ProSe functional entity, where the authentication authentication request carries an IMSI or D2D service temporary identifier;
所述第二 ProSe 功能实体将所述鉴权认证请求转发给所述第一 ProSe 功能实体 111 ; 所述第一 ProSel l l功能实体根据所述 IMSI或 D2D业务临时标识执行 UE鉴权认证过程。 The second ProSe functional entity forwards the authentication authentication request to the first ProSe functional entity 111; The first ProSel functional entity performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier.
具体地, 当所述 UE 112收到的配置参数仅包括所述 UE 112支持的 PLMN标识列表时, 所述 UE 112向所述第一 ProSe功能实体 111发起鉴权 认证请求之前, 所述 UE 112会首先判断自身是否存在已分配的 D2D业务 临时标识, 并根据自身 D2D业务临时标识的是否存在的具体情况, 决定向 所述第一 ProSe功能实体 111发起的鉴权认证请求中携带的参数; 具体地, 如果自身不存在已分配的 D2D业务临时标识, 则向所述第一 ProSe功能实 体 111发起的鉴权认证请求中仅携带 IMSI;如果自身存在已分配的 D2D业 务临时标识, 则将所述 D2D业务临时标识携带在鉴权认证请求中发送给所 述第一 ProSe功能实体 111 ;  Specifically, when the configuration parameter received by the UE 112 includes only the PLMN identity list supported by the UE 112, before the UE 112 initiates an authentication authentication request to the first ProSe functional entity 111, the UE 112 First, it is determined whether the existing D2D service temporary identifier exists, and the parameter carried in the authentication authentication request initiated by the first ProSe functional entity 111 is determined according to the specific situation of whether the D2D service temporary identifier exists. If the existing D2D service temporary identifier is not present, the authentication request sent to the first ProSe functional entity 111 carries only the IMSI; if the existing D2D service temporary identifier exists, the The D2D service temporary identifier is carried in the authentication authentication request and sent to the first ProSe functional entity 111;
具体地, 所述第一 ProSe功能实体 111根据所述 IMSI或 D2D业务临 时标识执行 UE鉴权认证过程, 包括:  Specifically, the first ProSe functional entity 111 performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier, and includes:
所述第一 ProSe功能实体 111根据所述 IMSI或 D2D业务临时标识查 找与所述 UE 112相对应的 UE上下文;  The first ProSe functional entity 111 searches for a UE context corresponding to the UE 112 according to the IMSI or D2D service temporary identifier;
当查找到 UE 112对应的上下文时, 所述第一 ProSe功能实体对所述 UE 112鉴权认证成功, 向所述 UE 112返回分配的 D2D业务临时标识; 当没有查找到所述 UE 112对应的上下文时, 所述第一 ProSe功能实体 111向 HSS发起 UE上下文获取过程, UE上下文获取成功后,所述第一 ProSe 功能实体 111对所述 UE 112鉴权认证成功, 向所述 UE 112返回分配 D2D 业务临时标识。  When the context corresponding to the UE 112 is found, the first ProSe functional entity successfully authenticates the UE 112, and returns an allocated D2D service temporary identifier to the UE 112; In the context, the first ProSe function entity 111 initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the first ProSe function entity 111 successfully authenticates the UE 112 and returns an allocation to the UE 112. D2D business temporary identifier.
进一步地, 所述第一 ProSe功能实体 111向所述 UE 112分配 D2D业 务临时标识后, 所述 UE 112还配置为向所述第一 ProSe功能实体 111发送 发现业务请求消息; 所述发现业务请求消息可以是针对一个 UE的 D2D发 现业务请求, 也可以是针对多个 UE的 D2D发现业务请求; 所述发现业务 请求消息包括: 发现业务类型和 D2D业务临时标识; Further, after the first ProSe functional entity 111 allocates the D2D service temporary identifier to the UE 112, the UE 112 is further configured to send a discovery service request message to the first ProSe functional entity 111; The message may be a D2D discovery service request for one UE, or may be a D2D discovery service request for multiple UEs; the discovery service The request message includes: a discovery service type and a temporary identifier of the D2D service;
所述第一 ProSe功能实体 111还配置为对 UE 112的发现请求进行认证; 如果发现请求获得认证,所述第一 ProSe功能实体 111根据对应的业务 类型向被发现 UE的本地的 PLMN下的 ProSe发起对应的发现业务流程; 当发现业务处理完成后, 所述第一 ProSe功能实体 111向所述 UE 112 回送发现业务响应消息,所述消息携带所述第一 ProSe功能实体 111为所述 UE 112分配的 D2D业务临时标识。  The first ProSe functional entity 111 is further configured to authenticate the discovery request of the UE 112; if it is found that the authentication is requested, the first ProSe functional entity 111 according to the corresponding service type to the ProSe under the local PLMN of the discovered UE. Initiating a corresponding discovery service process; the first ProSe function entity 111 sends a discovery service response message to the UE 112, and the message carries the first ProSe function entity 111 as the UE 112. The assigned D2D service temporary identifier.
具体地,所述第一 ProSe功能实体 111对 UE 112的发现请求进行认证, 包括:  Specifically, the first ProSe functional entity 111 authenticates the discovery request of the UE 112, including:
所述第一 ProSe功能实体 111根据 D2D业务临时标识查找与所述 UE 112相关的 UE上下文,当查找到所述 UE 112对应的上下文时,所述 UE 112 发现请求获得认证;  The first ProSe functional entity 111 searches for a UE context related to the UE 112 according to the D2D service temporary identifier, and when the context corresponding to the UE 112 is found, the UE 112 finds that the request is obtained for authentication;
当没有查找到所述 UE 112对应的上下文时, 所述第一 ProSe功能实体 111向所述 UE 112发起获取 IMSI请求; 所述 UE 112向第一 ProSe功能实 体 111返回获取 IMSI响应,获取 IMSI响应携带所述 UE 112对应的 IMSI; 所述第一 ProSe功能实体 111根据 IMSI查询是否存在 UE上下文,存在时, 所述 UE 112发现请求获得认证;  When the context corresponding to the UE 112 is not found, the first ProSe functional entity 111 initiates an acquisition of an IMSI request to the UE 112; the UE 112 returns an acquisition IMSI response to the first ProSe functional entity 111, and obtains an IMSI response. Carrying the IMSI corresponding to the UE 112; the first ProSe function entity 111 queries whether the UE context exists according to the IMSI, and when present, the UE 112 finds that the request is obtained for authentication;
如果不存在, 所述第一 ProSe功能实体 111向 HSS进行发现业务认证 鉴权, 并建立新的 UE上下文, 所述 UE 112发现请求获得认证。  If not present, the first ProSe functional entity 111 performs discovery service authentication authentication to the HSS, and establishes a new UE context, and the UE 112 finds that the request is obtained for authentication.
本领域内的技术人员应明白, 本发明的实施例可提供为方法、 系统、 或计算机程序产品。 因此, 本发明可釆用硬件实施例、 软件实施例、 或结 合软件和硬件方面的实施例的形式。 而且, 本发明可釆用在一个或多个其 中包含有计算机可用程序代码的计算机可用存储介质 (包括但不限于磁盘 存储器和光学存储器等 )上实施的计算机程序产品的形式。  Those skilled in the art will appreciate that embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment of a combination of software and hardware. Moreover, the invention can be embodied in the form of a computer program product embodied on one or more computer usable storage media (including but not limited to disk storage and optical storage, etc.) including computer usable program code.
本发明是参照根据本发明实施例的方法、 设备(系统)、 和计算机程序 产品的流程图和 /或方框图来描述的。 应理解可由计算机程序指令实现流程 图和 /或方框图中的每一流程和 /或方框、以及流程图和 /或方框图中的流程和 /或方框的结合。 可提供这些计算机程序指令到通用计算机、 专用计算机、 嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器, 使得 在流程图一个流程或多个流程和 /或方框图一个方框或多个方框中指定的功 能的装置。 The present invention is directed to a method, apparatus (system), and computer program in accordance with an embodiment of the present invention. The flow chart and/or block diagram of the product is described. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG. These computer program instructions can be provided to a general purpose computer, a special purpose computer, an embedded processor or other programmable data processing device processor to produce a machine such that a flow or a block diagram of a flow or a block diagram or A device that has multiple functions specified in the box.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理 设备以特定方式工作的计算机可读存储器中, 使得存储在该计算机可读存 储器中的指令产生包括指令装置的制造品, 该指令装置实现在流程图一个 流程或多个流程和 /或方框图一个方框或多个方框中指定的功能。  The computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device. The apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备 上, 使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机 实现的处理, 从而在计算机或其他可编程设备上执行的指令提供用于实现 在流程图一个流程或多个流程和 /或方框图一个方框或多个方框中指定的功 能的步骤。  These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device. The instructions provide steps for implementing the functions specified in one or more of the flow or in a block or blocks of a flow diagram.
以上所述, 仅为本发明的较佳实施例而已, 并非用于限定本发明的保 护范围。  The above is only the preferred embodiment of the present invention and is not intended to limit the scope of the present invention.

