WO2017000620A1 - 重认证识别方法、演进分组数据网关及系统 - Google Patents

重认证识别方法、演进分组数据网关及系统 Download PDF

Info

Publication number
WO2017000620A1
WO2017000620A1 PCT/CN2016/078692 CN2016078692W WO2017000620A1 WO 2017000620 A1 WO2017000620 A1 WO 2017000620A1 CN 2016078692 W CN2016078692 W CN 2016078692W WO 2017000620 A1 WO2017000620 A1 WO 2017000620A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
epdg
identifier
request message
aaa server
Prior art date
Application number
PCT/CN2016/078692
Other languages
English (en)
French (fr)
Inventor
洪芸芸
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2017000620A1 publication Critical patent/WO2017000620A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Definitions

  • the present invention relates to the field of communications, and in particular to a method and apparatus for re-authentication identification based on an evolved packet data gateway.
  • VoWiFi Voice over Wireless Fidelity
  • WiFi Wireless Fidelity
  • the trusted access method is implemented under the operator's WiFi network.
  • the user's terminal does not need to establish a network protocol security (IPSec) tunnel with the network, but directly passes the packet data.
  • IPSec network protocol security
  • the gateway (PDN Gateway, PGW for short) can access the mobile core network, but this method requires operators to deploy their own WiFi networks in large quantities, which increases operating costs.
  • untrusted access refers to access by a user through a WiFi network provided by a non-operator.
  • the data sent by the user terminal needs to access the core network through the Evolved Packet Data Gateway (ePDG), which is added by the network.
  • ePDG Evolved Packet Data Gateway
  • the data is transmitted between the terminal and the ePDG through the IPSec tunnel, so that the network of the untrusted network is enabled.
  • the element cannot sense the data transmission, thus ensuring the security of data transmission.
  • the untrusted access method can make full use of the existing WiFi network, and does not need to increase operating costs in the WiFi network, and is increasingly favored by major operators.
  • the untrusted access authentication is performed based on the Subscriber Identity Module (SIM) card, so that external intruders cannot access the ePDG and the core network.
  • SIM Subscriber Identity Module
  • authentication and re-authentication highlight the importance of untrusted access.
  • the 3GPP protocol only defines how the user equipment (User Equipment, UE for short) uses the ePDG network for authentication and re-authentication, but does not define how the ePDG recognizes re-authentication.
  • the UE carries the re-authentication network only in the re-authentication of the Internet Key Exchange Authentication (IKE_AUTH), that is, the first authentication (AUTH) request message.
  • IKE_AUTH Internet Key Exchange Authentication
  • NAI Access Authorization Accounting Server
  • AAA Server Authentication Authorization Accounting Server
  • EAP Agreement (Extensible Authentication) Protocol
  • the ePDG Even if the UE carries the original IP address of the UE in the re-authenticated IKE AUTH (Identity) message, the ePDG cannot distinguish whether this is a cross-LTE handover procedure or a re-authentication procedure. At this time, ePDG treats the re-authentication process as an initial access procedure, and needs to pass all the information to AAA. AAA determines whether this is a re-authentication request, which increases the complexity of processing and interaction between network elements. The news will also increase.
  • the present invention provides a re-authentication identification method and apparatus based on an evolved packet data gateway to at least solve the above problems.
  • a re-authentication identification method comprising: an evolved packet data gateway ePDG receiving a re-authentication request message sent by a user equipment UE, wherein the re-authentication request message includes a re-authentication identifier; the ePDG And identifying, according to the re-authentication identifier, that the current process is a re-authentication process, and associating the original user data, and notifying the authentication and authorization charging AAA server to perform re-authentication.
  • the re-authentication identifier is carried in an International Mobile Subscriber Identity (IMSI) message that is allocated to the UE by the authentication and authorization charging AAA server when the UE is initially authenticated.
  • IMSI International Mobile Subscriber Identity
  • the re-authentication identifier is an extension identifier used by the UE and the ePDG to identify re-authentication jointly negotiated at the time of initial authentication.
  • the re-authentication identifier is an identifier bit or an identification string used to identify re-authentication.
  • the re-authentication request message further carries a network protocol IP address and/or an access point APN of the UE.
  • an evolved packet data gateway ePDG comprising: a receiving unit, configured to receive a re-authentication request message sent by a user equipment UE, where the re-authentication request message includes a re-authentication identifier; The unit is configured to identify that the current process is a re-authentication process according to the re-authentication identifier, and associate the original user data to notify the server to perform re-authentication.
  • the re-authentication identifier is carried in an IMSI message that is allocated to the UE by the authentication and authorization charging AAA server when the UE is initially authenticated.
  • the re-authentication identifier is an extension identifier used by the UE and the ePDG to identify re-authentication jointly negotiated at the time of initial authentication.
  • the re-authentication identifier is an identifier bit or an identification string used to identify re-authentication.
  • the re-authentication request message further carries a network protocol IP address and/or an access point APN of the UE.
  • a re-authentication identification system including: a user equipment UE, an evolved packet data gateway ePDG, and an authentication and authorization charging AAA server; wherein the UE is set to the ePDG Sending a re-authentication request message, where the re-authentication request message includes a re-authentication identifier; the ePDG is configured to identify that the current process is a re-authentication process according to the re-authentication identifier, and associate the original user data to notify the AAA Server; the AAA server is set to initiate a re-authentication process.
  • the method of the present invention solves the problem that the ePDG cannot actively identify the re-authentication process by adding the re-authentication identifier to the re-authentication request message, thereby enabling the ePDG to actively identify the re-authentication process in the initial stage of re-authentication.
  • the consumption of user resources on the ePDG is reduced, and the entire re-authentication process based on the evolved packet data gateway is simplified.
  • FIG. 1 is a structural diagram of a non-roaming evolution packet system of the related art
  • FIG. 2 is a flowchart of a method for identifying a re-authentication according to an embodiment of the present invention
  • FIG. 3 is a structural block diagram of an evolved packet data gateway ePDG according to an embodiment of the present invention.
  • Example 4 is a flow chart of user EPD-based EAP-AKA fast re-authentication provided by Example 1 of the present invention
