WO2016086356A1 - Authentication method in a wireless communication network, associated apparatus and system - Google Patents

Authentication method in a wireless communication network, associated apparatus and system

Info

Publication number
WO2016086356A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
user equipment
sequence
request message
seq
Prior art date
Application number
PCT/CN2014/092793
Other languages
English (en)
Chinese (zh)
Inventor
崇卫微
吴晓波
吕阳明
陈璟
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to PCT/CN2014/092793 (WO2016086356A1)
Priority to CN201480083607.9A (CN107113610A)
Publication of WO2016086356A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/10 Integrity

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to an authentication method, related device, and system in a wireless communication network.
  • Authentication is part of mobile network security management to achieve the confidentiality and data integrity of mobile networks.
  • UE User Equipment
  • the UE triggers the authentication process by initiating a registration request, a service request, or a handover request to the network.
  • authentication is a one-way process in which the network needs to verify the legitimacy of the UE; in the Third Generation (3G) network or Long Term Evolution (LTE) network, in addition to the network verifying the legitimacy of the UE, the UE also needs to verify the validity of the network, that is, perform network authentication.
  • 3G Third Generation
  • LTE Long Term Evolution
  • the authentication process is performed domain by domain, that is, the packet switching (PS) domain and the circuit switching (CS) domain each perform their own authentication process; PS domain authentication is initiated by a Mobility Management Entity (MME) or by a Serving GPRS Support Node (SGSN), GPRS being the General Packet Radio Service.
  • MME Mobility Management Entity
  • GPRS General Packet Radio Service
  • SGSN Serving GPRS Support Node
  • the CS domain authentication is initiated by the Mobile Switching Center (MSC).
  • MSC Mobile Switching Center
  • the UE needs to perform network authentication on the PS domain and on the CS domain, respectively.
  • the MSC/SGSN sends an authentication request message carrying the authentication vector to the UE.
  • the UE first determines the validity of the network according to the authentication request message. If the network is legal, the UE then verifies whether it is synchronized with the network. If the synchronization succeeds, the UE has successfully authenticated the network and returns a response message to the network, and the MSC/SGSN verifies the validity of the UE according to that response message. If the synchronization fails, the UE replies to the MSC/SGSN with an authentication failure message carrying a cause value, and the MSC/SGSN sends an authentication request message to the UE again.
  • the UE may fail to perform network authentication on the CS domain; or the CS domain authentication is inserted before the PS domain authentication, and the MME/SGSN that initiated the PS domain authentication process has saved an unused authentication vector, which may cause the UE to fail network authentication for the PS domain.
  • once the MSC/SGSN/MME has received the authentication failure message from the UE twice, the authentication process is terminated and an authentication rejection message is sent to the UE. Once the UE receives the authentication rejection message, it cannot initiate a service normally until it restarts, which has a serious impact on the user.
  • the embodiments of the present invention provide an authentication method, a related device, and a system in a wireless communication network, which can solve the prior-art problem that, after two consecutive authentication failures, the user equipment cannot initiate a service normally until it reboots.
  • an embodiment of the present invention provides an authentication method in a wireless communication network, in which the authentication device receives an authentication data request message sent by a core network device, where the authentication data request message includes an identity identifier of the user equipment and a synchronization failure indication;
  • the authentication device acquires a difference (DIF) value of the user equipment according to the identity identifier of the user equipment, and generates a resynchronization sequence according to the DIF value of the user equipment;
  • the authentication device generates an authentication vector according to the resynchronization sequence;
  • the authentication device sends the authentication vector to the core network device.
  • the authentication device acquiring the DIF value of the user equipment according to the identity identifier of the user equipment, and generating the resynchronization sequence according to the DIF value of the user equipment, includes: the authentication device queries a database according to the identity identifier of the user equipment and obtains the DIF value of the user equipment; the authentication device generates the resynchronization sequence according to the DIF value of the user equipment and the value of the current global counter.
  • the authentication data request message further includes information about the sequence of the maximum sequence number stored by the user equipment.
  • the identity of the user equipment is an international mobile subscriber identity of the user equipment IMSI.
  • an embodiment of the present invention provides an authentication method in a wireless communication network, in which the core network device sends an authentication data request message to an authentication device, where the authentication data request message includes an identity identifier of the user equipment and a synchronization failure indication.
  • the core network device receives the authentication vector returned by the authentication device, where the authentication vector is generated by the authentication device according to the resynchronization sequence, and the resynchronization sequence is generated by the authentication device according to the DIF value of the user equipment, which the authentication device acquires according to the identity of the user equipment;
  • the core network device sends an authentication request message to the user equipment, where the authentication request message includes a random number and an authentication token from the authentication vector.
  • before the core network device sends the authentication data request message to the authentication device, the method further includes:
  • the core network device receives an authentication failure message sent by the user equipment, where the authentication failure message includes a cause value, and the cause value is a synchronization failure.
  • an embodiment of the present invention provides an authentication device, including:
  • a receiving unit configured to receive an authentication data request message sent by the core network device, where the authentication data request message includes an identity identifier of the user equipment and a synchronization failure indication;
  • a processing unit configured to determine a DIF value of the user equipment according to the identity identifier of the user equipment, determine a resynchronization sequence according to the difference DIF value of the user equipment, and generate an authentication vector according to the resynchronization sequence;
  • a sending unit configured to send the authentication vector to the core network device.
  • the processing unit is specifically configured to query a database according to the identity identifier of the user equipment to obtain the DIF value of the user equipment, and to generate the resynchronization sequence according to the DIF value of the user equipment and the value of the current global counter.
  • the authentication data request message further includes information about a sequence of a maximum sequence number stored by the user equipment.
  • an embodiment of the present invention provides a core network device, including:
  • a sending unit configured to send an authentication data request message to the authentication device, where the authentication data request message includes an identity identifier of the user equipment and a synchronization failure indication;
  • an obtaining unit configured to receive an authentication vector returned by the authentication device, where the authentication vector is generated by the authentication device according to a resynchronization sequence, and the resynchronization sequence is generated according to the DIF value of the user equipment acquired according to the identity of the user equipment;
  • the sending unit is further configured to send an authentication request message to the user equipment, where the authentication request message includes a random number and an authentication token in the authentication vector.
  • the core network device further includes:
  • a receiving unit configured to receive an authentication failure message sent by the user equipment, so that the sending unit sends the authentication data request message, where the authentication failure message includes a cause value, and the cause value is synchronization failure.
  • an embodiment of the present invention provides an authentication system, including the authentication device according to the third aspect or any implementation manner of the third aspect, and the core network device according to the fourth aspect or any implementation manner of the fourth aspect.
  • the system further includes a user equipment
  • the user equipment is configured to receive an authentication request message sent by the core network device, and perform authentication by using a random number and an authentication token in the authentication vector included in the authentication request message.
  • an embodiment of the present invention provides an authentication device, including a processor, a memory, a bus, and a communication interface.
  • the memory is configured to store computer-executable instructions;
  • the processor is connected to the memory through the bus, and when the authentication device is in operation, the processor executes the computer-executable instructions stored in the memory so that the authentication device performs the authentication method in the wireless communication network of the first aspect or any of the possible implementations of the first aspect.
  • an embodiment of the present invention provides a core network device, including a processor, a memory, a bus, and a communication interface.
  • the memory is configured to store computer-executable instructions;
  • the processor is connected to the memory through the bus, and when the core network device is in operation, the processor executes the computer-executable instructions stored in the memory so that the core network device performs the authentication method in the wireless communication network described in the second aspect or the first possible implementation manner of the second aspect.
  • an embodiment of the present invention provides a computer readable medium comprising computer-executable instructions; when a processor of a computer executes the computer-executable instructions, the computer performs the authentication method in a wireless communication network described in the first aspect or any of the possible implementations of the first aspect.
  • an embodiment of the present invention provides a computer readable medium comprising computer-executable instructions; when a processor of a computer executes the computer-executable instructions, the computer performs the authentication method in a wireless communication network described in the second aspect or the first possible implementation of the second aspect.
  • the DIF value of the user equipment represents a difference between a value of a sequence generated by the user equipment and a value of a global counter.
  • the embodiment of the present invention provides an authentication method in a wireless communication network in which, after the authentication device receives the authentication data request message sent by the core network device, even if the authentication data request message carries a synchronization failure indication, the authentication device obtains the DIF value of the UE from the identity of the UE and generates the resynchronization sequence from it, so that the resynchronization sequence is not equal to (or approximately equal to) the sequence of the maximum sequence number stored by the UE. This avoids the prior-art re-authentication failure caused by a resynchronization sequence equal to (or approximately equal to) the sequence of the largest sequence number stored by the UE, ensures that authentication by the core network device using the authentication vector containing the resynchronization sequence succeeds, and thereby solves the problem that the UE cannot initiate a service normally until it restarts after the authentication fails again.
  • FIG. 1 is an authentication method in a wireless communication network according to an embodiment of the present invention
  • FIG. 3 is another authentication method in a wireless communication network according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of an authentication device according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of a core network device according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic diagram of an authentication system according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of an authentication device in a wireless communication network according to an embodiment of the present invention.
  • the embodiment of the invention provides a method, a related device and a system for authenticating in a wireless communication network, which can solve the problem that the user equipment cannot initiate a service normally until restarting due to two consecutive authentication failures in the prior art.
  • the UE needs to verify whether it is synchronized with the network. If it is not synchronized, the authentication process fails.
  • the UE needs to obtain a sequence number (SQN) from the authentication vector sent by the core network device (MME/MSC/SGSN) and detect whether the sequence number satisfies a series of detection conditions, including whether the sequence (SEQ) contained in the sequence number satisfies SEQ_MS - SEQ < L, where L is usually set by the operator (L may be 32) and SEQ_MS is the sequence of the maximum sequence number currently stored by the UE itself.
  • the SQN generated by the authentication device is usually expressed in binary, consisting of two parts, SEQ and IND.
  • the authentication device stores a difference (DIF) value for each user equipment in its own database; the DIF value of each user equipment is different, and the DIF value of a user equipment represents the difference between the sequence generated for that user equipment and the global counter.
  • the difference between two generated SEQs is therefore only related to the value of the global counter GLC, and the value of the global counter GLC is usually taken from the time point (time stamp). For example, if the value of the global counter GLC is increased by 1 every 0.1 seconds, then 5 seconds
  • the inventor has found that, in the prior art, since the UE does not completely separate the synchronization detection of the PS domain and the CS domain, once the PS domain authentication is inserted before the CS domain authentication and the MSC that initiated the CS domain authentication process has saved an unused authentication vector, the UE may fail to perform network authentication on the CS domain; or the CS domain authentication is inserted before the PS domain authentication and the MME/SGSN that initiated the PS domain authentication process has saved an unused authentication vector, which may cause the UE to fail network authentication on the PS domain.
  • for example, the MSC may obtain multiple authentication vectors AV_C11 and AV_C12 from the authentication device before the core network device initiates the first CS domain authentication; after the first CS domain authentication is performed, the unused authentication vector AV_C12 is still stored in the MSC; then, due to a change of the radio access type of the UE or the like, PS domain authentication and a second CS domain authentication may need to be initiated for the UE, and the PS domain authentication may take place before the second CS domain authentication.
  • if, during the second CS domain authentication, the core network device uses the unused authentication vector AV_C12 that it saved during the first CS domain network authentication, and the times at which the authentication device generated AV_P and AV_C12 differ greatly, then SEQ_MS - SEQ is not less than L, the detection condition cannot be satisfied, and synchronization fails, thereby causing authentication failure.
  • when authentication fails due to synchronization failure, the core network device usually receives an authentication failure message from the UE carrying a cause value, the cause value being synchronization failure, and the core network device sends an authentication data request message carrying a synchronization failure indication to the authentication device to trigger the resynchronization process; the authentication data request message carrying the synchronization failure indication further includes the information of the sequence SEQ_MS1 of the largest sequence number stored in the UE when the synchronization failed. Unlike the handling of an authentication data request message that does not carry a synchronization failure indication, in which the authentication device generates the sequence SEQ according to the DIF value of the UE acquired by the identity identifier of the UE, the resynchronization sequence SEQ_sy is almost equal to SEQ_MS1.
  • when the UE then performs network authentication again on the CS domain, the authentication may fail again, and the resulting termination of the authentication process causes the UE to fail to initiate a service normally until it is restarted.
  • an embodiment of the present invention provides an authentication method in a wireless communication network which enables a core network device (MSC/SGSN/MME) to acquire a new authentication vector from the authentication device before initiating an authentication request to the UE and, even if the core network device has saved an unused authentication vector, to use the newly acquired authentication vector for authentication. This ensures that each time CS domain/PS domain network authentication is performed, the SEQ included in the authentication vector is newly generated by the authentication device, so that even if PS domain network authentication is inserted before CS domain network authentication or CS domain network authentication is inserted before PS domain network authentication, synchronization succeeds; the prior-art problem of authentication failure caused by synchronization failure is solved, and UE disconnection due to authentication failure may be avoided.
  • the embodiment of the present invention further provides an authentication method in a wireless communication network which, when the core network device triggers the resynchronization process because of synchronization failure, lets the authentication device generate the resynchronization sequence SEQ_sy without using the sequence SEQ_MS1 of the largest sequence number stored in the UE: it directly obtains the DIF value of the UE according to the identity identifier of the UE and, exactly as for an authentication data request message that does not carry a synchronization failure indication, generates the resynchronization sequence SEQ_sy according to the DIF value of the UE and the value of the current global counter GLC (that is, the time at which the resynchronization SEQ is generated), so that the resynchronization sequence SEQ_sy is not equal to (or approximately equal to) SEQ_MS1. This ensures that authentication succeeds when the core network device performs authentication using the authentication vector containing the resynchronization sequence SEQ_sy, avoiding the problem that the UE cannot initiate a service normally until it is restarted.
  • the core network device may be an MSC, an SGSN, or an MME
  • the authentication device may be an HLR, a Home Subscriber Server (HSS), an AUC, or a Home Environment (HE).
  • An embodiment of the present invention provides an authentication method in a wireless communication network. As shown in FIG. 1, the method may include:
  • the authentication device receives an authentication data request message sent by the core network device, where the authentication data request message includes an identity identifier of the UE and a synchronization failure indication.
  • the identity of the UE may be an International Mobile Subscriber Identity (IMSI) of the UE; the synchronization failure indication is used to indicate that synchronization has failed, and an authentication data request message that includes the synchronization failure indication usually triggers the resynchronization process.
  • IMSI International Mobile Subscriber Identity
  • the authentication data request message may also contain information about the sequence SEQ_MS1 of the largest sequence number stored by the user equipment, from which SEQ_MS1 may be determined. Since the sequence of the maximum sequence number stored by the user equipment can be updated after an authentication succeeds, the SEQ_MS1 information included in the authentication data request message is the sequence of the largest sequence number stored by the UE after its last successful authentication, that is, the sequence of the largest sequence number stored in the UE at the time the authentication fails.
  • the authentication device acquires the DIF value of the UE according to the identity identifier of the UE, and determines the resynchronization sequence SEQ_sy according to the DIF value of the UE.
  • the authentication device may query the database according to the identity identifier of the UE, obtain the DIF value of the UE stored in the database, and generate the resynchronization sequence SEQ_sy according to the DIF value of the UE and the value of the current global counter GLC (that is, its value at the time the resynchronization sequence SEQ_sy is generated).
  • the database is typically configured in the authentication device.
  • generating the resynchronization sequence SEQ_sy in this way avoids the prior-art re-authentication failure caused by the resynchronization sequence SEQ_sy being equal to (or approximately equal to) SEQ_MS1, solves the problem that the UE cannot initiate a service normally until it restarts because of the re-authentication failure, and avoids the impact on the UE's services.
  • the authentication device generates an authentication vector according to the resynchronization sequence SEQ sy .
  • the authentication device may first include the resynchronization sequence SEQ_sy in the sequence number SQN by using a preset algorithm, then obtain an anonymity key (AK) from a random number (RAND), and generate an authentication token (AUTN) from the SQN and the AK; the authentication vector includes the authentication token and the random number.
  • RAND random number
  • AK anonymity key
  • AUTN authentication token
  • the authentication device may obtain the anonymity key AK by using the random number, and include the SQN, the anonymity key AK, and other necessary parameters in the authentication token; the finally generated authentication vector includes the authentication token and the random number.
  • the UE may likewise obtain the anonymity key AK by using the random number included in the authentication vector, and, by using the anonymity key AK, obtain from the authentication token the sequence number SQN comprising the resynchronization sequence SEQ_sy; that is, the authentication token and the random number may be used to determine an SQN comprising the resynchronization sequence SEQ_sy.
  • the authentication vector may further include an expected response (XRES), an integrity key (IK), and a cipher key (CK).
  • XRES expected response
  • IK integrity key
  • CK cipher key
  • the authentication device sends the authentication vector to the core network device, so that the core network device initiates an authentication process by using the authentication vector.
  • the authentication device may send the authentication vector to the core network device by using an authentication data response message.
  • the authentication data response message includes the authentication vector.
  • An embodiment of the present invention further provides an authentication method in a wireless communication network. As shown in FIG. 2, the method includes:
  • the core network device sends an authentication data request message to the authentication device, where the authentication data request message includes the identity of the UE and a synchronization failure indication.
  • the authentication failure message may further include information about the sequence SEQ_MS1 of the maximum sequence number stored by the user equipment, from which SEQ_MS1 may be determined. Since the sequence of the maximum sequence number stored by the user equipment can be updated after an authentication succeeds, the SEQ_MS1 information included in the authentication data request message is the sequence of the maximum sequence number stored by the UE after its last successful authentication, that is, the sequence of the largest sequence number stored in the UE at the time the authentication fails.
  • the authentication data request message may further comprise the information of SEQ_MS1.
  • the core network device receives an authentication vector returned by the authentication device, where the authentication vector is generated by the authentication device according to the resynchronization sequence SEQ_sy, and the resynchronization sequence SEQ_sy is generated by the authentication device according to the DIF value of the user equipment acquired by the identity of the user equipment.
  • the core network device sends an authentication request message to the UE, where the authentication request message includes a random number and an authentication token in the authentication vector.
  • the core network device may initiate an authentication process by using the random number and the authentication token in the authentication vector; the UE may use the random number to obtain the anonymity key AK, use the anonymity key AK to acquire from the authentication token the sequence number SQN comprising the resynchronization sequence SEQ_sy, and acquire the resynchronization sequence SEQ_sy from that sequence number SQN.
  • because the resynchronization sequence SEQ_sy is determined by the authentication device according to the DIF value of the UE obtained from the identity of the UE, regardless of SEQ_MS1, the prior-art re-authentication failure caused by the resynchronization sequence SEQ_sy being equal to (or approximately equal to) SEQ_MS1 is avoided, which solves the problem that the UE cannot initiate a service normally until it restarts because the authentication fails again, and avoids the impact on the service of the UE.
  • step S200 may be further included before S201:
  • the core network device receives an authentication failure message sent by the UE, where the authentication failure message includes a cause value, and the cause value is synchronization failure.
  • the core network device may send an authentication data request message to the authentication device according to the authentication failure message, where the authentication data request message includes an identity identifier of the UE and a synchronization failure indication.
  • An embodiment of the present invention provides an authentication method in a wireless communication network. As shown in FIG. 3, the method includes:
  • the UE returns an authentication failure message to the MSC, where the authentication failure message carries the cause value and the information of the sequence SEQ MS1 of the maximum sequence number stored by the UE after the last successful authentication, where the cause value is a synchronization failure.
  • the SGSN of the 3G network may need to obtain an authentication vector from the HLR/HE/AUC to initiate PS domain authentication, and thus step S302 may be performed.
  • the SGSN sends a first authentication data request message to the HLR/HE/AUC, where the first authentication data request message carries an IMSI of the UE.
  • the first authentication data request message is also a PS authentication data request message.
  • the HLR/HE/AUC returns a first authentication data response message to the SGSN, where the first authentication data response message includes an authentication vector AV ps .
  • the AV ps includes the RAND ps and the AUTN ps .
  • the MSC sends a second authentication data request message to the HLR/HE/AUC, where the second authentication data request message includes an IMSI of the UE, a synchronization failure indication, and information of the SEQ MS1 .
  • the HLR/HE/AUC obtains the DIF value of the UE according to the IMSI of the UE, determines the resynchronization sequence SEQ_sy according to the DIF value of the UE, and generates the authentication vector AV_sy according to the resynchronization sequence SEQ_sy; AV_sy contains a random number RAND_sy and an authentication token AUTN_sy.
  • the HLR/HE/AUC returns a second authentication data response message to the MSC, where the second authentication data response message includes the AV sy .
  • the SGSN sends a first authentication request message to the UE, where the first authentication request message includes RAND ps and AUTN ps (SEQ ps ) in the AV ps .
  • S308 If the authentication succeeds and SEQ ps is greater than SEQ MS1 , the UE updates the sequence of the largest sequence number stored by itself to SEQ ps .
  • in this embodiment of the present invention, steps S307-S308 may also be performed before step S304.
  • S309 The UE returns a first authentication response message to the SGSN.
  • the MSC sends a second authentication request message to the UE, where the second authentication request message includes RAND sy and AUTN sy (SEQ sy ) in AV sy .
  • S311 If the authentication succeeds and SEQ sy is greater than SEQ ps , the UE updates the sequence of the largest sequence number stored by itself to SEQ sy .
  • After receiving the second authentication request message, the UE derives AK sy from RAND sy , recovers the sequence number SQN sy (which contains SEQ sy ) from AUTN sy by using AK sy and the related algorithm, extracts SEQ sy , and compares SEQ sy with the sequence of the largest sequence number stored by itself.
  • Here the value of the global counter GLC when SEQ sy is generated is necessarily later than GLC T2 .
  • S312 The UE returns a second authentication response message to the MSC.
  • in the above embodiment, the authentication device obtains the DIF value of the UE according to the IMSI of the UE and determines the resynchronization sequence SEQ sy directly from that DIF value, generates an authentication vector according to the resynchronization sequence SEQ sy , and sends the authentication vector to the core network device.
  • even if a PS domain (or CS domain) authentication is inserted before the core network device performs CS domain (or PS domain) authentication by using the resynchronization sequence SEQ sy , the authentication still succeeds. This avoids the problem of the prior art process, in which the generated resynchronization sequence SEQ sy is equal to (or approximately equal to) SEQ MS1 and authentication may therefore fail.
  • the embodiment of the present invention provides an authentication device 40.
  • the authentication device 40 may be an HLR or an AUC or an HE.
  • the authentication device 40 includes a receiving unit 401, a processing unit 402 and a sending unit 403;
  • the receiving unit 401 is configured to receive an authentication data request message sent by the core network device, where the authentication data request message includes an identity identifier of the UE and a synchronization failure indication, where the identity of the UE may be the UE IMSI;
  • the processing unit 402 is configured to determine a DIF value of the UE according to the identity identifier of the UE, determine a resynchronization sequence SEQ sy according to the DIF value of the UE, and generate an authentication vector according to the resynchronization sequence SEQ sy . Specifically, the processing unit 402 may query the database according to the identity of the UE, obtain the DIF value of the UE, and generate the resynchronization sequence according to the DIF value of the UE and the value of the current global counter GLC.
  • the processing unit 402 may further form a sequence number that includes the resynchronization sequence SEQ sy by using a preset algorithm, and generate an authentication token by using the sequence number and the anonymity key AK obtained according to the random number.
  • the authentication vector includes the authentication token and the random number.
  • the sending unit 403 is configured to send the authentication vector to the core network device.
  • the authentication data request may further include information of the sequence SEQ MS1 of the maximum sequence number stored by the user equipment, from which SEQ MS1 may be determined. Since the sequence of the maximum sequence number stored by the user equipment is updated after the authentication succeeds, the information of SEQ MS1 included in the authentication data request is the information of the sequence of the maximum sequence number stored by the UE after its last successful authentication, that is, the sequence of the largest sequence number stored in the UE when the authentication fails.
  • even when the synchronization failure indication is carried in the authentication data request message received by the receiving unit 401, the processing unit 402 obtains the DIF value of the UE according to the identity of the UE and generates the resynchronization sequence SEQ sy from the DIF value of the UE and the value of the current global counter GLC. This avoids the repeated authentication failure caused in the prior art by the resynchronization sequence SEQ sy being equal to (or approximately equal to) SEQ MS1 , and therefore also the problem that the UE cannot initiate a service and has to restart because authentication keeps failing, so the service of the UE is not affected.
  • the embodiment of the present invention provides a core network device 50.
  • the core network device 50 may be an MME or an MSC or an SGSN, and the core network device 50 includes a sending unit 501 and an obtaining unit 502;
  • the sending unit 501 is configured to send an authentication data request message to the authentication device, where the authentication data request message includes an identity identifier of the UE and a synchronization failure indication; the identity identifier of the UE may be an IMSI of the UE;
  • the authentication failure message may further include information of the sequence SEQ MS1 of the largest sequence number stored by the user equipment, from which SEQ MS1 may be determined. Since the sequence of the maximum sequence number stored by the user equipment is updated after the authentication succeeds, the information of SEQ MS1 included in the authentication data request is the information of the sequence of the maximum sequence number stored by the UE after its last successful authentication, that is, the sequence of the largest sequence number stored in the UE when the authentication fails.
  • the authentication data request message may further comprise information of the SEQ MS1 .
  • the obtaining unit 502 is configured to receive an authentication vector returned by the authentication device, where the authentication vector is generated by the authentication device according to the resynchronization sequence SEQ sy , and the resynchronization sequence SEQ sy is generated by the authentication device according to the DIF value of the user equipment, which the authentication device obtains according to the identity identifier of the user equipment;
  • the sending unit 501 is further configured to send an authentication request message to the UE, where the authentication request message includes the random number and the authentication token in the authentication vector. Therefore, the UE may obtain the anonymity key AK by using the random number, obtain the sequence number SQN including the resynchronization sequence SEQ sy from the authentication token by using the anonymity key AK, and extract the resynchronization sequence SEQ sy from the sequence number SQN for synchronization verification. Since the resynchronization sequence SEQ sy is determined by the authentication device according to the DIF value of the UE obtained according to the identity of the UE, regardless of SEQ MS1 , the repeated authentication failure of the prior art caused by the resynchronization sequence SEQ sy being equal to (or approximately equal to) SEQ MS1 is avoided.
  • the core network device further includes a receiving unit 503, configured to receive an authentication failure message sent by the UE, where the authentication failure message includes a cause value, and the cause value is a synchronization failure; the sending unit 501 is specifically configured to send an authentication data request message to the authentication device according to the authentication failure message, where the authentication data request message includes an identity identifier of the UE and a synchronization failure indication.
  • an embodiment of the present invention further provides an authentication system 60, as shown in FIG. 6, including an authentication device 40 and a core network device 50.
  • for the actions performed by the authentication device 40 and the core network device 50 and the interaction between them, refer to the description of the method embodiments corresponding to FIG. 1 to FIG. 3 and the description of the device embodiments corresponding to FIG. 4 and FIG. ; details are not repeated here.
  • the authentication system may further include a user equipment 601;
  • the user equipment 601 may be configured to receive an authentication request message sent by the core network device 50, and perform authentication by using a random number and an authentication token in the authentication vector included in the authentication request message.
  • the user equipment 601 is further configured to send an authentication failure message to the core network device 50, where the authentication failure message includes a cause value, and the cause value is a synchronization failure.
  • an embodiment of the present invention further provides an authentication device in a wireless communication system, where the authentication device 700 can include:
  • the processor 701, the memory 702, and the communication interface 705 are connected by a bus 704 and complete communication with each other.
  • The processor 701 may be a single-core or multi-core central processing unit, or an application-specific integrated circuit, or one or more integrated circuits configured to implement embodiments of the present invention.
  • the memory 702 may be a high speed RAM memory or a non-volatile memory such as at least one disk memory.
  • The memory 702 stores computer-executable instructions 703.
  • the computer-executable instructions 703 may include program code.
  • the processor 701 runs the computer-executable instructions 703, and may thereby execute the method flow of the authentication method in the wireless communication system according to the method embodiment corresponding to any one of FIG. 1 to FIG.
  • the authentication device 700 may be an authentication device, in which case the method corresponding to FIG. 2 or FIG. 3 is implemented.
  • alternatively, the authentication device 700 may be a core network device.
  • the embodiment of the present invention further provides a computer readable medium comprising computer-executable instructions; when a processor of a computer executes the computer-executable instructions, the computer performs the method flow of the authentication method in the wireless communication network of FIG. 1 or FIG.
  • the embodiment of the present invention further provides a computer readable medium comprising computer-executable instructions; when a processor of a computer executes the computer-executable instructions, the computer performs the method flow of the authentication method in the wireless communication network of FIG. 2 or FIG.
  • the LTE network mentioned in the present invention includes an LTE-A network and subsequent LTE releases.
  • the first, second, third, fourth, fifth, etc. in the embodiments of the present invention are only used to distinguish different indication information, messages, or other objects, and do not represent sequential relationships.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, or an electrical, mechanical or other form of connection.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiments of the present invention.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the technical solutions of the present invention essentially, or the part contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product stored in a storage medium.
  • a number of instructions are included to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.
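The following Python model of the FIG. 3 flow and of the authentication device 40 described above is an added example, not the patent's own code and not an implementation of the 3GPP f1/f5 functions: truncated HMAC-SHA256 stands in for f1/f5, the key, IMSI, DIF and GLC values are constructed, and SEQ sy = GLC + DIF is assumed as the concrete form of "generated from the DIF value and the current global counter". It contrasts that with the prior-art behaviour the page describes (SEQ sy ≈ SEQ MS1) when a PS domain authentication is inserted before the CS domain one.

```python
import hashlib
import hmac
import os

# Toy stand-ins for the 3GPP f1/f5 functions (NOT MILENAGE): truncated HMAC-SHA256.
IND_BITS = 5                 # SQN = SEQ || IND, 48 bits (TS 33.102 Annex C layout)
AMF = b"\x80\x00"            # constructed AMF value

def f5_ak(k, rand):          # anonymity key AK, 48 bits
    return hmac.new(k, b"f5" + rand, hashlib.sha256).digest()[:6]

def f1_mac(k, rand, sqn, amf):   # MAC-A, 64 bits
    return hmac.new(k, b"f1" + rand + sqn + amf, hashlib.sha256).digest()[:8]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class AuthDevice:
    """HLR/HE/AUC role: per-IMSI key K and DIF value, plus the global counter GLC."""
    def __init__(self, glc, subs):
        self.glc = glc       # global counter; advances as time passes
        self.subs = subs     # imsi -> (K, DIF)

    def gen_av(self, imsi, seq, ind=0):
        """Build (RAND, AUTN) for a given SEQ: AUTN = (SQN xor AK) || AMF || MAC."""
        k, _ = self.subs[imsi]
        sqn = ((seq << IND_BITS) | ind).to_bytes(6, "big")
        rand = os.urandom(16)
        return rand, xor(sqn, f5_ak(k, rand)) + AMF + f1_mac(k, rand, sqn, AMF)

    def normal_av(self, imsi):
        """Ordinary AV: SEQ = GLC + DIF (time-based sequence numbers)."""
        return self.gen_av(imsi, self.glc + self.subs[imsi][1])

    def resync_av(self, imsi, seq_ms1, prior_art):
        """AV generated after a synchronisation failure report carrying SEQ_MS1."""
        # prior art as the page describes it: SEQ_sy ~ SEQ_MS1 reported by the UE;
        # the page's method: SEQ_sy from the UE's DIF and the *current* GLC, ignoring SEQ_MS1
        return self.gen_av(imsi, seq_ms1 if prior_art else self.glc + self.subs[imsi][1])

class UE:
    def __init__(self, k, seq_ms):
        self.k, self.seq_ms = k, seq_ms     # SEQ_MS: largest SEQ accepted so far

    def authenticate(self, rand, autn):
        """True on success (SEQ_MS updated), else 'mac_failure' or 'sync_failure'."""
        sqn = xor(autn[:6], f5_ak(self.k, rand))      # recover SQN with AK
        amf, mac = autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f1_mac(self.k, rand, sqn, amf)):
            return "mac_failure"
        seq = int.from_bytes(sqn, "big") >> IND_BITS   # extract SEQ from SQN
        if seq <= self.seq_ms:       # not greater than stored SEQ: synchronisation failure
            return "sync_failure"
        self.seq_ms = seq
        return True

def fig3_scenario(prior_art):
    """CS-domain resynchronisation with a PS-domain authentication interleaved (FIG. 3)."""
    k = b"constructed-test-key"                  # constructed subscriber key K
    hlr = AuthDevice(glc=1000, subs={"imsi-test": (k, 50)})
    ue = UE(k, seq_ms=1040)                      # SEQ_MS1 stored after the last success
    seq_ms1 = ue.seq_ms                          # S301/S304: reported with the sync failure
    rand_ps, autn_ps = hlr.normal_av("imsi-test")   # S302-S303: SEQ_ps = 1000 + 50
    hlr.glc += 5                                 # GLC when SEQ_sy is generated is later
    rand_sy, autn_sy = hlr.resync_av("imsi-test", seq_ms1, prior_art)  # S305-S306
    ps = ue.authenticate(rand_ps, autn_ps)       # S307-S309: UE now stores SEQ_ps
    cs = ue.authenticate(rand_sy, autn_sy)       # S310-S312: SEQ_sy compared with SEQ_ps
    return ps, cs
```

With the page's method `fig3_scenario(False)` returns `(True, True)`; with the prior-art stand-in the second (CS) authentication reports a synchronisation failure again because SEQ sy does not exceed the SEQ ps the UE has just stored.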

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to an authentication method in a wireless communication network, an associated apparatus and a system. After receiving an authentication data request message sent by a core network device, even if the authentication data request message carries a synchronization failure indication, an authentication device queries and obtains a DIF value of a UE according to an identifier of the UE in order to generate a resynchronization sequence, so that the resynchronization sequence is not equal (or approximately equal) to the sequence with the maximum sequence number stored by the UE itself and reported by the UE. This avoids the repeated authentication failures of the prior art caused by the resynchronization sequence being equal (or approximately equal) to the sequence with the maximum sequence number stored by the UE, and allows the core network device to authenticate successfully when an authentication vector comprising the resynchronization sequence is used to perform authentication, thereby solving the problem of the prior art, caused by repeated authentication failures, that the UE is unable to launch a service normally until it restarts.

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2014/092793 WO2016086356A1 (fr) 2014-12-02 2014-12-02 Authentication method in a wireless communication network, associated apparatus and system
CN201480083607.9A CN107113610A (zh) 2014-12-02 2014-12-02 Authentication method in a wireless communication network, related apparatus and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/092793 WO2016086356A1 (fr) 2014-12-02 2014-12-02 Authentication method in a wireless communication network, associated apparatus and system

Publications (1)

Publication Number Publication Date
WO2016086356A1 true WO2016086356A1 (fr) 2016-06-09

Family

ID=56090805

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/092793 WO2016086356A1 (fr) 2014-12-02 2014-12-02 Authentication method in a wireless communication network, associated apparatus and system

Country Status (2)

Country Link
CN (1) CN107113610A (fr)
WO (1) WO2016086356A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112867001A (zh) * 2019-11-26 2021-05-28 维沃移动通信有限公司 Authentication method, terminal device and network device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111465007B (zh) * 2019-01-18 2022-10-11 华为技术有限公司 Authentication method, apparatus and system
CN112469043B (zh) * 2019-09-09 2022-10-28 华为技术有限公司 Authentication method and apparatus

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101030854A (zh) * 2006-03-02 2007-09-05 华为技术有限公司 Mutual authentication method and apparatus for network entities in a multimedia subsystem
CN101123778A (zh) * 2007-09-29 2008-02-13 大唐微电子技术有限公司 Network access authentication method and USIM card therefor
CN101466096A (zh) * 2007-12-17 2009-06-24 大唐移动通信设备有限公司 Method and system for triggering a synchronization failure in an authentication procedure
CN101998395A (zh) * 2009-08-27 2011-03-30 华为技术有限公司 Authentication vector acquisition method, home server and network system
CN103596176A (zh) * 2013-10-18 2014-02-19 北京北方烽火科技有限公司 Authentication method and apparatus for a small-scale core network based on the Evolved Packet System

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101163326A (zh) * 2006-10-12 2008-04-16 华为技术有限公司 Method, system and mobile terminal for resisting replay attacks
CN102638794B (zh) * 2007-03-22 2016-03-30 华为技术有限公司 Authentication and key agreement method, authentication method, system and device

Also Published As

Publication number Publication date
CN107113610A (zh) 2017-08-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14907533

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14907533

Country of ref document: EP

Kind code of ref document: A1