Claims

权利要求书 claims
1、 一种鉴权认证方法, 所述方法包括: 1. An authentication method, the method includes:
第一基于距离的业务 ProSe功能实体向用户设备 UE下发配置参数; 所述 UE根据所述配置参数向所述第一 ProSe功能实体发起鉴权认证过 程, 所述第一 ProSe功能实体对所述 UE鉴权认证成功后, 向所述 UE分配 The first distance-based service ProSe functional entity delivers configuration parameters to the user equipment UE; the UE initiates an authentication process to the first ProSe functional entity according to the configuration parameters, and the first ProSe functional entity After the UE authentication is successful, allocate to the UE
D2D业务临时标识。 D2D business temporary identification.
2、 根据权利要求 1所述的方法, 其中, 所述配置参数包括所述 UE支 持的 PLMN标识列表和所述第一 ProSe功能实体为所述 UE分配的 D2D业 务临时标识, 或者所述配置参数仅包括所述 UE支持的 PLMN标识列表。 2. The method according to claim 1, wherein the configuration parameters include a list of PLMN identities supported by the UE and a D2D service temporary identity allocated by the first ProSe functional entity to the UE, or the configuration parameters Only the list of PLMN identities supported by the UE is included.
3、 根据权利要求 2所述的方法, 其中, 所述第一 ProSe功能实体对所 述 UE鉴权认证之前, 所述方法还包括: 3. The method according to claim 2, wherein before the first ProSe functional entity authenticates the UE, the method further includes:
所述 UE确定本地 PLMN标识在接收到的 PLMN标识列表中, 向第二 ProSe功能实体发起鉴权认证请求。 The UE determines that the local PLMN identity is in the received PLMN identity list, and initiates an authentication request to the second ProSe functional entity.
4、 根据权利要求 2所述的方法, 其中, 当所述 UE收到的配置参数包 括所述 UE支持的 PLMN标识列表以及所述第一 ProSe功能实体为所述 UE 分配的 D2D业务临时标识时,所述 UE才艮据所述配置参数向所述第一 ProSe 功能实体发起鉴权认证过程, 包括: 4. The method according to claim 2, wherein when the configuration parameters received by the UE include a list of PLMN identities supported by the UE and a D2D service temporary identity allocated by the first ProSe functional entity to the UE , the UE initiates an authentication and authentication process to the first ProSe functional entity according to the configuration parameters, including:
所述 UE向第二 ProSe功能实体发送鉴权认证请求,所述鉴权认证请求 携带本地 PLMN标识以及所述 UE收到的 D2D业务临时标识; The UE sends an authentication and authentication request to the second ProSe functional entity, where the authentication and authentication request carries the local PLMN identity and the D2D service temporary identity received by the UE;
所述第二 ProSe功能实体向所述第一 ProSe功能实体转发所述鉴权认证 请求; The second ProSe functional entity forwards the authentication request to the first ProSe functional entity;
所述第一 ProSe功能实体根据所述 D2D业务临时标识查找所述 UE对 应的 UE上下文; The first ProSe functional entity searches the UE context corresponding to the UE according to the D2D service temporary identifier;
当查找到所述 UE对应的 UE上下文时, 所述第一 ProSe功能实体对所 述 UE鉴权认证成功, 向所述 UE返回分配的 D2D业务临时标识; 当没有查找到所述 UE对应的上下文时,所述第一 ProSe功能实体向归 属用户服务器 HSS发起所述 UE的 UE上下文获取过程,所述 UE上下文获 取成功后, 所述第一 ProSe功能实体对所述 UE鉴权认证成功, 向所述 UE 返回分配的 D2D业务临时标识。 When the UE context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE and returns the assigned D2D service temporary identifier to the UE; When the context corresponding to the UE is not found, the first ProSe functional entity initiates the UE context acquisition process of the UE to the home user server HSS. After the UE context acquisition is successful, the first ProSe functional entity If the UE authentication is successful, the assigned D2D service temporary identifier is returned to the UE.
5、 根据权利要求 2所述的方法, 其中, 当所述 UE收到的配置参数仅 包括所述 UE支持的 PLMN标识列表时, 所述 UE根据所述配置参数向所 述第一 ProSe功能实体发起鉴权认证过程, 包括: 5. The method according to claim 2, wherein when the configuration parameters received by the UE only include a PLMN identity list supported by the UE, the UE sends a request to the first ProSe functional entity according to the configuration parameters. Initiate the authentication process, including:
所述 UE向第二 ProSe功能实体发送鉴权认证请求,所述鉴权认证请求 携带国际移动用户识别码 IMSI或 D2D业务临时标识; The UE sends an authentication and authentication request to the second ProSe functional entity, and the authentication and authentication request carries the International Mobile Subscriber Identity IMSI or the D2D service temporary identifier;
所述第二 ProSe 功能实体将所述鉴权认证请求转发给所述第一 ProSe 功能实体; The second ProSe functional entity forwards the authentication request to the first ProSe functional entity;
所述第一 ProSe功能实体根据所述 IMSI或 D2D业务临时标识执行 UE 鉴权认证过程。 The first ProSe functional entity performs the UE authentication process according to the IMSI or D2D service temporary identifier.
6、 根据权利要求 5所述的方法, 其中, 所述第一 ProSe功能实体根据 所述 IMSI或 D2D业务临时标识执行 UE鉴权认证过程, 包括: 6. The method according to claim 5, wherein the first ProSe functional entity performs a UE authentication process based on the IMSI or D2D service temporary identity, including:
所述第一 ProSe功能实体根据所述 IMSI或 D2D业务临时标识查找与 所述 UE相对应的 UE上下文; The first ProSe functional entity searches for the UE context corresponding to the UE according to the IMSI or D2D service temporary identifier;