  • FIG. 5 is a flowchart of establishing an EAP-AKA initial authentication by a user based on an initial session of an ePDG according to an example 2 of the present invention
  • Example 6 is a flowchart of a user-based ePDG-based EAP-AKA fast re-authentication according to Example 2 of the present invention
  • FIG. 7 is a block diagram of a re-authentication identification system according to an embodiment of the present invention.
  • Embodiment 1 of the present invention provides a re-authentication identification method, as shown in FIG. 2, including the following steps:
  • the eNodeB ePDG receives a re-authentication request message sent by the user equipment UE, where the re-authentication request message includes a re-authentication identifier.
  • the ePDG identifies, according to the re-authentication identifier, that the current process is a re-authentication process, and associates the original user data, and notifies the server to perform re-authentication.
  • the re-authentication identifier is that the UE is authenticated by the AAA server during initial authentication. It is carried in the International Mobile Subscriber Identification Number (IMSI) message assigned to the UE.
  • IMSI International Mobile Subscriber Identification Number
  • the re-authentication identifier is any extension identifier used by the UE and the ePDG to jointly identify the re-authentication when initially authenticated.
  • the re-authentication identifier is an identifier bit or an identification string for re-authentication.
  • the re-authentication request message further carries the network protocol IP address and/or the access point APN of the UE.
  • the embodiment 2 of the present invention provides an evolved packet data gateway ePDG.
  • the method includes a receiving unit 300, configured to receive a re-authentication request message sent by the user equipment UE, where the re-authentication request message includes a re-authentication identifier.
  • the identification unit 302 is configured to identify that the current process is a re-authentication process according to the re-authentication identifier, and associate the original user data to notify the server to perform re-authentication.
  • the device corresponds to the above method, and the specific content is not described in detail.
  • the method for carrying the re-authentication identifier when the re-authentication request message is added is used to solve the problem that the ePDG cannot actively identify the re-authentication process, thereby enabling the ePDG to actively identify the re-authentication process in the initial stage of re-authentication.
  • the consumption of user resources on the ePDG is reduced, and the entire re-authentication process based on the evolved packet data gateway is simplified.
  • FIG. 4 is an ePDG-based third-generation authentication and key agreement (EAP-AKA) of the user-provided ePDG according to the first embodiment of the present invention.
  • the fast re-authentication flow chart is as shown in FIG. 4.
  • the EPD-based EAP-AKA fast re-authentication process of the user includes the following steps:
  • the UE and the ePDG exchange the first pair of messages, that is, the Internet Key Exchange Security Association Initiate (IKE_SA_INIT) request and response, and the ePDG and the UE negotiate the encryption algorithm, exchange the random number NONCES, and execute Diffie- Hellman Key Exchange/Agreement Algorithm (Diffie_Hellman) exchange;
  • IKE_SA_INIT Internet Key Exchange Security Association Initiate
  • Diffie_Hellman Diffie-Hellman Key Exchange/Agreement Algorithm
  • the UE sends an IKE_AUTH request message to the ePDG, and carries the user identifier permanent NAI and the re-authentication identifier, which may be a Flag identifier bit or an identifier string.
  • the re-authentication Flag flag or identification string can be extended in the original IKE Config payload or Notify payload, or a new payload can be extended.
  • the request message further carries an IP address originally allocated by the UE and/or an access point originally used by the UE (Access Point Name, abbreviated as APN);
  • APN Access Point Name
  • the ePDG identifies that the re-authentication process is a re-authentication process, and locates the original user data by using the IP address and the APN in the message, and sends a Diameter EAP Request (Diameter EAP Request, referred to as The DER) message carries the user identity, the APN, the tunnel establishment indication, and the EAP attribute, and notifies the AAA server that the UE requests re-authentication.
  • Diameter EAP Request Diameter EAP Request
  • the AAA server identifies that the UE initiates the EAP-AKA fast re-authentication process, returns a DEA message to the ePDG, and carries an EAP-AKA re-authentication request.
  • the EAP-Request message includes a counter, exchanges random numbers NONCE, MAC, and is used for the next fast. Re-authenticated protected fast re-authentication identifier;
  • the ePDG forwards the EAP-AKA re-authentication request to the UE by using an IKE_AUTH response message;
  • the UE checks the counter to the latest, the message authentication code is correct, and sends an IKE_AUTH request message to the ePDG, carrying the EAP-AKA re-authentication response, including the same counter value (accumulated by the AAA Server) and the calculated message authentication code;
  • the ePDG forwards the EAP-AKA re-authentication response to the 3GPP AAA Server through the DER message;
  • the ePG calculates the AUTH parameter using the key material to verify the IKE_SA_INIT message, and sends an IKE_AUTH request message to the ePDG.
  • the ePD returns an IKE_AUTH response and carries EAP-success, indicating that the EAP authentication is successful.
  • the UE calculates the AUTH sent to the ePDG by using the key material material that is derived by itself, so that the ePDG verifies the IKE_SA_INIT message sent by the UE, and sends an IKE_AUTH request message to the ePDG.
  • the ePDG verifies whether the AUTH payload received from the UE is correct, and sends a KE_AUTH response message to the UE after the verification succeeds. If the UE requests a dynamic address, the ePDG includes the IP address assigned to the UE in the configuration payload, and then sends it to the UE together with the AUTH parameter, the security association, and the traffic selector, and ends the IKEv2 negotiation. At this point, the user re-authentication process ends.
  • FIG. 5 is a flowchart of establishing an EAP-AKA initial authentication by a user based on an initial session of the ePDG according to the second embodiment of the present invention.
  • the initial EAP-AKA initial authentication process based on the initial session of the ePDG includes the following steps. :
  • the UE and the ePDG exchange the first pair of messages, that is, the IKE_SA_INIT request and response, and the ePDG and the UE negotiate an encryption algorithm, exchange the NONCES, and perform a Diffie_Hellman exchange.
  • the UE sends an IKE_AUTH request message to the ePDG, and carries the user identifier NAI (Permanent NAI) and the APN information to start negotiating the child SA.
  • NAI Permanent NAI
  • the UE indicates to the ePDG that the EAP over IKEv2 authentication mode is used by not including the authentication parameter. Address, need to carry the configuration load;
  • the ePD sends a DER message to the AAA server, carrying the user identifier and the APN.
  • the AAA server initiates an authentication challenge by sending a DEA message, and no longer requests the user identifier.
