WO2015135278A1 - Authentication method and system, ProSe functional entity and UE - Google Patents

Authentication method and system, ProSe functional entity and UE

Info

Publication number
WO2015135278A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
functional entity
service
prose functional
request
Prior art date
Application number
PCT/CN2014/083049
Other languages
English (en)
Chinese (zh)
Inventor
游世林
梁爽
蔡继燕
林兆骥
彭锦
李阳
朱李
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2015135278A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications

Definitions

  • the present invention relates to the field of mobile communications, and specifically relates to a method and system for authenticating authentication, a functional entity based on distance (ProSe), and a user equipment (UE, User Equipment).

Background technique

  • the 3rd Generation Partnership Project (3GPP) standard working group is working on the Evolved Packet System (EPS).
  • the entire EPS includes an E-UTRAN (Evolved Universal Terrestrial Radio Access Network) and an Evolved Packet Core Networking (EPC), where the EPC includes a Home Subscriber Server (HSS), mobility.
  • E-UTRAN Evolved Universal Terrestrial Radio Access Network
  • EPC Evolved Packet Core Networking
  • HSS Home Subscriber Server
  • MME Mobility Management Entity
  • SGSN Serving GPRS Support Node
  • PCRF Policy and Charging Rule Function
  • S-GW Serving Gateway
  • P-GW Packet Data Gateway
  • PDN Gateway Packet Data Network
  • D2D device-to-device
  • ProSe device-to-device
  • the commonly used D2D service has a D2D discovery service, and the communication architecture of the D2D discovery service is as shown in FIG. 1.
  • the two UEs accessing the D2D service can only access the EPC through the E-UTRAN, and both UEs can belong to one public land mobile network (PLMN, Public Land Mobile Network) or to two separate PLMNs; for one UE, the PLMN can be divided into the belonging PLMNs.
  • HPLMN Home PLMN
  • VPLMN Visited PLMN
  • LPLMN local public land mobile network
  • for the D2D discovery service, not only the EPS is deployed on the carrier side, but also the ProSe application server of the D2D discovery service.
  • the ProSe application server can be provided by the service provider that operates the D2D service, or can be provided by the network operator that operates the EPS, and the ProSe Function Entity (ProSe Function) is also deployed in different PLMNs.
  • the ProSe Function Entity ProSe Function
  • the interface with the ProSe application server is a PC1 interface, and the related authentication function is provided.
  • the interface between the UE and the UE is PC5, which is used for mutual direct discovery and communication between the UEs, and the interface between the UE and the ProSe functional entity is PC3, which is used for discovery and authentication through the network.
  • the interface between the ProSe functional entity and the existing EPC is PC4, which includes a user plane interface with the P-GW and a control plane interface with the HSS for D2D discovery service discovery authentication.
  • the interface between the ProSe functional entity and the ProSe application server is PC2, which is used for application implementation of the D2D discovery service.
  • the interfaces between ProSe functional entities are the PC6 and PC7 interfaces, used for the roaming and non-roaming cases of the UE respectively: the PC7 interface is used when the UE is roaming and the PC6 interface when the UE is not roaming; the two interfaces carry the information interaction between two ProSe functional entities when the UE performs the D2D discovery service.
  • Step 201 When a UE needs to initiate a D2D discovery service to one or more other discovered UEs, the UE first needs to have the ProSe function entity under its own HPLMN perform the D2D discovery service authentication. Specifically, after the UE and the ProSe functional entity under the HPLMN establish a secure connection, the UE sends a discovery service request message to the ProSe functional entity under the HPLMN, where the discovery service request message includes the discovery service type and the user identifier.
  • the user identifier is an International Mobile Subscriber Identification Number (IMSI) or a Mobile Station International ISDN Number (MSISDN), where the ISDN is an Integrated Services Digital Network;
  • IMSI International Mobile Subscriber Identification Number
  • MSISDN Mobile Station International ISDN Number
  • the discovery service type includes: an announce, that is, a discovery request initiated by the UE; a monitor, that is, a discovery request initiated by the UE; a match, that is, the UE is found to be sent to the discoverable ProSe functional entity. Match the report.
  • Step 202 The ProSe function entity in the HPLMN performs a discovery service authentication process on the UE.
  • the discovery service authentication of the UE is performed according to the existing technical solution.
  • the process proceeds to step 203, in which the ProSe function entity under the HPLMN initiates a corresponding discovery service process for the UE to the other one or more discovered UEs;
  • Step 203 The ProSe functional entity in the HPLMN initiates a corresponding discovery service flow to the ProSe functional entity in the local PLMN of the one or more discovered UEs according to the corresponding service type.
  • the ProSe function entity under the HPLMN When the service type is published, the ProSe function entity under the HPLMN sends a publish request message to the ProSe function entity in the local PLMN of the discovered UE, and the ProSe function entity in the local PLMN of the UE is found to be the ProSe function under the HPLMN.
  • ProSe function entity under the ProSe function under HPLMN The entity sends back the interception response message.
  • the ProSe function entity in the HPLMN sends a match request message to the ProSe function entity in the local PLMN of the discovered UE.
  • when the match is successful, the ProSe functional entity under the local PLMN of the discovered UE sends a matching response message to the ProSe functional entity under the HPLMN.
  • Step 204 After the D2D discovery service is processed, the ProSe function entity in the HPLMN sends a corresponding discovery service request response message to the UE that initiates the discovery service, and the UE completes the related radio resource allocation.
  • the MSISDN parameter is only signed by the HSS and can be downloaded to the control network element of the EPC.
  • the UE generally does not have the signed MSISDN parameter, but the MSISDN parameter in the UE can be arbitrarily configured by the user. In this case, a wrongly configured MSISDN will cause an error in the discovery service request.
  • if the IMSI is used for authentication authentication, the IMSI will be exposed in the discovery service request message, which will expose the user's private information and increase the risk of the user being attacked by an attacker.

Summary of the invention

  • embodiments of the present invention are expected to provide a method and system for authentication authentication, a ProSe functional entity, and a UE.
  • the first ProSe function entity sends a configuration parameter to the UE; the UE initiates an authentication and authentication process to the first ProSe function entity according to the configuration parameter, and after successfully authenticating the UE, the first ProSe function entity allocates a D2D service temporary identifier to the UE.
  • the configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the configuration parameter includes only the PLMN identifier list supported by the UE.
  • the method also includes:
  • the UE determines that the local PLMN identity is in the received PLMN identity list, and initiates an authentication authentication request to the second ProSe functional entity.
  • when the configuration parameters received by the UE include the PLMN identifier list supported by the UE and the D2D service temporary identifier allocated by the first ProSe function entity to the UE, the UE initiating an authentication and authentication process to the first ProSe functional entity according to the configuration parameter includes:
  • the UE sends an authentication request to the second ProSe function entity, where the authentication authentication request carries the local PLMN identifier and the D2D service temporary identifier received by the UE;
  • the first ProSe functional entity searches for a UE context corresponding to the UE according to the D2D service temporary identifier
  • when the UE context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and returns an allocated D2D service temporary identifier to the UE.
  • when the context corresponding to the UE is not found, the first ProSe function entity initiates a UE context acquisition process of the UE to the HSS, and after the UE context is successfully obtained, the first ProSe function entity successfully authenticates the UE, and returns the allocated D2D service temporary identifier to the UE.
  • when the configuration parameter received by the UE includes only the PLMN identifier list supported by the UE, the UE initiating an authentication process to the first ProSe function entity according to the configuration parameter includes:
  • the first ProSe functional entity performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier.
  • the first ProSe functional entity performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier, and includes:
  • the first ProSe functional entity searches for a UE context corresponding to the UE according to the IMSI or D2D service temporary identifier;
  • when the UE context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and returns an allocated D2D service temporary identifier to the UE.
  • when the context corresponding to the UE is not found, the first ProSe functional entity initiates a UE context acquisition process to the HSS, and after the UE context is successfully obtained, the first ProSe functional entity successfully authenticates the UE, and returns the assigned D2D service temporary identifier to the UE.
  • the method further includes:
  • the UE sends a discovery service request message to the first ProSe function entity;
  • the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
  • the first ProSe functional entity authenticates the discovery request of the UE
  • after the discovery request is authenticated, the first ProSe functional entity initiates a corresponding discovery service process according to the corresponding service type;
  • after the service processing is completed, the first ProSe function entity sends a discovery service request response message to the UE, where the message carries the D2D service temporary identifier allocated by the first ProSe function entity to the UE.
  • the first ProSe function entity that authenticates the discovery request of the UE includes:
  • the first ProSe functional entity searches for the UE context according to the D2D service temporary identifier; when the UE context corresponding to the UE is found, the discovery request of the UE passes authentication;
  • when the UE context corresponding to the UE is not found, the first ProSe functional entity sends an IMSI acquisition request to the UE; the UE sends back an IMSI acquisition response to the first ProSe functional entity, carrying the IMSI corresponding to the UE; the first ProSe function entity queries whether there is a UE context corresponding to the UE according to the IMSI, and when it exists, the discovery request of the UE passes authentication;
  • the first ProSe functional entity performs discovery service authentication authentication to the HSS, the HSS establishes a new UE context for the UE, and the discovery request of the UE passes authentication.
  • the first ProSe function entity sends a configuration parameter to the UE; after the first ProSe function entity successfully authenticates the UE, the D2D service temporary identifier is allocated to the UE.
  • the configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the configuration parameter includes only the PLMN identifier list supported by the UE.
  • the first ProSe function entity receives an authentication authentication request sent by the second ProSe function entity, where the authentication authentication request carries the local PLMN identifier and the D2D service temporary identifier received by the UE;
  • the first ProSe functional entity searches for a UE context corresponding to the UE according to the D2D service temporary identifier
  • when the context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and returns a D2D service temporary identifier to the UE.
  • when the context corresponding to the UE is not found, the first ProSe function entity initiates a UE context acquisition process to the HSS, and after the UE context is successfully obtained, the first ProSe functional entity successfully authenticates the UE, and returns an allocated D2D service temporary identifier to the UE.
  • the first ProSe functional entity performs a UE authentication and authentication process according to the IMSI or D2D service temporary identifier.
  • the performing the UE authentication and authentication process includes:
  • when the context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE, and returns a D2D service temporary identifier to the UE.
  • when the context corresponding to the UE is not found, the first ProSe functional entity initiates a UE context acquisition process to the HSS; after the UE context is successfully obtained, the first ProSe functional entity successfully authenticates the UE, and returns an allocated D2D service temporary identifier to the UE.
  • the method further includes:
  • the first ProSe function entity receives the discovery service request message sent by the UE;
  • the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
  • the first ProSe functional entity authenticates the discovery request of the UE
  • after the discovery request is authenticated, the first ProSe functional entity initiates a corresponding discovery service process according to the corresponding service type;
  • after the service processing is completed, the first ProSe function entity sends a discovery service request response message to the UE, where the message carries the D2D service temporary identifier allocated by the first ProSe function entity to the UE.
  • the first ProSe functional entity authenticating the discovery request of the UE includes:
  • the first ProSe function entity searches for a UE context related to the UE according to the D2D service temporary identifier, and when the context corresponding to the UE is found, the discovery request of the UE passes authentication;
  • when the context corresponding to the UE is not found, the first ProSe functional entity sends an IMSI acquisition request to the UE; after the IMSI is successfully obtained, the first ProSe functional entity queries, according to the IMSI, whether a UE context corresponding to the UE exists, and when it exists, the discovery request of the UE passes authentication;
  • the first ProSe functional entity performs discovery service authentication authentication to the HSS, the HSS establishes a new UE context for the UE, and the discovery request of the UE passes authentication.
  • the configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the configuration parameter includes only the PLMN identifier list supported by the UE.
  • the method further includes:
  • the UE determines that the local PLMN identity is in the received PLMN identity list, and the UE initiates an authentication authentication request to the second ProSe functional entity.
  • when the configuration parameters received by the UE include the PLMN identifier list supported by the UE and the D2D service temporary identifier allocated by the first ProSe function entity to the UE, the UE initiating an authentication and authentication process to the first ProSe functional entity according to the configuration parameter includes: the UE sends an authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries a local PLMN identifier and a D2D service temporary identifier received by the UE;
  • when the authentication is successful, the UE receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • when the configuration parameter received by the UE includes only the PLMN identifier list supported by the UE, the UE initiating an authentication process to the first ProSe function entity according to the configuration parameter includes:
  • the UE sends an authentication authentication request to the first ProSe functional entity, where the authentication authentication request carries an IMSI or D2D service temporary identifier.
  • the method further includes:
  • the UE sends a discovery service request message to the first ProSe function entity;
  • the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
  • when the first ProSe functional entity does not find the UE context corresponding to the UE according to the D2D service temporary identifier, the UE receives the IMSI acquisition request sent by the first ProSe functional entity and, according to that request, returns an IMSI acquisition response to the first ProSe functional entity, where the IMSI acquisition response carries an IMSI corresponding to the UE;
  • after the service processing is completed, the UE receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • a ProSe functional entity is provided by the embodiment of the present invention, where the ProSe functional entity includes: a configuration parameter sending module, an authentication authentication module, and a temporary identifier assigning module;
  • the configuration parameter sending module is configured to send configuration parameters to the UE
  • the authentication authentication module is configured to perform authentication authentication on the UE, and trigger the temporary identifier allocation module when the authentication authentication succeeds;
  • the temporary identifier allocation module is configured to send a D2D service temporary identifier to the UE when triggered by the authentication authentication module.
  • the configuration parameter that is sent by the configuration parameter sending module to the UE includes a PLMN identifier list supported by the UE, and a D2D service temporary identifier allocated by the temporary identifier allocation module to the UE, or the configuration parameters include only the list of PLMN identifiers supported by the UE.
  • the ProSe functional entity further includes: a discovery request authentication module and a discovery service processing module;
  • the discovery request authentication module is configured to receive the discovery service request of the UE, and perform authentication on the discovery service request of the UE, where the discovery service request includes: a discovery service type and a D2D service temporary identifier; After the discovery service request of the UE is successfully authenticated, the discovery service processing module is triggered;
  • the discovery service processing module is configured to perform discovery service processing for the UE when triggered by the discovery request authentication module, and return a discovery service response message to the UE after the discovery service processing is completed, where the discovery service response message carries the D2D service temporary identifier allocated by the temporary identifier allocation module to the UE.
  • a UE is provided by the embodiment of the present invention, where the UE includes: a configuration parameter receiving module and a authentication authentication request sending module;
  • the configuration parameter receiving module is configured to receive a configuration parameter delivered by the first ProSe functional entity
  • the authentication authentication request sending module is configured to initiate an authentication authentication process to the first ProSe functional entity
  • the configuration parameter receiving module is further configured to: after the authentication of the first ProSe functional entity is successful, receive the D2D service temporary identifier allocated by the first ProSe functional entity.
  • the configuration parameter includes a PLMN identifier list supported by the UE, and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or the configuration parameter includes only the list of PLMN identities supported by the UE.
  • the UE further includes a determining module, where the determining module is configured to determine a local PLMN of the UE before the authentication authentication request sending module initiates an authentication and authentication process to the first ProSe functional entity.
  • the authentication authentication request sending module is triggered to send an authentication authentication request to the second ProSe functional entity.
  • the UE further includes: a discovery service request module and a request processing module;
  • the discovery service requesting module is configured to send a discovery service request message to the first ProSe functional entity; the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
  • the request processing module is configured to: when the first ProSe functional entity does not find the UE context corresponding to the UE according to the D2D service temporary identifier, receive the IMSI acquisition request sent by the first ProSe functional entity, and according to that request return an IMSI acquisition response to the first ProSe functional entity, where the IMSI acquisition response carries an IMSI corresponding to the UE;
  • the configuration parameter receiving module is further configured to: after the discovery service processing is completed, receive the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • An authentication authentication system is provided by the embodiment of the present invention, where the system includes: a first ProSe functional entity and a UE;
  • the first ProSe functional entity is configured to send configuration parameters to the UE; and configured to allocate a D2D service temporary identifier to the UE after the UE is successfully authenticated;
  • the UE is configured to initiate an authentication process to the first ProSe functional entity according to the configuration parameter.
  • the first ProSe function entity sending configuration parameters to the UE includes: the first ProSe function entity sends to the UE, as configuration parameters, either the PLMN identifier list supported by the UE together with the D2D service temporary identifier allocated by the first ProSe function entity to the UE, or only the PLMN identifier list supported by the UE.
  • the UE is further configured to: when determining that the local PLMN identifier is in the received PLMN identifier list, initiate an authentication authentication request to the first ProSe functional entity.
  • the UE is further configured to send a discovery service request message to the first ProSe function entity, where the discovery service request message includes: a discovery service type and a D2D service temporary identifier;
  • the first ProSe functional entity is further configured to: perform authentication on the discovery request of the UE; after the discovery request is authenticated, initiate a corresponding discovery service process according to the corresponding service type; and after the discovery service processing is completed, send a discovery service response message to the UE, where the discovery service response message carries a D2D service temporary identifier allocated by the first ProSe function entity to the UE.
  • a computer storage medium includes a set of instructions, when executed, causing at least one processor to execute the authentication authentication method.
  • with the method and system for authentication authentication, the ProSe functional entity, and the UE provided by the embodiments of the present invention, the first ProSe functional entity sends configuration parameters to the UE; the UE initiates an authentication authentication process to the first ProSe functional entity according to the configuration parameter, and after the authentication is successful, the first ProSe functional entity allocates a D2D service temporary identifier to the UE. In this way, before the D2D discovery service of the UE, a D2D service temporary identifier is allocated to the UE in the authentication and authentication process for the UE, and the D2D service temporary identifier can be used for authentication authentication when the UE initiates the discovery service. This avoids both the errors that are prone to occur when the MSISDN parameter is used for authentication authentication and the exposure of user privacy in the discovery service when the IMSI is used for authentication.
  • Figure 1 is a diagram of a D2D discovery service communication architecture
  • FIG. 3 is a flowchart 1 of an authentication authentication method according to at least one embodiment of the present invention
  • FIG. 4 is a flowchart 2 of an authentication authentication method according to at least one embodiment of the present invention
  • FIG. 6 is a flowchart of an authentication authentication method according to at least one embodiment of the present invention
  • FIG. 7 is a flowchart 5 of an authentication authentication method according to at least one embodiment of the present invention
  • FIG. 9 is a basic structural diagram of a ProSe functional entity according to at least one embodiment of the present invention
  • FIG. 10 is a basic structural diagram of a user equipment UE according to at least one embodiment of the present invention
  • FIG. 11 is a basic structural diagram of an authentication authentication system according to at least one embodiment of the present invention.
  • the first ProSe functional entity sends a configuration parameter to the UE; the UE initiates an authentication and authentication process to the first ProSe functional entity according to the configuration parameter, and after the authentication is successful, the first ProSe functional entity allocates a D2D service temporary identifier to the UE.
  • the first embodiment of the present invention provides an authentication authentication method. As shown in FIG. 3, the method includes the following steps:
  • Step 301 The first ProSe function entity sends configuration parameters to the UE.
  • the first ProSe functional entity refers to a ProSe functional entity under the HPLMN of the UE, and after the UE and the first ProSe functional entity establish a secure connection, the UE sends a discovery service request message to the first ProSe functional entity;
  • the first ProSe function entity sends a configuration parameter to the UE, where the configuration parameter includes: a PLMN identifier list supported by the UE, and a D2D service temporary identifier allocated by the first ProSe function entity to the UE, or
  • the configuration parameter includes only a list of PLMN identifiers supported by the UE;
  • when the configuration parameters that are delivered to the UE include the PLMN identifier list supported by the UE and the D2D service temporary identifier allocated by the first ProSe function entity to the UE, the first ProSe function entity saves the correspondence between the D2D service temporary identifier sent to the UE and the IMSI of the UE.
  • the D2D service temporary identifier is a temporary identifier that can be used for the D2D discovery service of the UE, and the D2D service temporary identifier may be a ProSe functional entity identifier or may be a parameter corresponding to the UE uniquely.
  • the parameter may use any representation that can be used to uniquely identify a UE.
  • the D2D service temporary identifier may be allocated to the UE in sequence or the D2D service temporary may be randomly allocated to the UE by a mathematical function. logo.
  • Step 302: The UE initiates an authentication process toward the first ProSe functional entity according to the configuration parameters, and after the first ProSe functional entity successfully authenticates the UE, it allocates a D2D service temporary identifier to the UE.
  • After the UE obtains the configuration parameters, it first determines whether the local PLMN identifier is in the received list of PLMN identifiers; if not, it performs no operation and ends the current processing flow;
  • when the local PLMN identifier of the UE is in the received list of PLMN identifiers, the UE initiates an authentication request to the second ProSe functional entity.
  • The second ProSe functional entity is the ProSe functional entity under the LPLMN where the UE is located. UEs that received different configuration parameters in step 301 follow different authentication procedures; the authentication process of the UE in the two cases above is described below with reference to FIG. 4 and FIG. 5;
  • Step 401: The UE sends an authentication request to the second ProSe functional entity. Specifically, the UE sends the authentication request directly to the second ProSe functional entity, and the authentication request carries the local PLMN identifier and the received D2D service temporary identifier;
  • Step 402: The second ProSe functional entity forwards the authentication request to the first ProSe functional entity;
  • the forwarded authentication request carries the D2D service temporary identifier and the local PLMN identifier.
  • Step 403: The first ProSe functional entity determines whether the UE context exists. If yes, it continues according to steps 404a to 406a. If not, it proceeds according to steps 404b and 404b. In this step, the first ProSe functional entity searches for the UE context corresponding to the UE according to the D2D service temporary identifier, where the UE context includes the IMSI of the UE and the service parameter. Specifically, the first ProSe functional entity saved the correspondence between the D2D service temporary identifier and the IMSI of the UE when it delivered the temporary identifier to the UE.
  • The first ProSe functional entity can therefore find the corresponding IMSI according to the received D2D service temporary identifier, and then look up the UE context corresponding to that IMSI. When the UE context corresponding to the UE is found, authentication passes and execution continues according to steps 404a to 406a; if it is not found, execution proceeds according to steps 404b and 404b.
  • Step 404a: The first ProSe functional entity allocates a D2D service temporary identifier to the UE.
  • After the UE has used the D2D service temporary identifier allocated to it for authentication, the first ProSe functional entity may re-allocate a D2D service temporary identifier for the UE, and the re-allocated D2D service temporary identifier may be used for authentication when the UE next performs the discovery service;
  • the D2D service temporary identifier is re-allocated to the UE to prevent the UE from using the same D2D service temporary identifier for multiple authentications. If the UE used the same D2D service temporary identifier over a long period, it could easily be acquired and used by an attacker or other users through illegitimate means. Therefore, in the solution according to the first embodiment of the present invention, the UE's D2D service temporary identifier is dynamically updated after each use, so that the D2D service temporary identifier used each time is different, which can ensure the security of the UE;
  • Step 405a: The first ProSe functional entity sends an authentication response back to the second ProSe functional entity.
  • The authentication response carries the D2D service temporary identifier allocated by the first ProSe functional entity to the UE and the UE context corresponding to the UE, where the UE context includes an authentication vector parameter group.
  • Step 406a: The second ProSe functional entity sends an authentication request response message back to the UE.
  • The authentication request response message carries the D2D service temporary identifier re-allocated by the first ProSe functional entity to the UE and the authentication parameters, and the UE saves the D2D service temporary identifier; the D2D service temporary identifier may be used for authentication of subsequent D2D discovery services of the UE; the current process ends;
  • the first ProSe functional entity sends a context acquisition request message to the HSS; specifically, the context acquisition request carries the IMSI of the UE;
  • the HSS searches for the UE context corresponding to the UE according to the IMSI of the UE and sends a context acquisition response message back to the first ProSe functional entity, where the context acquisition response message carries the UE context corresponding to the UE, and the UE context includes a UE authentication vector group; after the first ProSe functional entity obtains the UE context, the process returns to step 403, the first ProSe functional entity passes the authentication of the UE according to the UE context, and execution proceeds according to steps 404a to 405a;
  • the authentication process between the UE and the first ProSe functional entity includes two cases: in the first case, the UE has not been assigned a D2D service temporary identifier; in the second case, the UE has already been assigned a D2D service temporary identifier.
  • Step 501: The UE determines whether it has an allocated D2D service temporary identifier; if not, step 502a; if yes, step 502c;
  • the UE may determine whether it has an allocated D2D service temporary identifier by checking the value of its D2D service temporary identifier field; specifically, if the UE detects that the field is empty or does not hold a D2D service temporary identifier (for example, all bits are 1 or 0), it determines that no D2D service temporary identifier has been allocated, and processing follows the first case; if the UE detects that its D2D service temporary identifier field is not empty and holds a normal D2D service temporary identifier, it determines that an allocated D2D service temporary identifier exists, and processing follows the second case;
  • Step 502a: The UE sends an authentication request to the second ProSe functional entity.
  • The authentication request carries the local PLMN identifier and the IMSI, and the D2D service temporary identifier in the authentication request is empty or is a field that does not hold a D2D service temporary identifier (for example, all bits are 1 or 0);
  • Step 503a: The second ProSe functional entity forwards the authentication request to the first ProSe functional entity.
  • Step 504a: The first ProSe functional entity determines whether the UE context exists; if yes, step 505a; if not, step 505b;
  • the first ProSe functional entity searches for the corresponding UE context according to the IMSI, where the UE context includes the service parameter corresponding to the UE; searching for the corresponding UE context according to the IMSI of the UE belongs to the prior art; if the corresponding UE context is found, steps 505a to 507a are performed; if not found, steps 505b and 506b are performed;
  • Step 505b: The first ProSe functional entity sends a UE context acquisition request message to the HSS, where the UE context acquisition request message carries the IMSI of the UE;
  • Step 506b: After the HSS authenticates the UE successfully, the HSS sends an authentication response to the first ProSe functional entity.
  • When the HSS finds the UE context corresponding to the UE, it sends a context acquisition response message to the first ProSe functional entity, where the context acquisition response message carries the authentication vector parameter group corresponding to the user;
  • the process returns to step 503b, the first ProSe functional entity passes the authentication of the UE according to the UE context, and execution proceeds according to steps 504a-505a;
  • Step 505a: The first ProSe functional entity allocates a D2D service temporary identifier to the UE.
  • The first ProSe functional entity allocates a D2D service temporary identifier to the UE, and the allocated D2D service temporary identifier may be used for authentication the next time the UE performs the D2D discovery service;
  • Step 506a: The first ProSe functional entity sends an authentication response back to the second ProSe functional entity.
  • The authentication response carries the D2D service temporary identifier allocated by the first ProSe functional entity to the UE and the UE context corresponding to the UE, where the UE context includes an authentication vector parameter group.
  • Step 507a: The second ProSe functional entity sends an authentication response message to the UE, where the authentication response message carries the D2D service temporary identifier re-allocated by the first ProSe functional entity to the UE and the authentication parameters.
  • The UE saves the D2D service temporary identifier; the D2D service temporary identifier may be used for authentication when the UE performs the D2D discovery service next time; the current process ends.
  • Step 502c: The UE sends an authentication request to the second ProSe functional entity, where the authentication request carries the local PLMN identifier and a D2D service temporary identifier.
  • The configuration parameters delivered by the first ProSe functional entity to the UE do not include a D2D service temporary identifier, and the D2D service temporary identifier here is actually the one allocated by the first ProSe functional entity to the UE after the UE's previous authentication process, which can itself be used for the next authentication process of the UE; that is, before the process according to the first embodiment of the present invention starts, an allocated D2D service temporary identifier may already exist in the UE; therefore, the configuration parameters that the first ProSe functional entity delivers to the UE in the current process flow do not include a D2D service temporary identifier allocated to the UE. It is also considered that, for a UE that obtained a D2D service temporary identifier in its previous authentication process, directly allocating a new D2D service temporary identifier in this authentication is unnecessary and would waste resources;
  • Step 503c: The second ProSe functional entity sends the authentication request to the first ProSe functional entity, where the authentication request carries the local PLMN identifier and the D2D service temporary identifier.
  • Step 504c: The first ProSe functional entity searches for the corresponding UE context according to the D2D service temporary identifier, where the UE context includes the service parameter corresponding to the UE; if found, step 505c is performed; if not found, step 505d;
  • the first ProSe functional entity has saved the correspondence between the D2D service temporary identifier and the IMSI of the UE; after obtaining the D2D service temporary identifier, the first ProSe functional entity can find the corresponding IMSI according to the received D2D service temporary identifier, and then search for the UE context corresponding to that IMSI; if the corresponding UE context is found, steps 505c-507c are performed; if not found, steps 505d and 506d are performed;
  • Step 505d: The first ProSe functional entity sends a context acquisition request message to the HSS.
  • The context acquisition request message carries the IMSI of the UE.
  • Step 506d: After the HSS successfully authenticates the UE, the HSS sends an authentication response to the first ProSe functional entity.
  • When the HSS finds the UE context corresponding to the UE, it sends a context acquisition response message to the first ProSe functional entity, where the context acquisition response message carries the authentication vector parameter group corresponding to the user;
  • the process returns to step 504c, where the first ProSe functional entity passes the authentication of the UE according to the UE context, and then executes according to steps 505c-507c;
  • Step 505c: The first ProSe functional entity allocates a D2D service temporary identifier to the UE.
  • Step 506c: The first ProSe functional entity sends an authentication response back to the second ProSe functional entity.
  • The authentication response carries the D2D service temporary identifier allocated by the first ProSe functional entity to the UE and the UE context corresponding to the UE, where the UE context includes an authentication vector parameter group.
  • Step 507c: The second ProSe functional entity sends an authentication request response message back to the UE.
  • The authentication request response message carries the D2D service temporary identifier re-allocated by the first ProSe functional entity to the UE and the authentication parameters, and the UE saves the D2D service temporary identifier; the identifier can be used for authentication of subsequent D2D discovery services of the UE; the current process ends.
  • The D2D discovery service may be initiated according to the acquired D2D service temporary identifier; the D2D discovery service processing flow is shown in FIG. 6.
  • The method includes the following steps:
  • Step 601: When the UE needs to initiate the D2D discovery service toward one or more other discovered UEs, the UE first needs to perform D2D discovery service authentication with the ProSe functional entity under the HPLMN, that is, the first ProSe functional entity; after the UE and the first ProSe functional entity establish a secure connection, the UE sends a discovery service request message to the first ProSe functional entity, where the discovery service request message includes a discovery service type and a D2D service temporary identifier.
  • The discovery service type includes: announce, that is, a discovery request initiated by the UE; monitor, that is, a discovery request initiated by the UE; and match, that is, a match report that the discovering UE sends to the ProSe functional entity. Here, the discovering UE is the UE that initiates the discovery service, and the discovered UE is the discovery object requested by the UE.
  • Step 602: The first ProSe functional entity searches for the UE context related to the UE according to the D2D service temporary identifier. If it is found, go to step 607; if not, proceed according to steps 603-606 and then continue with step 607;
  • Step 603: The first ProSe functional entity initiates an IMSI acquisition request to the UE.
  • Step 604: The UE sends an IMSI acquisition response back to the first ProSe functional entity, where the response carries the IMSI corresponding to the UE;
  • Step 605: The first ProSe functional entity queries whether a UE context exists according to the IMSI. If yes, the service is authenticated and the process goes directly to step 608 to perform discovery service processing. If not, the process is completed according to steps 606 and 607.
  • Step 606: The first ProSe functional entity performs service authentication with the HSS, and the HSS establishes a new UE context for the UE, where the UE context includes the subscription parameters of the UE.
  • Step 607: If the discovery request is authenticated, the first ProSe functional entity initiates the corresponding discovery service flow toward the ProSe functional entity in the local PLMN of the discovered UE according to the corresponding service type.
  • When the service type is announce, the first ProSe functional entity sends an announce request message to the ProSe functional entity under the local PLMN of the discovered UE, and that ProSe functional entity sends an announce request response message back to the first ProSe functional entity. Similarly, when the service type is monitor, the first ProSe functional entity sends a monitor request message to the ProSe functional entity in the local PLMN of the discovered UE, and that ProSe functional entity sends a monitor request response message to the first ProSe functional entity. When the service type is match, the first ProSe functional entity sends a match request message to the ProSe functional entity in the local PLMN of the discovered UE, and after the match succeeds, that ProSe functional entity sends a match request response message to the first ProSe functional entity.
  • Step 608: After discovery service processing is complete, the first ProSe functional entity sends a discovery service request response message to the UE, where the message carries the D2D service temporary identifier allocated by the first ProSe functional entity to the UE. After receiving the response, the UE completes the related radio resource allocation.
  • the D2D service temporary identifier may be a ProSe functional entity identifier or a 32-bit unique parameter corresponding to one UE, and the parameters may be allocated in order or obtained discretely through a mathematical function;
  • the UE is again assigned a new D2D service temporary identifier here, likewise to avoid the insecurity that easily arises when the UE performs multiple authentications using the same D2D service temporary identifier.
  • the D2D service temporary identifier of the UE is dynamically updated after each use, so that the D2D service temporary identifier used each time is different, and the security of the UE can be ensured.
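The identifier handling of the first embodiment (lookup by temporary identifier or IMSI, context retrieval from the HSS, and a fresh identifier after every successful authentication), modelled as an added example that is not code from the patent. The class and method names, the dictionary standing in for the HSS, the use of a CSPRNG as the "mathematical function", the rejection of unknown identifiers, and the retirement of old identifiers are all assumptions made for illustration.

```python
import secrets

# All-0 and all-1 field values mean "no identifier assigned" (step 501 in the text).
UNASSIGNED = {0x00000000, 0xFFFFFFFF}


class FirstProSeFunction:
    """Hypothetical model of the HPLMN ProSe functional entity's identifier handling."""

    def __init__(self, hss_records):
        self.hss = hss_records      # stand-in for the HSS: IMSI -> UE context
        self.contexts = {}          # locally held UE contexts, keyed by IMSI
        self.temp_to_imsi = {}      # D2D service temporary identifier -> IMSI

    def _allocate_temp_id(self, imsi):
        # Draw a 32-bit value that is neither a sentinel nor currently in use
        # (this also guarantees it differs from the UE's present identifier).
        while True:
            temp_id = secrets.randbits(32)
            if temp_id not in UNASSIGNED and temp_id not in self.temp_to_imsi:
                break
        # Assumption: identifiers previously issued to this UE are retired,
        # so a captured old value cannot be presented again.
        for old in [t for t, i in self.temp_to_imsi.items() if i == imsi]:
            del self.temp_to_imsi[old]
        self.temp_to_imsi[temp_id] = imsi
        return temp_id

    def _ue_context(self, imsi):
        # Steps 403/504a/504c: use the local context if present; otherwise
        # request it from the HSS by IMSI and keep it.
        ctx = self.contexts.get(imsi)
        if ctx is None and imsi in self.hss:
            ctx = self.contexts[imsi] = dict(self.hss[imsi])
        return ctx

    def authenticate(self, temp_id=None, imsi=None):
        """Handle a forwarded authentication request.

        Returns {"temp_id": new identifier, "context": UE context} on
        success and None on failure.
        """
        if temp_id is not None and temp_id not in UNASSIGNED:
            # Second case: resolve the temporary identifier to an IMSI.
            imsi = self.temp_to_imsi.get(temp_id)
        if imsi is None:
            return None   # assumption: unknown identifier and no IMSI -> reject
        ctx = self._ue_context(imsi)
        if ctx is None:
            return None   # assumption: IMSI unknown to the HSS -> reject
        return {"temp_id": self._allocate_temp_id(imsi), "context": ctx}


def demo():
    # Constructed sample data: the IMSI and authentication vector are made up.
    pf = FirstProSeFunction({"001010123456789": {"auth_vectors": ["AV-sample"]}})
    first = pf.authenticate(temp_id=0xFFFFFFFF, imsi="001010123456789")
    second = pf.authenticate(temp_id=first["temp_id"])
    replay = pf.authenticate(temp_id=first["temp_id"])  # old identifier again
    return first, second, replay


if __name__ == "__main__":
    first, second, replay = demo()
    print(f"first identifier : {first['temp_id']:#010x}")
    print(f"second identifier: {second['temp_id']:#010x}")
    print(f"replay of first  : {'accepted' if replay else 'rejected'}")
```
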
  • The second embodiment of the present invention provides an authentication method.
  • The flow of the method is shown in FIG. 7.
  • The method includes the following steps:
  • Step 701: The first ProSe functional entity sends configuration parameters to the UE.
  • The configuration parameters sent by the first ProSe functional entity to the UE may include a list of PLMN identifiers supported by the UE and a D2D service temporary identifier allocated by the first ProSe functional entity to the UE, or
  • the configuration parameters include only the list of PLMN identifiers supported by the UE;
  • the D2D service temporary identifier may be a ProSe functional entity identifier or a parameter corresponding uniquely to the UE, and the parameter may use any representation that can uniquely identify a UE. Specifically, when D2D service temporary identifiers are actually allocated, the parameters may be allocated to UEs in order or assigned to UEs randomly by a mathematical function.
  • Step 702: After the first ProSe functional entity successfully authenticates the UE, it allocates a D2D service temporary identifier to the UE.
  • The first ProSe functional entity authenticating the UE includes:
  • the first ProSe functional entity receives the authentication request sent by the second ProSe functional entity, where the authentication request carries the D2D service temporary identifier sent by the first ProSe functional entity to the UE in step 601.
  • The first ProSe functional entity searches for the UE context corresponding to the UE according to the D2D service temporary identifier; when the context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE and allocates a new D2D service temporary identifier to the UE, where the D2D service temporary identifier is used for authentication when the UE initiates the next service discovery;
  • when the context corresponding to the UE is not found, the first ProSe functional entity initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the first ProSe functional entity successfully authenticates the UE and allocates a new D2D service temporary identifier to the UE.
  • The first ProSe functional entity authenticating the UE further includes: the first ProSe functional entity receives an authentication request sent by the second ProSe functional entity, and when the authentication request carries the IMSI or a D2D service temporary identifier, the first ProSe functional entity performs the UE authentication process according to the IMSI or the D2D service temporary identifier;
  • the D2D service temporary identifier in the authentication request is different from the D2D service temporary identifier carried in the configuration parameters sent by the first ProSe functional entity to the UE in step 601;
  • the configuration parameters sent by the first ProSe functional entity to the UE do not carry a D2D service temporary identifier allocated to the UE. Therefore, the D2D service temporary identifier is actually the one that the UE obtained in a previous authentication process; correspondingly, if the UE has not previously obtained a D2D service temporary identifier, the UE initiates the authentication request to the second ProSe functional entity using the IMSI, and in this case, when the second ProSe functional entity forwards the authentication request to the ProSe functional entity under the HPLMN, only the IMSI of the UE is carried;
  • the first ProSe functional entity performing the UE authentication process according to the IMSI or the D2D service temporary identifier includes:
  • when the context corresponding to the UE is found, the first ProSe functional entity successfully authenticates the UE and allocates a new D2D service temporary identifier to the UE; when the context corresponding to the UE is not found, the first ProSe functional entity initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the first ProSe functional entity successfully authenticates the UE and allocates a D2D service temporary identifier to the UE;
  • the first ProSe functional entity encapsulates the D2D service temporary identifier in an authentication response and returns it to the second ProSe functional entity, and the second ProSe functional entity forwards the authentication response to the UE.
  • The method further includes:
  • the first ProSe functional entity receives the discovery service request message sent by the UE; the discovery service request of the UE may be a discovery service request for one discovered UE, or a discovery service request for multiple discovered UEs.
  • The discovery service request message includes a discovery service type and a D2D service temporary identifier; the first ProSe functional entity authenticates the discovery request of the UE; if the discovery request is authenticated, the first ProSe functional entity initiates the corresponding discovery service flow toward the ProSe functional entity of the local PLMN of the discovered UE according to the corresponding service type. After discovery service processing is complete, the first ProSe functional entity sends a discovery service request response message to the UE, where the discovery service request response message carries the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • The first ProSe functional entity authenticating the discovery request of the UE includes:
  • the first ProSe functional entity searches for the UE context related to the UE according to the D2D service temporary identifier, and when the context corresponding to the UE is found, the UE's discovery request is authenticated; when the context corresponding to the UE is not found, the first ProSe functional entity initiates an IMSI acquisition request to the UE; the UE sends an IMSI acquisition response back to the first ProSe functional entity, carrying the IMSI corresponding to the UE; the first ProSe functional entity queries whether a UE context exists according to the IMSI, and when it exists, the UE's discovery request is authenticated; if not, the first ProSe functional entity performs discovery service authentication with the HSS and establishes a new UE context, and the UE's discovery request is authenticated.
  • The third embodiment of the present invention provides an authentication method.
  • The method is shown in FIG. 8.
  • The method includes the following steps:
  • Step 801: The UE receives the configuration parameters delivered by the first ProSe functional entity.
  • The configuration parameters include a list of PLMN identifiers supported by the UE and a D2D service temporary identifier allocated by the ProSe functional entity to the UE, or the configuration parameters include only the list of PLMN identifiers supported by the UE;
  • the D2D service temporary identifier may be a ProSe functional entity identifier or a parameter corresponding uniquely to the UE, and the parameter may use any representation that can uniquely identify a UE. Specifically, when D2D service temporary identifiers are actually allocated, the parameters may be allocated to UEs in order or assigned to UEs randomly by a mathematical function.
  • Step 802: The UE initiates an authentication process toward the first ProSe functional entity according to the configuration parameters, and after authentication passes, receives the D2D service temporary identifier allocated by the first ProSe functional entity;
  • the method further includes: the UE determines whether the local PLMN identifier is in the received list of PLMN identifiers, and if yes, the UE initiates an authentication request to the second ProSe functional entity.
  • The UE initiating an authentication request to the first ProSe functional entity includes:
  • the UE sends an authentication request to the first ProSe functional entity, where the authentication request carries the local PLMN identifier and the D2D service temporary identifier received by the UE; when authentication succeeds, the UE receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE;
  • the UE initiating an authentication request to the first ProSe functional entity includes:
  • the first ProSe functional entity performs the UE authentication process according to the IMSI or the D2D service temporary identifier.
  • The method further includes:
  • when the UE wishes to initiate a discovery request to one or more discovered UEs, the UE sends a discovery service request message to the first ProSe functional entity; the discovery service request message includes a discovery service type and a D2D service temporary identifier;
  • when the first ProSe functional entity does not find the UE context corresponding to the UE according to the D2D service temporary identifier, the UE receives the IMSI acquisition request sent by the first ProSe functional entity and, according to that request, returns an IMSI acquisition response to the first ProSe functional entity, where the response carries the IMSI corresponding to the UE;
  • after discovery service processing is completed, the UE receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • the fourth embodiment of the present invention provides a ProSe functional entity, which is a ProSe functional entity located under the HPLMN of the UE.
  • the basic structure is as shown in FIG. 9.
  • the ProSe functional entity includes: a configuration parameter delivery module. 91.
  • the configuration parameter sending module 91 is configured to send configuration parameters to the UE.
  • the authentication authentication module 92 is configured to perform authentication authentication on the UE, and trigger the temporary identifier allocation module 93 when the authentication authentication is successful. ;
  • the temporary identifier allocation module 93 when configured to be triggered by the authentication and authentication module 92, delivers a D2D service temporary identifier to the UE.
  • the configuration parameter that is sent by the configuration parameter sending module to the UE may include a PLMN identifier list supported by the UE and a temporary identifier of the D2D service allocated by the temporary identifier allocation module 93 to the UE, or
  • the configuration parameter includes only the PLMN identifier list supported by the UE. Therefore, the temporary identifier allocation module 93 is further configured to allocate the configuration parameter to the UE when the configuration parameter sending module 91 sends the configuration parameter to the UE.
  • The D2D service temporary identifier may be a ProSe functional entity identifier or a parameter uniquely corresponding to the UE; the parameter may take any form that can be used to uniquely identify a UE. Specifically, when the D2D service temporary identifier is actually allocated, the parameters may be allocated to UEs in order, or allocated to UEs randomly by a mathematical function.
  • The authentication module 92 authenticating the UE includes:
  • The authentication module 92 receives the authentication request sent by the other ProSe functional entity; the authentication request carries the D2D service temporary identifier delivered to the UE by the temporary identifier allocation module 93.
  • The authentication module 92 searches for the UE context corresponding to the UE according to the D2D service temporary identifier. When the context corresponding to the UE is found, the authentication module 92 authenticates the UE successfully and triggers the temporary identifier allocation module 93 to assign a new D2D service temporary identifier to the UE, where the D2D service temporary identifier is used for authentication when the UE initiates the next service discovery. When the context corresponding to the UE is not found, the authentication module 92 initiates a UE context acquisition process to the HSS; after the UE context is successfully obtained, the authentication module 92 authenticates the UE successfully and triggers the temporary identifier allocation module 93 to allocate a new D2D service temporary identifier to the UE.
  • The other ProSe functional entity may refer to the ProSe functional entity under the LPLMN of the UE.
  • The authentication module 92 authenticating the UE further includes: the authentication module 92 receives an authentication request sent by the other ProSe functional entity; when the authentication request carries the IMSI or the D2D service temporary identifier, the authentication module 92 performs the UE authentication process according to the IMSI or the D2D service temporary identifier.
  • the D2D service temporary identifier and the configuration in the authentication authentication request are performed.
  • the temporary identifier assigning module 93 allocates the D2D service temporary identifier to the UE, and the configuration parameter is sent to the UE.
  • The configuration parameter does not carry the D2D service temporary identifier allocated to the UE. Therefore, the D2D service temporary identifier is actually the one that the UE obtained in a previous authentication process. If the UE has not previously obtained a D2D service temporary identifier, the UE initiates the authentication request to the ProSe functional entity under another PLMN using the IMSI; in this case, when the other ProSe functional entity forwards the authentication request to the authentication module 92, only the IMSI of the UE is carried.
  • The authentication module 92 performing the UE authentication process according to the IMSI or the D2D service temporary identifier includes:
  • The authentication module 92 searches for a UE context corresponding to the UE according to the IMSI or the D2D service temporary identifier.
  • When the context corresponding to the UE is found, the authentication module 92 authenticates the UE successfully and triggers the temporary identifier allocation module 93 to allocate a new D2D service temporary identifier to the UE. When the context corresponding to the UE is not found, the authentication module 92 initiates a UE context acquisition process to the HSS; after the UE context is successfully obtained, the authentication module 92 authenticates the UE successfully and triggers the temporary identifier allocation module 93 to allocate a new D2D service temporary identifier to the UE.
  • The authentication module 92 encapsulates the D2D service temporary identifier in the authentication response and returns the authentication response to the other ProSe functional entity, which forwards the authentication response to the UE.
  • the ProSe functional entity further includes: a discovery request authentication module 94 and a discovery service processing module 95;
  • the discovery request authentication module 94 is configured to receive the discovery service request of the UE, and perform authentication on the discovery service request of the UE, where the discovery service request includes: a discovery service type and a D2D service temporary identifier; After the discovery service request of the UE is successfully authenticated, the discovery service processing module 65 is triggered;
  • The discovery service processing module 95 is configured to perform discovery service processing for the UE when triggered by the discovery request authentication module 94, and to return a discovery service response message to the UE after the discovery service processing is completed; the discovery service response message carries the D2D service temporary identifier allocated by the temporary identifier allocation module 93 for the UE.
  • The discovery request authentication module 94 authenticating the discovery service request of the UE includes: the discovery request authentication module 94 searches for a UE context related to the UE according to the D2D service temporary identifier, and when the context corresponding to the UE is found, the discovery request of the UE is authenticated successfully.
  • When no context corresponding to the UE is found, the discovery request authentication module 94 initiates an acquire IMSI request to the UE.
  • The discovery request authentication module 94 queries whether a UE context exists according to the IMSI carried in the acquire IMSI response returned by the UE; when it exists, the discovery request of the UE is authenticated successfully.
  • When it does not exist, the discovery request authentication module 94 performs discovery service authentication with the HSS and establishes a new UE context, and the discovery request of the UE is authenticated successfully.
  • The configuration parameter sending module may be implemented by a transmitter in the ProSe functional entity; the authentication module, the discovery request authentication module, the temporary identifier allocation module, and the discovery service processing module may be implemented by a central processing unit (CPU), a digital signal processor (DSP) or a field-programmable gate array (FPGA) in the ProSe functional entity in combination with transceivers.
  • the sixth embodiment of the present invention provides a UE.
  • The UE includes: a configuration parameter receiving module 101 and an authentication request sending module 102.
  • The configuration parameter receiving module 101 is configured to receive a configuration parameter sent by the first ProSe functional entity; the authentication request sending module 102 is configured to initiate an authentication process to the first ProSe functional entity; the configuration parameter receiving module 101 is further configured to receive, after the first ProSe functional entity authenticates the UE successfully, the D2D service temporary identifier allocated by the first ProSe functional entity.
  • The configuration parameter includes a PLMN identifier list supported by the UE and a D2D service temporary identifier allocated by the first ProSe functional entity to the UE, or the configuration parameter includes only a list of PLMN identifiers supported by the UE.
  • The UE further includes a determining module 103, where the determining module 103 is configured to determine, before the authentication request sending module 102 initiates an authentication process to the first ProSe functional entity, whether the local PLMN identifier exists in the received PLMN identifier list, and to trigger the authentication request sending module 102 to send an authentication request to the second ProSe functional entity.
  • The authentication request sending module initiating an authentication process to the first ProSe functional entity includes:
  • The authentication request sending module 102 sends an authentication request to the first ProSe functional entity, where the authentication request carries a local PLMN identifier and the D2D service temporary identifier received by the configuration parameter receiving module 101.
  • The configuration parameter receiving module 101 receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • The authentication request sending module 102 initiating an authentication request to the first ProSe functional entity includes:
  • The authentication request sending module 102 sends an authentication request to the second ProSe functional entity, where the authentication request carries an IMSI or a D2D service temporary identifier;
  • The first ProSe functional entity performs a UE authentication process according to the IMSI or the D2D service temporary identifier.
  • When initiating an authentication request to the first ProSe functional entity, the authentication request sending module 102 first determines whether a D2D service temporary identifier already exists, and determines the parameter carried in the authentication request initiated to the first ProSe functional entity accordingly. Specifically, if no D2D service temporary identifier exists, the authentication request initiated to the first ProSe functional entity carries only the IMSI; if a D2D service temporary identifier exists, the D2D service temporary identifier is carried in the authentication request and sent to the first ProSe functional entity.
  • the UE further includes: a discovery service requesting module 104 and a request processing module 105.
  • The discovery service requesting module 104 is configured to send a discovery service request message to the first ProSe functional entity; the discovery service request message includes: a discovery service type and the D2D service temporary identifier; the discovery service request message may be a D2D discovery service request for one UE, or may be a D2D discovery service request for multiple UEs.
  • The request processing module 105 is configured to receive the acquire IMSI request sent by the first ProSe functional entity and, according to the acquire IMSI request, return an acquire IMSI response to the first ProSe functional entity, where the acquire IMSI response carries the IMSI corresponding to the UE.
  • The configuration parameter receiving module 101 receives the D2D service temporary identifier allocated by the first ProSe functional entity to the UE.
  • The configuration parameter receiving module may be implemented by a receiver in the UE; the authentication request sending module and the request processing module may be implemented by a CPU, a DSP or an FPGA in the UE in combination with the transceiver; the determining module may be implemented by a CPU, a DSP or an FPGA in the UE; the discovery service request module can be implemented by a transmitter in the UE.
  • the fifth embodiment of the present invention provides an authentication and authentication system, and the system structure diagram is as shown in FIG. 11.
  • the system includes: a first ProSe functional entity 111 and a user equipment UE 112;
  • The first ProSe functional entity 111 is configured to send configuration parameters to the UE, and to allocate a D2D service temporary identifier to the UE after the UE is successfully authenticated;
  • The UE 112 is configured to initiate an authentication process to the first ProSe functional entity 111 according to the configuration parameter.
  • The first ProSe functional entity 111 sending configuration parameters to the UE 112 includes: the first ProSe functional entity 111 sends to the UE 112, as the configuration parameter, either the PLMN identifier list supported by the UE 112 together with the D2D service temporary identifier allocated by the first ProSe functional entity 111 to the UE 112, or the PLMN identifier list supported by the UE 112 alone.
  • The UE 112 is further configured to determine, before the authentication process is initiated to the first ProSe functional entity 111 according to the configuration parameter, whether the local PLMN identifier exists in the received PLMN identifier list, and to initiate the authentication request to the first ProSe functional entity 111.
  • When the configuration parameters received by the UE 112 include the PLMN identifier list supported by the UE 112 and the D2D service temporary identifier allocated by the first ProSe functional entity 111 to the UE 112, the UE 112 initiating an authentication process to the first ProSe functional entity 111 includes:
  • The UE 112 sends an authentication request to the second ProSe functional entity, where the authentication request carries the local PLMN identifier and the D2D service temporary identifier received by the UE 112; the second ProSe functional entity forwards the authentication request to the first ProSe functional entity 111;
  • The first ProSe functional entity 111 searches for a UE context corresponding to the UE 112 according to the D2D service temporary identifier.
  • When the context corresponding to the UE 112 is found, the first ProSe functional entity 111 authenticates the UE 112 successfully and returns an allocated D2D service temporary identifier to the UE 112.
  • When the context corresponding to the UE 112 is not found, the first ProSe functional entity 111 initiates a UE context acquisition process to the HSS. After the UE context is successfully obtained, the first ProSe functional entity 111 authenticates the UE 112 successfully and returns the allocated D2D service temporary identifier to the UE 112.
  • The UE 112 initiating an authentication process to the first ProSe functional entity 111 includes:
  • The UE 112 sends an authentication request to the second ProSe functional entity, where the authentication request carries an IMSI or a D2D service temporary identifier;
  • The second ProSe functional entity forwards the authentication request to the first ProSe functional entity 111;
  • The first ProSe functional entity performs a UE authentication process according to the IMSI or the D2D service temporary identifier.
  • The UE 112 first determines whether a D2D service temporary identifier already exists, and determines the parameter carried in the authentication request initiated to the first ProSe functional entity 111 accordingly. If no D2D service temporary identifier exists, the authentication request sent to the first ProSe functional entity 111 carries only the IMSI; if a D2D service temporary identifier exists, the D2D service temporary identifier is carried in the authentication request and sent to the first ProSe functional entity 111.
  • The first ProSe functional entity 111 performing a UE authentication process according to the IMSI or the D2D service temporary identifier includes:
  • The first ProSe functional entity 111 searches for a UE context corresponding to the UE 112 according to the IMSI or the D2D service temporary identifier;
  • When the context corresponding to the UE 112 is found, the first ProSe functional entity authenticates the UE 112 successfully and returns an allocated D2D service temporary identifier to the UE 112. When the context corresponding to the UE 112 is not found, the first ProSe functional entity 111 initiates a UE context acquisition process to the HSS; after the UE context is successfully obtained, the first ProSe functional entity 111 authenticates the UE 112 successfully and returns an allocated D2D service temporary identifier to the UE 112.
  • The UE 112 is further configured to send a discovery service request message to the first ProSe functional entity 111; the message may be a D2D discovery service request for one UE, or may be a D2D discovery service request for multiple UEs; the discovery service request message includes: a discovery service type and the D2D service temporary identifier;
  • The first ProSe functional entity 111 is further configured to authenticate the discovery request of the UE 112; if the discovery request is authenticated successfully, the first ProSe functional entity 111 initiates the corresponding discovery service process, according to the corresponding service type, to the ProSe under the local PLMN of the discovered UE; the first ProSe functional entity 111 sends a discovery service response message to the UE 112, and the message carries the D2D service temporary identifier assigned by the first ProSe functional entity 111 to the UE 112.
  • The first ProSe functional entity 111 authenticating the discovery request of the UE 112 includes:
  • The first ProSe functional entity 111 searches for a UE context related to the UE 112 according to the D2D service temporary identifier, and when the context corresponding to the UE 112 is found, the discovery request of the UE 112 is authenticated successfully;
  • When no context corresponding to the UE 112 is found, the first ProSe functional entity 111 initiates an acquire IMSI request to the UE 112; the UE 112 returns an acquire IMSI response to the first ProSe functional entity 111, and the acquire IMSI response carries the IMSI corresponding to the UE 112; the first ProSe functional entity 111 queries whether a UE context exists according to the IMSI, and when it exists, the discovery request of the UE 112 is authenticated successfully;
  • When it does not exist, the first ProSe functional entity 111 performs discovery service authentication with the HSS and establishes a new UE context, and the discovery request of the UE 112 is authenticated successfully.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment of a combination of software and hardware. Moreover, the invention can be embodied in the form of a computer program product embodied on one or more computer usable storage media (including but not limited to disk storage and optical storage, etc.) including computer usable program code.
  • The present invention is described with reference to flow charts and/or block diagrams of the method, apparatus (system), and computer program product according to embodiments of the present invention. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG.
  • These computer program instructions can be provided to a processor of a general purpose computer, a special purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that a device is produced for implementing the functions specified in one or more flows of the flow chart or one or more blocks of the block diagram.
  • The computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction device; the instruction device implements the functions specified in one or more flows of the flow chart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flow chart and/or one or more blocks of the block diagram.
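
The context lookup, HSS fallback and temporary identifier re-allocation described for the ProSe functional entity and the UE above can be modelled as follows. This is an added example, not code from the patent; the class and method names, the in-memory HSS dictionary with its `prose_allowed` field, the IMSI value, the random identifier format and the invalidation of the old identifier on re-allocation are all assumptions.

```python
import secrets


class ProSeFunction:
    """Toy model of the first ProSe functional entity (names are illustrative)."""

    def __init__(self, hss_records):
        self.hss = hss_records   # IMSI -> subscription record; stand-in for the HSS
        self.contexts = {}       # IMSI -> UE context held by this entity
        self.by_temp_id = {}     # current D2D service temporary identifier -> IMSI
        self.hss_queries = 0     # counts UE context acquisitions from the HSS

    def _find(self, imsi=None, temp_id=None):
        """Return the IMSI of a stored UE context, or None if there is none."""
        if temp_id in self.by_temp_id:
            return self.by_temp_id[temp_id]
        return imsi if imsi in self.contexts else None

    def _acquire_from_hss(self, imsi):
        """UE context acquisition from the HSS; False if the subscriber is unknown."""
        self.hss_queries += 1
        record = self.hss.get(imsi)
        if record is None or not record.get("prose_allowed"):  # hypothetical field
            return False
        self.contexts[imsi] = {"subscription": record, "temp_id": None}
        return True

    def _allocate_temp_id(self, imsi):
        """Allocate a new temporary identifier for use in the next request."""
        ctx = self.contexts[imsi]
        # Assumption: the previous identifier stops resolving once replaced.
        self.by_temp_id.pop(ctx["temp_id"], None)
        # Random allocation: the identifier is the only credential carried in
        # later requests, so it comes from a CSPRNG rather than a counter.
        ctx["temp_id"] = secrets.token_hex(8)
        self.by_temp_id[ctx["temp_id"]] = imsi
        return ctx["temp_id"]

    def authenticate(self, imsi=None, temp_id=None):
        """Authentication request carrying an IMSI or a temporary identifier."""
        found = self._find(imsi, temp_id)
        if found is None:
            # Assumption: the HSS can only be queried when the IMSI is known.
            if imsi is None or not self._acquire_from_hss(imsi):
                return None
            found = imsi
        return self._allocate_temp_id(found)

    def discovery_request(self, service_type, temp_id, get_imsi_from_ue):
        """Discovery request: temporary identifier first, then IMSI, then HSS."""
        imsi = self._find(temp_id=temp_id)
        if imsi is None:
            imsi = get_imsi_from_ue()   # acquire IMSI request and response
            if self._find(imsi=imsi) is None and not self._acquire_from_hss(imsi):
                return {"result": "reject"}
        return {"result": "ok", "service_type": service_type,
                "temp_id": self._allocate_temp_id(imsi)}


class UE:
    def __init__(self, imsi):
        self.imsi = imsi
        self.temp_id = None

    def auth_request(self):
        """Carry only the IMSI until a temporary identifier has been obtained."""
        return {"temp_id": self.temp_id} if self.temp_id else {"imsi": self.imsi}


def demo():
    imsi = "001010000000001"   # constructed test value
    pf = ProSeFunction({imsi: {"prose_allowed": True}})
    ue = UE(imsi)
    ue.temp_id = pf.authenticate(**ue.auth_request())   # first contact: IMSI, HSS lookup
    first = ue.temp_id
    ue.temp_id = pf.authenticate(**ue.auth_request())   # later: identifier only, no HSS
    stale = pf.discovery_request("example-type", first, lambda: ue.imsi)
    return first, ue.temp_id, stale, pf.hss_queries


if __name__ == "__main__":
    print(demo())
```

In this model a replayed or stale temporary identifier never authenticates on its own; the request falls back to the IMSI exchange, and an IMSI unknown to the HSS is rejected.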


Abstract

The present invention relates to an authentication method. The method comprises the steps in which: a first proximity services (ProSe) functional entity sends a configuration parameter to a user equipment (UE); and the UE initiates an authentication process with the first ProSe functional entity according to the configuration parameter and, when the first ProSe functional entity has successfully authenticated the UE, the first ProSe functional entity allocates a D2D service temporary identifier to the UE. The present invention also relates to an authentication system, the UE and the ProSe functional entity.
PCT/CN2014/083049 2014-03-12 2014-07-25 Authentication method and system, ProSe functional entity and UE WO2015135278A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410091463.3A CN104918246A (zh) 2014-03-12 2014-03-12 Authentication method and system, ProSe functional entity and UE
CN201410091463.3 2014-03-12

Publications (1)

Publication Number Publication Date
WO2015135278A1 true WO2015135278A1 (fr) 2015-09-17

Family

ID=54070860

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/083049 WO2015135278A1 (fr) 2014-03-12 2014-07-25 Authentication method and system, ProSe functional entity and UE

Country Status (2)

Country Link
CN (1) CN104918246A (fr)
WO (1) WO2015135278A1 (fr)

Also Published As

Publication number Publication date
CN104918246A (zh) 2015-09-16

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 14885264; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 14885264; Country of ref document: EP; Kind code of ref document: A1)