当查找到所述 UE对应的 UE上下文时, 所述第一 ProSe功能实体对所 述 UE鉴权认证成功, 向所述 UE返回分配的 D2D业务临时标识; When the UE context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE and returns the allocated D2D service temporary identity to the UE;
当没有查找到所述 UE对应的上下文时, 所述第一 ProSe功能实体向 HSS发起 UE上下文获取过程, UE上下文获取成功后, 所述第一 ProSe功 能实体对 UE鉴权认证成功, 向所述 UE返回分配的 D2D业务临时标识。 When the context corresponding to the UE is not found, the first ProSe functional entity initiates a UE context acquisition process to the HSS. After the UE context acquisition is successful, the first ProSe functional entity successfully authenticates the UE and reports to the HSS. The UE returns the assigned D2D service temporary identifier.
7、根据权利要求 1至 6其中任一项所述的方法,其中,所述第一 ProSe 功能实体向 UE分配 D2D业务临时标识后, 所述方法还包括: 7. The method according to any one of claims 1 to 6, wherein after the first ProSe functional entity allocates the D2D service temporary identity to the UE, the method further includes:
所述 UE向所述第一 ProSe功能实体发送发现业务请求消息;所述发现 业务请求消息包括: 发现业务类型和 D2D业务临时标识; The UE sends a discovery service request message to the first ProSe functional entity; the discovery The service request message includes: discovered service type and D2D service temporary identifier;
所述第一 ProSe功能实体对所述 UE的发现请求进行认证; The first ProSe functional entity authenticates the discovery request of the UE;
发现请求获得认证后,所述第一 ProSe功能实体根据对应的业务类型发 起对应的发现业务流程; After the discovery request is authenticated, the first ProSe functional entity initiates the corresponding discovery service process according to the corresponding service type;
当发现业务处理完成后,所述第一 ProSe功能实体向所述 UE回送发现 业务请求响应消息,所述消息携带所述第一 ProSe功能实体为所述 UE分配 的 D2D业务临时标识。 After the discovery service processing is completed, the first ProSe functional entity returns a discovery service request response message to the UE, and the message carries the D2D service temporary identity assigned by the first ProSe functional entity to the UE.
8、 根据权利要求 7所述的方法, 其中, 所述第一 ProSe功能实体对所 述 UE的发现请求进行认证, 包括: 8. The method according to claim 7, wherein the first ProSe functional entity authenticates the discovery request of the UE, including:
所述第一 ProSe功能实体根据 D2D业务临时标识查找与所述 UE相关 的 UE上下文, 当查找到 UE对应的 UE上下文时, 所述 UE发现请求获得 认证; The first ProSe functional entity searches for the UE context related to the UE according to the D2D service temporary identifier. When the UE context corresponding to the UE is found, the UE discovery request is authenticated;
当没有查找到所述 UE对应的 UE上下文时, 所述第一 ProSe功能实体 向所述 UE发起获取 IMSI请求; 所述 UE向所述第一 ProSe功能实体回送 获取 IMSI响应, 并携带所述 UE对应的 IMSI; 所述第一 ProSe功能实体根 据 IMSI查询是否存在与所述 UE对应的 UE上下文, 存在时, 所述 UE发 现请求获得认证; When the UE context corresponding to the UE is not found, the first ProSe functional entity initiates an IMSI acquisition request to the UE; the UE sends back an IMSI acquisition response to the first ProSe functional entity and carries the UE Corresponding IMSI; The first ProSe functional entity queries whether there is a UE context corresponding to the UE according to the IMSI. If it exists, the UE discovers and requests to obtain authentication;
如果不存在,所述第一 ProSe功能实体向 HSS进行发现业务认证鉴权, 所述 HSS为所述 UE建立新的 UE上下文, 所述 UE发现请求获得认证。 If it does not exist, the first ProSe functional entity performs discovery service authentication and authentication on the HSS, the HSS establishes a new UE context for the UE, and the UE discovery request is authenticated.
9、 一种鉴权认证方法, 所述方法包括: 9. An authentication method, the method includes:
第一 ProSe功能实体向 UE下发配置参数; The first ProSe functional entity delivers configuration parameters to the UE;
所述第一 ProSe功能实体对所述 UE鉴权认证成功后, 向所述 UE分配 D2D业务临时标识。 After the first ProSe functional entity successfully authenticates the UE, it allocates a D2D service temporary identifier to the UE.
10、 根据权利要求 9 所述的方法, 其中, 所述配置参数包括所述 UE 支持的 PLMN标识列表和所述第一 ProSe功能实体为所述 UE分配的 D2D 业务临时标识,或者所述配置参数仅包括所述 UE支持的 PLMN标识列表。 10. The method according to claim 9, wherein the configuration parameters include a PLMN identity list supported by the UE and a D2D D2D identifier allocated by the first ProSe functional entity to the UE. The service temporary identifier, or the configuration parameter only includes a list of PLMN identifiers supported by the UE.
11、 根据权利要求 10所述的方法, 其中, 所述第一 ProSe功能实体对 所述 UE鉴权认证, 包括: 11. The method according to claim 10, wherein the first ProSe functional entity authenticates and authenticates the UE, including:
所述第一 ProSe功能实体接收第二 ProSe功能实体发送的鉴权认证请 求, 所述鉴权认证请求携带本地 PLMN标识以及所述 UE收到的 D2D业务 临时标 i只; The first ProSe functional entity receives an authentication and authentication request sent by the second ProSe functional entity, and the authentication and authentication request carries the local PLMN identifier and the D2D service temporary identifier received by the UE;
所述第一 ProSe功能实体根据所述 D2D业务临时标识查找所述 UE对 应的 UE上下文; The first ProSe functional entity searches the UE context corresponding to the UE according to the D2D service temporary identifier;