  • the S510.3ePDG sends an IKE_AUTH response message, carries the ePDG identifier, and forwards the EAP message (EAP-/AKA challenge request) received from the AAA server to start the EAP process at the IKEv2 level.
  • EAP message EAP-/AKA challenge request
  • the UE checks the authentication parameter, and sends an IKE_AUTH request message to the ePDG, and carries only the EAP payload except the IKE header, and carries the challenge response.
  • the ePDG forwards the EAP-AKA challenge response to the AAA Server by sending a DER message to the AAA Server;
  • the AAA Server sends the final DEA response to the ePDG, carrying the indication success result code, the related service authentication information, and the key material;
  • the ePDG forwards the EAP final success or failure by sending an IKE_AUTH response message to the UE.
  • the UE generates the AUTH parameter by using the key material derived by itself as an input, and is used to authenticate the IKE_SA_INIT phase message, and send an IKE_AUTH request message to the ePDG.
  • the ePDG verifies whether the AUTH payload received from the UE is correct. After the verification succeeds, the KE_AUTH response message is sent to the UE, and the real IMSI allocated by the AAA can be delivered to the UE by using the attribute type of the extended configuration payload message. If the UE requests a dynamic address, the PDG includes the remote IP address assigned to the UE in the CFG_REPLY parameter, and then sends it to the UE together with the AUTH parameter, the security association, and the selector to end the IKEv2 negotiation. It may also be any extended identifier that the UE and the ePDG jointly negotiate in the initial authentication phase to identify the re-authentication.
  • the re-authentication identifier may be an IMSI allocated by the AAA to the UE when the UE performs initial authentication.
  • the ePDG needs to transmit the real IMSI allocated by the AAA to the UE in the last IKE AUTH response of the initial authentication, and the subsequent UE performs re-authentication.
  • ePDG uses this real IMSI to discover that the user already exists and recognizes that this is a re-authentication process.
  • IMSI recommends extending an attribute type in IKE's Notify payload for carrying.
  • FIG. 6 is a flowchart of a user-based ePDG-based EAP-AKA fast re-authentication according to the second embodiment of the present invention.
  • the ePDG-based EAP-AKA fast re-authentication process includes the following steps:
  • the UE and the ePDG exchange a first pair of messages, that is, an IKE_SA_INIT request and response, and the ePDG and the UE negotiate an encryption algorithm, exchange nonces, and perform a Diffie_Hellman exchange.
  • the UE sends an IKE_AUTH request message to the ePDG, carrying the fast re-authentication NAI and the IMSI allocated by the AAA in the initial authentication process in FIG. 5.
  • the IP address originally allocated by the UE and/or the APN originally used by the UE may also be included;
  • the ePDG recognizes that this is a re-authentication process by receiving the IMSI carried in the message, and locates the original user data area by using the IMSI, the IP address, and the APN in the message, and uses the same session session as the initial authentication to the 3GPP AAA Server.
  • the S608.3GPP AAA Server identifies that the UE initiates the EAP-AKA fast re-authentication process, returns a DEA message to the ePDG, and carries the EAP-AKA re-authentication request.
  • the EAP-Request message includes the counter, NONCE, MAC, and is used for the next fast re-authentication. Protected fast re-certification mark;
  • the ePDG forwards the EAP-AKA re-authentication request to the UE by using an IKE_AUTH response message;
  • the UE checks the counter to the latest, the message authentication code is correct, and sends an IKE_AUTH request message to the ePDG, carrying the EAP-AKA re-authentication response, including the same counter value (accumulated by the AAA Server) and the calculated message authentication code;
  • the ePDG forwards the EAP-AKA re-authentication response to the 3GPP AAA Server through the DER message;
  • the ePDG calculates the AUTH parameter using the key material to verify the IKE_SA_INIT message, and sends an IKE_AUTH request message to the ePDG.
  • the ePD returns an IKE_AUTH response and carries EAP-success, indicating that the EAP authentication is successful.
  • the UE calculates the AUTH sent to the ePDG by using the key material material that is derived by itself, so that the ePDG verifies the IKE_SA_INIT message sent by the UE, and sends an IKE_AUTH request message to the ePDG.
  • the ePDG verifies whether the AUTH payload received from the UE is correct, and sends a KE_AUTH response message to the UE after the verification succeeds. If the UE requests a dynamic address, the ePDG includes the IP address assigned to the UE in the configuration payload, and then sends it to the UE together with the AUTH parameter, the security association, and the traffic selector, and ends the IKEv2 negotiation. At this point, the user re-authentication process ends.
  • the embodiment 3 of the present invention provides a re-authentication identification system, as shown in FIG. 7, including a user equipment UE, an evolved packet data gateway ePDG, and an authentication and authorization charging AAA server; wherein the UE is configured to send a heavy weight to the ePDG.
  • An authentication request message wherein the re-authentication request message includes a re-authentication identifier; the ePDG is configured to identify, according to the re-authentication identifier, that the current process is a re-authentication process, and associate the original user data with the server; the AAA Server, set to start the re-authentication process.
  • the ePDG can be actively identified in the re-authentication process in the initial stage of re-authentication, thereby reducing the consumption of user resources on the ePDG, and simplifying the entire evolving packet-based data gateway.
  • the re-certification process it is achieved that the ePDG can be actively identified in the re-authentication process in the initial stage of re-authentication, thereby reducing the consumption of user resources on the ePDG, and simplifying the entire evolving packet-based data gateway.
  • modules or steps of the present invention described above can be implemented by a general-purpose computing device that can be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device, such that they may be stored in a storage device by a computing device, or they may be fabricated into individual integrated circuit modules, or Multiple modules or steps are made into a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
  • the foregoing technical solution provided by the embodiment of the present invention increases the manner in which the re-authentication identifier is carried in the re-authentication request message, and solves the problem that the ePDG cannot actively identify the re-authentication process, thereby achieving the active recognition of the ePDG in the initial stage of re-authentication.
  • the outbound process is in the re-authentication process, which reduces the consumption of user resources on the ePDG and simplifies the entire re-authentication process based on the evolved packet data gateway.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本发明公开了一种重认证识别方法,包括:演进分组数据网关ePDG接收用户设备UE发送的重认证请求消息,其中所述重认证请求消息包括重认证标识;所述ePDG根据所述重认证标识识别出当前流程是重认证流程,并关联原有用户数据,通知认证授权计费AAA服务器进行重认证。通过本方法,解决了ePDG无法主动识别重认证流程的问题,进而达到了能够使ePDG在重认证初始阶段主动识别出处于重认证流程中,进而降低了ePDG上用户资源的消耗,简化了整个基于演进分组数据网关的重认证流程。

