WO2016086355A1 - Authentication method in a wireless communication network, and associated apparatus and system - Google Patents


Info

Publication number: WO2016086355A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2014/092787
Other languages: English (en), Chinese (zh)
Inventors: 崇卫微, 吴晓波, 吕阳明, 陈璟, 席国宝
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Applicant: 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority: PCT/CN2014/092787; the Chinese application CN201480083832.2A (published as CN107005842B) claims priority to it
Publication: WO2016086355A1 (French-language publication)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/06: Authentication

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to an authentication method, related device, and system in a wireless communication network.
  • Authentication is part of mobile network security management to achieve the confidentiality and data integrity of mobile networks.
  • UE User Equipment
  • the UE triggers the authentication process by initiating a registration request, a service request, or a handover request to the network.
  • in a 2G network, authentication is a one-way process: only the network verifies the legitimacy of the UE. In a third generation (3G) network or a Long Term Evolution (LTE) network, in addition to the network verifying the legitimacy of the UE, the UE also verifies the validity of the network, that is, it performs network authentication.
  • 3G Third Generation
  • LTE Long Term Evolution
  • the authentication process is performed domain by domain, that is, the packet switching (PS) domain and the circuit switching (CS) domain each run their own authentication process; PS domain authentication is initiated by the Mobility Management Entity (MME) or by the General Packet Radio Service (GPRS) Serving GPRS Support Node (SGSN).
  • MME Mobility Management Entity
  • GPRS General Packet Radio Service
  • SGSN Serving GPRS Support Node
  • the CS domain authentication is initiated by the Mobile Switching Center (MSC).
  • MSC Mobile Switching Center
  • the UE therefore performs network authentication separately for the PS domain and for the CS domain.
  • the MSC/SGSN sends the UE an authentication request message carrying parameters of the authentication vector.
  • the UE first determines the validity of the network from the authentication request message. If the network is legitimate, the UE then checks whether it is synchronized with the network. If synchronization succeeds, the UE has authenticated the network and returns a response message, from which the MSC/SGSN verifies the validity of the UE. If synchronization fails, the UE replies to the MSC/SGSN with an authentication failure message carrying a cause value, and the MSC/SGSN sends a new authentication request message to the UE.
  • when PS domain authentication is inserted before CS domain authentication and the MSC holds an unused authentication vector, the UE may fail network authentication for the CS domain; or,
  • when CS domain authentication is inserted before PS domain authentication and the MME/SGSN that initiates the PS domain authentication holds an unused authentication vector, the UE may fail network authentication for the PS domain.
  • once the MSC/SGSN/MME has received an authentication failure message from the UE twice, the authentication process is terminated and an authentication reject message is sent to the UE. After receiving the authentication reject message the UE cannot initiate services normally until it restarts, which has a serious impact on the user.
  • the embodiments of the present invention provide an authentication method, a related device, and a system in a wireless communication network, which can solve the problem of authentication failure in the prior art.
  • an embodiment of the present invention provides an authentication method in a wireless communication network, where the method includes:
  • the core network device that stores an unused authentication vector for the user equipment sends a first authentication data request message to the authentication device, where the first authentication data request message requests that the authentication device generate an authentication vector for the user equipment; the core network device receives the first authentication data response message returned by the authentication device, which carries the first authentication vector;
  • the core network device sends a first authentication request message to the user equipment, where the first authentication request message includes the random number and the authentication token of the first authentication vector. That the core network device saves an unused authentication vector for the user equipment means that the unused authentication vector is associated with, or was generated for, that user equipment.
  • the method further includes: after the user equipment accesses the first network in which the core network device is located, the core network device determines that the user equipment has accessed the first network from a second network;
  • the network standard of the first network is different from the network standard of the second network.
  • the first network is a 3G network
  • the second network is an LTE network, a 2G network, a 5G network, or a 4.5G network.
  • the first network is an LTE network
  • the second network is a 5G network or a 4.5G network.
  • before the core network device that saves an unused authentication vector for the user equipment sends the first authentication data request message to the authentication device, the method further includes:
  • the core network device sends a second authentication data request message to the authentication device, requesting that the authentication device generate an authentication vector for the user equipment; the core network device receives the second authentication data response message returned by the authentication device according to the second authentication data request message, which carries the second authentication vector and the unused authentication vector; the core network device sends a second authentication request message to the user equipment, where the second authentication request message includes the random number and the authentication token of the second authentication vector.
  • an embodiment of the present invention provides an authentication method in a wireless communication network, where the method includes:
  • the authentication device receives a first authentication data request message sent by a core network device that stores an unused authentication vector for the user equipment, where the first authentication data request message requests that the authentication device generate an authentication vector for the user equipment;
  • the authentication device generates a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated by the authentication device for the user equipment; the authentication device returns the first authentication data response message to the core network device.
  • before the authentication device receives the first authentication data request message sent by the core network device that stores the unused authentication vector for the user equipment, the method further includes:
  • the authentication device receives a second authentication data request message sent by the core network device, where the second authentication data request message requests that the authentication device generate an authentication vector for the user equipment;
  • the authentication device generates a second authentication data response message according to the second authentication data request message, where
  • the second authentication data response message includes a second authentication vector generated by the authentication device for the user equipment and the unused authentication vector; the authentication device returns the second authentication data response message to the core network device.
  • an embodiment of the present invention provides a core network device, where the core network device includes:
  • a storage unit configured to save an unused authentication vector for the user equipment;
  • an acquiring unit configured to send a first authentication data request message to the authentication device while the storage unit holds the unused authentication vector, where the first authentication data request message requests that the authentication device generate an authentication vector for the user equipment, and to receive the first authentication data response message returned by the authentication device according to that request, where the first authentication data response message includes a first authentication vector;
  • a sending unit configured to send a first authentication request message to the user equipment, where the first authentication request message includes the random number and the authentication token of the first authentication vector.
  • the core network device further includes:
  • a determining unit configured to determine, after the user equipment accesses the first network in which the core network device is located, that the user equipment has accessed the first network from a second network;
  • the network standard of the first network is different from the network standard of the second network.
  • the acquiring unit is specifically configured to send the first authentication data request message to the authentication device after the determining unit has determined that the user equipment accessed the first network from the second network.
  • the first network is a 3G network and the second network is an LTE network, a 2G network, a 5G network, or a 4.5G network; or
  • the first network is an LTE network and the second network is a 5G network or a 4.5G network.
  • the acquiring unit is further configured, before sending the first authentication data request message to the authentication device, to send a second authentication data request message to the authentication device requesting that it generate an authentication vector for the user equipment, and to receive the second authentication data response message returned by the authentication device according to the second authentication data request message, which carries the second authentication vector and the unused authentication vector; the sending unit is further configured, before the acquiring unit sends the first authentication data request message to the authentication device, to send a second authentication request message to the user equipment, where the second authentication request message includes the random number and the authentication token of the second authentication vector.
  • the embodiment of the present invention further provides an authentication device, which includes: a receiving unit configured to receive a first authentication data request message sent by a core network device that stores an unused authentication vector for the user equipment, where the first authentication data request message requests that the authentication device generate an authentication vector for the user equipment; a processing unit configured to generate a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated for the user equipment; and a sending unit configured to return the first authentication data response message to the core network device.
  • the receiving unit is further configured to receive, before the first authentication data request message, a second authentication data request message sent by the core network device, where the second authentication data request message requests that the authentication device generate an authentication vector for the user equipment.
  • the processing unit is further configured to generate a second authentication data response message according to the second authentication data request message, where the second authentication data response message includes a second authentication vector generated for the user equipment and the unused authentication vector; the sending unit is further configured to return the second authentication data response message to the core network device.
  • the embodiment of the present invention further provides an authentication system, including the core network device of the third aspect or any of its possible implementations and the authentication device of the fourth aspect or any of its possible implementations.
  • the embodiment of the present invention further provides an authentication method in a wireless communication network, where the method includes: after the user equipment accesses the Long Term Evolution (LTE) network from the 3G network, the Mobility Management Entity (MME) of the LTE network obtains the unused authentication vector that the Serving GPRS Support Node (SGSN) of the 3G network saved for the user equipment;
  • the MME deletes or discards the unused authentication vector, so that after the user equipment re-accesses the 3G network from the LTE network, the MME cannot send the unused authentication vector to the SGSN.
  • the MME of the LTE network obtaining the unused authentication vector saved by the SGSN of the 3G network for the user equipment includes:
  • the MME sends a first context request message to the SGSN of the 3G network and receives a first context response message returned by the SGSN, where the first context response message includes the unused authentication vector; or
  • the MME receives a first forward relocation request message from the SGSN of the 3G network, where the first forward relocation request message includes the unused authentication vector.
  • the method further includes:
  • after the user equipment re-accesses the 3G network from the LTE network, the MME receives a second context request message sent by the SGSN and returns a second context response message to the SGSN, where the second context response message does not include the unused authentication vector; or
  • after the user equipment re-accesses the 3G network from the LTE network, the MME sends a second forward relocation request message to the SGSN, where the second forward relocation request message does not include the unused authentication vector.
  • an embodiment of the present invention provides a mobility management entity MME, including:
  • an acquiring unit configured to acquire, after the UE accesses the LTE network from the 3G network, the unused authentication vector saved by the SGSN of the 3G network for the UE.
  • the acquiring unit may send a first context request message to the SGSN of the 3G network and receive a first context response message returned by the SGSN, where the first context response message includes the unused authentication vector; or
  • the acquiring unit may receive a first forward relocation request message from the SGSN of the 3G network, where the first forward relocation request message includes the unused authentication vector;
  • a processing unit configured to delete or discard the unused authentication vector, so that the MME cannot send the unused authentication vector to the SGSN after the UE re-accesses the 3G network from the LTE network.
  • the acquiring unit is further configured to: after the user equipment re-accesses the 3G network from the LTE network, receive a second context request message sent by the SGSN and return a second context response message to the SGSN, where the second context response message does not include the unused authentication vector; or, after the user equipment re-accesses the 3G network from the LTE network, send a second forward relocation request message to the SGSN, where the second forward relocation request message does not include the unused authentication vector.
  • an embodiment of the present invention provides a core network device, including a processor, a memory, a bus, and a communication interface.
  • the memory is configured to store computer-executable instructions;
  • the processor is connected to the memory through the bus, and when the core network device is in operation, the processor executes the computer-executable instructions stored in the memory, so that
  • the core network device performs the authentication method in a wireless communication network according to the first aspect or any of its possible implementations.
  • an embodiment of the present invention provides an authentication device, which includes a processor, a memory, a bus, and a communication interface.
  • the memory is configured to store computer-executable instructions;
  • the processor is connected to the memory through the bus, and when the authentication device is in operation, the processor executes the computer-executable instructions stored in the memory, so that
  • the authentication device performs the authentication method in a wireless communication network according to the second aspect or any of its possible implementations.
  • An embodiment of the present invention provides an authentication method in a wireless communication network in which, before the core network device sends an authentication request message to the UE, the core network device obtains a first authentication vector from the authentication device even if it already saves an unused authentication vector for the UE, and sends the UE an authentication request message carrying the random number and the authentication token of the first authentication vector, which starts the network authentication process between the UE and the core network device. This ensures that each time CS domain or PS domain network authentication is performed, the core network device authenticates with a first authentication vector freshly obtained from the authentication device instead of with the unused authentication vector it saved.
  • FIG. 1 is an authentication method in a wireless communication network according to an embodiment of the present invention
  • FIG. 3 is another authentication method in a wireless communication network according to an embodiment of the present invention.
  • FIG. 5 is another authentication method in a wireless communication network according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of a core network device according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic diagram of an authentication device according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of an authentication system according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of an authentication device in a wireless communication network according to an embodiment of the present invention.
  • the embodiments of the present invention provide a method, a related device, and a system for authenticating in a wireless communication network, which can solve the problem of authentication failure caused by synchronization failure in the prior art.
  • the UE needs to verify whether it is synchronized with the network. If it is not synchronized, the authentication process fails.
  • the UE obtains the sequence number (SQN) from the authentication vector sent by the core network device (MME/MSC/SGSN) and checks whether it satisfies a series of conditions, including whether the sequence part (SEQ) of the sequence number satisfies SEQ_MS − SEQ < L, where L is set by the operator (L may be 32) and SEQ_MS is the SEQ of the largest sequence number currently stored by the UE.
  • the SQN generated by the authentication device is usually expressed in binary and consists of two parts, SEQ and IND.
  • the authentication device stores a difference (DIF) value for each user equipment in its own database, and the DIF value of each user equipment is different. The DIF value of a user equipment represents the difference between the SEQ generated for that user equipment and the value of the global counter (GLC); the SEQ generated for the same UE therefore depends only on the value of the global counter GLC at the time of generation.
  • the inventor has found that in the prior art, because the UE does not completely separate the synchronization detection of the PS domain from that of the CS domain, once PS domain authentication is inserted before CS domain authentication and the MSC that initiates the CS domain authentication holds an unused authentication vector, the UE may fail network authentication for the CS domain; or, when CS domain authentication is inserted before PS domain authentication and the MME/SGSN that initiates the PS domain authentication holds an unused authentication vector, the UE may fail network authentication for the PS domain.
  • for example, before initiating the first CS domain authentication the MSC may obtain multiple authentication vectors AV_C11 and AV_C12 from the authentication device. After the first CS domain authentication, the unused authentication vector AV_C12 is still stored in the MSC. Later, for instance because the radio access type of the UE changes, PS domain authentication and a second CS domain authentication may be initiated for the UE, and the PS domain authentication may take place before the second CS domain authentication.
  • if, for the second CS domain authentication, the core network device uses the unused authentication vector AV_C12 that it saved during the first CS domain network authentication, and the times at which the authentication device generated AV_P and AV_C12 differ greatly, then SEQ_MS − SEQ is not less than L, the detection condition cannot be satisfied, synchronization fails, and therefore authentication fails.
  • when authentication fails because of a synchronization failure, the core network device usually receives an authentication failure message from the UE carrying the cause value "synchronization failure", and the core network device sends the authentication device an authentication data request message carrying a synchronization failure indication to trigger the resynchronization process. That message also carries SEQ_MS1, the SEQ of the largest sequence number stored in the UE at the time of the synchronization failure. Unlike the handling of an authentication data request message that carries no synchronization failure indication, where the authentication device generates SEQ from the DIF value looked up by the identity of the UE, the authentication device generates the resynchronization sequence SEQ_sy from SEQ_MS1,
  • so that the resynchronization sequence SEQ_sy is almost equal to SEQ_MS1.
  • when the UE then performs network authentication again for the CS domain,
  • authentication may fail again,
  • and the resulting termination of the authentication process leaves the UE unable to initiate services normally until it restarts.
  • an embodiment of the present invention provides an authentication method in a wireless communication network which enables the core network device (MSC/SGSN/MME) to obtain a new authentication vector from the authentication device before initiating an authentication request to the UE and, even if it saves an unused authentication vector, to use the newly obtained authentication vector for authentication. This ensures that each time CS domain or PS domain network authentication is performed,
  • a core network device MSC/SGSN/MME
  • the SEQ contained in the authentication vector has just been generated by the authentication device. Even if PS domain network authentication is inserted before CS domain network authentication, or CS domain network authentication before PS domain network authentication, synchronization then succeeds, which solves the authentication failure caused by synchronization failure in the prior art and avoids the UE being cut off because of authentication failure.
  • the embodiment of the present invention further provides an authentication method in a wireless communication network in which, when the core network device triggers the resynchronization process because of a synchronization failure, the authentication device does not use the SEQ_MS reported by the UE (the SEQ of the largest sequence number the UE stores)
  • to generate the resynchronization sequence SEQ_sy, but instead obtains the DIF value of the UE directly from the identity of the UE, just as for an authentication data request message that carries no synchronization failure indication, and generates the resynchronization sequence SEQ_sy from the DIF value of the UE and the current value of the global counter GLC (that is, the time at which the resynchronization SEQ is generated), so that SEQ_sy is not equal to (or approximately equal to) SEQ_MS1. This ensures that the core network device succeeds when it authenticates with the authentication vector containing the resynchronization sequence SEQ_sy,
  • and avoids the problem of the UE being unable to initiate services normally until it restarts.
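The sequence-number check (SQN = SEQ ‖ IND, age limit L, SEQ = GLC + DIF), the stale CS-domain vector after an intervening PS-domain authentication described above, and the 3G/LTE/3G context transfer handled by the second method, as an added simulation. This is example code written for this page, not Huawei's implementation or 3GPP reference code. Beyond what the page states, it assumes L = 32 as the operator's age limit, a 5-bit IND with CS-domain vectors on indices 0..15 and PS/LTE vectors on 16..31, one GLC increment per generated vector, and an MME that requests its own fresh vector and never consumes UMTS vectors received with a UE context.

```python
"""Model of the 3GPP AKA sequence-number freshness check and of the stale
authentication-vector scenarios this page describes.  Constructed example,
not Huawei's or 3GPP's code.  Assumed: age limit L = 32 (the value the page
quotes), a 5-bit IND with CS vectors in IND 0..15 and PS/LTE vectors in
16..31, and a global counter GLC that advances by one per generated vector."""
from dataclasses import dataclass

L = 32                                                 # reject if max(SEQ_MS) - SEQ >= L
IND_RANGE = {"CS": range(0, 16), "PS": range(16, 32)}  # assumed domain split of the 32 indices


@dataclass
class AuthVector:
    seq: int   # SEQ part of SQN
    ind: int   # IND part of SQN


class AuthenticationDevice:
    """HLR/HSS/AuC: SEQ = GLC + DIF, with DIF fixed per subscriber."""
    def __init__(self):
        self.glc, self.dif, self.next_ind = 0, {}, {}

    def register(self, imsi, dif):
        self.dif[imsi] = dif

    def tick(self, steps):                             # time passes, GLC grows
        self.glc += steps

    def generate(self, imsi, domain, count):
        avs = []
        for _ in range(count):
            self.glc += 1
            idx = self.next_ind.get((imsi, domain), 0)
            self.next_ind[(imsi, domain)] = idx + 1
            avs.append(AuthVector(self.glc + self.dif[imsi], IND_RANGE[domain][idx % 16]))
        return avs


class USIM:
    """UE side: list method with age limit, in the style of TS 33.102 Annex C."""
    def __init__(self):
        self.seq_ms = [0] * 32                         # SEQ_MS(i), one entry per IND

    def verify(self, av):
        if av.seq <= self.seq_ms[av.ind]:              # per-index list check
            return False
        # The age limit is taken against the maximum over ALL indices, so a fresh PS
        # vector can push an older, unused CS vector out of the window (the failure).
        if max(self.seq_ms) - av.seq >= L:
            return False
        self.seq_ms[av.ind] = av.seq
        return True


class CoreNetworkDevice:
    """MSC / SGSN / MME: keeps unused vectors per UE between authentications."""
    def __init__(self, name, domain, auc, batch=2, uses_received=True, discard_received=False):
        self.name, self.domain, self.auc, self.batch = name, domain, auc, batch
        self.uses_received = uses_received             # MSC/SGSN consume UMTS vectors, an MME does not
        self.discard_received = discard_received       # the page's second method, applied at the MME
        self.stored, self.carried = {}, {}             # own unused AVs / AVs received with a UE context

    def authenticate(self, imsi, usim, always_fetch_fresh):
        if always_fetch_fresh or not self.stored.get(imsi):
            self.stored[imsi] = self.auc.generate(imsi, self.domain, self.batch)
        return usim.verify(self.stored[imsi].pop(0))

    def transfer_context(self, imsi, target):          # Context Response / Forward Relocation Request
        avs = self.stored.pop(imsi, []) + self.carried.pop(imsi, [])
        if target.discard_received:
            avs = []
        (target.stored if target.uses_received else target.carried)[imsi] = avs


def cs_ps_cs_scenario(always_fetch_fresh, elapsed):
    """CS auth, PS auth `elapsed` GLC steps later, then CS auth again."""
    auc = AuthenticationDevice()
    auc.register("imsi-1", dif=100)
    usim, msc, sgsn = USIM(), CoreNetworkDevice("MSC", "CS", auc), CoreNetworkDevice("SGSN", "PS", auc)
    first_cs = msc.authenticate("imsi-1", usim, always_fetch_fresh)   # second MSC vector stays stored
    auc.tick(elapsed)
    ps = sgsn.authenticate("imsi-1", usim, always_fetch_fresh)        # fresh vector raises max(SEQ_MS)
    second_cs = msc.authenticate("imsi-1", usim, always_fetch_fresh)  # stale stored vector unless fresh
    return [first_cs, ps, second_cs]


def inter_rat_scenario(mme_discards, elapsed):
    """3G -> LTE -> 3G: do the SGSN's leftover vectors come back and get reused?"""
    auc = AuthenticationDevice()
    auc.register("imsi-1", dif=100)
    usim, sgsn = USIM(), CoreNetworkDevice("SGSN", "PS", auc)
    mme = CoreNetworkDevice("MME", "PS", auc, batch=1, uses_received=False, discard_received=mme_discards)
    r1 = sgsn.authenticate("imsi-1", usim, False)      # second SGSN vector stays stored
    sgsn.transfer_context("imsi-1", mme)               # UE moves to LTE
    auc.tick(elapsed)
    r2 = mme.authenticate("imsi-1", usim, False)       # MME obtains its own fresh vector
    mme.transfer_context("imsi-1", sgsn)               # UE moves back to 3G
    r3 = sgsn.authenticate("imsi-1", usim, False)      # reuses the old SGSN vector if it came back
    return [r1, r2, r3]


if __name__ == "__main__":
    print("reuse stored CS vector, 100 steps apart:", cs_ps_cs_scenario(False, 100))
    print("always fetch fresh (first method):      ", cs_ps_cs_scenario(True, 100))
    print("MME discards received vectors (second): ", inter_rat_scenario(True, 100))
```

cs_ps_cs_scenario(False, 100) reproduces the failure, returning [True, True, False]: the second CS authentication reuses the stored vector after the PS authentication has moved max(SEQ_MS) more than L ahead of it. With vectors generated close together in time, cs_ps_cs_scenario(False, 10), the same reuse passes, which is why the problem is intermittent. cs_ps_cs_scenario(True, 100) (always fetch a fresh vector, the first method) and inter_rat_scenario(True, 100) (the MME discards the vectors received with the UE context, the second method) both return [True, True, True], while inter_rat_scenario(False, 100) shows the old SGSN vector travelling through the MME and failing when the SGSN reuses it.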
  • the core network device may be an MSC, an SGSN, or an MME
  • the authentication device may be a Home Location Register (HLR), a Home Subscriber Server (HSS), an Authentication Center (AUC), or a Home Environment (HE).
  • an embodiment of the present invention provides an authentication method in a wireless communication network, where the method includes:
  • S101: the core network device that saves an unused authentication vector for the UE sends a first authentication data request message (authentication data request) to the authentication device, where the first authentication data request message requests that the authentication
  • device generate an authentication vector for the UE.
  • when the radio access type (RAT) of the UE changes, that is, when the UE moves from one network to another, the core network device of the target network initiates an authentication process for the UE.
  • the authentication process may be the network authentication process of the PS
  • domain or the network authentication process of the CS domain.
  • CSFB Circuit Switched Fallback
  • in the Circuit Switched Fallback (CSFB) scenario, for example, the core network device of the 2G or 3G network may send an authentication request message to the UE to initiate the network authentication process for the CS domain or the PS domain.
  • before doing so, the core network device may send a first authentication data request message to the authentication device to obtain an authentication vector.
  • that is, the core network device requests that the authentication device generate an authentication
  • vector for the UE whether or not it already holds an unused authentication vector for that UE, and uses the newly generated authentication vector to initiate CS domain or PS domain network authentication. This avoids the authentication failure that occurs in the prior art when the core network device initiates network authentication with an unused authentication vector it saved itself and synchronization fails, and so ensures, as far as possible, that network authentication succeeds.
  • the authentication device receives the first authentication data request message sent by the core network device that stores an unused authentication vector for the UE,
  • generates a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes the first authentication vector generated by the authentication device
  • for the UE, and returns the first authentication data response message to the core network device.
  • that an unused authentication vector is saved for the UE means that the unused authentication vector was generated for the UE, or that the unused authentication vector is associated with the UE.
  • S102 The core network device receives a first authentication data response message (authentication data response) returned by the authentication device according to the first authentication data request message, where the first authentication data response message carries the first Authentication vector.
  • the core network device sends a first authentication request message (authentication request) to the UE, where the first authentication request message includes a random number and an authentication token in the first authentication vector.
  • the first authentication vector may include a random number (RAND), an authentication token (AUTN), an expected response (XRES), an integrity key (IK), and an encryption. Key (cipher key, CK).
  • the core network device may send a first authentication request message by using a random number and an authentication token in the first authentication vector, to start the UE and the The authentication process between the core network devices.
  • the UE may determine an SQN according to the random number and the authentication token, that is, determine SEQ (including SEQ in SQN), so that synchronization detection between the UE and the network may be completed by using SQN (SEQ) or other The authentication process.
  • the first authentication vector obtained by the core network device from the authentication device may be one or more.
  • the multiple first authentication vectors constitute a reference.
  • the first authentication request message may include an authentication token and a random number in one of the plurality of first authentication vectors.
  • if the core network device obtains an authentication vector from the authentication device before each authentication process is initiated, a large burden may be imposed on the authentication device.
  • the authentication failure problem caused by the synchronization failure basically occurs in the authentication process after the UE switches from the LTE network to the 3G network, or occurs after the UE switches from the 2G network to the 3G network.
  • the method of the present invention may be used only for the above scenario, and step S101 may specifically be: after the UE accesses the 3G network, the core network device of the 3G network sends a first authentication data request message to the authentication device, where at this time the core network device stores an unused authentication vector for the UE.
  • the core network devices in steps 102 and 103 refer to the core network devices of the 3G network.
  • the method may also be performed only for the scenario that the UE performs the network authentication after the UE is switched from the second network to the first network.
  • the method may further include the step S100:
  • the core network device determines that the UE is a UE that accesses the first network from the second network.
  • the core network devices in steps S101 to S103 all refer to the core network devices located in the first network.
  • the network standard of the first network is different from the network standard of the second network, where the first network may be a 3G network and the second network may be an LTE network or a 2G network; or the first network may be an LTE network and the second network may be a 5G/4.5G network.
  • S100 is: after the UE accesses the 3G network, the core network device of the 3G network determines that the UE is a UE that accesses the 3G network from the LTE network. This ensures that, even if the core network device stores an unused authentication vector when the UE accesses the 3G network from the LTE network, the core network device obtains the first authentication vector from the authentication device and uses the first authentication vector to initiate the network authentication process.
  • the core network device may determine in multiple ways that the UE is a UE that accesses the 3G network from the LTE network.
  • the core network device may determine, according to the CS domain Non-Access Stratum (CS domain NAS) message sent by the UE, or according to the paging response message of the UE in the called scenario, whether the UE is a CSFB user; if it is determined to be a CSFB user, the UE is determined to be a UE that accesses the 3G network from the LTE network. The CS domain NAS message may be a connection management service request message or a location update request message, etc.
  • the core network device may be an MSC; or,
  • the core network device may determine, according to the PS domain Non-Access Stratum (PS domain NAS) message sent by the UE, whether the UE is a UE that accesses the LTE network to the 3G network.
  • for example, the routing area update (RAU) request message may be used to determine that the UE is a UE that accesses the 3G network from the LTE network, where the core network device may be an SGSN; or,
  • the function of the base station may be enhanced, so that the base station can determine whether the UE is a CSFB user by checking whether the Radio Resource Control (RRC) connection request message sent by the UE includes CSFB indication information.
  • the base station then sends a notification message to the core network device, and the core network device may determine, according to the notification message, that the UE is a UE that accesses the 3G network from the LTE network.
  • the core network device may be an MSC or an SGSN; or
  • the core network device may determine whether the UE is a UE that accesses the 3G network from the LTE network by checking whether an SGs interface association with the MME exists; if the SGs interface association exists, the UE is determined to be a UE that accesses the 3G network from the LTE network, and the core network device may be an MSC.
  • the unused authentication vector saved in the core network device may be acquired before the core network device initiates the last authentication process, as shown in FIG. 2, before step S101.
  • the method may further include:
  • the core network device sends a second authentication data request message to the authentication device, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the UE.
  • the authentication device may receive the second authentication data request message sent by the core network device, generate a second authentication data response message according to the second authentication data request message, where the second authentication data response message includes a second authentication vector and the unused authentication vector, and return the second authentication data response message to the core network device.
  • the core network device receives the second authentication data response message returned by the authentication device according to the second authentication data request message, where the second authentication data response message includes the second authentication vector generated by the authentication device for the UE and the unused authentication vector.
  • the core network device sends a second authentication request message to the UE, where the second authentication request message includes a random number and an authentication token in the second authentication vector.
  • that is, the core network device obtains the second authentication vector generated for the UE and the unused authentication vector from the authentication device, uses the second authentication vector for authentication, and also saves the unused authentication vector. When the core network device subsequently needs to send the first authentication request message, it obtains the first authentication vector generated for the UE from the authentication device again, which avoids the authentication failure that may be caused by the synchronization failure when, as in the prior art, the core network device initiates network authentication by using the unused authentication vector saved by itself, and ensures the success of network authentication as much as possible.
  • the embodiment of the present invention provides a network authentication method, which can be applied to a scenario in which PS domain authentication is inserted between two CS domain authentications.
  • the scenario may be that the UE located in the LTE network initiates a joint attach procedure, and is registered on the MME of the LTE network and the MSC of the 3G network.
  • the MSC initiates an authentication process for the UE, that is, initiates a first CS domain authentication process.
  • the UE resides on the LTE network.
  • the UE may then access the 3G network from the LTE network due to reasons such as CSFB, and the originally registered MSC may provide CS domain services for it; the SGSN and the MSC in the 3G network may respectively initiate the PS domain authentication process and the second CS domain authentication process for the UE, and the method can ensure that authentication succeeds in the foregoing authentication processes.
  • the method may include:
  • S301 The UE located in the LTE network initiates a joint attach procedure, and is registered on the MME of the LTE network and the MSC of the 3G network.
  • an SGs interface association is established between the MME and the MSC corresponding to the UE.
  • the UE sends an attach request message to the MME, where the attach request message includes an attach type information element, which is used to notify the MME that the UE requests a joint Evolved Packet System (EPS) attach or an International Mobile Subscriber Identity (IMSI) attach.
  • after receiving the attach request message, the MME performs an EPS attach procedure, then selects an MSC according to the configuration information and/or the budget algorithm and sends a location update request message to the MSC so that the UE is registered on it.
  • the SGs interface between the MME and the MSC enters an association state, that is, an SGs interface association corresponding to the UE is established between the two.
  • the MSC sends a second authentication data request message to the authentication device, where the second authentication data request message includes an identity of the UE, and the second authentication data request message is used to request the authentication device to generate an authentication vector for the UE.
  • the MSC or MME may be triggered to initiate an authentication process.
  • the MSC may obtain an authentication vector by using a second authentication data request message before initiating the authentication process.
  • the identity of the UE may be an IMSI.
  • the number of authentication vectors requested to be acquired may be specified. In order to save network resource expenditure, multiple authentication vectors may be acquired each time, that is, an authentication vector required for subsequent authentication is reserved.
  • the second authentication data request message may include indication information, where the indication information is used to indicate that the number of authentication vectors requested to be acquired is 3.
  • the authentication device returns a second authentication data response message to the MSC, where the second authentication data response message includes the authentication vectors AV21, AV22, and AV23 generated for the UE.
  • each of the authentication vectors returned by the authentication device may include a random number RAND, an authentication token AUTN, an expected response XRES, an integrity key IK, and a cipher key CK.
  • the UE may first derive the anonymity key AK from the random number RAND, and then obtain the SQN from the authentication token AUTN by using the AK and the related algorithm, in order to perform synchronization detection, that is, to verify whether the SQN is in the correct range.
  • the MSC sends a second authentication request message to the UE, where the second authentication request message includes RAND21 and AUTN21 in the authentication vector AV21.
  • S305 The UE performs CS domain authentication on the 3G network according to the second authentication request message, and after the authentication succeeds, returns a second authentication response message (authentication response) to the MSC.
  • the UE may first verify the legitimacy of the network by using RAND21 and AUTN21. If the network is legitimate, the synchronization sequence number SQN21 is obtained from AUTN21 by using the AK21 derived from RAND21 and the related algorithm, where SQN21 includes the parameter SEQ21.
  • S306 The UE accesses the 3G network from the LTE network.
  • the UE may access the 3G network from the LTE network, and the originally registered MSC may provide CS domain services for it.
  • for example, the LTE network may not support the voice service, and when the UE needs to make a voice call it falls back (CSFB) to the 3G network to initiate the CS voice service; or, for example, the UE may access the 3G network by means of handover or network reselection because of an abnormality of the LTE network.
  • S307 The UE sends an RAU request message to the SGSN of the 3G network.
  • the UE may send a RAU request message to the SGSN of the 3G network for requesting registration to the PS domain of the 3G network, so as to be able to perform PS domain service.
  • the SGSN sends a third authentication data request message to the authentication device, where the third authentication data request message includes an identity identifier of the UE, and the third authentication data request message is used to request the authentication device to generate an authentication vector for the UE.
  • the SGSN may need to initiate an authentication process, that is, PS domain authentication, and thus, before the authentication, the authentication vector may be obtained through the third authentication data request message.
  • the authentication device returns a third authentication data response message to the SGSN, where the third authentication data response message includes the authentication vectors AV31, AV32, and AV33 generated for the UE.
  • for example, assuming that the third authentication data request message is sent 5 s after the second authentication data request message, the time difference between the authentication device generating AV21/AV22/AV23 and generating AV31/AV32/AV33 is correspondingly about 5 s.
  • the SGSN sends a third authentication request message to the UE, where the third authentication request message includes RAND31 and AUTN31 in the authentication vector AV31.
  • S311 The UE performs PS domain authentication on the 3G network according to the third authentication request message. After the authentication succeeds, a third authentication response message is returned to the SGSN.
  • the process in which the SGSN obtains the authentication vector and initiates the PS domain authentication process may also be performed by the MME: while the UE is still located in the LTE network, the MME obtains an authentication vector and initiates the PS domain authentication process; the UE then switches from the LTE network to the 3G network, and the MSC of the 3G network performs the acquisition of the authentication vector and the CS domain authentication process described in the following steps.
  • S312 The UE sends an access request message or a service request message to the MSC to obtain a CS domain service of the 3G network.
  • the UE may send an access request message or a service request message, such as a location update request message and a connection management service request message, to obtain the CS domain service of the 3G network.
  • the MSC determines, according to the access request message or the service request message, whether the UE is a UE that accesses the 3G network from the LTE network.
  • after determining that the UE is a UE that accesses the 3G network from the LTE network, the MSC sends a first authentication data request message to the authentication device, where the first authentication data request message includes an identifier of the UE and is used to request the authentication device to generate an authentication vector for the UE.
  • the authentication device returns a first authentication data response message to the MSC, where the first authentication data response message contains an authentication vector AV11 generated for the UE.
  • the time difference between the authentication device generating the AV31/AV32/AV33 and generating the AV11 is about 0.5s.
  • the MSC may also obtain multiple authentication vectors from the authentication device, and the first authentication data response message may also include multiple authentication vectors.
  • the MSC sends a first authentication request message to the UE, where the first authentication request message includes RAND11 and AUTN11 in the authentication vector AV11.
  • S317 The UE performs CS domain authentication on the 3G network according to the first authentication request message, and after the authentication succeeds, returns a first authentication response message to the MSC.
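The synchronization check described above (AK derived from RAND, SQN unmasked from AUTN, SEQ compared with the UE's stored value) and the S301-S317 scenario, as an added, runnable illustration that is not code from the patent. The functions f1..f5 are HMAC-SHA256 stand-ins rather than the standardised MILENAGE algorithms, the subscriber key and the SEQ freshness window are constructed values, and the per-vector SEQ is a simple counter; with these assumptions the prior-art reuse of the saved AV22 after the PS domain authentication with AV31 fails the range check, while requesting a fresh AV11 succeeds.

```python
"""Toy model of the AKA synchronisation check and of steps S301-S317.

Added example, not code from the patent. f1..f5 are HMAC-SHA256 stand-ins
(NOT MILENAGE); K, AMF and SEQ_WINDOW are constructed values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed subscriber key
AMF = b"\x80\x00"  # authentication management field (placeholder value)
SEQ_WINDOW = 32    # constructed: how far ahead of SEQ_MS a received SEQ may be


def _prf(tag: bytes, data: bytes, n: int) -> bytes:
    """Keyed stand-in for the f1..f5 functions (not MILENAGE)."""
    return hmac.new(K, tag + data, hashlib.sha256).digest()[:n]

def f1(rand: bytes, sqn: bytes) -> bytes:  # MAC-A, 8 bytes
    return _prf(b"f1", rand + sqn + AMF, 8)

def f2(rand: bytes) -> bytes:  # RES / XRES
    return _prf(b"f2", rand, 8)

def f3(rand: bytes) -> bytes:  # CK
    return _prf(b"f3", rand, 16)

def f4(rand: bytes) -> bytes:  # IK
    return _prf(b"f4", rand, 16)

def f5(rand: bytes) -> bytes:  # AK, 6 bytes: anonymity key that masks SQN
    return _prf(b"f5", rand, 6)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class AuthVector:
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes  # (SQN xor AK) || AMF || MAC-A


class AuthenticationDevice:
    """HLR/HSS/AuC: every generated vector carries the next SEQ value."""

    def __init__(self) -> None:
        self.seq = 0

    def generate(self, count: int) -> list:
        avs = []
        for _ in range(count):
            self.seq += 1
            sqn = self.seq.to_bytes(6, "big")
            rand = os.urandom(16)
            autn = xor(sqn, f5(rand)) + AMF + f1(rand, sqn)
            avs.append(AuthVector(rand, f2(rand), f3(rand), f4(rand), autn))
        return avs


class UE:
    """USIM side: verifies the network, then checks that SEQ is in range."""

    def __init__(self) -> None:
        self.seq_ms = 0  # highest SEQ accepted so far

    def authenticate(self, rand: bytes, autn: bytes):
        ak = f5(rand)
        sqn = xor(autn[:6], ak)          # unmask SQN with the anonymity key
        if autn[8:] != f1(rand, sqn):    # network legitimacy check (MAC-A)
            return "mac_failure", None
        seq = int.from_bytes(sqn, "big")
        if not (self.seq_ms < seq <= self.seq_ms + SEQ_WINDOW):
            return "sync_failure", None  # stale or too-far-ahead vector
        self.seq_ms = seq
        return "success", f2(rand)       # RES for the network to compare


def network_auth(ue: UE, av: AuthVector) -> str:
    """One authentication request/response round as seen by an MSC or SGSN."""
    status, res = ue.authenticate(av.rand, av.autn)
    if status != "success":
        return status
    return "success" if res == av.xres else "res_mismatch"


def run_scenario(fresh_vector_for_second_cs_auth: bool) -> tuple:
    """S301-S317: CS auth, PS auth with newer vectors, second CS auth."""
    hss, ue = AuthenticationDevice(), UE()
    msc_avs = hss.generate(3)               # AV21, AV22, AV23 held by the MSC
    r1 = network_auth(ue, msc_avs.pop(0))   # S304/S305: first CS domain auth
    sgsn_avs = hss.generate(3)              # AV31..AV33, generated later (higher SEQ)
    r2 = network_auth(ue, sgsn_avs.pop(0))  # S310/S311: PS domain auth
    if fresh_vector_for_second_cs_auth:
        av11 = hss.generate(1)[0]           # S314/S315: MSC requests AV11 afresh
    else:
        av11 = msc_avs.pop(0)               # prior art: MSC reuses saved AV22
    r3 = network_auth(ue, av11)             # S316/S317: second CS domain auth
    return r1, r2, r3


if __name__ == "__main__":
    print("prior art (reuse AV22):", run_scenario(False))
    print("fresh AV11 (this method):", run_scenario(True))
```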
  • in the prior art, after the UE accesses the LTE network from the 3G network, the SGSN of the 3G network may transmit an unused authentication vector to the MME of the LTE network; when the UE accesses the 3G network from the LTE network again, the MME may send that authentication vector to the SGSN of the 3G network, so that the SGSN uses it to send an authentication request message during the authentication process instead of obtaining a newly generated authentication vector from the authentication device, resulting in authentication failure.
  • the embodiment of the present invention provides an authentication method in a wireless communication network.
  • after the UE accesses the LTE network from the 3G network, the first SGSN of the 3G network does not send the unused authentication vector that it saves for the UE to the MME of the LTE network, so that after the UE re-accesses the 3G network from the LTE network, the MME cannot send the saved authentication vector to the second SGSN of the 3G network, where the first SGSN and the second SGSN may be the same or different. The method provided by the embodiment of the present invention thus prevents an unused authentication vector from being saved in the SGSN, ensuring that the SGSN obtains the authentication vector from the authentication device each time it initiates authentication, which solves the problem of the prior art.
  • the method may include:
  • the first SGSN of the 3G network receives a context request message sent by the MME of the LTE network.
  • the context request message is used to request to acquire information of the UE.
  • S401 The first SGSN that saves an unused authentication vector sends a first context response message to the MME, where the first context response message does not include the unused authentication vector.
  • the unused authentication vector may be a 3G authentication vector (3G AV).
  • the unused authentication vector is not sent to the MME, so that when the UE subsequently re-accesses the 3G network from the LTE network, the MME is also unable to send the unused authentication vector to the SGSN in the 3G network, thereby avoiding saving the unused authentication vector in the SGSN and ensuring that the SGSN obtains a new authentication vector before each initiation of the authentication process, which solves the problem of authentication failure in the prior art.
  • the steps S400-S401 may be replaced by:
  • the first SGSN of the 3G network sends a first forward relocation request message to the MME of the LTE network, where the first SGSN saves an unused authentication vector for the UE when it sends the first forward relocation request message, and the first forward relocation request message does not include the unused authentication vector.
  • the first forward relocation request message is used to notify the MME of information about the UE, such as an identity and a context of the UE.
  • the forward relocation request message does not include the unused 3G authentication vector.
  • the method may further include:
  • the first SGSN may be the same as or different from the second SGSN.
  • because the unused authentication vector is not sent to the MME in steps S400-S401 or step S401', the second SGSN receives a second context response message returned by the MME, where the second context response message does not contain the unused authentication vector.
  • steps S402-S403 may be replaced by:
  • S403′ after the UE re-accesses the 3G network from the LTE network, the second SGSN of the 3G network receives a second forward relocation request message sent by the MME, where the second forward relocation request message does not contain the unused authentication vector.
  • the second forward relocation request message is used to notify the second SGSN of the information of the UE, such as the identity and context of the UE.
  • the second SGSN sends an authentication data request message to the authentication device.
  • the second SGSN may initiate an authentication process; because the unused authentication vector is not saved in the second SGSN, the second SGSN requests an authentication vector from the authentication device before initiating the authentication process.
  • the second SGSN receives an authentication data response message returned by the authentication device, where the authentication data response message includes an authentication vector.
  • the authentication vector contains a random number and an authentication token, and may also include an expected response, an integrity key, and a cipher key.
  • the second SGSN sends an authentication request message to the UE, where the authentication request message includes a random number and an authentication token in the authentication vector included in the authentication data response message.
  • the first SGSN of the 3G network does not send the unused authentication vector saved by itself to the MME of the LTE network, so that after the UE re-accesses the 3G network from the LTE network, the MME is also unable to send the unused authentication vector to the second SGSN in the 3G network, which avoids saving the unused authentication vector in the second SGSN; the second SGSN therefore needs to obtain the newly generated authentication vector from the authentication device before sending the authentication request message to the UE, which solves the problem of authentication failure in the prior art.
  • An embodiment of the present invention provides an authentication method in a wireless communication network. After the UE accesses the LTE network from the 3G network, the MME of the LTE network acquires the unused authentication vector saved by the SGSN of the 3G network, and the MME deletes or discards the unused authentication vector, so that after the UE re-accesses the 3G network from the LTE network, the MME cannot send the unused authentication vector to the SGSN.
  • the method provided by the embodiment of the present invention can prevent the unused authentication vector from being saved in the SGSN, thereby ensuring that the SGSN obtains a new authentication vector before each initiation of the authentication process, which solves the problem of the prior art. Specifically, as shown in FIG. 5, the method may include:
  • S500 After the UE accesses the LTE network from the 3G network, the MME of the LTE network sends a context request message to the first SGSN of the 3G network.
  • the MME receives a first context response message returned by the first SGSN, where the first context response message includes an unused authentication vector saved by the first SGSN for the UE.
  • the unused authentication vector may be a 3G authentication vector.
  • the steps S500-S501 may be replaced by:
  • step S501′ after the UE accesses the LTE network from the 3G network, the MME of the LTE network receives a first forward relocation request message sent by the first SGSN of the 3G network, where the first SGSN saves an unused authentication vector for the UE when it sends the forward relocation request message, and the first forward relocation request message includes the unused authentication vector saved by the first SGSN.
  • for step S501', reference may be made to step S401'.
  • after the UE re-accesses the 3G network from the LTE network, the MME receives a second context request message sent by the second SGSN.
  • S503 The MME returns a second context response message to the second SGSN, where the second context response message does not include the unused authentication vector.
  • although steps S500-S501 cause the unused authentication vector to be saved in the MME, different from the prior art, the second context response message sent by the MME that stores the unused authentication vector does not include the unused authentication vector.
  • thus the unused authentication vector is not saved in the second SGSN, the second SGSN obtains the authentication vector from the authentication device, and the problem of authentication failure in the prior art is solved.
  • steps S502-S503 may be replaced by:
  • S503′ After the UE re-accesses the 3G network from the LTE network, the MME sends a second forward relocation request message to the second SGSN of the 3G network, where the second forward relocation request message does not contain the unused authentication vector.
  • although step S501′ causes the unused authentication vector to be saved in the MME, different from the prior art, the second forward relocation request message sent by the MME that saves the unused authentication vector does not contain the unused authentication vector.
  • the MME may delete or discard the unused authentication vector, so that the unused authentication vector is not included in the second forward relocation request message or the second context response message sent to the second SGSN.
  • alternatively, the MME may not delete the unused authentication vector, but simply not send the unused authentication vector to the second SGSN.
  • the method may further include:
  • S504 The second SGSN sends an authentication data request message to the authentication device.
  • the second SGSN may initiate an authentication process; because the second SGSN does not store an unused authentication vector, the second SGSN may request a newly generated authentication vector from the authentication device before initiating the authentication process.
  • the second SGSN receives an authentication data response message returned by the authentication device, where the authentication data response message includes an authentication vector.
  • the second SGSN sends an authentication request message to the UE, where the authentication request message includes a random number and an authentication token in the authentication vector included in the authentication data response message.
  • in this way, even if an unused authentication vector is stored in the MME of the LTE network, the unused authentication vector is not transmitted to the second SGSN of the 3G network, which avoids saving the unused authentication vector in the second SGSN; the second SGSN therefore needs to obtain the newly generated authentication vector from the authentication device before sending an authentication request message to the UE, which solves the problem of authentication failure in the prior art.
  • the embodiment of the present invention provides a core network device 60.
  • the core network device may be a mobile switching center (MSC), an SGSN, or a core network device of a 5G network, and the core network device may include a storage unit 601, an obtaining unit 602, and a sending unit 603;
  • the storage unit 601 is configured to save an unused authentication vector for the UE.
  • the obtaining unit 602 is configured to send a first authentication data request message to the authentication device, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the UE, and to receive the first authentication data response message returned by the authentication device according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated by the authentication device for the UE.
  • the obtaining unit 602 may send the first authentication data request message to the authentication device before the sending unit 603 sends a first authentication request message to the UE, if the storage unit 601 saves the unused authentication vector for the UE, where the first authentication data request message may further include an identifier of the UE, so that the authentication device generates the first authentication vector for the UE according to the identity of the UE.
  • the sending unit 603 is configured to send a first authentication request message to the UE, where the first authentication request message includes a random number and an authentication token in the first authentication vector.
  • if the core network device obtains an authentication vector from the authentication device before each authentication process is initiated, a large burden may be imposed on the authentication device. In practical applications, the method may therefore be applied only to certain scenarios.
  • the core network device may further include:
  • a determining unit 604 configured to determine, after the UE accesses the first network where the core network device is located, that the UE is a UE that accesses the first network from the second network; the obtaining unit 602 may send the first authentication data request message to the authentication device after the determining unit 604 determines that the UE is a UE that accesses the first network from the second network.
  • the first network may be a 3G network
  • the second network may be a long term evolution LTE network
  • the determining unit 604 is specifically configured to determine that the UE is a UE that accesses the 3G network from the LTE network.
  • this ensures that, even if the core network device stores an unused authentication vector when the UE accesses the 3G network from the LTE network, the core network device obtains the first authentication vector from the authentication device and uses the first authentication vector to initiate the network authentication process.
  • there are also many ways for the determining unit 604 to determine that the UE is a UE that accesses the 3G network from the LTE network.
  • the determining unit 604 may determine, according to the CS domain NAS message sent by the UE or the paging response message of the UE in the called scenario, whether the UE is a CSFB user, and if it is determined to be a CSFB user, determine that the UE is a UE that accesses the 3G network from the LTE network; the CS domain NAS message may be a connection management service request message or a location update request message, etc., and the core network device may be an MSC; or, the determining unit 604 may determine, according to the PS domain NAS message sent by the UE, whether the UE is a UE that accesses the 3G network from the LTE network, for example, may determine according to the RAU request message that the UE accesses the 3G network from the LTE network, and the core network device may be an SGSN; or, the determining unit 604 may determine, according to the notification message sent by the base station, that the UE is a UE that accesses the 3G network from the LTE network.
  • the notification message is a message sent by the base station to the core network device after determining that the UE is a circuit switched fallback CSFB user, and the core network device may be an MSC or an SGSN; or,
  • the determining unit 604 may determine whether the UE is a UE that accesses the 3G network from the LTE network by checking whether an SGs interface association exists between the core network device and the MME; if the SGs interface association exists, the UE is determined to be a UE that accesses the 3G network from the LTE network, and the core network device may be an MSC.
  • the unused authentication vector saved in the storage unit 601 may be acquired before the core network device initiates the previous authentication process, and the obtaining unit 602 is further configured to, before sending the first authentication data request message to the authentication device, send a second authentication data request message to the authentication device, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the UE, and to receive the second authentication data response message returned by the authentication device according to the second authentication data request message, where the second authentication data response message carries the second authentication vector generated by the authentication device for the UE and the unused authentication vector; the sending unit 603 is further configured to send a second authentication request message to the UE before the obtaining unit 602 sends the first authentication data request message to the authentication device, where the second authentication request message includes a random number and an authentication token in the second authentication vector.
  • the acquiring unit 602 may send the first authentication data request message to the authentication device when the storage unit 601 holds an unused authentication vector for the UE.
  • the sending unit 603 may send a first authentication request message to the UE, where the first authentication request message includes the random number and the authentication token in the first authentication vector, so that the core network device uses the first authentication vector for authentication even if it has saved an unused authentication vector. This avoids the authentication failure caused by the synchronization failure that may occur when a core network device in the prior art initiates network authentication by using an unused authentication vector it has saved, and ensures the success of network authentication as far as possible.
  • the embodiment of the present invention further provides an authentication device.
  • the authentication device may be a home environment (HE), a home location register (HLR), a home subscriber server (HSS), or an authentication center (AuC).
  • the authentication device includes a receiving unit 701, a processing unit 702, and a sending unit 703;
  • the receiving unit 701 is configured to receive a first authentication data request message sent by a core network device that stores an unused authentication vector for a UE, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the UE;
  • the processing unit 702 is configured to generate a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated for the UE;
  • the sending unit 703 is configured to return the first authentication data response message to the core network device.
  • the receiving unit 701 is further configured to, before receiving the first authentication data request message, receive a second authentication data request message sent by the core network device, where the second authentication data request message is used to request the authentication device to generate an authentication vector for the UE; the processing unit 702 is further configured to generate a second authentication data response message according to the second authentication data request message, where the second authentication data response message includes a second authentication vector generated for the UE and the unused authentication vector; the sending unit 703 is further configured to return the second authentication data response message to the core network device.
  • the authentication device may receive the first authentication data request message sent by the core network device that saves the unused authentication vector for the UE, and return a first authentication data response message to that core network device, where the first authentication data response message includes a first authentication vector generated for the UE, so that the core network device uses the first authentication vector for authentication even if it has saved an unused authentication vector. This avoids the authentication failure caused by the synchronization failure that may occur when a core network device in the prior art initiates network authentication by using an unused authentication vector it has saved, and ensures the success of network authentication as far as possible.
  • an embodiment of the present invention further provides an authentication system 80, including a core network device 60 and an authentication device 70.
  • the authentication system may further include a user equipment 801;
  • the core network device may be configured to send a first authentication data request message to the authentication device when it saves an unused authentication vector for the user equipment, where the first authentication data request message is used to request the authentication device to generate an authentication vector for the user equipment;
  • the authentication device may be configured to receive the first authentication data request message, generate a first authentication data response message according to the first authentication data request message, where the first authentication data response message includes a first authentication vector generated by the authentication device for the user equipment, and return the first authentication data response message to the core network device;
  • the core network device may be further configured to receive the first authentication data response message and send a first authentication request message to the user equipment, where the first authentication request message includes the random number and the authentication token in the first authentication vector;
  • the user equipment may receive the first authentication request message and perform authentication by using the random number and the authentication token in the first authentication vector included in the first authentication request message.
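The exchange among the user equipment, the core network device and the authentication device described above, as an added example that is not part of the patent or of Huawei's own code: a Python model that compares the prior-art policy (consume a cached, unused authentication vector) with the policy the system 80 describes (request a fresh vector from the authentication device before every authentication). All class and function names, the HMAC stand-in for the MILENAGE key functions, the vector batch size and the reduction of the USIM's SQN window to a strict "must be higher than the last accepted value" rule are assumptions of the example, not details taken from the patent.

```python
"""Toy model of AKA-style authentication-vector handling, constructed as an
added illustration (not the patent's own code). It simulates the sequence
number (SQN) check a USIM applies and compares two core-network policies:
consuming a cached, unused vector (prior art) versus requesting a fresh
vector from the authentication device before every authentication.
Key functions are an HMAC stand-in, and the SQN window is simplified to a
strict "must be higher than the last accepted value" rule (assumptions)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List


@dataclass
class AuthVector:
    rand: bytes   # RAND challenge
    sqn: int      # sequence number carried in AUTN
    mac: bytes    # MAC-A over (SQN, RAND); proves the vector came from the AuC
    xres: bytes   # expected response (kept for shape, not checked in this toy)


def _mac_a(k: bytes, sqn: int, rand: bytes) -> bytes:
    """Stand-in for f1: MAC over SQN||RAND under the shared key K."""
    return hmac.new(k, sqn.to_bytes(6, "big") + rand, hashlib.sha256).digest()[:8]


class AuthCenter:
    """HLR/HSS/AuC: holds the shared key K and the per-UE counter SQN_HE."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.sqn_he = 0

    def generate_vectors(self, count: int) -> List[AuthVector]:
        """Every generated vector gets a fresh, strictly increasing SQN."""
        vectors = []
        for _ in range(count):
            self.sqn_he += 1
            rand = os.urandom(16)
            xres = hmac.new(self.k, b"res" + rand, hashlib.sha256).digest()[:8]
            vectors.append(AuthVector(rand, self.sqn_he, _mac_a(self.k, self.sqn_he, rand), xres))
        return vectors


class UserEquipment:
    """USIM side: verifies MAC-A and rejects any SQN it has already accepted."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.sqn_ms = 0

    def authenticate(self, av_rand: bytes, av_sqn: int, av_mac: bytes) -> str:
        if not hmac.compare_digest(_mac_a(self.k, av_sqn, av_rand), av_mac):
            return "mac_failure"
        if av_sqn <= self.sqn_ms:
            # A real USIM would answer with AUTS to start re-synchronisation.
            return "sync_failure"
        self.sqn_ms = av_sqn
        return "ok"


class CoreNetworkDevice:
    """MSC (CS domain) or SGSN (PS domain) holding a cache of unused vectors."""

    def __init__(self, auc: AuthCenter, ue: UserEquipment, request_fresh: bool) -> None:
        self.auc = auc
        self.ue = ue
        self.request_fresh = request_fresh   # True: always ask the AuC first
        self.cache: List[AuthVector] = []

    def authenticate(self) -> str:
        if self.cache and not self.request_fresh:
            av = self.cache.pop(0)           # prior art: reuse a stored vector
        else:
            # Send an authentication data request even though unused vectors
            # may be cached, and use the first vector of the response.
            self.cache = self.auc.generate_vectors(2)
            av = self.cache.pop(0)
        return self.ue.authenticate(av.rand, av.sqn, av.mac)


def run_scenario(request_fresh: bool) -> List[str]:
    """CS authentication, then an interleaved PS authentication, then CS again."""
    k = os.urandom(16)                       # constructed subscriber key
    auc, ue = AuthCenter(k), UserEquipment(k)
    msc = CoreNetworkDevice(auc, ue, request_fresh)
    sgsn = CoreNetworkDevice(auc, ue, request_fresh)
    return [msc.authenticate(), sgsn.authenticate(), msc.authenticate()]


if __name__ == "__main__":
    print("cached vector:", run_scenario(request_fresh=False))   # third step fails
    print("fresh vector :", run_scenario(request_fresh=True))    # all three succeed
```

In the cached-vector run the MSC's second authentication replays an SQN that the interleaved SGSN authentication has already moved the USIM past, so the USIM reports a synchronization failure; with the fresh-vector policy the SQN is regenerated by the authentication centre each time and the same sequence of domain switches succeeds.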
  • an embodiment of the present invention further provides an authentication device in a wireless communication system, where the authentication device may include:
  • the processor 901, the memory 902, and the communication interface 905 are connected by a bus 904 and communicate with each other.
  • Processor 901 may be a single-core or multi-core central processing unit, or an application-specific integrated circuit, or one or more integrated circuits configured to implement the embodiments of the present invention.
  • the memory 902 may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory.
  • Memory 902 stores computer-executable instructions 903.
  • the computer-executable instructions 903 may include program code.
  • the processor 901 runs the computer execution instruction 903, and may perform the method flow of the authentication method in the wireless communication system according to the method embodiment corresponding to any one of FIG. 1 to FIG. 3 or FIG.
  • the authentication device may be a core network device or an authentication device.
  • the embodiment of the present invention further provides a computer-readable medium including computer-executable instructions; when the processor of a computer executes the computer-executable instructions, the computer performs the method embodiment corresponding to any one of FIG. 1 to FIG.
  • the LTE network mentioned in the present invention includes an LTE-A network and any subsequent LTE releases.
  • the first, second, third, fourth, fifth, etc. in the embodiments of the present invention are only used to distinguish different indication information, messages, or other objects, and do not represent sequential relationships.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the units is only a logical function division, and the actual implementation may use another manner of division; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, or an electrical, mechanical or other form of connection.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiments of the present invention.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • the software product includes a number of instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to an authentication method in a wireless communication network, and to an associated system and apparatus. A core network device that stores an unused authentication vector for a user equipment may send a first authentication data request message to an authentication device, the first authentication data request message being used to request that the authentication device generate an authentication vector for the user equipment; a first authentication data response message from the authentication device is received; the first authentication data response message carries a first authentication vector generated by the authentication device for the user equipment, and the first authentication vector is used to trigger authentication processing for the user equipment. The present invention ensures that each time a CS-domain or PS-domain authentication is performed, the sequence number included in the authentication vector is freshly generated by the authentication device. Successful synchronization is ensured even if a PS-domain authentication is inserted before the CS-domain authentication, or a CS-domain authentication is inserted before the PS-domain authentication, thereby solving the prior-art problem of an authentication failure caused by a synchronization failure.
PCT/CN2014/092787 2014-12-02 2014-12-02 Procédé d'authentification dans un réseau de communication sans fil, appareil et système associés WO2016086355A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2014/092787 WO2016086355A1 (fr) 2014-12-02 2014-12-02 Procédé d'authentification dans un réseau de communication sans fil, appareil et système associés
CN201480083832.2A CN107005842B (zh) 2014-12-02 2014-12-02 一种无线通信网络中的鉴权方法、相关装置及系统

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/092787 WO2016086355A1 (fr) 2014-12-02 2014-12-02 Procédé d'authentification dans un réseau de communication sans fil, appareil et système associés

Publications (1)

Publication Number Publication Date
WO2016086355A1 true WO2016086355A1 (fr) 2016-06-09

Family

ID=56090804

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/092787 WO2016086355A1 (fr) 2014-12-02 2014-12-02 Procédé d'authentification dans un réseau de communication sans fil, appareil et système associés

Country Status (2)

Country Link
CN (1) CN107005842B (fr)
WO (1) WO2016086355A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110536296A (zh) * 2019-04-18 2019-12-03 中兴通讯股份有限公司 认证参数发送方法和装置以及认证参数处理方法和装置
US20200228982A1 (en) * 2017-11-17 2020-07-16 Huawei Technologies Co., Ltd. Authentication method, device, and system
CN112867001A (zh) * 2019-11-26 2021-05-28 维沃移动通信有限公司 鉴权方法、终端设备和网络设备
CN114338073A (zh) * 2021-11-09 2022-04-12 江铃汽车股份有限公司 车载网络的防护方法、系统、存储介质及设备
US20230048689A1 (en) * 2016-09-12 2023-02-16 Zte Corporation Network access authentication processing method and device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112469043B (zh) * 2019-09-09 2022-10-28 华为技术有限公司 一种鉴权的方法及装置
CN115915132A (zh) * 2020-04-30 2023-04-04 华为技术有限公司 密钥管理方法、设备及系统

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7574599B1 (en) * 2002-10-11 2009-08-11 Verizon Laboratories Inc. Robust authentication and key agreement protocol for next-generation wireless networks
CN103281693A (zh) * 2013-05-10 2013-09-04 北京凯华网联技术有限公司 无线通信认证方法、网络转换设备及终端
CN103905400A (zh) * 2012-12-27 2014-07-02 中国移动通信集团公司 一种业务认证方法、装置及系统

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100384120C (zh) * 2004-09-30 2008-04-23 华为技术有限公司 Ip多媒体子系统中对终端用户标识模块进行鉴权的方法
CN100428848C (zh) * 2005-05-31 2008-10-22 华为技术有限公司 一种对终端用户标识模块进行ip多媒体域鉴权的方法
CN101043744B (zh) * 2006-03-21 2012-06-06 华为技术有限公司 一种ims网络中用户终端接入鉴权的方法
CN102413467B (zh) * 2011-11-29 2017-10-27 中兴通讯股份有限公司 一种srvcc切换处理方法、装置及其终端
CN103906051B (zh) * 2012-12-25 2017-11-21 中国移动通信集团北京有限公司 一种接入lte网络的方法、系统和装置
CN104038934B (zh) * 2014-06-30 2017-08-08 武汉虹信技术服务有限责任公司 Lte核心网实时信令监测的非接入层解密方法

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7574599B1 (en) * 2002-10-11 2009-08-11 Verizon Laboratories Inc. Robust authentication and key agreement protocol for next-generation wireless networks
CN103905400A (zh) * 2012-12-27 2014-07-02 中国移动通信集团公司 一种业务认证方法、装置及系统
CN103281693A (zh) * 2013-05-10 2013-09-04 北京凯华网联技术有限公司 无线通信认证方法、网络转换设备及终端

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230048689A1 (en) * 2016-09-12 2023-02-16 Zte Corporation Network access authentication processing method and device
US20200228982A1 (en) * 2017-11-17 2020-07-16 Huawei Technologies Co., Ltd. Authentication method, device, and system
US11595817B2 (en) * 2017-11-17 2023-02-28 Huawei Technologies Co., Ltd. Authentication method, device, and system
CN110536296A (zh) * 2019-04-18 2019-12-03 中兴通讯股份有限公司 认证参数发送方法和装置以及认证参数处理方法和装置
CN112867001A (zh) * 2019-11-26 2021-05-28 维沃移动通信有限公司 鉴权方法、终端设备和网络设备
CN114338073A (zh) * 2021-11-09 2022-04-12 江铃汽车股份有限公司 车载网络的防护方法、系统、存储介质及设备

Also Published As

Publication number Publication date
CN107005842A (zh) 2017-08-01
CN107005842B (zh) 2019-12-24

Similar Documents

Publication Publication Date Title
CN109587688B (zh) 系统间移动性中的安全性
KR102264718B1 (ko) 보안 구현 방법, 및 관련된 장치 및 시스템
JP6943965B2 (ja) 5gにおける接続モード中のセキュリティコンテキストハンドリング
WO2016086355A1 (fr) Procédé d'authentification dans un réseau de communication sans fil, appareil et système associés
JP6812421B2 (ja) モビリティ管理エンティティ再配置を伴うモビリティ手順のための装置および方法
CN112566112B (zh) 用于无线通信的装置、方法和存储介质
CN106028331B (zh) 一种识别伪基站的方法及设备
CN106465106B (zh) 用于从无线电接入网络提供安全性的方法和系统
EP4412148A2 (fr) Protection de la confidentialité d'identité d'abonné contre des stations de base factices
US9467295B2 (en) HNB or HeNB security access method and system, and core network element
EP2603024B1 (fr) Procédé et dispositif d'isolation de clé
US9445265B2 (en) Method and device for processing SRVCC switching, and terminal
US12047506B2 (en) Systems and methods for user-based authentication
WO2009152759A1 (fr) Procédé et dispositif de prévention de perte de synchronisation de sécurité de réseau
CN105830476A (zh) 用于从无线电接入网络提供安全的方法和系统
EP3079392A1 (fr) Procédé, appareil et système pour sélectionner un algorithme d'authentification
WO2016086356A1 (fr) Procédé d'authentification dans un réseau de communication sans fil, appareil associé et système
JP7014800B2 (ja) リンク再確立方法、装置、およびシステム
CN110881020A (zh) 一种用户签约数据的鉴权方法及数据管理网元
WO2019095748A1 (fr) Procédé, appareil et système de gestion de communications, et terminal, entité de gestion et support de stockage
JP2021520664A (ja) 5gネットワークにおける独立seafとの連携のためのセキュリティ機構
CN116939734A (zh) 通信方法及装置
WO2014169568A1 (fr) Méthode et appareil de gestion de contexte de sécurité
WO2014059568A1 (fr) Procédé et dispositif pour l'exécution d'une commutation dans un système de communication sans fil

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14907419

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14907419

Country of ref document: EP

Kind code of ref document: A1