当查找到所述 UE对应的上下文时, 所述第一 ProSe功能实体对所述 UE鉴权认证成功, 向所述 UE返回分配 D2D业务临时标识; When the context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE and returns the allocated D2D service temporary identity to the UE;
当没有查找到所述 UE对应的上下文时, 所述第一 ProSe功能实体向 HSS发起 UE上下文获取过程, UE上下文获取成功后, 所述第一 ProSe功 能实体对所述 UE鉴权认证成功, 向所述 UE返回分配 D2D业务临时标识。 When the context corresponding to the UE is not found, the first ProSe functional entity initiates a UE context acquisition process to the HSS. After the UE context acquisition is successful, the first ProSe functional entity successfully authenticates the UE and sends a request to the HSS. The UE returns the assigned D2D service temporary identifier.
12、 根据权利要求 10所述的方法, 其中, 所述第一 ProSe功能实体对 所述 UE鉴权认证, 包括: 12. The method according to claim 10, wherein the first ProSe functional entity authenticates and authenticates the UE, including:
所述第一 ProSe功能实体接收第二 ProSe功能实体发送的鉴权认证请 求, 所述鉴权认证请求携带 IMSI或 D2D业务临时标识; The first ProSe functional entity receives an authentication and authentication request sent by the second ProSe functional entity, and the authentication and authentication request carries IMSI or D2D service temporary identifier;
所述第一 ProSe根据所述 IMSI或 D2D业务临时标识执行 UE鉴权认证 过程。 The first ProSe performs a UE authentication process based on the IMSI or D2D service temporary identifier.
13、根据权利要求 12所述的方法, 其中, 所述执行 UE鉴权认证过程, 包括: 13. The method according to claim 12, wherein the performing the UE authentication process includes:
所述第一 ProSe根据所述 IMSI或 D2D业务临时标识查找与所述 UE相 对应的 UE上下文; The first ProSe searches for the UE context corresponding to the UE according to the IMSI or D2D service temporary identifier;
当查找到所述 UE对应的上下文时, 所述第一 ProSe功能实体对所述 UE鉴权认证成功, 向所述 UE返回分配 D2D业务临时标识; 当没有查找到 UE对应的上下文时, 所述第一 ProSe功能实体向 HSS 发起 UE上下文获取过程, UE上下文获取成功后, 所述第一 ProSe功能实 体对所述 UE鉴权认证成功, 向所述 UE返回分配 D2D业务临时标识。 When the context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE and returns the assigned D2D service temporary identifier to the UE; When the context corresponding to the UE is not found, the first ProSe functional entity initiates a UE context acquisition process to the HSS. After the UE context acquisition is successful, the first ProSe functional entity successfully authenticates the UE and reports to the HSS. The UE returns and allocates a D2D service temporary identifier.
14、根据权利要求 9至 13其中任一项所述的方法,其中,所述第一 ProSe 功能实体向所述 UE分配 D2D业务临时标识后, 所述方法还包括: 14. The method according to any one of claims 9 to 13, wherein after the first ProSe functional entity allocates the D2D service temporary identity to the UE, the method further includes:
所述第一 ProSe功能实体接收所述 UE发送的发现业务请求消息;所述 发现业务请求消息包括: 发现业务类型和 D2D业务临时标识; The first ProSe functional entity receives the discovery service request message sent by the UE; the discovery service request message includes: discovery service type and D2D service temporary identifier;
所述第一 ProSe功能实体对所述 UE的发现请求进行认证; The first ProSe functional entity authenticates the discovery request of the UE;
发现请求获得认证后,所述第一 ProSe功能实体根据对应的业务类型发 起对应的发现业务流程; After the discovery request is authenticated, the first ProSe functional entity initiates the corresponding discovery service process according to the corresponding service type;
当发现业务处理完成后,所述第一 ProSe功能实体向所述 UE回送发现 业务请求响应消息, 所述消息携带第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识。 After the discovery service processing is completed, the first ProSe functional entity returns a discovery service request response message to the UE, and the message carries the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
15、 根据权利要求 14所述的方法, 其中, 所述第一 ProSe功能实体对 所述 UE的发现请求进行认证, 包括: 15. The method according to claim 14, wherein the first ProSe functional entity authenticates the discovery request of the UE, including:
所述第一 ProSe功能实体根据 D2D业务临时标识查找与所述 UE相关 的 UE上下文, 当查找到所述 UE对应的上下文时, 所述 UE发现请求获得 认证; The first ProSe functional entity searches for the UE context related to the UE according to the D2D service temporary identifier. When the context corresponding to the UE is found, the UE discovery request is authenticated;
当没有查找到所述 UE对应的上下文时,所述第一 ProSe功能实体向所 述 UE发起获取 IMSI请求; IMSI获取成功后, 所述第一 ProSe功能实体根 据所述 IMSI查询是否存在所述 UE对应的 UE上下文, 存在时, 所述 UE 发现请求获得认证; When the context corresponding to the UE is not found, the first ProSe functional entity initiates an IMSI acquisition request to the UE; after the IMSI is successfully obtained, the first ProSe functional entity queries whether the UE exists according to the IMSI. When the corresponding UE context exists, the UE discovers that the request is authenticated;
如果不存在,所述第一 ProSe功能实体向 HSS进行发现业务认证鉴权, 所述 HSS为所述 UE建立新的 UE上下文, 所述 UE发现请求获得认证。 If it does not exist, the first ProSe functional entity performs discovery service authentication and authentication on the HSS, the HSS establishes a new UE context for the UE, and the UE discovery request is authenticated.