Description

重认证识别方法、演进分组数据网关及系统 技术领域
本发明涉及通信领域,具体而言,涉及一种基于演进分组数据网关的重认证识别方法及装置。
背景技术
随着第四代移动通信技术的发展,人们对语音服务的质量要求越来越高。在苹果在推出iPhone6宣布将支持基于无线保真的语音通话(Voice over Wireless Fidelity,简称为VoWiFi)时,VoWiFi逐渐转入大家的视线。VoWiFi利用通过改善的网络基础设施来提供新的语音服务交付方式,而这种方式可以弥补4G网络室外基站对室内的覆盖不够,使得用户接收信号较差的不足,毕竟WiFi(Wireless Fidelity,简称为WiFi)网络在室内的覆盖普及程度已经非常高。目前实现VoWiFi主要有两种方式,语音数据通过WiFi接入运营商核心网可被视为可信任接入和不可信任接入。
可信任接入的方式是在运营商的WiFi网络下完成的,这种情况下,用户的终端不需要与网络建立网络协议安全性(Internet Protocol Security,简称为IPSec)隧道,而直接通过分组数据网关(PDN Gateway,简称为PGW)就能接入到移动核心网,但这种方式需要运营商大量布局自己的WiFi网络,增加了运营成本。
如图1所示,不可信任接入是指用户通过非运营商提供的WiFi网络进行的接入。这种情况下用户终端发出的数据需要通过网络新增的演进分组数据网关(Evolved Packet Data Gateway,简称ePDG)接入核心网,终端和ePDG之间通过IPSec隧道传输数据,使得不可信网络的网元无法感知数据传输,从而保证数据传输的安全性。不可信任接入方式由于可以充分利用现有的WiFi网络,不需要在WiFi网络方面增加运营成本,日渐为各大运营商所亲睐。
不可信任接入时认证是基于客户识别模块(Subscriber Identity Module,简称为SIM)卡完成的,使外界入侵者无法访问到ePDG和核心网。此时,认证与重认证就凸显出在不可信任接入方式时的重要性。而3GPP协议仅仅定义用户设备(User Equipment,简称为UE)怎样利用ePDG网络来进行认证和重认证,却没有定义ePDG怎样识别重认证。
根据相关技术,UE在进行重认证时,仅在重认证的互联网密钥交换认证(Internet Key Exchange Authentication,简称为IKE_AUTH)即第一个认证(Authentication,简称为AUTH)请求消息中携带重认证网络接入标识(Network Access Identifier,简称为NAI),而认证授权计费服务器(Authentication Authorization Accounting Server,简称为AAA Server)在下发重认证NAI和伪随机NAI给UE时,是通过加密的可扩展认证协议(Extensible Authentication  Protocol,简称EAP)消息传递的,ePDG无法感知,所以ePDG无法识别这是一个重认证NAI。即使UE在重认证的IKE AUTH(Identity)消息中同时携带UE原来的IP地址,ePDG也无法区分这是一个跨LTE切换流程还是一个重认证流程。此时ePDG会把重认证流程当成一个初始接入流程进行处理,需要把所有信息都传递给AAA,由AAA来判断这是否是一个重认证请求,增加了处理的复杂性,同时网元间交互消息也会增多。
针对相关技术中上述的问题,目前尚未提出有效的解决方案。
发明内容
本发明提供了一种基于演进分组数据网关的重认证识别方法及装置,以至少解决上述问题。
根据本发明的一个实施例,提供了一种重认证识别方法,包括:演进分组数据网关ePDG接收用户设备UE发送的重认证请求消息,其中所述重认证请求消息包括重认证标识;所述ePDG根据所述重认证标识识别出当前流程是重认证流程,并关联原有用户数据,通知认证授权计费AAA服务器进行重认证。
在本发明的实施例中,所述重认证标识是UE在初始认证时,由认证授权计费AAA服务器分配给UE的国际移动用户识别码IMSI消息中携带。
在本发明的实施例中,所述重认证标识是UE和ePDG在初始认证时共同协商的、用于识别重认证的扩展标识。
在本发明的实施例中,所述重认证标识是用于标识重认证的标识位或标识字符串。
在本发明的实施例中,所述重认证请求消息中还携带所述UE的网络协议IP地址和/或接入点APN。
根据本发明的一个实施例,还提供了一种演进分组数据网关ePDG,包括:接收单元,设置为接收用户设备UE发送的重认证请求消息,其中所述重认证请求消息包括重认证标识;识别单元,设置为根据所述重认证标识识别出当前流程是重认证流程,并关联原有用户数据,通知服务器进行重认证。
在本发明的实施例中,所述重认证标识是UE在初始认证时,由认证授权计费AAA服务器分配给UE的IMSI消息中携带。
在本发明的实施例中,所述重认证标识是UE和ePDG在初始认证时共同协商的、用于识别重认证的扩展标识。
在本发明的实施例中,所述重认证标识是用于标识重认证的标识位或标识字符串。
在本发明的实施例中,所述重认证请求消息中还携带所述UE的网络协议IP地址和/或接入点APN。
据本发明的又一个实施例,还提供了一种重认证识别系统,包括:用户设备UE、演进分组数据网关ePDG和认证授权计费AAA服务器;其中,所述UE,设置为向所述ePDG发送重认证请求消息,其中所述重认证请求消息包括重认证标识;所述ePDG,设置为根据所述重认证标识识别出当前流程是重认证流程,并关联原有用户数据,通知所述AAA服务器;所述AAA服务器,设置为启动重认证流程。
通过本发明方法,采用增加在重认证请求消息时携带重认证标识的方式,解决了ePDG无法主动识别重认证流程的问题,进而达到了能够使ePDG在重认证初始阶段主动识别出处于重认证流程中,进而降低了ePDG上用户资源的消耗,简化了整个基于演进分组数据网关的重认证流程。
附图说明
此处所说明的附图用来提供对本发明的进一步理解,构成本申请的一部分,本发明的示意性实施例及其说明用于解释本发明,并不构成对本发明的不当限定。在附图中:
图1为相关技术的非漫游演进分组系统架构图;
图2为本发明实施例提供的一种重认证识别方法流程图;
图3为本发明实施例提供的演进分组数据网关ePDG结构框图;
图4为本发明示例1提供的用户基于ePDG的EAP-AKA快速重认证流程图;
图5为本发明示例2提供的用户基于ePDG初始会话建立EAP-AKA初始认证流程图;
图6为本发明示例2提供的用户基于ePDG的EAP-AKA快速重认证流程图;
图7为本发明实施例提供的一种重认证识别系统框图。
具体实施方式
需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互组合。下面将参考附图并结合实施例来详细说明本发明。
实施1
本发明实施例1提供了一种重认证识别方法,如图2所示,包括如下的步骤:
S200,演进分组数据网关ePDG接收用户设备UE发送的重认证请求消息,其中所述重认证请求消息包括重认证标识;
S202,所述ePDG根据所述重认证标识识别出当前流程是重认证流程,并关联原有用户数据,通知服务器进行重认证。
作为可选方案,其中所述重认证标识是UE在初始认证时,由认证授权计费AAA服务器 分配给UE的国际移动用户识别码(International Mobile Subscriber Identification Number,简称为IMSI)消息中携带。
作为可选方案,其中所述重认证标识是UE和ePDG在初始认证时共同协商的用于识别重认证的任何扩展标识。
作为可选方案,其中所述重认证标识是用于重认证的标识位或标识字符串。
作为可选方案,其中所述重认证请求消息中还携带所述UE的网络协议IP地址和/或接入点APN。
实施例2
本发明实施例2提供了一种演进分组数据网关ePDG,如图3所示,包括接收单元300,设置为接收用户设备UE发送的重认证请求消息,其中所述重认证请求消息包括重认证标识;识别单元302,设置为根据所述重认证标识识别出当前流程是重认证流程,并关联原有用户数据,通知服务器进行重认证。该装置对应于上述方法,具体内容不在详述。
通过上述技术方案,采用增加在重认证请求消息时携带重认证标识的方法,解决了ePDG无法主动识别重认证流程的问题,进而达到了能够使ePDG在重认证初始阶段主动识别出处于重认证流程中,进而降低了ePDG上用户资源的消耗,简化了整个基于演进分组数据网关的重认证流程。
为了使本发明的技术方案和实现方法更加清楚,下面将结合优选示例对其实现过程进行详细描述。
示例1
请参考图4,图4为本发明示例1提供的用户基于ePDG的第三代认证与密钥协商协议可扩展认证协议(Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement,简称为EAP-AKA)快速重认证流程图,如图4所示,本发明示例1中,用户基于ePDG的EAP-AKA快速重认证流程包括以下步骤:
S402.UE和ePDG交互第一对消息,即互联网密钥交换安全联盟发起(Internet Key Exchange Security Association Initiate,简称为IKE_SA_INIT)请求和响应,ePDG和UE协商加密算法、交换随机数NONCES和执行Diffie-Hellman密钥交换协议/算法(Diffie-Hellman Key Exchange/Agreement Algorithm,简称为Diffie_Hellman)交换;
S404.UE向ePDG发送IKE_AUTH请求消息,携带用户标识永久NAI和重认证标识,可以是Flag标识位或标识字符串。重认证Flag标识位或标识字符串可以在原来的IKE Config载荷或Notify载荷中扩展一个属性类型,也可以扩展一个新的载荷。
可选的,请求消息中还携带UE原来分配的IP地址和/或UE原来使用的接入点(Access Point Name,简称为APN);
S406.ePDG通过收到消息中的重认证标识识别出这是一个重认证流程,并通过消息中的IP地址以及APN定位到原来用户数据,向AAA Server发送Diameter EAP请求(Diameter EAP Request,简称为DER)消息,携带用户标识、APN、隧道建立指示和EAP属性,并通知AAA服务器UE请求重认证。
S408.AAA Server识别出UE发起EAP-AKA快速重认证流程,向ePDG回DEA消息,携带EAP-AKA重认证请求,EAP-Request消息中包含计数器、交换随机数NONCE、MAC和用于下一次快速重认证受保护的快速重认证标识;
S410.ePDG通过IKE_AUTH响应消息将EAP-AKA重认证请求转发给UE;
S412.UE校验计数器至最新,消息认证码正确,并向ePDG发送IKE_AUTH请求消息,携带EAP-AKA重认证响应,包含相同计数器值(由AAA Server累加)和计算的消息认证码;
S414.ePDG通过DER消息将EAP-AKA重认证响应转发给3GPP AAA Server;
S416.ePDG使用秘钥材料计算出AUTH参数,以便验证IKE_SA_INIT消息,向ePDG发送IKE_AUTH请求消息;
S418.ePDG返回IKE_AUTH响应,携带EAP-success,指示EAP认证成功;
S420.UE使用自己导出的秘钥材料计算产生AUTH发给ePDG,以便ePDG验证UE发送的IKE_SA_INIT消息,向ePDG发送IKE_AUTH请求消息;
S422.ePDG验证从UE收到的AUTH载荷是否正确,验证成功后向UE发送KE_AUTH响应消息。如果UE请求动态地址,ePDG在配置载荷中包含分配给UE的IP地址,然后和AUTH参数、安全联盟、流量选择器一起发送给UE,结束IKEv2协商。至此,用户重认证流程结束。
示例2
图5为本发明示例2提供的用户基于ePDG初始会话建立EAP-AKA初始认证流程图,如图5所示,本发明示例2中,用户基于ePDG初始会话建立EAP-AKA初始认证流程包括以下步骤:
S502.UE和ePDG交互第一对消息即IKE_SA_INIT请求和响应,ePDG和UE协商加密算法、交换NONCES和执行Diffie_Hellman交换;
S504.UE向ePDG发送IKE_AUTH请求消息,携带用户标识NAI(永久NAI)和APN信息,开始协商child SA;UE通过不包含认证参数向ePDG指明使用EAP over IKEv2认证方式,如果UE需要动态分配远端地址,需要携带配置载荷;;
S506.ePDG向AAA Server发送DER消息,携带用户标识、APN;