16、 一种鉴权认证方法, 所述方法包括: UE接收第一 ProSe功能实体下发的配置参数; 所述 UE根据所述配置 参数向所述第一 ProSe功能实体发起鉴权认证过程, 并在鉴权认证成功后, 接收所述第一 ProSe功能实体分配的 D2D业务临时标识。 16. An authentication method, the method includes: The UE receives the configuration parameters issued by the first ProSe functional entity; the UE initiates an authentication and authentication process to the first ProSe functional entity according to the configuration parameters, and after the authentication and authentication is successful, receives the first ProSe function D2D service temporary ID assigned by the entity.
17、 根据权利要求 16所述的方法, 其中, 所述配置参数包括所述 UE 支持的 PLMN标识列表和所述第一 ProSe功能实体为所述 UE分配的 D2D 业务临时标识,或者所述配置参数仅包括所述 UE支持的 PLMN标识列表。 17. The method according to claim 16, wherein the configuration parameters include a list of PLMN identities supported by the UE and a D2D service temporary identity allocated by the first ProSe functional entity to the UE, or the configuration parameters Only the list of PLMN identities supported by the UE is included.
18、 根据权利要求 17所述的方法, 其中, 所述 UE向所述第一 ProSe 功能实体鉴权认证之前, 所述方法还包括: 18. The method according to claim 17, wherein before the UE authenticates to the first ProSe functional entity, the method further includes:
所述 UE确定本地 PLMN标识在接收到的 PLMN标识列表中,所述 UE 向第二 ProSe功能实体发起鉴权认证请求。 The UE determines that the local PLMN identity is in the received PLMN identity list, and the UE initiates an authentication request to the second ProSe functional entity.
19、 根据权利要求 16所述的方法, 其中, 当所述 UE收到的配置参数 包括所述 UE支持的 PLMN标识列表以及所述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识时, 所述 UE根据所述配置参数向所述第一 ProSe功能实体发起鉴权认证过程, 包括: 19. The method according to claim 16, wherein when the configuration parameters received by the UE include a list of PLMN identities supported by the UE and a D2D service temporary identity allocated by the first ProSe functional entity to the UE , the UE initiates an authentication and authentication process to the first ProSe functional entity according to the configuration parameters, including:
所述 UE向所述第一 ProSe功能实体发送鉴权认证请求,所述鉴权认证 请求携带本地 PLMN标识以及所述 UE收到的 D2D业务临时标识; The UE sends an authentication and authentication request to the first ProSe functional entity, and the authentication and authentication request carries the local PLMN identity and the D2D service temporary identity received by the UE;
当鉴权认证成功时, 所述 UE接收所述第一 ProSe功能实体为所述 UE 分配的 D2D业务临时标识。 When the authentication is successful, the UE receives the D2D service temporary identity allocated by the first ProSe functional entity to the UE.
20、 根据权利要求 16所述的方法, 其中, 当所述 UE收到的配置参数 仅包括所述 UE支持的 PLMN标识列表时, 所述 UE根据所述配置参数向 所述第一 ProSe功能实体发起鉴权认证过程, 包括: 20. The method according to claim 16, wherein when the configuration parameters received by the UE only include a PLMN identity list supported by the UE, the UE sends a request to the first ProSe functional entity according to the configuration parameters. Initiate the authentication process, including:
所述 UE向所述第一 ProSe功能实体发送鉴权认证请求,所述鉴权认证 请求携带 IMSI或 D2D业务临时标识。 The UE sends an authentication and authentication request to the first ProSe functional entity, and the authentication and authentication request carries IMSI or D2D service temporary identification.
21、 根据权利要求 16至 20其中任一项所述的方法, 其中, 所述 UE 接收到所述第一 ProSe功能实体分配的 D2D业务临时标识后, 所述方法还 包括: 21. The method according to any one of claims 16 to 20, wherein, after the UE receives the D2D service temporary identity allocated by the first ProSe functional entity, the method further include:
所述 UE向所述第一 ProSe功能实体发送发现业务请求消息;所述发现 业务请求消息包括: 发现业务类型和 D2D业务临时标识; The UE sends a discovery service request message to the first ProSe functional entity; the discovery service request message includes: discovery service type and D2D service temporary identifier;
当所述第一 ProSe功能实体没有根据 D2D业务临时标识查找到所述 UE 对应的 UE上下文时, 所述 UE接收所述所述第一 ProSe功能实体发送的获 取 IMSI请求, 并根据所述获取 IMSI请求向所述第一 ProSe功能实体返回 获取 IMSI响应, 所述获取 IMSI响应携带 UE对应的 IMSI; When the first ProSe functional entity does not find the UE context corresponding to the UE according to the D2D service temporary identifier, the UE receives the obtain IMSI request sent by the first ProSe functional entity, and obtains the IMSI according to the Request to return an obtain IMSI response to the first ProSe functional entity, where the obtain IMSI response carries the IMSI corresponding to the UE;
当发现业务处理完成后,所述 UE接收所述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识。 After the discovery service processing is completed, the UE receives the D2D service temporary identity assigned to the UE by the first ProSe functional entity.
22、 一种 ProSe功能实体, 所述 ProSe功能实体包括: 配置参数下发模 块、 鉴权认证模块以及临时标识分配模块; 其中, 22. A ProSe functional entity, the ProSe functional entity includes: a configuration parameter delivery module, an authentication and authentication module, and a temporary identity allocation module; wherein,
所述配置参数下发模块, 配置为向 UE下发配置参数; The configuration parameter delivery module is configured to deliver configuration parameters to the UE;
所述鉴权认证模块, 配置为对所述 UE执行鉴权认证,并在鉴权认证成 功时触发所述临时标识分配模块; The authentication and authentication module is configured to perform authentication and authentication on the UE, and trigger the temporary identity allocation module when the authentication and authentication is successful;
所述临时标识分配模块, 配置为被所述鉴权认证模块触发时, 向所述 The temporary identity allocation module is configured to send a message to the authentication module when triggered by the authentication and authentication module.
UE下发 D2D业务临时标识。 The UE delivers the D2D service temporary identifier.
23、 根据权利要求 22所述的 ProSe功能实体, 其中, 所述配置参数下 发模块向所述 UE下发的配置参数包括所述 UE支持的 PLMN标识列表和 所述临时标识分配模块为所述 UE分配的 D2D业务临时标识, 或者所述配 置参数仅包括所述 UE支持的 PLMN标识列表。 23. The ProSe functional entity according to claim 22, wherein the configuration parameters delivered by the configuration parameter delivery module to the UE include a PLMN identity list supported by the UE and the temporary identity allocation module is the The D2D service temporary identity allocated by the UE, or the configuration parameters only include a list of PLMN identities supported by the UE.
24、 根据权利要求 23所述的 ProSe功能实体, 其中, 所述 ProSe功能 实体还包括: 发现请求认证模块和发现业务处理模块; 其中, 24. The ProSe functional entity according to claim 23, wherein the ProSe functional entity further includes: a discovery request authentication module and a discovery service processing module; wherein,
所述发现请求认证模块, 配置为接收所述 UE的发现业务请求,并对所 述 UE的发现业务请求进行认证,其中所述发现业务请求包括:发现业务类 型和 D2D业务临时标识;还配置为对所述 UE的发现业务请求认证成功后, 触发所述发现业务处理模块; The discovery request authentication module is configured to receive the discovery service request of the UE and authenticate the discovery service request of the UE, wherein the discovery service request includes: a discovery service type and a D2D service temporary identifier; and is also configured to After the discovery service request authentication for the UE is successful, Trigger the discovery service processing module;
所述发现业务处理模块, 配置为被所述发现请求认证模块触发时, 为 所述 UE执行发现业务处理, 并在发现业务处理完成后, 向所述 UE返回发 现业务响应消息, 所述发现业务响应消息携带所述临时标识分配模块为所 述 UE分配的 D2D业务临时标识。 The discovery service processing module is configured to perform discovery service processing for the UE when triggered by the discovery request authentication module, and after the discovery service processing is completed, return a discovery service response message to the UE, the discovery service The response message carries the D2D service temporary identity allocated by the temporary identity allocation module to the UE.
25、 一种 UE, 所述 UE包括: 配置参数接收模块及鉴权认证请求发送 模块; 其中, 25. A UE, the UE includes: a configuration parameter receiving module and an authentication and authentication request sending module; wherein,
所述配置参数接收模块,配置为接收第一 ProSe功能实体下发的配置参 数; The configuration parameter receiving module is configured to receive the configuration parameters issued by the first ProSe functional entity;
所述鉴权认证请求发送模块,配置为向所述第一 ProSe功能实体发起鉴 权认证过程; The authentication and authentication request sending module is configured to initiate an authentication and authentication process to the first ProSe functional entity;
所述配置参数接收模块,还配置为向所述第一 ProSe功能实体鉴权认证 成功后, 接收所述第一 ProSe功能实体分配的 D2D业务临时标识。 The configuration parameter receiving module is further configured to receive the D2D service temporary identity assigned by the first ProSe functional entity after the authentication to the first ProSe functional entity is successful.
26、 根据权利要求 25 所述的 UE, 其中, 所述配置参数包括所述 UE 支持的 PLMN标识列表和所述第一 ProSe功能实体为所述 UE分配的 D2D 业务临时标识,或者所述配置参数仅包括所述 UE支持的 PLMN标识列表。 26. The UE according to claim 25, wherein the configuration parameters include a list of PLMN identities supported by the UE and a D2D service temporary identity allocated by the first ProSe functional entity to the UE, or the configuration parameters Only the list of PLMN identities supported by the UE is included.
27、 根据权利要求 26所述的 UE, 其中, 所述 UE还包括判断模块; 所述判断模块,配置为在所述鉴权认证请求发送模块向所述第一 ProSe功能 实体发起鉴权认证过程之前, 确定所述 UE的本地 PLMN标识在接收到的 PLMN标识列表中时, 触发所述鉴权认证请求发送模块向第二 ProSe功能 实体发送鉴权认证请求。 27. The UE according to claim 26, wherein the UE further includes a judgment module; the judgment module is configured to initiate an authentication and authentication process to the first ProSe functional entity in the authentication and authentication request sending module. Previously, when it is determined that the local PLMN identity of the UE is in the received PLMN identity list, the authentication and authentication request sending module is triggered to send an authentication and authentication request to the second ProSe functional entity.