S508.AAA Server通过发送DEA消息发起认证挑战,不再请求用户标识;
S510.3ePDG发送IKE_AUTH响应消息,携带ePDG标识,并转发从AAA Server接收到的EAP消息(EAP-/AKA挑战请求),用于开始IKEv2层面的EAP流程;
S512.UE检查认证参数,向ePDG发送IKE_AUTH请求消息,除了IKE头外仅携带EAP载荷,携带挑战响应;
S514.ePDG通过向AAA Server发送DER消息转发EAP-AKA挑战响应给AAA Server;
S516.当所有检查都成功,AAA Server发送最终的DEA响应给ePDG,携带指示成功结果码、相关业务认证信息和秘钥材料;
S518.ePDG通过向UE发送IKE_AUTH响应消息,转发EAP最终的成功或者失败;
S520.UE使用自己导出的秘钥材料作为输入生成AUTH参数,用于认证IKE_SA_INIT阶段消息,向ePDG发送IKE_AUTH请求消息;
S522.ePDG验证从UE收到的AUTH载荷是否正确,验证成功后向UE发送KE_AUTH响应消息,消息中可以把AAA分配的真实IMSI传递给UE,可通过扩展配置载荷消息的属性类型携带。如果UE请求动态地址,PDG在CFG_REPLY参数中包含分配给UE的remote IP地址,然后和AUTH参数、安全联盟、选择符一起发送给UE,结束IKEv2协商。也可以是UE和ePDG在初始认证阶段共同协商出的可用于识别重认证的任何扩展标识。
重认证标识可以是UE进行初始认证时AAA分配给UE的IMSI,此时需要由ePDG在初始认证的最后一条IKE AUTH响应中,增加字段把AAA分配的真实IMSI传递给UE,后续UE进行重认证时,携带这个真实的IMSI,ePDG通过这个真实的IMSI来发现已经存在此用户,识别出这是一个重认证流程。IMSI建议在IKE的Notify载荷中扩展一个属性类型,用于携带。
至此UE初始建立结束。
图6为本发明示例2提供的用户基于ePDG的EAP-AKA快速重认证流程图,如图6所示,本发明示例2中,用户基于ePDG的EAP-AKA快速重认证流程包括以下步骤:
S602.UE和ePDG交互第一对消息即IKE_SA_INIT请求和响应,ePDG和UE协商加密算法、交换nonces和执行Diffie_Hellman交换;
S604.UE向ePDG发送IKE_AUTH请求消息,携带快速重认证NAI和图5中初始认证过程中AAA分配的IMSI。
可选的,还可以包括UE原来分配的IP地址和/或UE原来使用的APN;
S606.ePDG通过收到消息中携带的IMSI识别出这是一个重认证流程,并通过消息中的IMSI、IP地址以及APN定位到原来用户数据区,使用和初始认证相同的会话session向3GPP AAA Server发送DER(Diameter EAP Request)消息,携带用户标识、APN、隧道建立指示和EAP属性,并通知AAA Server UE请求重认证;
S608.3GPP AAA Server识别出UE发起EAP-AKA快速重认证流程,向ePDG回DEA消息,携带EAP-AKA重认证请求,EAP-Request消息中包含计数器、NONCE、MAC和用于下一次快速重认证受保护的快速重认证标识;
S610.ePDG通过IKE_AUTH响应消息将EAP-AKA重认证请求转发给UE;
S612.UE校验计数器至最新,消息认证码正确,并向ePDG发送IKE_AUTH请求消息,携带EAP-AKA重认证响应,包含相同计数器值(由AAA Server累加)和计算的消息认证码;
S614.ePDG通过DER消息将EAP-AKA重认证响应转发给3GPP AAA Server;
S616.ePDG使用秘钥材料计算出AUTH参数,以便验证IKE_SA_INIT消息,向ePDG发送IKE_AUTH请求消息;
S618.ePDG返回IKE_AUTH响应,携带EAP-success,指示EAP认证成功;
S620.UE使用自己导出的秘钥材料计算产生AUTH发给ePDG,以便ePDG验证UE发送的IKE_SA_INIT消息,向ePDG发送IKE_AUTH请求消息;
S622.ePDG验证从UE收到的AUTH载荷是否正确,验证成功后向UE发送KE_AUTH响应消息。如果UE请求动态地址,ePDG在配置载荷中包含分配给UE的IP地址,然后和AUTH参数、安全联盟、流量选择器一起发送给UE,结束IKEv2协商。至此,用户重认证流程结束。
实施例3
本发明实施例3提供了一种重认证识别系统,如图7,包括用户设备UE、演进分组数据网关ePDG和认证授权计费AAA服务器;其中,所述UE,设置为向所述ePDG发送重认证请求消息,其中所述重认证请求消息包括重认证标识;所述ePDG,设置为根据所述重认证标识识别出当前流程是重认证流程,并关联原有用户数据,通知服务器;所述AAA服务器,设置为启动重认证流程。
需要说明的是,上述实施例中描述的系统对应于上述的方法实施例,其具体的实现过程在方法实施例中已经进行过详细说明,在此不再赘述。
综上所述,根据本发明的上述实施例,达到了能够使ePDG在重认证初始阶段主动识别出处于重认证流程中,进而降低了ePDG上用户资源的消耗,简化了整个基于演进分组数据网关的重认证流程。
显然,本领域的技术人员应该明白,上述的本发明的各模块或各步骤可以用通用的计算装置来实现,它们可以集中在单个的计算装置上,或者分布在多个计算装置所组成的网络上,可选地,它们可以用计算装置可执行的程序代码来实现,从而,可以将它们存储在存储装置中由计算装置来执行,或者将它们分别制作成各个集成电路模块,或者将它们中的多个模块或步骤制作成单个集成电路模块来实现。这样,本发明不限制于任何特定的硬件和软件结合。
以上所述仅为本发明的优选实施例而已,并不用于限制本发明,对于本领域的技术人员来说,本发明可以有各种更改和变化。凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。
工业实用性
基于本发明实施例提供的上述技术方案,增加在重认证请求消息时携带重认证标识的方式,解决了ePDG无法主动识别重认证流程的问题,进而达到了能够使ePDG在重认证初始阶段主动识别出处于重认证流程中,进而降低了ePDG上用户资源的消耗,简化了整个基于演进分组数据网关的重认证流程。