28、 根据权利要求 25至 27其中任一项所述的 UE, 其中, 所述 UE还 包括: 发现业务请求模块以及请求处理模块; 其中, 28. The UE according to any one of claims 25 to 27, wherein the UE further includes: a discovery service request module and a request processing module; wherein,
所述发现业务请求模块,配置为向所述第一 ProSe功能实体发送发现业 务请求消息; 所述发现业务请求消息包括: 发现业务类型和 D2D业务临时 标识; The discovery service request module is configured to send a discovery service request message to the first ProSe functional entity; the discovery service request message includes: discovery service type and D2D service temporary logo;
所述请求处理模块, 配置为当所述第一 ProSe功能实体没有根据 D2D 业务临时标识查找到所述 UE对应的 UE上下文时,接收所述第一 ProSe功 能实体发送的获取 IMSI请求,并根据所述获取 IMSI请求向所述第一 ProSe 返回获取 IMSI响应, 所述获取 IMSI响应携带 UE对应的 IMSI; The request processing module is configured to receive an IMSI acquisition request sent by the first ProSe functional entity when the first ProSe functional entity does not find the UE context corresponding to the UE according to the D2D service temporary identifier, and based on the The Get IMSI request returns an Get IMSI response to the first ProSe, and the Get IMSI response carries the IMSI corresponding to the UE;
所述配置参数接收模块, 还配置为当发现业务处理完成后, 接收所述 第一 ProSe功能实体为所述 UE分配的 D2D业务临时标识。 The configuration parameter receiving module is further configured to receive the D2D service temporary identifier allocated by the first ProSe functional entity to the UE after the discovery service processing is completed.
29、 一种鉴权认证系统, 所述系统包括: 第一 ProSe功能实体和 UE; 所述第一 ProSe功能实体, 配置为向所述 UE下发配置参数; 还配置为 对所述 UE鉴权认证成功后, 向所述 UE分配 D2D业务临时标识; 29. An authentication and authentication system, the system includes: a first ProSe functional entity and a UE; the first ProSe functional entity is configured to deliver configuration parameters to the UE; and is also configured to authenticate the UE. After successful authentication, allocate a D2D service temporary identifier to the UE;
所述 UE, 配置为根据所述配置参数向所述第一 ProSe功能实体发起鉴 权认证过程。 The UE is configured to initiate an authentication and authentication process to the first ProSe functional entity according to the configuration parameters.
30、 根据权利要求 29所述的系统, 其中, 所述第一 ProSe功能实体向 所述 UE下发配置参数, 包括: 所述第一 ProSe功能实体将所述 UE支持的 PLMN标识列表和所述第一 ProSe功能实体为所述 UE分配的 D2D业务临 时标识、或者所述 UE支持的 PLMN标识列表作为配置参数下发给所述 UE。 30. The system according to claim 29, wherein the first ProSe functional entity delivers configuration parameters to the UE, including: the first ProSe functional entity combines the PLMN identification list supported by the UE and the The D2D service temporary identity allocated by the first ProSe functional entity to the UE or the PLMN identity list supported by the UE is delivered to the UE as a configuration parameter.
31、 根据权利要求 30所述的系统, 其中, 所述 UE, 还配置为确定本 地 PLMN标识在接收到的 PLMN标识列表中时, 向所述第一 ProSe功能实 体发起鉴权认证请求。 31. The system according to claim 30, wherein the UE is further configured to initiate an authentication request to the first ProSe functional entity when it is determined that the local PLMN identity is in the received PLMN identity list.
32、 根据权利要求 30所述的系统, 其中, 所述 UE, 还配置为向所述 第一 ProSe功能实体发送发现业务请求消息; 所述发现业务请求消息包括: 发现业务类型和 D2D业务临时标识; 32. The system according to claim 30, wherein the UE is further configured to send a discovery service request message to the first ProSe functional entity; the discovery service request message includes: a discovery service type and a D2D service temporary identifier. ;
所述第一 ProSe功能实体还配置为对所述 UE的发现请求进行认证;在 发现请求获得认证后, 根据对应的业务类型发起对应的发现业务流程; 并 在发现业务处理完成后, 向所述 UE回送发现业务响应消息,所述发现业务 响应消息携带所述第一 ProSe功能实体为所述 UE分配的 D2D业务临时标 识。 The first ProSe functional entity is also configured to authenticate the discovery request of the UE; after the discovery request is authenticated, initiate a corresponding discovery service process according to the corresponding service type; and after the discovery service processing is completed, The UE sends back a discovery service response message. The discovery service The response message carries the D2D service temporary identity allocated by the first ProSe functional entity to the UE.
33、 一种计算机存储介质, 所述计算机存储介质包括一组指令, 当执 行所述指令时, 引起至少一个处理器执行如权利要求 1至 8任一项所述的 鉴权认证方法, 或者执行如权利要求 9至 15任一项所述的鉴权认证方法, 或者执行如权利要求 16至 21任一项所述的鉴权认证方法。 33. A computer storage medium, the computer storage medium includes a set of instructions that, when executed, cause at least one processor to execute the authentication method according to any one of claims 1 to 8, or execute The authentication and authentication method as described in any one of claims 9 to 15, or the authentication and authentication method as described in any one of claims 16 to 21.
PCT/CN2014/083049 2014-03-12 2014-07-25 Authentication method and system, prose functional entity, and ue WO2015135278A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410091463.3 2014-03-12
CN201410091463.3A CN104918246A (en) 2014-03-12 2014-03-12 Authentication method and system, ProSe (Proximity-based Service) functional entities and UE (User Equipment)