Claims (11)

  1. 一种重认证识别方法,该方法包括:
    演进分组数据网关ePDG接收用户设备UE发送的重认证请求消息,其中所述重认证请求消息包括重认证标识;
    所述ePDG根据所述重认证标识识别出当前流程是重认证流程,并关联原有用户数据,通知认证授权计费AAA服务器进行重认证。
  2. 根据权利要求1所述的方法,其中,所述重认证标识是UE在初始认证时,由认证授权计费AAA服务器分配给UE的国际移动用户识别码IMSI消息中携带。
  3. 根据权利要求2所述的方法,其中,所述重认证标识是UE和ePDG在初始认证时共同协商的、用于识别重认证的扩展标识。
  4. 根据权利要求1-3中任一项所述的方法,其中,所述重认证标识是用于标识重认证的标识位或标识字符串。
  5. 根据权利要求1-3中任一项所述的方法,其中,所述重认证请求消息中还携带所述UE的网络协议IP地址和/或接入点APN。
  6. 一种演进分组数据网关ePDG,包括:
    接收单元,设置为接收用户设备UE发送的重认证请求消息,其中所述重认证请求消息包括重认证标识;
    识别单元,设置为根据所述重认证标识识别出当前流程是重认证流程,并关联原有用户数据,通知服务器进行重认证。
  7. 根据权利要求6所述的ePDG,其中,所述重认证标识是UE在初始认证时,由认证授权计费AAA服务器分配给UE的IMSI消息中携带。
  8. 根据权利要求7所述的方法,其中,所述重认证标识是UE和ePDG在初始认证时共同协商的、用于识别重认证的扩展标识。
  9. 根据权利要求6-8中任一项所述的方法,其中,所述重认证标识是用于标识重认证的标识位或标识字符串。
  10. 根据权利要求6-8中任一项所述的方法,其中,所述重认证请求消息中还携带所述UE的网络协议IP地址和/或接入点APN。
  11. 一种重认证识别系统,包括:用户设备UE、演进分组数据网关ePDG和认证授权计费AAA服务器;其中,
    所述UE,设置为向所述ePDG发送重认证请求消息,其中所述重认证请求消息包括重认证标识;
    所述ePDG,设置为根据所述重认证标识识别出当前流程是重认证流程,并关联原有用户数据,通知所述AAA服务器;
    所述AAA服务器,设置为启动重认证流程。
PCT/CN2016/078692 2015-06-29 2016-04-07 重认证识别方法、演进分组数据网关及系统 WO2017000620A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510367404.9 2015-06-29
CN201510367404.9A CN106302376A (zh) 2015-06-29 2015-06-29 重认证识别方法、演进分组数据网关及系统