Publications (1)

Publication Number Publication Date
WO2015135278A1 true WO2015135278A1 (en) 2015-09-17

Family

ID=54070860

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/083049 WO2015135278A1 (en) 2014-03-12 2014-07-25 Authentication method and system, prose functional entity, and ue

Country Status (2)

Country Link
CN (1) CN104918246A (en)
WO (1) WO2015135278A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106792428B (en) * 2016-05-09 2020-02-11 北京展讯高科通信技术有限公司 Base station, near field service functional entity and communication resource allocation and scheduling method
CN110809892B (en) * 2017-06-30 2021-12-14 华为技术有限公司 Authentication method, terminal and network equipment
CN108134991B (en) * 2017-12-22 2020-10-16 杭州清创微品智能科技有限公司 Method and system for reducing D2D equipment switching

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1867164A (en) * 2005-05-19 2006-11-22 华为技术有限公司 Method for user terminal obtaining BSF as distributed conversation affair mark
CN101488945A (en) * 2008-01-14 2009-07-22 北京大唐高鸿数据网络技术有限公司 Authentication method oriented to SIP
US20120204027A1 (en) * 2011-02-09 2012-08-09 Samsung Electronics Co. Ltd. Authentication method and apparatus in a communication system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101022651B (en) * 2006-02-13 2012-05-02 华为技术有限公司 Combined right-discriminating construction and realizing method thereof

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1867164A (en) * 2005-05-19 2006-11-22 华为技术有限公司 Method for user terminal obtaining BSF as distributed conversation affair mark
CN101488945A (en) * 2008-01-14 2009-07-22 北京大唐高鸿数据网络技术有限公司 Authentication method oriented to SIP
US20120204027A1 (en) * 2011-02-09 2012-08-09 Samsung Electronics Co. Ltd. Authentication method and apparatus in a communication system

Also Published As

Publication number Publication date
CN104918246A (en) 2015-09-16

Similar Documents

Publication Publication Date Title
CN110800331B (en) Network verification method, related equipment and system
AU2021221761B2 (en) Selection of ip version
CN102724102B (en) Method and apparatus for establishing connection with network management system and communication system
US9179289B2 (en) Method and system for remotely accessing
US9794785B2 (en) Communication system, connection control apparatus, mobile terminal, base station control method, service request method, and program
WO2009000206A1 (en) Method and system for access control of home node b
KR101885043B1 (en) Establishing and configuring dynamic subscriptions
WO2015165149A1 (en) Configuration method, prose key management functional entity, terminal, system, and storage medium
US9713176B2 (en) Telecommunication method and telecommunication system
US10863555B2 (en) Access method, apparatus, device, and system
WO2014183260A1 (en) Method, device and system for processing data service under roaming scenario
CN108616805B (en) Emergency number configuration and acquisition method and device
WO2016000395A1 (en) D2d service authorizing method and device and home near field communication server
JP2015503304A (en) Access method, mobility management device, and user equipment
EP3182762B1 (en) Near field communication discovery method, apparatus and system
WO2015135278A1 (en) Authentication method and system, prose functional entity, and ue
WO2015154426A1 (en) Method and device for prose temporary identifier notification and update
WO2013067744A1 (en) Serving gateway selection method and system for terminal group
WO2015135269A1 (en) Service discovery and authentication method, device, terminal, system, and computer storage medium
WO2016034018A1 (en) Method, device and home subscriber server for device to device service recovery
CN106688259B (en) Authentication method and device for user equipment
WO2016065696A1 (en) Sim card application method, allocation method, apparatus, terminal and server

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14885264

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14885264

Country of ref document: EP

Kind code of ref document: A1