Publications (1)

Publication Number Publication Date
WO2017000620A1 true WO2017000620A1 (zh) 2017-01-05

Family

ID=57607782

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/078692 WO2017000620A1 (zh) 2015-06-29 2016-04-07 重认证识别方法、演进分组数据网关及系统

Country Status (2)

Country Link
CN (1) CN106302376A (zh)
WO (1) WO2017000620A1 (zh)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102345932B1 (ko) 2017-07-20 2021-12-30 후아웨이 인터내셔널 피티이. 엘티디. 네트워크 보안 관리 방법 및 장치
WO2021068777A1 (en) * 2019-10-10 2021-04-15 Huawei Technologies Co., Ltd. Methods and systems for internet key exchange re-authentication optimization

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1627753A (zh) * 2003-12-08 2005-06-15 华为技术有限公司 无线局域网中业务隧道建立的方法
CN101594616A (zh) * 2009-07-08 2009-12-02 深圳华为通信技术有限公司 认证方法、服务器、用户设备及通信系统
CN102223634A (zh) * 2010-04-15 2011-10-19 中兴通讯股份有限公司 一种用户终端接入互联网方式的控制方法及装置
WO2011162481A2 (en) * 2010-06-21 2011-12-29 Lg Electronics Inc. Method of communicating between a wireless terminal and a packet data network

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7617524B2 (en) * 2005-06-14 2009-11-10 Nokia Corporation Protection against denial-of-service attacks
CN103200534B (zh) * 2012-01-10 2016-08-17 华为技术有限公司 一种集群通信的方法、装置及系统

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1627753A (zh) * 2003-12-08 2005-06-15 华为技术有限公司 无线局域网中业务隧道建立的方法
CN101594616A (zh) * 2009-07-08 2009-12-02 深圳华为通信技术有限公司 认证方法、服务器、用户设备及通信系统
CN102223634A (zh) * 2010-04-15 2011-10-19 中兴通讯股份有限公司 一种用户终端接入互联网方式的控制方法及装置
WO2011162481A2 (en) * 2010-06-21 2011-12-29 Lg Electronics Inc. Method of communicating between a wireless terminal and a packet data network

Also Published As

Publication number Publication date
CN106302376A (zh) 2017-01-04

Similar Documents

Publication Publication Date Title
EP3545702B1 (en) User identity privacy protection in public wireless local access network, wlan, access
US20230007475A1 (en) Method for Performing Verification by Using Shared Key, Method for Performing Verification by Using Public Key and Private Key, and Apparatus
US11178584B2 (en) Access method, device and system for user equipment (UE)
US10849191B2 (en) Unified authentication for heterogeneous networks
KR101961301B1 (ko) 통합된 스몰 셀 및 wi-fi 네트워크를 위한 통합 인증
US9648019B2 (en) Wi-Fi integration for non-SIM devices
JP4965671B2 (ja) 無線通信ネットワークにおけるユーザ・プロファイル、ポリシー及びpmipキーの配布
US9306748B2 (en) Authentication method and apparatus in a communication system
US11316670B2 (en) Secure communications using network access identity
KR20150084224A (ko) 이동 통신 시스템에서 서비스 발견 및 그룹 통신을 위한 보안 지원 방법 및 시스템
WO2009074050A1 (fr) Procede, systeme et appareil d'authentification de dispositif de point d'acces
EP3175639A1 (en) Authentication in a wireless communications network
EP3637815B1 (en) Data transmission method, and device and system related thereto
CN107683615B (zh) 保护twag和ue之间的wlcp消息交换的方法、装置和存储介质
US20120254615A1 (en) Using a dynamically-generated symmetric key to establish internet protocol security for communications between a mobile subscriber and a supporting wireless communications network
WO2017000620A1 (zh) 重认证识别方法、演进分组数据网关及系统
CN110226319B (zh) 用于紧急接入期间的参数交换的方法和设备
US20220030428A1 (en) Communication Method and Communications Device
US9602493B2 (en) Implicit challenge authentication process
KR101338487B1 (ko) I-wlan에서 인증 서버 및 그의 접속 인증 방법
KR20130085170A (ko) 무선 네트워크에서 가입자 단말의 핸드오버 시 인증 절차를 단축시키는 방법 및 장치
KR20120070028A (ko) I-wlan에서 인증 서버 및 그의 접속 인증 방법

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16816985

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16816985

Country of ref document: EP

Kind code of ref document: A1