WO2017107745A1 - Terminal authentication method, device and system - Google Patents

Terminal authentication method, device and system

Info

Publication number
WO2017107745A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
access gateway
certificate
authentication
message
Application number
PCT/CN2016/107731
Other languages
French (fr)
Chinese (zh)
Inventor
范红伟
Original Assignee
ZTE Corporation (中兴通讯股份有限公司)
Application filed by ZTE Corporation (中兴通讯股份有限公司)
Publication of WO2017107745A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W12/08 Access security

Definitions

  • the embodiments of the present invention relate to the field of communications technologies, and in particular, to a terminal authentication method, apparatus, and system.
  • mobile communication has developed to the fourth-generation Long Term Evolution (4G LTE) network, and a user terminal can access it through a Wireless Local Area Network (WLAN) to use voice over WiFi (VoWiFi).
  • 4G LTE Long Term Evolution
  • WLAN Wireless Local Area Network
  • VoWiFi voice over WiFi
  • services such as VoWiFi calls.
  • when the terminal accesses the LTE network over WLAN, it is authenticated for network access through its Universal Subscriber Identity Module/Subscriber Identity Module (USIM/SIM) using Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) or EAP-AKA'.
  • EAP-AKA is an EAP-based access authentication method for third-generation mobile communication.
  • EAP-AKA' is a newer authentication method that corrects EAP-AKA.
  • both authentication methods require the terminal to have a USIM/SIM card.
  • a terminal without a USIM/SIM card, such as a tablet (PAD) or PC, or a terminal whose USIM/SIM card information cannot be obtained because of permission or system restrictions, therefore cannot access the LTE network or use the VoWiFi service, which is inconvenient for the user.
  • the main purpose of the embodiments of the present invention is to provide a terminal authentication method, device and system, which address the problem in the related art that a cardless terminal, or a terminal that cannot obtain USIM/SIM card information, cannot access the LTE network.
  • a terminal authentication method includes: the terminal initiates an initial attach request to the access gateway; according to the initial attach request, the access gateway sends a DER message to the 3rd Generation Partnership Project authentication, authorization and accounting (3GPP AAA) server; when the 3GPP AAA server receives the DER message and determines that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is a preset character, it determines that the terminal is an Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) access; and the 3GPP AAA server authenticates the terminal through EAP-TLS interaction.
  • the 3GPP AAA server authenticating the terminal through EAP-TLS interaction includes: after receiving the handshake message sent by the access gateway, the 3GPP AAA server returns a server certificate to the access gateway;
  • the terminal receives the server certificate sent by the access gateway and verifies it;
  • when the server certificate is verified, the terminal sends the terminal certificate to the access gateway;
  • the 3GPP AAA server receives and verifies the terminal certificate sent by the access gateway, and sends a handshake completion message to the access gateway when the verification passes, completing the authentication of the terminal.
  • the method further includes: after receiving the DER message in which the access gateway acknowledges receipt of the handshake completion message, the 3GPP AAA server sends a MAR message and a SAR message to the evolved packet core home subscriber server (EPC-HSS) to obtain the authentication data and the user data, and performs an authorization check;
  • when the authorization check succeeds, a DEA message indicating that the authorization check succeeded is sent to the access gateway, completing authorization between the terminal and the 3GPP AAA server.
  • the EAP-IDENTITY prefix in the DER message is extended to use English letters: when the prefix is the preset character, the authentication mode is EAP-TLS, and the preset character is an English letter.
  • a terminal certificate is installed on the terminal, which includes at least the IMSI that the terminal uses for communication services, and a server certificate is installed on the 3GPP AAA server.
  • an embodiment of the present invention further provides a terminal authentication method, applicable to a terminal that has no Universal Subscriber Identity Module/Subscriber Identity Module (USIM/SIM) card or cannot obtain USIM/SIM card information, where the method includes: sending an initial attach request to an access gateway, so that the access gateway sends a DER message to the 3GPP AAA server; when the 3GPP AAA server authenticates the terminal through EAP-TLS interaction, receiving the server certificate forwarded by the access gateway; verifying the server certificate; and, when the server certificate is verified, sending the terminal certificate to the access gateway, so that the access gateway forwards it to the 3GPP AAA server for verification.
  • the terminal certificate includes at least the IMSI that the terminal uses for communication services.
  • the embodiment of the present invention further provides a terminal authentication method applied to a 3GPP AAA server, where the method includes: receiving a DER message from an access gateway; and, when the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is determined to be a preset character, determining that the terminal is an EAP-TLS access and authenticating the terminal through EAP-TLS interaction.
  • authenticating the terminal through EAP-TLS interaction includes: receiving a handshake message from the access gateway and sending a server certificate to the access gateway so that the terminal can verify it; when the terminal has verified the server certificate, receiving the terminal certificate from the access gateway; verifying the terminal certificate; and, when the verification passes, sending a handshake completion message to the access gateway to complete authentication of the terminal.
  • the method further includes: receiving a DER message from the access gateway confirming receipt of the handshake completion message; sending a MAR message and a SAR message to the EPC-HSS server to obtain the authentication data and the user data, and performing an authorization check; and, when the authorization check of the authentication data and the user data succeeds, sending a DEA message indicating that the authorization check succeeded to the access gateway.
  • an embodiment of the present invention further provides a terminal authentication system, where the system includes a terminal, an access gateway and a 3GPP AAA server: the terminal is configured to initiate an initial attach request to the access gateway; the access gateway is configured to send a DER message to the 3GPP AAA server according to the initial attach request; and the 3GPP AAA server is configured to receive the DER message and, when it determines that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is a preset character, determine that the terminal is an EAP-TLS access and authenticate the terminal through EAP-TLS interaction.
  • the 3GPP AAA server is further configured to return a server certificate to the access gateway after receiving the handshake message sent by the access gateway; the terminal is further configured to receive the server certificate sent by the access gateway, verify it and, after the server certificate is verified, send the terminal certificate to the access gateway; and the 3GPP AAA server is further configured to receive and verify the terminal certificate sent by the access gateway and, when the verification succeeds, send a handshake completion message to the access gateway to complete authentication of the terminal.
  • the system further includes an EPC-HSS server configured to receive the MAR message and the SAR message sent by the 3GPP AAA server and to return the authentication data and the user data to the 3GPP AAA server; the 3GPP AAA server is further configured to perform an authorization check on the terminal according to the authentication data and the user data and, when the authorization check succeeds, send a DEA message indicating that the authorization check succeeded to the access gateway, completing authorization between the terminal and the 3GPP AAA server.
  • an embodiment of the present invention further provides a terminal authentication apparatus, applicable to a terminal that has no USIM/SIM card or cannot obtain USIM/SIM card information, where the apparatus includes: a first sending module configured to send an initial attach request to the access gateway, so that the access gateway sends a DER message to the 3GPP AAA server; a first receiving module configured to receive the server certificate forwarded by the access gateway when the 3GPP AAA server authenticates the terminal through EAP-TLS interaction; a server certificate verification module configured to verify the server certificate; and a second sending module configured to send the terminal certificate to the access gateway when the server certificate is verified, so that the access gateway forwards it to the 3GPP AAA server for verification.
  • the terminal certificate includes at least the IMSI that the terminal uses for communication services.
  • an embodiment of the present invention further provides a terminal authentication apparatus applied to a 3GPP AAA server, where the apparatus includes: a third receiving module configured to receive a DER message from an access gateway; and an authentication pass module configured to, when the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is determined to be a preset character, determine that the terminal is an EAP-TLS access and authenticate the terminal through EAP-TLS interaction.
  • the authentication pass module further includes: a fourth receiving module configured to receive a handshake message from the access gateway; a third sending module configured to send a server certificate to the access gateway so that the terminal can verify it; a fifth receiving module configured to receive the terminal certificate from the access gateway when the terminal has verified the server certificate; a verification module configured to verify the terminal certificate; and a fourth sending module configured to send a handshake completion message to the access gateway when the verification passes, to complete authentication of the terminal.
  • the apparatus further includes: a sixth receiving module configured to receive a DER message from the access gateway confirming receipt of the handshake completion message; a fifth sending module configured to send a MAR message and a SAR message to the EPC-HSS server to obtain the authentication data and the user data and perform an authorization check; and a sixth sending module configured to send a DEA message indicating that the authorization check succeeded to the access gateway when the authorization check of the authentication data and the user data succeeds.
  • a computer storage medium is further provided, which stores execution instructions for performing the terminal authentication method of the foregoing embodiments.
  • in the terminal authentication method, device and system, the terminal initiates an initial attach request to the access gateway; according to the initial attach request, the access gateway sends a DER message to the 3GPP AAA server; the 3GPP AAA server receives the DER message and, when it determines that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is a preset character, determines that the terminal is an EAP-TLS access and authenticates the terminal through EAP-TLS interaction. Therefore, a terminal without a USIM/SIM card, or one that cannot obtain USIM/SIM card information, can access the LTE network and use the VoWiFi service, improving the user experience.
  • FIG. 1 is a schematic flowchart of a terminal authentication method according to a first embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a terminal authentication method according to a second embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a method for authenticating a terminal according to a third embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a method for authenticating a terminal according to a fourth embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a method for authenticating a terminal according to a fifth embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of a sub-process of a terminal authentication method according to a fifth embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of a method for authenticating a terminal according to a sixth embodiment of the present invention.
  • FIG. 8 is a schematic block diagram of a terminal authentication system according to a seventh embodiment of the present invention.
  • FIG. 9 is a schematic block diagram of a terminal authentication system according to a ninth embodiment of the present invention.
  • FIG. 10 is a schematic block diagram of a terminal authentication apparatus according to a tenth embodiment of the present invention.
  • FIG. 11 is a schematic block diagram of a terminal authentication apparatus according to an eleventh embodiment of the present invention.
  • FIG. 12 is a schematic block diagram of a terminal authentication apparatus according to a twelfth embodiment of the present invention.
  • the first embodiment of the present invention provides a terminal authentication method applicable to a terminal that has no Universal Subscriber Identity Module/Subscriber Identity Module (USIM/SIM) card or cannot obtain USIM/SIM card information.
  • USIM/SIM Universal Subscriber Identity Module/Subscriber Identity Module
  • the terminal may be implemented in various forms; for example, the terminal described in the present invention may include mobile terminals such as a mobile phone, a smart phone, a notebook computer, a digital broadcast receiver, a PDA (Personal Digital Assistant), a PAD (tablet computer), a PMP (Portable Multimedia Player), a navigation device and the like, and fixed terminals such as a digital TV, a desktop computer and the like.
  • PDA Personal Digital Assistant
  • PMP Portable Multimedia Player
  • the terminal is a mobile terminal.
  • those skilled in the art will appreciate that configurations according to embodiments of the present invention can also be applied to fixed terminals, apart from components that are specifically for mobile use.
  • a terminal certificate is installed on the terminal, which includes at least the IMSI (International Mobile Subscriber Identity) of the terminal used for communication services, and a server certificate is installed on the 3rd Generation Partnership Project Authentication, Authorization and Accounting (3GPP AAA) server.
  • the certificates are obtained by the network operator from a certificate authority; the procedure is not described in this embodiment.
  • the common name field of the terminal certificate holds the IMSI that the terminal uses for its services, and the terminal supports Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication.
  • EAP-TLS Extensible Authentication Protocol-Transport Layer Security
  • FIG. 1 is a schematic flowchart of a terminal authentication method according to a first embodiment of the present invention, where the method includes:
  • Step 101 The terminal initiates an attach request to the access gateway.
  • the EAP-IDENTITY prefix of the EAP-PAYLOAD attribute in the attach request is set to a character in A-Z or a-z; in this embodiment it is assumed that the network operator has preset the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the attach request to A.
  • Step 102 The access gateway receives an attach request sent by the terminal, and sends a DER message to the 3GPP AAA server.
  • after receiving the terminal's attach request, the access gateway sends a DER (Diameter-EAP-Request) message to the 3GPP AAA server according to the attach request.
  • DER Diameter-EAP-Request
  • the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is A.
  • the access gateway may be an Evolved Packet Data Gateway (ePDG); if the terminal accesses from a trusted WLAN network, the access gateway may be an HRPD Gateway (HSGW).
  • ePDG Evolved Packet Data Gateway
  • HSGW HRPD Gateway
  • Step 103 The 3GPP AAA server receives the DER message sent by the access gateway.
  • Step 104 The 3GPP AAA server checks whether the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is the preset character; if yes, it proceeds to step 105; if not, the process ends.
  • Step 105 Determine that the terminal is an EAP-TLS access.
  • Step 106 The 3GPP AAA server authenticates the terminal through EAP-TLS interaction.
  • the EAP-IDENTITY prefix in the DER message is extended in advance. The 3GPP protocol stipulates that the prefixes corresponding to the EAP-AKA authentication mode are 0, 2 and 4, and the prefixes corresponding to the EAP-AKA' authentication mode are 6, 7 and 8. Therefore, in this embodiment the English characters A-Z and a-z can be used for the extension; that is, the prefix corresponding to the EAP-TLS authentication mode is an English letter.
  • for example, the network operator can set the prefix to A, so that the prefix corresponding to the EAP-TLS authentication mode is the English character A.
  • once the 3GPP AAA server determines that the access request is an EAP-TLS access, the terminal is subsequently authenticated in the EAP-TLS authentication mode. If the authentication succeeds, the terminal can access the LTE network and use services such as VoWiFi.
  • in this embodiment the terminal initiates an initial attach request to the access gateway; according to the initial attach request, the access gateway sends a DER message to the 3GPP AAA server; the 3GPP AAA server receives the DER message and, on checking that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is a preset character, determines that the terminal is an EAP-TLS access and authenticates it through EAP-TLS interaction. The terminal authentication method in this embodiment thus enables a terminal without a USIM/SIM card, or one that cannot obtain USIM/SIM card information, to access the LTE network and use the VoWiFi service, improving the user experience.
  • a terminal authentication method provided by the second embodiment of the present invention is different from the first embodiment in that the step 106 specifically includes:
  • after receiving the handshake message sent by the access gateway, the 3GPP AAA server returns a server certificate to the access gateway;
  • the terminal receives the server certificate sent by the access gateway and verifies it, and when the server certificate is verified, the terminal sends the terminal certificate to the access gateway;
  • the 3GPP AAA server receives and verifies the terminal certificate sent by the access gateway, and sends a handshake completion message to the access gateway when the verification passes, completing the authentication of the terminal.
  • the interaction between the access gateway, the 3GPP AAA server and the terminal may refer to FIG. 2; the interaction process is as follows:
  • Step 201 The 3GPP AAA server returns a DEA (Diameter-EAP-Answer) message (TLS-Start), and starts EAP-TLS interaction with the access gateway.
  • DEA Diameter-EAP-Answer
  • Step 202 The terminal sends an EAP message to the access gateway.
  • Step 203 The access gateway receives the EAP message sent by the terminal, and sends a DER handshake message (TLS-Client Hello) to the 3GPP AAA server.
  • TLS-Client Hello a DER handshake message
  • Step 204 The 3GPP AAA server receives the DER handshake message sent by the access gateway, and returns a DEA message (TLS-Server Hello) carrying the certificate stored on the server to the access gateway.
  • DEA TLS-Server Hello
  • Step 205 The access gateway receives the server certificate sent by the 3GPP AAA server, and forwards the certificate to the terminal.
  • Step 206 The terminal receives the server certificate sent by the access gateway, and verifies the server certificate.
  • Step 207 When the server certificate is verified, the terminal sends the terminal certificate to the access gateway.
  • when the server certificate verification fails, the process proceeds to step 111.
  • Step 208 The access gateway receives the terminal certificate sent by the terminal, and sends a DER message to the 3GPP AAA server, where the DER message carries the terminal certificate information.
  • Step 209 The 3GPP AAA server receives the DER message sent by the access gateway, and performs verification on the terminal certificate.
  • the 3GPP AAA server verifies the CA signature, validity period and IMSI binding of the terminal certificate.
  • Step 210 When the terminal certificate is verified, the 3GPP AAA server sends a handshake complete DEA message to the access gateway to complete the authentication of the terminal.
  • Step 211 When the terminal certificate verification fails, the authentication fails and the returned message rejects the access request of the current terminal.
  • the terminal authentication method provided in this embodiment adopts two-way authentication: the 3GPP AAA server checks the terminal certificate to confirm that the terminal is a legitimate terminal, and the terminal checks the server certificate to confirm that the accessed network is a legitimate network, thereby improving the security of user access.
  • a third embodiment of the present invention provides another terminal authentication method.
  • the terminal authentication method is different from the second embodiment in that the method further includes:
  • after receiving the DER message in which the access gateway confirms receipt of the handshake completion message, the 3GPP AAA server sends a MAR (Multimedia-Authentication-Request) message and a SAR (Server-Assignment-Request) message to the EPC Home Subscriber Server (EPC-HSS) to obtain the authentication data and the user data, and performs an authorization check. When the authorization check succeeds, a DEA message indicating that the authorization check succeeded is sent to the access gateway, completing authorization between the terminal and the 3GPP AAA server.
  • MAR Multimedia-Authentication-Request
  • SAR Server-Assignment-Request
  • HSS Home Subscriber Server
  • after the 3GPP AAA server has performed EAP-TLS authentication on the terminal, the method further includes the following steps:
  • Step 301 The access gateway sends a DER message to the 3GPP AAA server to confirm that it has received the handshake completion DEA message sent by the 3GPP AAA server.
  • Step 302 The 3GPP AAA server receives the DER message sent by the access gateway, and sends a MAR message to the EPC Home Subscriber Server (EPC-HSS).
  • Step 303 The EPC-HSS server receives the MAR message sent by the 3GPP AAA server, and returns the authentication data to the 3GPP AAA server.
  • Step 304 The 3GPP AAA server acquires the authentication data sent by the EPC-HSS server, and performs an authorization check on the authentication data.
  • Step 305 The 3GPP AAA server sends a SAR message to the EPC-HSS server.
  • Step 306 The EPC-HSS server receives the SAR message sent by the 3GPP AAA server, and returns the user data to the 3GPP AAA server.
  • Step 307 The 3GPP AAA server acquires user data sent by the EPC-HSS server, and performs authorization check on the user data.
  • Step 308 The 3GPP AAA server sends a DEA message indicating that the authorization is successful to the access gateway, and then completes the authorization between the terminal and the 3GPP AAA server, and waits for the subsequent access procedure of the terminal.
  • in the terminal authentication method provided in this embodiment, the 3GPP AAA server sends a MAR message and a SAR message to the EPC-HSS server to obtain the authentication data and the user data and performs an authorization check; when the check of the authentication data and the user data succeeds, a DEA message indicating that the authorization check succeeded is sent to the access gateway, completing authorization between the terminal and the 3GPP AAA server.
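The first to third embodiments above describe one procedure: prefix dispatch on the DER message (steps 101-106), the EAP-TLS mutual certificate exchange (steps 201-211) and the MAR/SAR authorization check (steps 301-308). The following Python model, an added example and not code from the patent or from ZTE, walks that procedure end to end on the 3GPP AAA server side and shows each rejection path; the certificate (an HMAC-tagged record rather than X.509), the NAI-style identity, the HSS (a dictionary) and the server name aaa.example are constructed stand-ins.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

# Page's prefix table: 3GPP digits select EAP-AKA / EAP-AKA'; the operator-preset letter (A) selects EAP-TLS.
PREFIX_METHOD = {**dict.fromkeys("024", "EAP-AKA"), **dict.fromkeys("678", "EAP-AKA'"), "A": "EAP-TLS"}

def classify_identity(eap_identity):
    return PREFIX_METHOD.get(eap_identity[:1])   # method chosen by the first character, or None

# X.509 stand-in holding only the fields the page says get checked; signature = HMAC under the CA key (assumption).
Cert = namedtuple("Cert", "common_name issuer not_before not_after signature")

def _sign(ca_key, cn, issuer, nb, na):
    tbs = f"{cn}|{issuer}|{nb.isoformat()}|{na.isoformat()}".encode()
    return hmac.new(ca_key, tbs, hashlib.sha256).digest()

def issue_cert(ca_name, ca_key, cn, nb, na):   # simulated operator CA
    return Cert(cn, ca_name, nb, na, _sign(ca_key, cn, ca_name, nb, na))

def verify_cert(cert, ca_name, ca_key, now, expected_cn):
    """Step 209's checks in order: CA signature, validity period, identity (IMSI) binding."""
    good = _sign(ca_key, cert.common_name, cert.issuer, cert.not_before, cert.not_after)
    if cert.issuer != ca_name or not hmac.compare_digest(cert.signature, good):
        return False, "bad-ca-signature"
    if not cert.not_before <= now <= cert.not_after:
        return False, "outside-validity-period"
    if cert.common_name != expected_cn:   # terminal cert: CN must equal the IMSI in the identity
        return False, "identity-binding-mismatch"
    return True, "ok"

class AaaServer:
    """3GPP AAA server: one handle_der() call per DER relayed by the access gateway."""
    def __init__(self, ca_name, ca_key, server_cert, hss):
        self.ca_name, self.ca_key, self.server_cert, self.hss = ca_name, ca_key, server_cert, hss
        self.state, self.imsi = "IDLE", None

    def handle_der(self, der, now):
        if self.state == "IDLE" and der["eap"] == "Identity":                       # steps 103-105
            if classify_identity(der["identity"]) != "EAP-TLS":
                return self._end("NOT-EAP-TLS")                                      # step 104: ends
            self.imsi = der["identity"][1:].split("@", 1)[0]                        # NAI form assumed
            self.state = "TLS-STARTED"
            return {"dea": "TLS-Start"}                                              # step 201
        if self.state == "TLS-STARTED" and der["eap"] == "TLS-Client-Hello":         # steps 203-204
            self.state = "AWAIT-TERMINAL-CERT"
            return {"dea": "TLS-Server-Hello", "cert": self.server_cert}
        if self.state == "AWAIT-TERMINAL-CERT" and der["eap"] == "TLS-Client-Cert":  # steps 208-211
            ok, reason = verify_cert(der["cert"], self.ca_name, self.ca_key, now, self.imsi)
            if not ok:
                return self._end("REJECTED:" + reason)                               # step 211
            self.state = "HANDSHAKE-DONE"
            return {"dea": "TLS-Handshake-Complete"}                                 # step 210
        if self.state == "HANDSHAKE-DONE" and der["eap"] == "Ack":                   # steps 301-308
            sub = self.hss.get(self.imsi, {})        # dict stands in for MAR (auth) and SAR (profile)
            if sub.get("auth") is None or not sub.get("profile", {}).get("vowifi"):
                return self._end("REJECTED:authorization-check")
            self.state = "AUTHORIZED"
            return {"dea": "Authorization-Success"}                                  # step 308
        return self._end("REJECTED:unexpected-message")

    def _end(self, result):
        self.state = "ENDED"
        return {"dea": "Failure", "result": result}

def run_attach(terminal_cert, identity, server, ca_name, ca_key, now, server_name="aaa.example"):
    """Terminal side of the exchange; the access gateway only relays, so it stays implicit."""
    dea = server.handle_der({"eap": "Identity", "identity": identity}, now)     # steps 101-105
    if dea["dea"] != "TLS-Start":
        return dea["result"]
    dea = server.handle_der({"eap": "TLS-Client-Hello"}, now)                    # steps 202-205
    ok, reason = verify_cert(dea["cert"], ca_name, ca_key, now, server_name)     # step 206
    if not ok:
        return "TERMINAL-REJECTED-SERVER:" + reason
    dea = server.handle_der({"eap": "TLS-Client-Cert", "cert": terminal_cert}, now)  # 207-210
    if dea["dea"] != "TLS-Handshake-Complete":
        return dea["result"]
    dea = server.handle_der({"eap": "Ack"}, now)                                  # steps 301-308
    return "AUTHORIZED" if dea["dea"] == "Authorization-Success" else dea["result"]

def demo(scenario="good"):
    """Constructed fixture: operator CA, AAA server cert and one HSS subscriber with VoWiFi enabled."""
    ca_name, ca_key = "operator-ca", b"constructed-ca-key"
    now = datetime(2016, 6, 1, tzinfo=timezone.utc)
    valid = (now - timedelta(days=1), now + timedelta(days=365))
    imsi = "460001234567890"                                                    # constructed IMSI
    hss = {imsi: {"auth": {"vector": "constructed"}, "profile": {"vowifi": True}}}
    server = AaaServer(ca_name, ca_key, issue_cert(ca_name, ca_key, "aaa.example", *valid), hss)
    if scenario == "aka-identity":                     # digit prefix: the AAA does not run EAP-TLS
        return run_attach(None, "0" + imsi + "@nai.example", server, ca_name, ca_key, now)
    if scenario == "wrong-imsi":                       # properly signed, but CN is another IMSI
        cert = issue_cert(ca_name, ca_key, "460009999999999", *valid)
    elif scenario == "expired":
        cert = issue_cert(ca_name, ca_key, imsi, now - timedelta(days=30), now - timedelta(days=1))
    elif scenario == "forged-signature":               # signed under a key the operator CA never had
        cert = issue_cert(ca_name, b"some-other-key", imsi, *valid)
    else:
        cert = issue_cert(ca_name, ca_key, imsi, *valid)
    return run_attach(cert, "A" + imsi + "@nai.example", server, ca_name, ca_key, now)
```

Each rejection reason maps to one of the three checks the page lists for step 209, and a digit-prefixed identity never reaches the TLS exchange at all.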
  • a fourth embodiment of the present invention further provides a terminal authentication method, applied to a terminal that does not have a USIM/SIM card or cannot obtain USIM/SIM card information, where the method includes:
  • Step 401 Send an initial attach request to the access gateway, to send a DER message to the 3GPP AAA server by using the access gateway;
  • Step 402 When the 3GPP AAA server performs authentication authentication on the terminal through EAP-TLS interaction, receiving a server certificate forwarded by the access gateway;
  • the terminal certificate includes at least the IMSI information that the terminal performs a communication service.
  • Step 403 Verify the server certificate.
  • Step 404 When the server certificate is verified, send the terminal certificate to the access gateway, so that the access gateway forwards it to the 3GPP AAA server for verification.
  • in the terminal authentication method of this embodiment, the terminal sends an initial attach request to the access gateway and, when the 3GPP AAA server authenticates it through EAP-TLS interaction, receives and verifies the server certificate; this enables a terminal without a USIM/SIM card, or one that cannot obtain USIM/SIM card information, to access the LTE network and use the VoWiFi service, improving the user experience.
  • a fifth embodiment of the present invention further provides a terminal authentication method, which is applied to a 3GPP AAA server, where the method includes:
  • Step 501 Receive a DER message from an access gateway.
  • Step 502 Check whether the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute in the DER message is a preset character; if yes, go to step 503; if no, the process ends;
  • Step 503 Determine that the terminal is an EAP-TLS access, and authenticate the terminal through EAP-TLS interaction.
  • the authentication of the terminal through EAP-TLS interaction in step 503 is further described with reference to FIG. 6:
  • Step 601 Receive a handshake message from the access gateway.
  • Step 602 Send a server certificate to the access gateway, so that the terminal verifies the server certificate.
  • Step 603 When the terminal verifies the server certificate, the terminal certificate is received from the access gateway.
  • Step 604 Verify the terminal certificate.
  • Step 605 When the verification passes, send a handshake completion message to the access gateway to complete authentication of the terminal.
  • the terminal authentication method in this embodiment adopts two-way authentication: the 3GPP AAA server checks the terminal certificate to confirm that the terminal is a legitimate terminal, and the terminal checks the server certificate to confirm that the accessed network is a legitimate network, thereby improving the security of user access.
  • a sixth embodiment of the present invention further provides a terminal authentication method.
  • the terminal authentication method is different from the fifth embodiment in that the method further includes:
  • Step 701 Receive a DER message from the access gateway confirming receipt of a handshake completion message.
  • Step 702 Send a MAR message and a SAR message to the EPC-HSS server to obtain authentication data and user data and perform an authorization check;
  • Step 703 When the authorization check of the authentication data and the user data is successful, send a DEA message indicating that the authorization check succeeds to the access gateway.
  • the terminal authentication method in this embodiment receives from the access gateway the DER message acknowledging receipt of the handshake completion message, sends the MAR message and the SAR message to the EPC-HSS server to obtain the authentication data and the user data, and performs the authorization check.
  • the DEA message indicating that the authorization check succeeded is then sent to the access gateway, completing the authorization between the terminal and the 3GPP AAA server.
  • a seventh embodiment of the present invention further provides a terminal authentication system, where the system includes the terminal 810, an access gateway 820, and a 3GPP AAA server 830.
  • the terminal 810 is a terminal without a USIM/SIM card, or one unable to acquire USIM/SIM card information.
  • the terminal 810 can be implemented in various forms; for example, the terminal described in the present invention can include mobile terminals such as a mobile phone, a smart phone, a notebook computer, a digital broadcast receiver, a PDA (Personal Digital Assistant), a PAD (tablet computer), a PMP (portable multimedia player), a navigation device, and the like, and fixed terminals such as digital TVs, desktop computers, and the like.
  • the terminal is a mobile terminal.
  • those skilled in the art will appreciate that configurations in accordance with embodiments of the present invention can also be applied to fixed terminals, apart from components that are specifically for mobile purposes.
  • the terminal 810 is installed with a terminal certificate, the terminal certificate includes at least the IMSI information of the communication service performed by the terminal 810, and the 3GPP AAA server is installed with a server certificate.
  • the certificates are applied for by the network operator from a certificate authority; the procedure is not described in this embodiment.
  • the Common Name field in the terminal certificate is the IMSI of the service performed by the terminal, and the terminal supports EAP-TLS authentication.
  • the terminal 810 is configured to initiate an attach request to the access gateway 820.
  • the attach request carries the EAP-IDENTITY prefix of the EAP-PAYLOAD attribute; in this embodiment, the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the attach request is preset to A by the network operator.
  • the access gateway 820 is configured to receive the attach request sent by the terminal 810 and, according to the attach request, send a network access request (Diameter-EAP-Request, DER) message to the 3GPP AAA server 830.
  • the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is A.
  • the access gateway may be an Evolved Packet Data Gateway (ePDG); if the terminal accesses from a trusted WLAN network, the access gateway may be an HRPD Gateway (HSGW).
  • the 3GPP AAA server 830 is configured to receive the DER message sent by the access gateway 820 and check whether the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute in the DER message is a preset character; if so, it determines that the terminal is an EAP-TLS access and authenticates the terminal 810 through EAP-TLS interaction.
  • the EAP-IDENTITY prefix in the DER message is extended in advance.
  • the 3GPP protocol stipulates that the prefixes corresponding to the EAP-AKA authentication mode are 0, 2 and 4, and the prefixes corresponding to the EAP-AKA' authentication mode are 6, 7 and 8. Therefore, in this embodiment, the English letters A-Z or a-z can be used for the extension; that is, the prefix corresponding to the EAP-TLS authentication mode is an English letter.
  • for example, the network operator can set the prefix to A, that is, the prefix corresponding to the EAP-TLS authentication mode is the English letter A.
  • the 3GPP AAA server 830 then determines that the current access request is an EAP-TLS access, and the authentication of the terminal 810 follows the EAP-TLS authentication mode. If the authentication succeeds, the terminal 810 can access the LTE network and use services such as VoWiFi.
  • in summary, the terminal 810 initiates an initial attach request to the access gateway 820; according to the initial attach request, the access gateway 820 sends a DER message to the 3GPP AAA server 830; the 3GPP AAA server 830 receives the DER message, determines that the terminal 810 is an EAP-TLS access, and authenticates the terminal 810 through EAP-TLS interaction. It can be seen that the terminal authentication system in this embodiment enables a terminal without a USIM/SIM card, or one that cannot obtain USIM/SIM card information, to access the LTE network and use the VoWiFi service, improving the user experience.
  • the eighth embodiment of the present invention further provides a terminal authentication system.
  • the terminal authentication system is different from the seventh embodiment only in that, in this embodiment, when the 3GPP AAA server authenticates the terminal 810 through EAP-TLS interaction:
  • the 3GPP AAA server 830 is further configured to return a server certificate to the access gateway 820 after receiving the handshake message sent by the access gateway 820;
  • the terminal 810 is further configured to receive the server certificate sent by the access gateway 820 and verify the server certificate, and, after verifying the server certificate, send the terminal certificate to the access gateway 820;
  • the 3GPP AAA server 830 is further configured to receive and verify the terminal certificate sent by the access gateway 820, and, when the verification is successful, send a handshake completion message to the access gateway 820 to complete the authentication of the terminal 810.
  • when the 3GPP AAA server 830 performs EAP-TLS authentication on the terminal 810, the interaction between the access gateway 820, the 3GPP AAA server 830 and the terminal 810 is shown in FIG.
  • the 3GPP AAA server 830 returns a DEA message (TLS-Start) and begins the EAP-TLS interaction with the access gateway 820.
  • the terminal 810 is further configured to send an EAP message to the access gateway 820.
  • the access gateway 820 is further configured to receive the EAP message sent by the terminal 810 and send a DER handshake message (TLS-Client Hello) to the 3GPP AAA server 830.
  • the 3GPP AAA server 830 is further configured to receive the DER handshake message sent by the access gateway 820, and reply to the access gateway 820 with a DEA message (TLS-Server Hello) carrying the certificate information saved by the server.
  • the access gateway 820 is further configured to receive the server certificate sent by the 3GPP AAA server 830 and forward it to the terminal 810.
  • the terminal 810 is further configured to receive the server certificate sent by the access gateway 820 and verify the server certificate; when the verification passes, the terminal 810 sends the terminal certificate to the access gateway 820;
  • the access gateway 820 is further configured to receive the terminal certificate sent by the terminal 810, and send a DER message carrying the terminal certificate information to the 3GPP AAA server 830.
  • the 3GPP AAA server 830 is further configured to receive the DER message sent by the access gateway 820 and verify the terminal certificate.
  • the 3GPP AAA server 830 checks the CA signature, the validity period, and the IMSI binding in the terminal certificate information.
  • when the verification is successful, the 3GPP AAA server 830 sends the handshake-complete DEA message to the access gateway 820 to complete the authentication of the terminal 810;
  • the terminal authentication system provided in this embodiment adopts two-way authentication: the 3GPP AAA server 830 checks the terminal certificate to confirm that the terminal 810 is a legitimate terminal, and the terminal 810 checks the server certificate to confirm that the accessed network is a legitimate network, thereby improving the security of user access.
  • FIG. 9 is a terminal authentication system according to a ninth embodiment of the present invention.
  • the terminal authentication system is different from the eighth embodiment only in that the system further includes an EPC Home Subscriber Server (EPC-HSS) 910, where:
  • the EPC-HSS server 910 is configured to receive the MAR message and the SAR message sent by the 3GPP AAA server 830, and send the authentication data and the user data to the 3GPP AAA server;
  • the 3GPP AAA server 830 is further configured to perform an authorization check on the terminal according to the authentication data and the user data, and, when the authorization check succeeds, send a DEA message indicating that the authorization check succeeded to the access gateway, completing the authorization between the terminal and the 3GPP AAA server 830.
  • when the 3GPP AAA server 830 performs EAP-TLS authentication on the terminal 810, the interaction between the access gateway 820, the 3GPP AAA server 830, and the terminal 810 is as follows:
  • the access gateway 820 is further configured to send a DER message to the 3GPP AAA server 830 to acknowledge receipt of the DEA message sent by the 3GPP AAA server 830.
  • the 3GPP AAA server 830 is further configured to receive the DER message sent by the access gateway 820 and send the MAR message to the EPC-HSS server 910.
  • the EPC-HSS server 910 is configured to receive the MAR message sent by the 3GPP AAA server 830 and reply the authentication data to the 3GPP AAA server 830.
  • the 3GPP AAA server 830 is further configured to acquire authentication data sent by the EPC-HSS server 910.
  • the 3GPP AAA server 830 is further configured to perform authorization check on the authentication data and send the SAR message to the EPC-HSS server 910.
  • the EPC-HSS server 910 is further configured to receive the SAR message sent by the 3GPP AAA server 830 and reply the user data to the 3GPP AAA server 830.
  • the 3GPP AAA server 830 is further configured to acquire the user data sent by the EPC-HSS server 910, perform the authorization check on the user data, and send a DEA message indicating that the check succeeded to the access gateway 820, thereby completing the authorization between the terminal 810 and the 3GPP AAA server 830; it then waits for the subsequent access procedure of the terminal 810.
  • in the terminal authentication system provided in this embodiment, the 3GPP AAA server 830 sends a MAR message and a SAR message to the EPC-HSS server 910 to obtain the authentication data and the user data and perform the authorization check.
  • a DEA message indicating that the authorization check succeeded is then sent to the access gateway 820, completing the authorization between the terminal 810 and the 3GPP AAA server 830.
  • a tenth embodiment of the present invention further provides a terminal authentication apparatus, which is applied to a terminal 810 that has no USIM/SIM card or cannot obtain USIM/SIM card information, and the apparatus includes a first sending module 1010, a first receiving module 1020, a server certificate verification module 1030, and a second sending module 1040.
  • the first sending module 1010 is configured to send an initial attach request to the access gateway 820, to send a DER message to the 3GPP AAA server 830 through the access gateway 820;
  • the first receiving module 1020 is configured to receive the server certificate forwarded by the access gateway 820 when the 3GPP AAA server 830 authenticates the terminal 810 through EAP-TLS interaction;
  • the server certificate verification module 1030 is configured to verify the server certificate.
  • the second sending module 1040 is further configured to, when the server certificate is verified, send a terminal certificate to the access gateway 820, so that the terminal certificate is sent through the access gateway 820 to the 3GPP AAA server 830 for verification.
  • the terminal certificate includes at least the IMSI information of the communication service performed by the terminal.
  • the terminal authentication apparatus in this embodiment can have the terminal 810 authenticated by the 3GPP AAA server 830, and can enable a terminal without a USIM/SIM card, or one that cannot obtain USIM/SIM card information, to access the LTE network and use the VoWiFi service, improving the user experience.
  • an eleventh embodiment of the present invention further provides a terminal authentication apparatus, which is applied to a 3GPP AAA server, where the apparatus includes a third receiving module 1110, a determining module 1120, and an authentication passing module 1130, where:
  • the third receiving module 1110 is configured to receive a DER message from the access gateway 820.
  • the determining module 1120 is configured to check whether the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute in the DER message is a preset character.
  • the authentication passing module 1130 is configured to, when the determining module 1120 determines that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute in the DER message is a preset character, determine that the terminal 810 is an EAP-TLS access and authenticate the terminal 810 through EAP-TLS interaction.
  • the authentication passing module 1130 further includes a fourth receiving module 1140, a third sending module 1150, a fifth receiving module 1160, a checking module 1170, and a fourth sending module 1180, where:
  • the fourth receiving module 1140 is configured to receive a handshake message from the access gateway 820.
  • the third sending module 1150 is configured to send a server certificate to the access gateway 820, so that the terminal 810 verifies the server certificate.
  • the fifth receiving module 1160 is configured to receive a terminal certificate from the access gateway 820 when the terminal 810 has verified the server certificate;
  • the checking module 1170 is configured to verify the terminal certificate;
  • the fourth sending module 1180 is configured to send a handshake completion message to the access gateway 820 to complete the authentication of the terminal 810 when the check passes.
  • the terminal authentication apparatus of this embodiment adopts two-way authentication: the 3GPP AAA server checks the terminal certificate to confirm that the terminal is a legitimate terminal, and the terminal checks the server certificate to confirm that the accessed network is a legitimate network, thereby improving the security of user access.
  • a twelfth embodiment of the present invention further provides a terminal authentication apparatus.
  • the terminal authentication apparatus is different from the eleventh embodiment only in that the apparatus further includes a sixth receiving module 1210, a fifth sending module 1210, and a sixth sending module 1230, where:
  • the sixth receiving module 1210 is configured to receive a DER message from the access gateway 820 confirming receipt of the handshake completion message;
  • the fifth sending module is configured to send the MAR message and the SAR message to the EPC-HSS server 910 to obtain the authentication data and the user data and perform an authorization check;
  • the sixth sending module 1230 is configured to send a DEA message indicating that the authorization check succeeds to the access gateway 820 when the authorization check of the authentication data and the user data is successful.
  • in the terminal authentication apparatus of this embodiment, the sixth receiving module 1210 receives from the access gateway 820 the DER message acknowledging receipt of the handshake completion message, and the fifth sending module sends the MAR message and the SAR message to the EPC-HSS server 910 to obtain the authentication data and the user data and perform the authorization check.
  • the sixth sending module 1230 then sends a DEA message indicating that the authorization check succeeded to the access gateway 820, completing the authorization between the terminal 810 and the 3GPP AAA server 830.
  • Embodiments of the present invention also provide a storage medium.
  • the storage medium can be configured to store program code for performing the following steps:
  • the terminal initiates an initial attach request to the access gateway.
  • according to the initial attach request, the access gateway sends a DER message to the 3rd Generation Partnership Project Authentication, Authorization and Accounting (3GPP AAA) server.
  • the 3GPP AAA server receives the DER message and, when the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute in the DER message is a preset character, determines that the terminal is an Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) access.
  • the 3GPP AAA server authenticates the terminal through EAP-TLS interaction.
  • the storage medium is further arranged to store program code for performing the following steps:
  • after receiving the handshake message sent by the access gateway, the 3GPP AAA server returns a server certificate to the access gateway.
  • S2 The terminal receives the server certificate sent by the access gateway and verifies the server certificate. When the server certificate is verified, the terminal sends the terminal certificate to the access gateway.
  • the 3GPP AAA server receives and verifies the terminal certificate sent by the access gateway. When the check passes, the handshake completion message is sent to the access gateway to complete the authentication of the terminal.
  • the foregoing storage medium may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, and a magnetic memory.
  • in summary, the terminal initiates an initial attach request to the access gateway; according to the initial attach request, the access gateway sends a DER message to the 3GPP AAA server; the 3GPP AAA server receives the DER message and checks whether the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute in the DER message is a preset character; if so, the terminal is an EAP-TLS access, and the 3GPP AAA server authenticates the terminal through EAP-TLS interaction. Therefore, a terminal without a USIM/SIM card, or one that cannot obtain USIM/SIM card information, can access the LTE network and use the VoWiFi service, improving the user experience.
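The prefix check of step 502 (the 3GPP AAA server 830 reading the leading character of the EAP-IDENTITY in the DER message) is illustrated by the following Go program, which is an added example and not code from the patent or from ZTE. It parses an EAP-Response/Identity packet (RFC 3748 header: Code, Identifier, Length, Type), maps the digit prefixes the description lists (0, 2, 4 for EAP-AKA; 6, 7, 8 for EAP-AKA') and the operator-preset letter to an authentication method, and returns the IMSI that follows the prefix so it can later be compared with the terminal certificate. The Diameter framing of the DER message is omitted; the identity string, the realm, the IMSI and all function names are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// EAP packet constants from RFC 3748: Code 2 = Response, Type 1 = Identity.
const (
	eapCodeResponse byte = 2
	eapTypeIdentity byte = 1
)

// AuthMethod is the access method the 3GPP AAA server selects from the prefix.
type AuthMethod int

const (
	MethodUnknown AuthMethod = iota
	MethodEAPAKA
	MethodEAPAKAPrime
	MethodEAPTLS
)

func (m AuthMethod) String() string {
	return [...]string{"unknown", "EAP-AKA", "EAP-AKA'", "EAP-TLS"}[m]
}

// digitPrefixes are the 3GPP-defined leading characters that the description
// lists: 0, 2, 4 select EAP-AKA and 6, 7, 8 select EAP-AKA'.
var digitPrefixes = map[byte]AuthMethod{
	'0': MethodEAPAKA, '2': MethodEAPAKA, '4': MethodEAPAKA,
	'6': MethodEAPAKAPrime, '7': MethodEAPAKAPrime, '8': MethodEAPAKAPrime,
}

// BuildEAPIdentity builds an EAP-Response/Identity packet; it is used here
// only to construct sample input.
func BuildEAPIdentity(id byte, identity string) []byte {
	pkt := make([]byte, 5+len(identity))
	pkt[0], pkt[1], pkt[4] = eapCodeResponse, id, eapTypeIdentity
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	copy(pkt[5:], identity)
	return pkt
}

// ParseEAPIdentity validates the EAP header and returns the identity string.
func ParseEAPIdentity(pkt []byte) (string, error) {
	if len(pkt) < 5 || int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt) {
		return "", errors.New("EAP packet truncated or length field mismatch")
	}
	if pkt[0] != eapCodeResponse || pkt[4] != eapTypeIdentity {
		return "", errors.New("not an EAP-Response/Identity packet")
	}
	return string(pkt[5:]), nil
}

// ClassifyIdentity performs the step 502 check: the first character of the
// identity (the NAI username part) selects the method, and the digits after
// it are the IMSI. tlsPrefix is the operator-preset letter marking EAP-TLS.
func ClassifyIdentity(identity string, tlsPrefix byte) (AuthMethod, string, error) {
	// The EAP-TLS marker must be a letter so it can never collide with the
	// digit prefixes reserved for EAP-AKA and EAP-AKA'.
	if !isASCIILetter(tlsPrefix) {
		return MethodUnknown, "", fmt.Errorf("EAP-TLS prefix %q must be an English letter", tlsPrefix)
	}
	user := identity
	if i := strings.IndexByte(identity, '@'); i >= 0 {
		user = identity[:i] // drop the realm, keep <prefix><IMSI>
	}
	if len(user) < 2 || len(user) > 16 || !isDigits(user[1:]) {
		return MethodUnknown, "", errors.New("username must be one prefix character plus 1..15 IMSI digits")
	}
	prefix, imsi := user[0], user[1:]
	switch {
	case prefix == tlsPrefix:
		return MethodEAPTLS, imsi, nil
	case digitPrefixes[prefix] != MethodUnknown:
		return digitPrefixes[prefix], imsi, nil
	}
	// Step 502 "no" branch: neither a 3GPP digit prefix nor the preset letter.
	return MethodUnknown, "", fmt.Errorf("unrecognised EAP-IDENTITY prefix %q", prefix)
}

func isASCIILetter(c byte) bool { return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') }

func isDigits(s string) bool { return strings.TrimLeft(s, "0123456789") == "" }

func main() {
	// Constructed sample: the letter A, a made-up IMSI and a 3GPP-style realm;
	// none of these values come from the patent.
	pkt := BuildEAPIdentity(1, "A460001234567890@wlan.mnc001.mcc460.3gppnetwork.org")
	id, err := ParseEAPIdentity(pkt)
	if err != nil {
		panic(err)
	}
	method, imsi, err := ClassifyIdentity(id, 'A')
	fmt.Println(method, imsi, err)
}
```

The letter-only guard on the preset prefix is the practical point of the scheme: because the 3GPP digit prefixes are fixed, an operator that chose a digit as the EAP-TLS marker would silently route EAP-AKA subscribers into the certificate path, so the server refuses such a configuration instead of dispatching on it.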
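The terminal certificate check of step 604, which the description spells out as checking the CA signature, the validity period and the IMSI binding (Common Name equal to the IMSI), is shown below as an added Go example; it is not code from the patent or from ZTE. An operator CA and a terminal certificate are generated inline with Go's standard crypto/x509 package so the example runs offline; the CA name, the IMSI and the function names are constructed for the example, and the real EAP-TLS transport of the certificate is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// OperatorCA stands in for the certificate authority that the description
// says the operator obtains certificates from; it is constructed for this
// example only.
type OperatorCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewOperatorCA creates a self-signed ECDSA P-256 root valid from now on.
func NewOperatorCA(now time.Time) (*OperatorCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Operator CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &OperatorCA{Cert: cert, Key: key}, nil
}

// Roots returns the trust store the 3GPP AAA server would hold for this CA.
func (ca *OperatorCA) Roots() *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	return pool
}

// IssueTerminalCert issues a terminal certificate whose Common Name is the
// IMSI, which is how the description binds the certificate to the subscriber.
func (ca *OperatorCA) IssueTerminalCert(imsi string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // a fixed serial suffices for this single-certificate toy
		Subject:      pkix.Name{CommonName: imsi},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
}

// VerifyTerminalCert performs the three checks the description assigns to the
// 3GPP AAA server: CA signature (chain to a trusted root), validity period at
// `now`, and IMSI binding (CN must equal the IMSI taken from the EAP identity).
func VerifyTerminalCert(certDER []byte, roots *x509.CertPool, claimedIMSI string, now time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("parse terminal certificate: %w", err)
	}
	// Verify checks the CA signature chain and the validity window together.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("CA signature or validity check failed: %w", err)
	}
	if cert.Subject.CommonName != claimedIMSI {
		return fmt.Errorf("IMSI binding failed: CN %q != identity IMSI %q", cert.Subject.CommonName, claimedIMSI)
	}
	return nil
}

func main() {
	now := time.Now()
	ca, err := NewOperatorCA(now)
	if err != nil {
		panic(err)
	}
	// Constructed sample IMSI; not a value from the patent.
	der, err := ca.IssueTerminalCert("460001234567890", now.Add(-time.Minute), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("IMSI match:", VerifyTerminalCert(der, ca.Roots(), "460001234567890", now))
}
```

The IMSI passed to VerifyTerminalCert is the one extracted from the EAP identity earlier in the attach, so the check ties the cryptographic identity in the certificate to the subscriber identity the HSS will later be asked about in the MAR/SAR exchange; a certificate that chains correctly but names a different IMSI is rejected.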

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed are a terminal authentication method, device and system, belonging to the technical field of communications and applicable to a terminal which does not have a USIM/SIM card or a terminal which cannot obtain USIM/SIM card information. The terminal authentication method comprises: a terminal initiating an initial attach request to an access gateway; the access gateway transmitting a DER message to a 3GPP AAA server according to the initial attach request; the 3GPP AAA server receiving the DER message and determining that the terminal is an EAP-TLS access when the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute in the DER message is a preset character; and the 3GPP AAA server authenticating the terminal by means of EAP-TLS interaction. It can be seen that the terminal authentication method in this embodiment enables a terminal which does not have a USIM/SIM card, or a terminal which cannot obtain USIM/SIM card information, to access an LTE network and use a VoWiFi service, thereby improving the user experience.

Description

Terminal authentication method, device and system
Technical field
The embodiments of the present invention relate to the field of communications technologies, and in particular to a terminal authentication method, apparatus and system.
Background
With the rapid development of network technology, users' communication needs are continually migrating from fixed voice services to mobile communication services. Mobile communication has developed to the fourth generation Long Term Evolution (4G LTE) network, and a user terminal can access it through a Wireless Local Area Network (WLAN) to use voice over WiFi (VoWiFi) services, such as VoWiFi calls.
In the related art, a terminal accesses the LTE network over WLAN and authenticates to the network with the Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) or EAP-AKA' method, using a Universal Subscriber Identity Module/Subscriber Identity Module (USIM/SIM). EAP-AKA is an EAP-based authentication and access method for third-generation mobile communication, and EAP-AKA' is a newer authentication method obtained by revising EAP-AKA.
However, both of the above authentication methods require the terminal to have a USIM/SIM card. A terminal without a USIM/SIM card (such as a PAD or PC), or a terminal that cannot obtain USIM/SIM card information because of permission or system restrictions, can neither access the LTE network nor use the VoWiFi service, which is inconvenient for users.
Summary of the invention
The main purpose of the embodiments of the present invention is to provide a terminal authentication method, device and system, aiming to solve the problem in the related art that a cardless terminal, or a terminal that cannot obtain USIM/SIM card information, cannot access the LTE network.
To achieve the above object, an embodiment of the present invention provides a terminal authentication method, the method including: a terminal initiates an initial attach request to an access gateway; according to the initial attach request, the access gateway sends a DER message to a 3rd Generation Partnership Project Authentication, Authorization and Accounting (3GPP AAA) server; the 3GPP AAA server receives the DER message and, when it determines that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute in the DER message is a preset character, the terminal is an Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) access; and the 3GPP AAA server authenticates the terminal through EAP-TLS interaction.
Optionally, the 3GPP AAA server authenticating the terminal through EAP-TLS interaction includes: after receiving a handshake message sent by the access gateway, the 3GPP AAA server returns a server certificate to the access gateway; the terminal receives the server certificate sent by the access gateway and verifies the server certificate, and when the server certificate is verified, the terminal sends a terminal certificate to the access gateway; the 3GPP AAA server receives and checks the terminal certificate sent by the access gateway, and when the check passes, sends a handshake completion message to the access gateway to complete the authentication of the terminal.
Optionally, the method further includes: after receiving from the access gateway a DER message acknowledging receipt of the handshake completion message, the 3GPP AAA server sends a MAR message and a SAR message to the Evolved Packet Core-Home Subscriber Server (EPC-HSS) to obtain authentication data and user data and perform an authorization check, and when the authorization check succeeds, sends a DEA message indicating that the authorization check succeeded to the access gateway, completing the authorization between the terminal and the 3GPP AAA server.
Optionally, the EAP-IDENTITY prefix in the DER message is extended to use English letters; when the prefix is a preset character, the authentication mode is EAP-TLS, where the preset character is an English letter.
Optionally, the terminal is installed with a terminal certificate that includes at least the IMSI information of the communication service performed by the terminal, and the 3GPP AAA server is installed with a server certificate.
In addition, to achieve the above object, an embodiment of the present invention further provides a terminal authentication method applied to a terminal without a Universal Subscriber Identity Module/Subscriber Identity Module (USIM/SIM) or a terminal that cannot obtain USIM/SIM card information, the method including: sending an initial attach request to an access gateway, so that the access gateway sends a DER message to the 3GPP AAA server; when the 3GPP AAA server authenticates the terminal through EAP-TLS interaction, receiving a server certificate forwarded by the access gateway; verifying the server certificate; and when the server certificate is verified, sending a terminal certificate to the access gateway, so that the access gateway sends the terminal certificate to the 3GPP AAA server for checking.
Optionally, the terminal certificate includes at least the IMSI information of the communication service performed by the terminal.
In addition, to achieve the above object, an embodiment of the present invention further provides a terminal authentication method applied to a 3GPP AAA server, the method including: receiving a DER message from an access gateway; and when it is determined that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute in the DER message is a preset character, treating the terminal as an EAP-TLS access and authenticating the terminal through EAP-TLS interaction.
Optionally, authenticating the terminal through EAP-TLS interaction includes: receiving a handshake message from the access gateway; sending a server certificate to the access gateway so that the terminal verifies the server certificate; when the terminal has verified the server certificate, receiving a terminal certificate from the access gateway; checking the terminal certificate; and when the check passes, sending a handshake completion message to the access gateway to complete the authentication of the terminal.
Optionally, the method further includes: receiving from the access gateway a DER message acknowledging receipt of the handshake completion message; sending a MAR message and a SAR message to the EPC-HSS server to obtain authentication data and user data and perform an authorization check; and when the authorization check of the authentication data and the user data succeeds, sending a DEA message indicating that the authorization check succeeded to the access gateway.
In addition, to achieve the above object, an embodiment of the present invention further provides a terminal authentication system, the system including a terminal, an access gateway and a 3GPP AAA server, where: the terminal is configured to initiate an initial attach request to the access gateway; the access gateway is configured to send a DER message to the 3GPP AAA server according to the initial attach request; and the 3GPP AAA server is configured to receive the DER message and, when it determines that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute in the DER message is a preset character, treat the terminal as an EAP-TLS access and authenticate the terminal through EAP-TLS interaction.
Optionally, the 3GPP AAA server is further configured to return a server certificate to the access gateway after receiving the handshake message sent by the access gateway; the terminal is further configured to receive the server certificate sent by the access gateway and verify the server certificate, and after the server certificate is verified, send a terminal certificate to the access gateway; and the 3GPP AAA server is further configured to receive and check the terminal certificate sent by the access gateway, and when the check succeeds, send a handshake completion message to the access gateway to complete the authentication of the terminal.
Optionally, the system further includes an EPC-HSS server, where: the EPC-HSS server is configured to receive the MAR message and the SAR message sent by the 3GPP AAA server and send authentication data and user data to the 3GPP AAA server; and the 3GPP AAA server is further configured to perform an authorization check on the terminal according to the authentication data and the user data, and when the authorization check succeeds, send a DEA message indicating that the authorization check succeeded to the access gateway, completing the authorization between the terminal and the 3GPP AAA server.
Optionally, the EAP-IDENTITY prefix in the DER message is extended to use English letters; when the prefix is a preset character, the authentication mode is EAP-TLS, where the preset character is an English letter.
Optionally, the terminal is installed with a terminal certificate that includes at least the IMSI information of the communication service performed by the terminal, and the 3GPP AAA server is installed with a server certificate.
In addition, to achieve the above object, an embodiment of the present invention further provides a terminal authentication apparatus applied to a terminal without a USIM/SIM card or a terminal that cannot obtain USIM/SIM card information, the apparatus including: a first sending module configured to send an initial attach request to an access gateway, so that the access gateway sends a DER message to the 3GPP AAA server; a first receiving module configured to receive a server certificate forwarded by the access gateway when the 3GPP AAA server authenticates the terminal through EAP-TLS interaction; a server certificate verification module configured to verify the server certificate; and a second sending module further configured to send a terminal certificate to the access gateway when the server certificate is verified, so that the access gateway sends the terminal certificate to the 3GPP AAA server for checking.
可选地,所述终端证书中至少包含所述终端进行通信业务的IMSI信息。Optionally, the terminal certificate includes at least the IMSI information that the terminal performs a communication service.
此外,为实现上述目的,本发明实施例还提出一种终端认证装置,应用于3GPP AAA服务器中,所述装置包括:第三接收模块,设置为接收来自接入网关的DER消息;认证通过模块,设置为当确定所述DER消息中的EAP-PAYLOAD属性中的EAP-IDENTITY前缀为预设的字符时,则所述终端为EAP-TLS接入,并通过EAP-TLS交互对所述终端进行鉴权认证。In addition, in order to achieve the above object, an embodiment of the present invention further provides a terminal authentication apparatus, which is applied to a 3GPP AAA server, where the apparatus includes: a third receiving module, configured to receive a DER message from an access gateway; and an authentication pass module When the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute in the DER message is determined to be a preset character, the terminal is EAP-TLS access, and the terminal is performed through EAP-TLS interaction. Authentication certification.
可选地,所述认证通过模块进一步包括:第四接收模块,设置为接收来自所述接入网关的握手消息;第三发送模块,设置为发送服务端证书给所述接入网关,以使所述终端对所述服务端证书进行验证;第五接收模块,设置为当所述终端对所述服务端证书验证通过时,则接收来自所述接入网关的终端证书;校验模块,设置为校验所述终端证书;第四发送模块,设置为当校验通过时,发送握手完成消息给所述接入网关,以完成对所述终端的认证。Optionally, the authentication pass module further includes: a fourth receiving module, configured to receive a handshake message from the access gateway; and a third sending module, configured to send a server certificate to the access gateway, so that The terminal is configured to verify the server certificate; the fifth receiving module is configured to: when the terminal verifies the server certificate, pass the terminal certificate from the access gateway; the verification module sets To verify the terminal certificate, the fourth sending module is configured to send a handshake completion message to the access gateway when the verification passes, to complete the authentication of the terminal.
可选地,所述装置还包括:第六接收模块,设置为接收来自所述接入网关的确认收到握手完成消息的DER消息;第五发送模块,设置为发送MAR消息和SAR消息给EPC-HSS服务器,以获取鉴权数据和用户数据并进行授权检查;第六发送模块,设置为当对所述鉴权数据和所述用户数 据的授权检查成功时,则发送授权检查成功的DEA消息给所述接入网关。Optionally, the device further includes: a sixth receiving module, configured to receive a DER message from the access gateway for confirming receipt of a handshake completion message; and a fifth sending module, configured to send a MAR message and a SAR message to the EPC - an HSS server to obtain authentication data and user data and perform an authorization check; a sixth sending module, configured to when the authentication data and the number of users are When the authorization check is successful, a DEA message indicating that the authorization check succeeds is sent to the access gateway.
在本发明实施例中,还提供了一种计算机存储介质,该计算机存储介质可以存储有执行指令,该执行指令用于执行上述实施例中的终端认证方法。In the embodiment of the present invention, a computer storage medium is further provided, and the computer storage medium may store an execution instruction, where the execution instruction is used to execute the terminal authentication method in the foregoing embodiment.
本发明实施例提出的终端认证方法、装置及系统,通过终端向接入网关发起初始附着请求,根据所述初始附着请求,所述接入网关向3GPP AAA服务器发送DER消息,3GPP AAA服务器接收所述DER消息,当检查所述DER消息中的EAP-PAYLOAD属性中的EAP-IDENTITY前缀包含预设的字符时,判定所述终端为EAP-TLS接入,且3GPP AAA服务器通过EAP-TLS交互对所述终端进行鉴权认证。从而能够使USIM/SIM卡终端或者无法获取USIM/SIM卡信息的终端接入LTE网络,并使用VoWiFi业务,提高了用户体验。The terminal authentication method, device and system according to the embodiment of the present invention initiates an initial attach request to the access gateway by the terminal, and according to the initial attach request, the access gateway sends a DER message to the 3GPP AAA server, and the 3GPP AAA server receives the Declaring that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute in the DER message contains a preset character, determining that the terminal is EAP-TLS access, and the 3GPP AAA server interacts through EAP-TLS The terminal performs authentication and authentication. Therefore, the USIM/SIM card terminal or the terminal that cannot obtain the USIM/SIM card information can access the LTE network and use the VoWiFi service to improve the user experience.
Description of the drawings
FIG. 1 is a schematic flowchart of a terminal authentication method according to a first embodiment of the present invention;
FIG. 2 is a schematic flowchart of a terminal authentication method according to a second embodiment of the present invention;
FIG. 3 is a schematic flowchart of a terminal authentication method according to a third embodiment of the present invention;
FIG. 4 is a schematic flowchart of a terminal authentication method according to a fourth embodiment of the present invention;
FIG. 5 is a schematic flowchart of a terminal authentication method according to a fifth embodiment of the present invention;
FIG. 6 is a schematic flowchart of a sub-process of the terminal authentication method according to the fifth embodiment of the present invention;
FIG. 7 is a schematic flowchart of a terminal authentication method according to a sixth embodiment of the present invention;
FIG. 8 is a schematic block diagram of a terminal authentication system according to a seventh embodiment of the present invention;
FIG. 9 is a schematic block diagram of a terminal authentication system according to a ninth embodiment of the present invention;
FIG. 10 is a schematic block diagram of a terminal authentication apparatus according to a tenth embodiment of the present invention;
FIG. 11 is a schematic block diagram of a terminal authentication apparatus according to an eleventh embodiment of the present invention;
FIG. 12 is a schematic block diagram of a terminal authentication apparatus according to a twelfth embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further described with reference to the embodiments and the accompanying drawings.
Detailed description
It should be understood that the specific embodiments described here are intended only to explain the present invention and not to limit it.
A mobile terminal implementing the embodiments of the present invention will now be described with reference to the accompanying drawings. In the following description, suffixes such as "module", "component" or "unit" used to denote elements are used only to facilitate the description of the present invention and have no specific meaning in themselves; "module" and "component" may therefore be used interchangeably.
The first embodiment of the present invention provides a terminal authentication method applicable to a terminal without a Universal Subscriber Identity Module/Subscriber Identity Module (USIM/SIM) card, or a terminal that cannot obtain USIM/SIM card information.
In this embodiment the terminal may take various forms; for example, the terminals described in the present invention may include mobile terminals such as mobile phones, smartphones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players) and navigation devices, as well as fixed terminals such as digital TVs and desktop computers. In the following it is assumed that the terminal is a mobile terminal. Those skilled in the art will understand, however, that apart from elements used specifically for mobile purposes, the configurations according to the embodiments of the present invention can also be applied to fixed terminals.
The terminal is provisioned with a terminal certificate that contains at least the IMSI (International Mobile Subscriber Identification Number) that the terminal uses for communication services, and the 3rd Generation Partnership Project Authentication, Authorization and Accounting (3GPP AAA) server is provisioned with a server certificate. The certificates are issued by a certificate authority on application by the network operator; this is not described further here.
Optionally, the common name field of the terminal certificate is the IMSI that the terminal uses for its services, and the terminal supports Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) authentication.
FIG. 1 is a schematic flowchart of the terminal authentication method provided by the first embodiment of the present invention. The method includes:
Step 101: the terminal initiates an attach request to the access gateway.
Specifically, the EAP-IDENTITY prefix of the EAP-PAYLOAD attribute in the attach request is set to one of the characters A-Z or a-z; in this embodiment it is assumed that the network operator has preset the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the attach request to A.
Step 102: the access gateway receives the attach request sent by the terminal and sends a DER message to the 3GPP AAA server.
Specifically, after receiving the attach request from the terminal, the access gateway sends a DER (Diameter-EAP-Request) message to the 3GPP AAA server according to the attach request; it will be understood that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of this DER message is A.
Optionally, as those skilled in the art will understand, if the terminal accesses from an untrusted WiFi network the access gateway may be an Evolved Packet Data Gateway (ePDG), and if the terminal accesses from a trusted WLAN the access gateway may be an HRPD Serving Gateway (HSGW).
Step 103: the 3GPP AAA server receives the DER message sent by the access gateway.
Step 104: the 3GPP AAA server checks whether the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is the preset character; if so, proceed to step 105; if not, the flow ends.
Step 105: determine that the terminal is an EAP-TLS access.
Step 106: the 3GPP AAA server authenticates the terminal through an EAP-TLS exchange.
Specifically, the EAP-IDENTITY prefix in the DER message is extended in advance. The 3GPP specifications assign the prefixes 0, 2 and 4 to the EAP-AKA authentication method and the prefixes 6, 7 and 8 to the EAP-AKA' authentication method; this embodiment therefore extends the prefix to the English letters A-Z and a-z, so that the prefix corresponding to the EAP-TLS method is an English letter. Further, the network operator can set this prefix to A, so that the prefix corresponding to the EAP-TLS method is the English letter A.
Therefore, when the 3GPP AAA server receives a DER message from the access gateway in which the EAP-IDENTITY prefix of the EAP-PAYLOAD attribute is the preset character A, the 3GPP AAA server determines that this access request is an EAP-TLS access, and the subsequent authentication of the terminal uses the EAP-TLS method; if authentication succeeds, the terminal can access the LTE network and use services such as VoWiFi.
In the terminal authentication method provided by this embodiment, the terminal initiates an initial attach request to the access gateway; according to the initial attach request, the access gateway sends a DER message to the 3GPP AAA server; the 3GPP AAA server receives the DER message and, when it finds that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message contains the preset character, determines that the terminal is an EAP-TLS access and authenticates the terminal through an EAP-TLS exchange. It can be seen that the terminal authentication method of this embodiment enables a terminal without a USIM/SIM card, or one that cannot obtain USIM/SIM card information, to access the LTE network and use the VoWiFi service, improving the user experience.
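As an added example (not code from the patent), the step-104 prefix decision on the 3GPP AAA server side in Go: the 3GPP digit prefixes keep their EAP-AKA and EAP-AKA' meaning, the operator-preset letter A selects EAP-TLS, and any other prefix ends the flow. The "<prefix><body>@<realm>" NAI layout, the realm string and the IMSI values are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AuthMethod is the EAP method the 3GPP AAA server selects from the
// EAP-IDENTITY prefix carried in the EAP-PAYLOAD attribute of the DER message.
type AuthMethod string

const (
	EapAka      AuthMethod = "EAP-AKA"
	EapAkaPrime AuthMethod = "EAP-AKA'"
	EapTls      AuthMethod = "EAP-TLS"
)

// presetTlsPrefix is the letter the operator presets for EAP-TLS access.
// The page uses 'A'; the extension reserves A-Z and a-z for this purpose.
const presetTlsPrefix byte = 'A'

// Identity is a parsed EAP-IDENTITY. The prefix-first layout is what the page
// describes; the "<prefix><body>@<realm>" NAI layout is an assumption here.
type Identity struct {
	Prefix byte
	Body   string // IMSI or pseudonym for EAP-AKA/AKA'; operator-defined for EAP-TLS
	Realm  string
}

// ParseIdentity splits an EAP-IDENTITY into prefix, body and realm.
func ParseIdentity(id string) (Identity, error) {
	user, realm, hasRealm := strings.Cut(id, "@")
	if !hasRealm || realm == "" {
		return Identity{}, errors.New("EAP-IDENTITY has no realm")
	}
	if len(user) < 2 {
		return Identity{}, errors.New("EAP-IDENTITY has no prefix or body")
	}
	return Identity{Prefix: user[0], Body: user[1:], Realm: realm}, nil
}

func isAsciiLetter(c byte) bool {
	return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
}

// SelectAuthMethod is the step-104 check: digit prefixes 0/2/4 map to EAP-AKA,
// 6/7/8 to EAP-AKA', the preset letter to EAP-TLS. A letter that is not the
// preset one is not a configured method, and any other prefix is rejected,
// which corresponds to the flow ending at step 104.
func SelectAuthMethod(id string) (AuthMethod, error) {
	ident, err := ParseIdentity(id)
	if err != nil {
		return "", err
	}
	switch p := ident.Prefix; {
	case p == '0' || p == '2' || p == '4':
		return EapAka, nil
	case p == '6' || p == '7' || p == '8':
		return EapAkaPrime, nil
	case isAsciiLetter(p):
		if p != presetTlsPrefix {
			return "", fmt.Errorf("letter prefix %q is not the preset EAP-TLS prefix %q", p, presetTlsPrefix)
		}
		return EapTls, nil
	default:
		return "", fmt.Errorf("unknown EAP-IDENTITY prefix %q", p)
	}
}

func main() {
	// Constructed identities; the realm follows the 3GPP NAI realm pattern.
	for _, id := range []string{
		"0460011234567890@nai.epc.mnc001.mcc460.3gppnetwork.org",
		"6460011234567890@nai.epc.mnc001.mcc460.3gppnetwork.org",
		"A460011234567890@nai.epc.mnc001.mcc460.3gppnetwork.org",
		"B460011234567890@nai.epc.mnc001.mcc460.3gppnetwork.org",
		"1460011234567890@nai.epc.mnc001.mcc460.3gppnetwork.org",
	} {
		m, err := SelectAuthMethod(id)
		fmt.Printf("%s -> %q err=%v\n", id, m, err)
	}
}
```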
The second embodiment of the present invention provides a terminal authentication method. Compared with the first embodiment, the terminal authentication method of the second embodiment differs only in that step 106 specifically includes:
a. after receiving the handshake message sent by the access gateway, the 3GPP AAA server returns the server certificate to the access gateway;
b. the terminal receives the server certificate sent by the access gateway and verifies it; when the server certificate passes verification, the terminal sends the terminal certificate to the access gateway;
c. the 3GPP AAA server receives and checks the terminal certificate sent by the access gateway; when the check passes, it sends a handshake completion message to the access gateway to complete authentication of the terminal.
Specifically, in practice, when the 3GPP AAA server performs EAP-TLS authentication of the terminal after step 105, the exchange between the access gateway, the 3GPP AAA server and the terminal may be as shown in FIG. 2 and proceeds as follows:
Step 201: the 3GPP AAA server returns a DEA (Diameter-EAP-Answer) message (TLS-Start) and starts the EAP-TLS exchange with the access gateway.
Step 202: the terminal sends an EAP message to the access gateway.
Step 203: the access gateway receives the EAP message sent by the terminal and sends a DER handshake message (TLS-Client Hello) to the 3GPP AAA server.
Step 204: the 3GPP AAA server receives the DER handshake message sent by the access gateway and replies to the access gateway with a DEA message (TLS-Server Hello) that returns the certificate information held by the server.
Step 205: the access gateway receives the server certificate sent by the 3GPP AAA server and forwards it to the terminal.
Step 206: the terminal receives the server certificate sent by the access gateway and verifies the server certificate.
Step 207: when the server certificate passes verification, the terminal sends the terminal certificate to the access gateway.
When verification of the server certificate fails, proceed to step 111.
Step 208: the access gateway receives the terminal certificate sent by the terminal and sends a DER message carrying the terminal certificate information to the 3GPP AAA server.
Step 209: the 3GPP AAA server receives the DER message sent by the access gateway and checks the terminal certificate.
Specifically, the 3GPP AAA server checks the CA signature, the validity period and the IMSI binding of the terminal certificate.
Step 210: when the terminal certificate check passes, the 3GPP AAA server sends a handshake completion DEA message to the access gateway to complete authentication of the terminal.
When the terminal certificate check fails, proceed to step 211.
Step 211: authentication fails, and a message is returned rejecting the access request of the current terminal.
The terminal authentication method provided by this embodiment uses mutual authentication: the 3GPP AAA server checks the terminal certificate to confirm that the terminal is legitimate, and the terminal checks the server certificate to confirm that the network being accessed is legitimate, which improves the security of user access.
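As an added example (not the patent's code), the three step-209 checks on the terminal certificate in Go with the standard crypto/x509 package: the chain must end at the operator CA, the certificate must be within its validity period at the time of the check, and the common name must equal the IMSI of the attaching terminal, as the page describes. The in-memory CA, the P-256 key type and the IMSI value are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VerifyTerminalCert performs the step-209 checks on the terminal certificate
// carried in the DER message: CA signature (chain to an operator CA in roots),
// validity period at instant now, and the IMSI binding (CN == IMSI).
func VerifyTerminalCert(leaf *x509.Certificate, roots *x509.CertPool, imsi string, now time.Time) error {
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now, // NotBefore/NotAfter are checked against this instant
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		// Covers an unknown or invalid CA signature as well as an expired or
		// not-yet-valid certificate anywhere in the chain.
		return fmt.Errorf("CA signature or validity check failed: %w", err)
	}
	if imsi == "" || leaf.Subject.CommonName != imsi {
		return fmt.Errorf("IMSI binding failed: certificate CN %q does not match IMSI %q",
			leaf.Subject.CommonName, imsi)
	}
	return nil
}

// newTestChain builds an operator CA and a terminal certificate in memory so
// the example runs offline; the terminal certificate's CN is the IMSI, as the
// page describes. Constructed test data, not an operator PKI.
func newTestChain(imsi string, notBefore, notAfter time.Time) (*x509.Certificate, *x509.CertPool, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Operator EAP-TLS CA (test)"},
		NotBefore:             notBefore.Add(-365 * 24 * time.Hour),
		NotAfter:              notAfter.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: imsi}, // the IMSI binding lives here
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return leaf, roots, nil
}

func main() {
	const imsi = "460011234567890" // constructed IMSI
	now := time.Now()
	leaf, roots, err := newTestChain(imsi, now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("valid terminal:", VerifyTerminalCert(leaf, roots, imsi, now))
	fmt.Println("wrong IMSI:    ", VerifyTerminalCert(leaf, roots, "460019999999999", now))
	fmt.Println("expired:       ", VerifyTerminalCert(leaf, roots, imsi, now.Add(48*time.Hour)))
	fmt.Println("unknown CA:    ", VerifyTerminalCert(leaf, x509.NewCertPool(), imsi, now))
}
```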
The third embodiment of the present invention provides another terminal authentication method. Compared with the second embodiment, the terminal authentication method of the third embodiment differs only in that the method further includes:
after receiving, from the access gateway, the DER message confirming receipt of the handshake completion message, the 3GPP AAA server sends a MAR (Multimedia-Authentication-Request) message and a SAR (Server-Assignment-Request) message to the EPC Home Subscriber Server (HSS) to obtain authentication data and user data and perform an authorization check; when the authorization check succeeds, it sends a DEA message indicating that the authorization check succeeded to the access gateway, completing the authorization between the terminal and the 3GPP AAA server.
Specifically, referring to FIG. 2 and FIG. 3 together, in practice the EAP-TLS authentication of the terminal by the 3GPP AAA server further includes the following steps after step 210:
Step 301: the access gateway sends a DER message to the 3GPP AAA server to confirm receipt of the handshake completion DEA message sent by the 3GPP AAA server.
Step 302: the 3GPP AAA server receives the DER message sent by the access gateway and sends a MAR message to the EPC Home Subscriber Server (HSS).
Step 303: the EPC-HSS server receives the MAR message sent by the 3GPP AAA server and returns authentication data to the 3GPP AAA server.
Step 304: the 3GPP AAA server obtains the authentication data sent by the EPC-HSS server and performs an authorization check on the authentication data.
Step 305: the 3GPP AAA server sends a SAR message to the EPC-HSS server.
Step 306: the EPC-HSS server receives the SAR message sent by the 3GPP AAA server and returns user data to the 3GPP AAA server.
Step 307: the 3GPP AAA server obtains the user data sent by the EPC-HSS server and performs an authorization check on the user data.
Step 308: the 3GPP AAA server sends a DEA message indicating that the authorization check succeeded to the access gateway, thereby completing the authorization between the terminal and the 3GPP AAA server, and waits for the terminal's subsequent access procedure.
In the terminal authentication method provided by this embodiment, the 3GPP AAA server sends a MAR message and a SAR message to the EPC-HSS server to obtain authentication data and user data and perform an authorization check; when the authorization check on the authentication data and the user data succeeds, it sends a DEA message indicating that the authorization check succeeded to the access gateway, completing the authorization between the terminal and the 3GPP AAA server.
Referring to FIG. 4, the fourth embodiment of the present invention further provides a terminal authentication method, applied in a terminal without a USIM/SIM card or a terminal that cannot obtain USIM/SIM card information. The method includes:
Step 401: send an initial attach request to the access gateway so that the access gateway sends a DER message to the 3GPP AAA server.
Step 402: when the 3GPP AAA server authenticates the terminal through an EAP-TLS exchange, receive the server certificate forwarded by the access gateway.
Specifically, the terminal certificate contains at least the IMSI that the terminal uses for communication services.
Step 403: verify the server certificate; and
Step 404: when the server certificate passes verification, send the terminal certificate to the access gateway so that the access gateway sends the terminal certificate to the 3GPP AAA server for checking.
In the terminal authentication method of this embodiment, the terminal sends an initial attach request to the access gateway and, when the 3GPP AAA server authenticates the terminal through an EAP-TLS exchange, receives and verifies the server certificate; this enables a terminal without a USIM/SIM card, or one that cannot obtain USIM/SIM card information, to access the LTE network and use the VoWiFi service, improving the user experience.
Referring to FIG. 5, the fifth embodiment of the present invention further provides a terminal authentication method, applied in a 3GPP AAA server. The method includes:
Step 501: receive a DER message from the access gateway.
Step 502: check whether the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is the preset character; if so, proceed to step 503; if not, the flow ends.
Step 503: determine that the terminal is an EAP-TLS access, and authenticate the terminal through an EAP-TLS exchange.
As a further refinement of this embodiment, and referring to FIG. 6, authenticating the terminal through an EAP-TLS exchange in step 503 further includes:
Step 601: receive a handshake message from the access gateway.
Step 602: send the server certificate to the access gateway so that the terminal verifies the server certificate.
Step 603: when the terminal has verified the server certificate, receive the terminal certificate from the access gateway.
Step 604: check the terminal certificate; and
Step 605: when the check passes, send a handshake completion message to the access gateway to complete authentication of the terminal.
The terminal authentication method of this embodiment uses mutual authentication: the 3GPP AAA server checks the terminal certificate to confirm that the terminal is legitimate, and the terminal checks the server certificate to confirm that the network being accessed is legitimate, which improves the security of user access.
Referring to FIG. 7, the sixth embodiment of the present invention further provides a terminal authentication method. Compared with the fifth embodiment, the terminal authentication method of the sixth embodiment differs only in that the method further includes:
Step 701: receive, from the access gateway, a DER message confirming receipt of the handshake completion message.
Step 702: send a MAR message and a SAR message to the EPC-HSS server to obtain authentication data and user data and perform an authorization check; and
Step 703: when the authorization check on the authentication data and the user data succeeds, send a DEA message indicating that the authorization check succeeded to the access gateway.
In the terminal authentication method of this embodiment, the 3GPP AAA server receives, from the access gateway, the DER message confirming receipt of the handshake completion message, sends a MAR message and a SAR message to the EPC-HSS server to obtain authentication data and user data and perform an authorization check, and, when the authorization check on the authentication data and the user data succeeds, sends a DEA message indicating that the authorization check succeeded to the access gateway, completing the authorization between the terminal and the 3GPP AAA server.
Referring to FIG. 8, a seventh embodiment of the present invention further provides a terminal authentication system. The system includes a terminal 810, an access gateway 820 and a 3GPP AAA server 830.
The terminal 810 is a terminal without a USIM/SIM card, or a terminal that cannot obtain USIM/SIM card information. In this embodiment the terminal 810 may be implemented in various forms; for example, the terminals described in the present invention may include mobile terminals such as mobile phones, smart phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players) and navigation devices, as well as fixed terminals such as digital TVs and desktop computers. In the following it is assumed that the terminal is a mobile terminal. However, those skilled in the art will understand that, apart from elements intended specifically for mobile use, the configurations according to the embodiments of the present invention can also be applied to fixed-type terminals.
The terminal 810 has a terminal certificate installed; the terminal certificate contains at least the IMSI under which the terminal 810 conducts its communication services. The 3GPP AAA server has a server certificate installed. The certificates are issued by a certificate authority on application by the network operator, which is not described further in this embodiment.
Optionally, the common name field of the terminal certificate is the IMSI under which the terminal conducts its services, and the terminal supports EAP-TLS authentication.
The terminal 810 is configured to initiate an attach request to the access gateway 820.
Specifically, the attach request carries the EAP-IDENTITY prefix of the EAP-PAYLOAD attribute. In this embodiment it is assumed that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the attach request has been preset to A by the network operator.
The access gateway 820 is configured to receive the attach request sent by the terminal 810 and to send a DER message to the 3GPP AAA server 830.
Specifically, after receiving the terminal's attach request, the access gateway 820 sends a network access request (Diameter-EAP-Request, DER) message to the 3GPP AAA server 830 according to the attach request. It will be understood that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of this DER message is A.
Optionally, as those skilled in the art will understand, if the terminal accesses from an untrusted WiFi network, the access gateway may be an Evolved Packet Data Gateway (ePDG); if the terminal accesses from a trusted WLAN network, the access gateway may be an HRPD Serving Gateway (HSGW).
The 3GPP AAA server 830 is configured to receive the DER message sent by the access gateway 820 and to check whether the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is a preset character; if it is, the 3GPP AAA server 830 determines that the terminal is an EAP-TLS access and authenticates the terminal 810 through an EAP-TLS exchange.
Specifically, the EAP-IDENTITY prefix in the DER message is extended in advance. The 3GPP specifications assign the prefixes 0, 2 and 4 to the EAP-AKA authentication method and the prefixes 6, 7 and 8 to the EAP-AKA' authentication method; the extension in this embodiment can therefore use the Latin letters A-Z and a-z, that is, the prefix corresponding to the EAP-TLS authentication method is a Latin letter. Further, the network operator may set this prefix to A, so that the prefix corresponding to the EAP-TLS authentication method is the letter A.
Therefore, when the 3GPP AAA server 830 receives the DER message sent by the access gateway and the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of that message is the preset character A, the 3GPP AAA server 830 determines that this access request is an EAP-TLS access, and the subsequent authentication of the terminal 810 uses the EAP-TLS authentication method. If authentication succeeds, the terminal 810 can access the LTE network and use services such as VoWiFi.
In the terminal authentication system provided by this embodiment, the terminal 810 initiates an initial attach request to the access gateway 820; according to the initial attach request, the access gateway 820 sends a DER message to the 3GPP AAA server 830; the 3GPP AAA server 830 receives the DER message and, when it finds that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message contains the preset character, determines that the terminal 810 is an EAP-TLS access and authenticates the terminal 810 through an EAP-TLS exchange. The terminal authentication system of this embodiment therefore allows a terminal without a USIM/SIM card, or a terminal that cannot obtain USIM/SIM card information, to access the LTE network and use the VoWiFi service, improving the user experience.
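The prefix check described in this embodiment, written out as an added Go example; it is not code from the patent or from any 3GPP AAA server. It parses the EAP Response/Identity packet that the access gateway copies into the EAP-Payload AVP of the DER, takes the first character of the NAI username, and selects EAP-AKA for 0/2/4, EAP-AKA' for 6/7/8 (the assignments the text cites) and EAP-TLS for the operator-configured letter, rejecting every other prefix. The identity A460001234567890@nai.epc.mnc001.mcc460.3gppnetwork.org, the IMSI in it and the EAP identifier are constructed sample values, and the realm format is an assumption taken from TS 23.003 rather than from the page. Two points the embodiment leaves implicit are made explicit in the code: the prefix is chosen by the client and therefore decides only which method the server runs, proving nothing on its own, and the IMSI extracted here is the value that the later terminal-certificate check has to be bound to.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// EAPMethod is the method the AAA server selects from the identity prefix.
type EAPMethod int

const (
	MethodReject EAPMethod = iota
	MethodEAPAKA
	MethodEAPAKAPrime
	MethodEAPTLS
)

func (m EAPMethod) String() string {
	return []string{"reject", "EAP-AKA", "EAP-AKA'", "EAP-TLS"}[m]
}

// BuildEAPIdentity encodes an EAP Response/Identity packet (RFC 3748: Code 2,
// Identifier, 16-bit Length, Type 1, Type-Data = NAI) as the access gateway
// would place it in the DER's EAP-Payload AVP. Used here to construct input.
func BuildEAPIdentity(identifier byte, nai string) []byte {
	length := 5 + len(nai)
	return append([]byte{2, identifier, byte(length >> 8), byte(length), 1}, nai...)
}

// ParseEAPIdentity returns the NAI carried by an EAP Response/Identity packet.
// The Length field is checked against the buffer so a truncated or padded AVP
// can neither be read past its end nor mistaken for a longer identity.
func ParseEAPIdentity(pkt []byte) (string, error) {
	if len(pkt) < 5 {
		return "", errors.New("eap: packet shorter than header plus type")
	}
	length := int(pkt[2])<<8 | int(pkt[3])
	if length < 5 || length > len(pkt) {
		return "", fmt.Errorf("eap: length %d inconsistent with %d bytes received", length, len(pkt))
	}
	if pkt[0] != 2 || pkt[4] != 1 {
		return "", fmt.Errorf("eap: not a Response/Identity (code=%d type=%d)", pkt[0], pkt[4])
	}
	return string(pkt[5:length]), nil
}

func isLetter(c byte) bool { return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') }

// isIMSI accepts 1 to 15 decimal digits (TS 23.003 caps the IMSI at 15 digits).
func isIMSI(s string) bool {
	return len(s) > 0 && len(s) <= 15 && strings.Trim(s, "0123456789") == ""
}

// SelectMethod dispatches on the first character of the NAI username: 0/2/4
// select EAP-AKA, 6/7/8 select EAP-AKA', and the operator-configured letter
// tlsPrefix ('A' in the text) selects EAP-TLS. For the permanent-identity
// prefixes (0, 6 and the EAP-TLS prefix) the rest of the username must be an
// IMSI; 2/4 and 7/8 carry a pseudonym or fast re-authentication identity that
// is returned as-is. Any other prefix is rejected, not guessed: the client
// chooses the prefix, so it only picks the method and is never evidence.
func SelectMethod(nai string, tlsPrefix byte) (EAPMethod, string, error) {
	if !isLetter(tlsPrefix) {
		return MethodReject, "", fmt.Errorf("config: EAP-TLS prefix %q must be a letter so it cannot collide with the digit prefixes", tlsPrefix)
	}
	user := nai
	if at := strings.IndexByte(nai, '@'); at >= 0 {
		user = nai[:at]
	}
	if len(user) < 2 {
		return MethodReject, "", errors.New("nai: no identity after the prefix")
	}
	prefix, ident := user[0], user[1:]
	var method EAPMethod
	switch prefix {
	case '0', '2', '4':
		method = MethodEAPAKA
	case '6', '7', '8':
		method = MethodEAPAKAPrime
	case tlsPrefix:
		method = MethodEAPTLS
	default:
		return MethodReject, "", fmt.Errorf("nai: unknown identity prefix %q", prefix)
	}
	if (prefix == '0' || prefix == '6' || prefix == tlsPrefix) && !isIMSI(ident) {
		return MethodReject, "", fmt.Errorf("nai: %q is not a valid IMSI", ident)
	}
	return method, ident, nil
}

func main() {
	// Constructed sample: a SIM-less terminal whose operator chose the prefix 'A'.
	pkt := BuildEAPIdentity(1, "A460001234567890@nai.epc.mnc001.mcc460.3gppnetwork.org")
	nai, err := ParseEAPIdentity(pkt)
	if err != nil {
		panic(err)
	}
	method, ident, err := SelectMethod(nai, 'A')
	fmt.Printf("nai=%s method=%v ident=%s err=%v\n", nai, method, ident, err)
}
```

The configured EAP-TLS prefix is refused unless it is a letter: a digit would collide with the prefixes the 3GPP specifications already assign, and method selection would become ambiguous. Pseudonym and re-authentication identities are passed through unchanged because their format is opaque to this check; only the permanent identities are required to carry a well-formed IMSI.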
An eighth embodiment of the present invention further provides a terminal authentication system. The terminal authentication system of the eighth embodiment differs from that of the seventh embodiment only in that, in this embodiment, when the 3GPP AAA server authenticates the terminal 810 through an EAP-TLS exchange:
the 3GPP AAA server 830 is further configured to return the server certificate to the access gateway 820 after receiving the handshake message sent by the access gateway 820;
the terminal 810 is further configured to receive the server certificate sent by the access gateway 820 and to verify the server certificate, and, when the server certificate passes verification, to send the terminal certificate to the access gateway 820;
the 3GPP AAA server 830 is further configured to receive and check the terminal certificate sent by the access gateway 820 and, when the check succeeds, to send a handshake-complete message to the access gateway 820 to complete the authentication of the terminal 810.
Specifically, in practice, when the 3GPP AAA server 830 performs EAP-TLS authentication of the terminal 810, the interaction between the access gateway 820, the 3GPP AAA server 830 and the terminal 810 can be as shown in FIG. 2:
The 3GPP AAA server 830 returns a DEA message (TLS-Start) and begins the EAP-TLS exchange with the access gateway 820.
The terminal 810 is further configured to send an EAP message to the access gateway 820.
The access gateway 820 is further configured to receive the EAP message sent by the terminal 810 and to send a DER handshake message (TLS-Client Hello) to the 3GPP AAA server 830.
The 3GPP AAA server 830 is further configured to receive the DER handshake message sent by the access gateway 820 and to reply to the access gateway 820 with a DEA message (TLS-Server Hello) returning the certificate information held by the server.
The access gateway 820 is further configured to receive the server certificate sent by the 3GPP AAA server 830 and to forward it to the terminal 810.
The terminal 810 is further configured to receive the server certificate sent by the access gateway 820 and to verify the server certificate.
When the server certificate passes verification, the terminal 810 sends the terminal certificate to the access gateway 820;
when verification of the server certificate fails, authentication fails.
The access gateway 820 is further configured to receive the terminal certificate sent by the terminal 810 and to send a DER message carrying the terminal certificate information to the 3GPP AAA server 830.
The 3GPP AAA server 830 is further configured to receive the DER message sent by the access gateway 820 and to check the terminal certificate.
Specifically, the 3GPP AAA server 830 checks the CA signature, the validity period and the IMSI binding of the terminal certificate.
When the terminal certificate passes the check, the 3GPP AAA server 830 sends a handshake-complete DEA message to the access gateway 820 to complete the authentication of the terminal 810;
when verification of the terminal certificate fails, authentication fails and a message is returned rejecting the access request of the current terminal 810.
The terminal authentication system provided by this embodiment uses mutual authentication: the 3GPP AAA server 830 checks the terminal certificate to confirm that the terminal 810 is a legitimate terminal, and the terminal 810 checks the server certificate to confirm that the network being accessed is a legitimate network, which improves the security of user access.
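The three checks the 3GPP AAA server makes on the terminal certificate (CA signature, validity period, IMSI binding), as an added Go example built on the standard library's crypto/x509; this is not the patent's code nor that of any AAA product. An in-memory operator CA, a terminal certificate whose Common Name is the IMSI 460001234567890, and three certificates that must be refused (wrong IMSI, expired, issued by an unrelated CA) are constructed as sample material; the CA names, the key type and the lifetimes are assumptions. VerifyTerminalCert takes the DER certificate as the server's TLS stack would hand it over from the handshake, together with the IMSI that the server already extracted from the EAP identity; comparing that IMSI with the CN is the binding step, and it is what prevents a genuine certificate issued to one subscriber from being presented under another subscriber's identity. The terminal's check of the server certificate is the mirror image and is not repeated here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // sample-only serial counter; a real CA tracks serials durably

// issue builds an in-memory certificate with the given Common Name, signed by
// parent (self-signed when parent is nil). It only constructs sample material
// for this example, so it panics instead of returning errors.
func issue(cn string, notBefore, notAfter time.Time, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // a terminal cert authenticates a client
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	return der, key
}

// VerifyTerminalCert applies the three checks the AAA server makes on the
// terminal certificate from the EAP-TLS handshake: CA signature (a chain to
// the operator CA only, never the system trust store), validity at `now`, and
// IMSI binding (the Common Name must equal the IMSI claimed in the EAP identity).
func VerifyTerminalCert(der []byte, operatorRoots *x509.CertPool, claimedIMSI string, now time.Time) (*x509.Certificate, error) {
	if operatorRoots == nil {
		return nil, errors.New("terminal cert: no operator CA pool configured") // nil would mean system roots
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("terminal cert: parse: %w", err)
	}
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots: operatorRoots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return nil, fmt.Errorf("terminal cert: signature/validity: %w", err)
	}
	if cert.Subject.CommonName != claimedIMSI {
		return nil, fmt.Errorf("terminal cert: IMSI binding: CN %q does not match claimed IMSI %q", cert.Subject.CommonName, claimedIMSI)
	}
	return cert, nil
}

// Fixture is constructed sample material: the operator CA pool, a terminal
// certificate bound to IMSI 460001234567890, and three that must be rejected.
type Fixture struct {
	Roots                           *x509.CertPool
	Good, WrongIMSI, Expired, Rogue []byte
}

func NewFixture(now time.Time) *Fixture {
	const imsi = "460001234567890"
	day := 24 * time.Hour
	caDER, caKey := issue("Operator WLAN CA", now.Add(-day), now.Add(3650*day), true, nil, nil)
	ca, _ := x509.ParseCertificate(caDER)
	rogueDER, rogueKey := issue("Rogue CA", now.Add(-day), now.Add(3650*day), true, nil, nil)
	rogue, _ := x509.ParseCertificate(rogueDER)
	f := &Fixture{Roots: x509.NewCertPool()}
	f.Roots.AddCert(ca)
	f.Good, _ = issue(imsi, now.Add(-time.Hour), now.Add(365*day), false, ca, caKey)
	f.WrongIMSI, _ = issue("460009999999999", now.Add(-time.Hour), now.Add(365*day), false, ca, caKey)
	f.Expired, _ = issue(imsi, now.Add(-2*day), now.Add(-day), false, ca, caKey)
	f.Rogue, _ = issue(imsi, now.Add(-time.Hour), now.Add(365*day), false, rogue, rogueKey)
	return f
}

func main() {
	now := time.Date(2016, 11, 29, 12, 0, 0, 0, time.UTC)
	f := NewFixture(now)
	for name, der := range map[string][]byte{"good": f.Good, "wrong-imsi": f.WrongIMSI, "expired": f.Expired, "rogue-ca": f.Rogue} {
		_, err := VerifyTerminalCert(der, f.Roots, "460001234567890", now)
		fmt.Printf("%-10s -> %v\n", name, err)
	}
}
```

Two details matter in practice. The roots pool is the operator CA alone; a nil pool makes crypto/x509 fall back to the system trust store, which is why the function refuses it outright. And the clock passed as now is whatever the server trusts: the same certificate that passes today fails once that clock moves past NotAfter, so the check is only as good as the server's time source.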
Referring to FIG. 9, a ninth embodiment of the present invention provides a terminal authentication system. The terminal authentication system of the ninth embodiment differs from that of the eighth embodiment only in that the system further includes an EPC Home Subscriber Server (HSS) 910, where:
the EPC-HSS server 910 is configured to receive the MAR message and the SAR message sent by the 3GPP AAA server 830 and to send the authentication data and the subscriber data to the 3GPP AAA server;
the 3GPP AAA server 830 is further configured to perform an authorization check on the terminal according to the authentication data and the subscriber data and, when the authorization check succeeds, to send a DEA message indicating a successful authorization check to the access gateway, completing the authorization between the terminal and the 3GPP AAA server 830.
Specifically, referring to FIG. 2 and FIG. 3 together, in practice, when the 3GPP AAA server 830 performs EAP-TLS authentication of the terminal 810, the interaction between the access gateway 820, the 3GPP AAA server 830 and the terminal 810 is as follows:
The access gateway 820 is further configured to send a DER message to the 3GPP AAA server 830 to acknowledge receipt of the DEA message sent by the 3GPP AAA server 830.
The 3GPP AAA server 830 is further configured to receive the DER message sent by the access gateway 820 and to send a MAR message to the EPC-HSS server 910.
The EPC-HSS server 910 is configured to receive the MAR message sent by the 3GPP AAA server 830 and to reply with the authentication data to the 3GPP AAA server 830.
The 3GPP AAA server 830 is further configured to obtain the authentication data sent by the EPC-HSS server 910.
The 3GPP AAA server 830 is further configured to perform an authorization check on the authentication data and to send an SAR message to the EPC-HSS server 910.
The EPC-HSS server 910 is further configured to receive the SAR message sent by the 3GPP AAA server 830 and to reply with the subscriber data to the 3GPP AAA server 830.
The 3GPP AAA server 830 is further configured to obtain the subscriber data sent by the EPC-HSS server 910, to perform an authorization check on the subscriber data, and to send a DEA message indicating a successful authorization check to the access gateway 820, thereby completing the authorization between the terminal 810 and the 3GPP AAA server 830 and waiting for the subsequent access procedure of the terminal 810.
In the terminal authentication system provided by this embodiment, the 3GPP AAA server 830 sends a MAR message and an SAR message to the EPC-HSS server 910 to obtain the authentication data and the subscriber data and performs an authorization check on them; when the authorization check on the authentication data and the subscriber data succeeds, it sends a DEA message indicating a successful authorization check to the access gateway 820, completing the authorization between the terminal 810 and the 3GPP AAA server 830.
Referring to FIG. 10, a tenth embodiment of the present invention further provides a terminal authentication apparatus, applied in a terminal 810 that has no USIM/SIM card or cannot obtain USIM/SIM card information. The apparatus includes a first sending module 1010, a first receiving module 1020, a server certificate verification module 1030 and a second sending module 1040, where:
the first sending module 1010 is configured to send an initial attach request to the access gateway 820, so that a DER message is sent through the access gateway 820 to the 3GPP AAA server 830;
the first receiving module 1020 is configured to receive the server certificate forwarded by the access gateway 820 when the 3GPP AAA server 830 authenticates the terminal 810 through an EAP-TLS exchange;
the server certificate verification module 1030 is configured to verify the server certificate;
the second sending module 1040 is further configured to send the terminal certificate to the access gateway 820 when the server certificate passes verification, so that the terminal certificate is sent through the access gateway 820 to the 3GPP AAA server 830 for checking.
Optionally, the terminal certificate contains at least the IMSI under which the terminal conducts its communication services.
The terminal authentication apparatus of this embodiment, through the authentication of the terminal 810 by the 3GPP AAA server 830, allows a terminal without a USIM/SIM card, or a terminal that cannot obtain USIM/SIM card information, to access the LTE network and use the VoWiFi service, improving the user experience.
Referring to FIG. 11, an eleventh embodiment of the present invention further provides a terminal authentication apparatus, applied in a 3GPP AAA server. The apparatus includes a third receiving module 1110, a determining module 1120 and an authentication module 1130, where:
the third receiving module 1110 is configured to receive a DER message from the access gateway 820;
the determining module 1120 is configured to check whether the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is a preset character;
the authentication module 1130 is configured so that, when the determining module 1120 finds that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is the preset character and determines that the terminal 810 is an EAP-TLS access, it authenticates the terminal 810 through an EAP-TLS exchange.
Optionally, the authentication module 1130 further includes a fourth receiving module 1140, a third sending module 1150, a fifth receiving module 1160, a checking module 1170 and a fourth sending module 1180, where:
the fourth receiving module 1140 is configured to receive a handshake message from the access gateway 820;
the third sending module 1150 is configured to send the server certificate to the access gateway 820 so that the terminal 810 verifies the server certificate;
the fifth receiving module 1160 is configured to receive the terminal certificate from the access gateway 820 when the terminal 810 has verified the server certificate;
the checking module 1170 is configured to check the terminal certificate;
the fourth sending module 1180 is configured to send a handshake-complete message to the access gateway 820 when the check passes, completing the authentication of the terminal 810.
The terminal authentication apparatus of this embodiment uses mutual authentication: the 3GPP AAA server checks the terminal certificate to confirm that the terminal is a legitimate terminal, and the terminal checks the server certificate to confirm that the network being accessed is a legitimate network, which improves the security of user access.
Referring to FIG. 12, a twelfth embodiment of the present invention further provides a terminal authentication apparatus. The terminal authentication apparatus of the twelfth embodiment differs from that of the eleventh embodiment only in that the apparatus further includes a sixth receiving module 1210, a fifth sending module and a sixth sending module 1230, where:
the sixth receiving module 1210 is configured to receive, from the access gateway 820, the DER message acknowledging receipt of the handshake-complete message;
the fifth sending module is configured to send a MAR message and an SAR message to the EPC-HSS server 910 to obtain the authentication data and the subscriber data and perform an authorization check;
the sixth sending module 1230 is configured to send a DEA message indicating a successful authorization check to the access gateway 820 when the authorization check on the authentication data and the subscriber data succeeds.
In the terminal authentication apparatus of this embodiment, the sixth receiving module 1210 receives, from the access gateway 820, the DER message acknowledging receipt of the handshake-complete message; the fifth sending module sends a MAR message and an SAR message to the EPC-HSS server 910 to obtain the authentication data and the subscriber data and perform an authorization check; and, when the authorization check on the authentication data and the subscriber data succeeds, the sixth sending module 1230 sends a DEA message indicating a successful authorization check to the access gateway 820, completing the authorization between the terminal 810 and the 3GPP AAA server 830.
An embodiment of the present invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for performing the following steps:
S1. The terminal initiates an initial attach request to the access gateway.
S2. According to the initial attach request, the access gateway sends a DER message to the 3rd Generation Partnership Project authentication, authorization and accounting (3GPP AAA) server.
S3. The 3GPP AAA server receives the DER message and checks whether the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is a preset character; if so, the terminal is an Extensible Authentication Protocol with Transport Layer Security (EAP-TLS) access.
S4. The 3GPP AAA server authenticates the terminal through an EAP-TLS exchange.
Optionally, the storage medium is further configured to store program code for performing the following steps:
S1. After receiving the handshake message sent by the access gateway, the 3GPP AAA server returns the server certificate to the access gateway.
S2. The terminal receives the server certificate sent by the access gateway and verifies it; when the server certificate passes verification, the terminal sends the terminal certificate to the access gateway.
S3. The 3GPP AAA server receives and checks the terminal certificate sent by the access gateway; when the check passes, it sends a handshake-complete message to the access gateway to complete the authentication of the terminal.
Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc or any other medium that can store program code.
It should be noted that, in this document, the terms "comprise", "include" and any variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or apparatus that comprises it.
The numbering of the embodiments of the present invention above is for description only and does not indicate the relative merits of the embodiments.
From the description of the above embodiments, those skilled in the art will clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, though in many cases the former is the better implementation. On this understanding, the technical solution of the present invention, in essence or in the part that contributes over the related art, can be embodied in the form of a software product stored on a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to perform the methods described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention and do not limit the scope of its patent protection; any equivalent structure or equivalent process transformation made using the content of the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.
Industrial applicability
In the embodiments of the present invention, the terminal initiates an initial attach request to the access gateway; according to the initial attach request, the access gateway sends a DER message to the 3GPP AAA server; the 3GPP AAA server receives the DER message and, when it finds that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message contains the preset character, determines that the terminal is an EAP-TLS access and authenticates the terminal through an EAP-TLS exchange. A terminal without a USIM/SIM card, or a terminal that cannot obtain USIM/SIM card information, can thereby access the LTE network and use the VoWiFi service, improving the user experience.

Claims (20)

  1. A terminal authentication method, the method comprising:
    a terminal initiating an initial attach request to an access gateway;
    according to the initial attach request, the access gateway sending a DER message to a 3rd Generation Partnership Project authentication, authorization and accounting (3GPP AAA) server;
    the 3GPP AAA server receiving the DER message and checking whether the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is a preset character, and if so, the terminal being an Extensible Authentication Protocol with Transport Layer Security (EAP-TLS) access; and
    the 3GPP AAA server authenticating the terminal through an EAP-TLS exchange.
  2. The terminal authentication method according to claim 1, wherein the 3GPP AAA server authenticating the terminal through an EAP-TLS exchange comprises:
    after receiving a handshake message sent by the access gateway, the 3GPP AAA server returning a server certificate to the access gateway;
    the terminal receiving the server certificate sent by the access gateway and verifying the server certificate, and, when the server certificate passes verification, the terminal sending a terminal certificate to the access gateway; and
    the 3GPP AAA server receiving and checking the terminal certificate sent by the access gateway and, when the check passes, sending a handshake-complete message to the access gateway to complete the authentication of the terminal.
  3. The terminal authentication method according to claim 2, wherein the method further comprises:
    after receiving from the access gateway the DER message acknowledging receipt of the handshake-complete message, the 3GPP AAA server sending a MAR message and an SAR message to an Evolved Packet Core home subscriber server (EPC-HSS) to obtain authentication data and subscriber data and performing an authorization check, and, when the authorization check succeeds, sending a DEA message indicating a successful authorization check to the access gateway, completing the authorization between the terminal and the 3GPP AAA server.
  4. The terminal authentication method according to claim 1, wherein the EAP-IDENTITY prefix in the DER message is extended to use Latin letters, and when the prefix is the preset character the authentication method is EAP-TLS, the preset character being a Latin letter.
  5. The terminal authentication method according to claim 1, wherein the terminal has a terminal certificate installed, the terminal certificate contains at least the IMSI under which the terminal conducts its communication services, and the 3GPP AAA server has a server certificate installed.
  6. A terminal authentication method, applied in a terminal without a Universal Subscriber Identity Module / Subscriber Identity Module (USIM/SIM) card or a terminal that cannot obtain USIM/SIM card information, the method comprising:
    sending an initial attach request to an access gateway, so that a DER message is sent through the access gateway to a 3GPP AAA server;
    when the 3GPP AAA server authenticates the terminal through an EAP-TLS exchange, receiving a server certificate forwarded by the access gateway;
    verifying the server certificate; and
    when the server certificate passes verification, sending a terminal certificate to the access gateway, so that the terminal certificate is sent through the access gateway to the 3GPP AAA server for checking.
  7. The terminal authentication method according to claim 6, wherein the terminal certificate contains at least the IMSI under which the terminal conducts its communication services.
  8. A terminal authentication method, applied in a 3GPP AAA server, the method comprising:
    receiving a DER message from an access gateway; and
    on determining that the EAP-IDENTITY prefix in the EAP-PAYLOAD attribute of the DER message is a preset character, in which case the terminal is an EAP-TLS access, authenticating the terminal through an EAP-TLS exchange.
  9. 根据权利要求8所述的终端认证方法,其中,所述通过EAP-TLS交互对所述终端进行鉴权认证,包括:The terminal authentication method according to claim 8, wherein the authenticating the terminal by the EAP-TLS interaction comprises:
    接收来自所述接入网关的握手消息;Receiving a handshake message from the access gateway;
    发送服务端证书给所述接入网关,以使所述终端对所述服务端证书进行验证;Sending a server certificate to the access gateway, so that the terminal verifies the server certificate;
    当所述终端对所述服务端证书验证通过时,则接收来自所述接入网关的终端证书;Receiving a terminal certificate from the access gateway when the terminal verifies the server certificate;
    校验所述终端证书;以及Verifying the terminal certificate;
    当校验通过时,发送握手完成消息给所述接入网关,以完成对所述终端的认证。When the verification is passed, a handshake completion message is sent to the access gateway to complete authentication of the terminal.
  10. 根据权利要求8或9所述的终端认证方法,其中,所述方法还包括:The terminal authentication method according to claim 8 or 9, wherein the method further comprises:
    接收来自所述接入网关的确认收到握手完成消息的DER消息;Receiving a DER message from the access gateway confirming receipt of a handshake completion message;
    发送MAR消息和SAR消息给EPC-HSS服务器,以获取鉴权数据和用户数据并进行授权检查;以及Sending a MAR message and a SAR message to the EPC-HSS server to obtain authentication data and user data and perform an authorization check;
    当对所述鉴权数据和所述用户数据的授权检查成功时,则发送授权检查成功的DEA消息给所述接入网关。When the authorization check of the authentication data and the user data is successful, a DEA message indicating that the authorization check succeeds is sent to the access gateway.
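The dispatch in claims 8 and 10 (and again in claims 11, 14 and 18) turns on a single byte of peer-supplied data: the first character of the EAP-Identity carried in the EAP-Payload AVP of the DER message. The Go program below is an added example, not code from the patent or from ZTE. It builds such an AVP around an EAP Response/Identity packet, parses it back with the bounds checks a server needs because every length field comes from the peer, and selects the EAP method from the prefix. The digit prefixes follow the 3GPP TS 23.003 root-NAI convention; the letter chosen for EAP-TLS ('t'), the realm and the IMSI values are assumptions, since the claims only say "a preset English character".

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Diameter EAP-Payload AVP code (RFC 4072) and the EAP Response/Identity
// framing it carries (RFC 3748).
const (
	avpEAPPayload   = 462
	eapCodeResponse = 2
	eapTypeIdentity = 1
)

// Leading NAI characters. The digits are the 3GPP TS 23.003 root-NAI
// conventions (0 = EAP-AKA, 1 = EAP-SIM, 6 = EAP-AKA'). The letter for
// EAP-TLS is the claims' "preset English character"; they do not say which
// letter, so 't' is an assumption made for this example.
var methodByPrefix = map[byte]string{'0': "EAP-AKA", '1': "EAP-SIM", '6': "EAP-AKA'", 't': "EAP-TLS"}

// buildEAPPayloadAVP wraps an EAP Response/Identity packet in an EAP-Payload
// AVP: 4-byte code, 1-byte flags (M set), 3-byte length, value padded to 4.
func buildEAPPayloadAVP(eapID byte, identity string) []byte {
	eap := make([]byte, 5+len(identity))
	eap[0], eap[1], eap[4] = eapCodeResponse, eapID, eapTypeIdentity
	binary.BigEndian.PutUint16(eap[2:4], uint16(len(eap)))
	copy(eap[5:], identity)

	avpLen := 8 + len(eap)
	avp := make([]byte, avpLen+(-avpLen&3)) // pad to a 4-byte boundary
	binary.BigEndian.PutUint32(avp[0:4], avpEAPPayload)
	avp[4] = 0x40 // M flag: the AVP is mandatory
	avp[5], avp[6], avp[7] = byte(avpLen>>16), byte(avpLen>>8), byte(avpLen)
	copy(avp[8:], eap)
	return avp
}

// parseIdentity checks the AVP and EAP framing and returns the NAI. Every
// length comes from the peer, so each is bounds-checked before use.
func parseIdentity(avp []byte) (string, error) {
	if len(avp) < 8 {
		return "", errors.New("AVP header truncated")
	}
	if binary.BigEndian.Uint32(avp[0:4]) != avpEAPPayload || avp[4]&0x80 != 0 {
		return "", errors.New("not a plain EAP-Payload AVP")
	}
	avpLen := int(avp[5])<<16 | int(avp[6])<<8 | int(avp[7])
	if avpLen < 8+5 || avpLen > len(avp) {
		return "", errors.New("AVP length out of range")
	}
	eap := avp[8:avpLen]
	if int(binary.BigEndian.Uint16(eap[2:4])) != len(eap) {
		return "", errors.New("EAP length does not match AVP payload")
	}
	if eap[0] != eapCodeResponse || eap[4] != eapTypeIdentity {
		return "", errors.New("expected EAP Response/Identity")
	}
	nai := string(eap[5:])
	if len(nai) < 2 || !strings.Contains(nai, "@") {
		return "", errors.New("identity is not an NAI")
	}
	return nai, nil
}

// classifyDER is the 3GPP AAA side of claim 8: parse the DER's EAP-Payload,
// then pick the EAP method from the first NAI character. The prefix is chosen
// by the peer, so it only selects which method runs; it proves nothing by itself.
func classifyDER(avp []byte) (method, nai string, err error) {
	if nai, err = parseIdentity(avp); err != nil {
		return "", "", err
	}
	var ok bool
	if method, ok = methodByPrefix[nai[0]]; !ok {
		return "", nai, fmt.Errorf("unknown identity prefix %q", nai[0])
	}
	return method, nai, nil
}

func main() {
	// Constructed identities (not captured traffic); the IMSI is in the 001/01 test PLMN.
	for _, id := range []string{
		"0001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org",
		"t001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org",
		"x001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org",
	} {
		method, nai, err := classifyDER(buildEAPPayloadAVP(1, id))
		fmt.Printf("%s -> %s %v\n", nai, method, err)
	}
}
```

The point for an implementer is in the last comment: the prefix routes the request to EAP-TLS and nothing more. The terminal is authenticated by the certificate check in the handshake and authorized by the HSS data fetched with MAR/SAR, and the IMSI the terminal put after the prefix should be compared with the IMSI in its certificate once the handshake has completed.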
  11. A terminal authentication system, comprising a terminal, an access gateway and a 3GPP AAA server, wherein:
    the terminal is configured to initiate an initial attach request to the access gateway;
    the access gateway is configured to send a DER message to the 3GPP AAA server according to the initial attach request; and
    the 3GPP AAA server is configured to receive the DER message and, when the EAP-Identity prefix in the EAP-Payload attribute of the DER message is determined to be a preset character, determine that the terminal is an EAP-TLS access and authenticate the terminal through an EAP-TLS exchange.
  12. The terminal authentication system according to claim 11, wherein:
    the 3GPP AAA server is further configured to return a server certificate to the access gateway after receiving a handshake message sent by the access gateway;
    the terminal is further configured to receive the server certificate sent by the access gateway and verify it and, once the server certificate passes verification, send a terminal certificate to the access gateway; and
    the 3GPP AAA server is further configured to receive and check the terminal certificate sent by the access gateway and, when the check succeeds, send a handshake-complete message to the access gateway to complete authentication of the terminal.
  13. The terminal authentication system according to claim 12, wherein the system further comprises an EPC-HSS server, wherein:
    the EPC-HSS server is configured to receive the MAR message and the SAR message sent by the 3GPP AAA server and to send authentication data and user data to the 3GPP AAA server; and
    the 3GPP AAA server is further configured to perform an authorization check on the terminal according to the authentication data and the user data and, when the authorization check succeeds, send a DEA message indicating that the authorization check succeeded to the access gateway, completing the authorization between the terminal and the 3GPP AAA server.
  14. The terminal authentication system according to claim 11, wherein the EAP-Identity prefix in the DER message is extended to use an English letter; when the prefix is the preset character, the authentication mode is EAP-TLS, the preset character being an English letter.
  15. The terminal authentication system according to claim 11, wherein the terminal has a terminal certificate installed, the terminal certificate containing at least the IMSI the terminal uses for its communication service, and the 3GPP AAA server has a server certificate installed.
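Claims 9, 12, 13 and 15 describe the certificate exchange: the AAA presents its server certificate, the terminal verifies it before releasing its own certificate, the AAA checks the terminal certificate, and only then does the AAA go to the HSS with MAR/SAR for authorization. The Go program below is an added example, not code from the patent or from ZTE. It runs that mutual handshake in-process with a throwaway operator CA and then performs the AAA-side check the claims imply but do not spell out: the IMSI in the verified terminal certificate must be well-formed and must match the IMSI the terminal claimed in its EAP-Identity. The CA name, the AAA host name, the use of the Subject serialNumber attribute to carry the IMSI, and the IMSI value are all assumptions; the access gateway is left out because in the claims it only forwards the EAP messages.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"regexp"
	"strings"
	"time"
)

const aaaName = "aaa.example.net" // assumed host name in the 3GPP AAA server certificate
var imsiRe = regexp.MustCompile(`^[0-9]{6,15}$`) // MCC+MNC+MSIN, at most 15 digits

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue builds a certificate for cn, lets edit adjust the template, and signs it with parentKey (self-signed CA when parent is nil).
func issue(serial int64, cn string, eku x509.ExtKeyUsage, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey, edit func(*x509.Certificate)) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	edit(tmpl)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil { // self-signed: this certificate is the CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newCA creates a throwaway operator CA that issues both the AAA and the terminal certificates.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(1, "Operator EAP-TLS CA", x509.ExtKeyUsageAny, nil, nil, func(*x509.Certificate) {})
}

// terminalCert carries the IMSI in the Subject serialNumber attribute (assumed placement; the claims only say the certificate contains the IMSI).
func terminalCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, imsi string) tls.Certificate {
	c, k := issue(serial, "vowifi-terminal", x509.ExtKeyUsageClientAuth, ca, caKey,
		func(c *x509.Certificate) { c.Subject.SerialNumber = imsi })
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// authenticate runs the mutual handshake in-process (AAA and terminal on the two ends of a
// net.Pipe), then does the AAA's post-handshake check: the verified terminal certificate must
// carry a usable IMSI equal to the one claimed in the EAP-Identity (method prefix stripped).
func authenticate(ca *x509.Certificate, caKey *ecdsa.PrivateKey, term tls.Certificate, claimedNAI string) (string, error) {
	srv, srvKey := issue(2, aaaName, x509.ExtKeyUsageServerAuth, ca, caKey,
		func(c *x509.Certificate) { c.DNSNames = []string{aaaName} })
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	serverCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12,
		SessionTicketsDisabled: true} // a post-handshake ticket write would block on net.Pipe
	clientCfg := &tls.Config{Certificates: []tls.Certificate{term}, RootCAs: pool, ServerName: aaaName, MinVersion: tls.VersionTLS12}
	sConn, cConn := net.Pipe()
	sConn.SetDeadline(time.Now().Add(5 * time.Second)) // turns a stuck handshake into an error
	termErr := make(chan error, 1)
	go func() {
		termErr <- tls.Client(cConn, clientCfg).Handshake()
		cConn.Close() // lets a rejecting AAA finish writing its alert instead of blocking
	}()
	aaa := tls.Server(sConn, serverCfg)
	aaaErr := aaa.Handshake()
	sConn.Close() // unblocks the terminal side if it is still waiting on the pipe
	if tErr := <-termErr; aaaErr != nil || tErr != nil {
		return "", fmt.Errorf("handshake failed: AAA=%v terminal=%v", aaaErr, tErr)
	}
	imsi := aaa.ConnectionState().PeerCertificates[0].Subject.SerialNumber
	if !imsiRe.MatchString(imsi) {
		return "", fmt.Errorf("terminal certificate carries no usable IMSI: %q", imsi)
	}
	if claimed := strings.SplitN(claimedNAI, "@", 2)[0]; len(claimed) < 2 || claimed[1:] != imsi {
		return "", fmt.Errorf("EAP-Identity %q does not match certificate IMSI %s", claimedNAI, imsi)
	}
	return imsi, nil // the identity the AAA carries on to the HSS in the MAR/SAR
}

func main() {
	ca, caKey := newCA()
	imsi := "001010123456789" // constructed IMSI in the 001/01 test PLMN
	fmt.Println(authenticate(ca, caKey, terminalCert(ca, caKey, 3, imsi), "t"+imsi+"@nai.epc.mnc001.mcc001.3gppnetwork.org"))
}
```

Two things in the handshake configuration matter beyond the demo. ClientAuth is RequireAndVerifyClientCert, so a terminal that sends no certificate, or one chaining to a CA outside ClientCAs, fails before any IMSI is read; and the IMSI is taken only from the certificate that passed that verification, never from the EAP-Identity, which is just compared against it.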
  16. A terminal authentication apparatus, applied in a terminal without a USIM/SIM card or in a terminal that cannot obtain USIM/SIM card information, the apparatus comprising:
    a first sending module, configured to send an initial attach request to an access gateway, so that the access gateway sends a DER message to a 3GPP AAA server;
    a first receiving module, configured to receive the server certificate forwarded by the access gateway when the 3GPP AAA server authenticates the terminal through an EAP-TLS exchange;
    a server certificate verification module, configured to verify the server certificate; and
    a second sending module, configured to send a terminal certificate to the access gateway when the server certificate passes verification, so that the access gateway sends the terminal certificate to the 3GPP AAA server for checking.
  17. The terminal authentication apparatus according to claim 16, wherein the terminal certificate contains at least the IMSI the terminal uses for its communication service.
  18. A terminal authentication apparatus, applied in a 3GPP AAA server, the apparatus comprising:
    a third receiving module, configured to receive a DER message from an access gateway; and
    an authentication module, configured to determine, when the EAP-Identity prefix in the EAP-Payload attribute of the DER message is a preset character, that the terminal is an EAP-TLS access, and to authenticate the terminal through an EAP-TLS exchange.
  19. The terminal authentication apparatus according to claim 18, wherein the authentication module further comprises:
    a fourth receiving module, configured to receive a handshake message from the access gateway;
    a third sending module, configured to send a server certificate to the access gateway, so that the terminal verifies the server certificate;
    a fifth receiving module, configured to receive a terminal certificate from the access gateway when the terminal's verification of the server certificate passes;
    a checking module, configured to check the terminal certificate; and
    a fourth sending module, configured to send a handshake-complete message to the access gateway when the check passes, to complete authentication of the terminal.
  20. The terminal authentication apparatus according to claim 18 or 19, wherein the apparatus further comprises:
    a sixth receiving module, configured to receive, from the access gateway, a DER message acknowledging receipt of the handshake-complete message;
    a fifth sending module, configured to send a MAR message and a SAR message to an EPC-HSS server to obtain authentication data and user data and perform an authorization check; and
    a sixth sending module, configured to send a DEA message indicating that the authorization check succeeded to the access gateway when the authorization check on the authentication data and the user data succeeds.
PCT/CN2016/107731 2015-12-22 2016-11-29 Terminal authentication method, device and system WO2017107745A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510977026.6A CN106912047B (en) 2015-12-22 2015-12-22 Terminal authentication method, device and system
CN201510977026.6 2015-12-22

Publications (1)

Publication Number Publication Date
WO2017107745A1 true WO2017107745A1 (en) 2017-06-29

Family

ID=59088978

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/107731 WO2017107745A1 (en) 2015-12-22 2016-11-29 Terminal authentication method, device and system

Country Status (2)

Country Link
CN (1) CN106912047B (en)
WO (1) WO2017107745A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110167025B (en) * 2018-02-13 2021-01-29 华为技术有限公司 Communication method and communication device
CN109257173B (en) * 2018-11-21 2020-02-07 郑州轻工业学院 Asymmetric group key negotiation method based on authority information exchange

Citations (4)

Publication number Priority date Publication date Assignee Title
US20080270534A1 (en) * 2007-04-30 2008-10-30 Futurewei Technologies, Inc. Method and apparatus for ip mobility management selection
CN101374334A (en) * 2007-08-22 2009-02-25 华为技术有限公司 Method and system for transferring packet data network identification information
CN101562814A (en) * 2009-05-15 2009-10-21 中兴通讯股份有限公司 Access method and system for a third-generation network
US20150281966A1 (en) * 2014-03-28 2015-10-01 Qualcomm Incorporated Provisioning credentials in wireless communications

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN101715190B (en) * 2009-11-04 2013-08-21 中兴通讯股份有限公司 System and method for realizing authentication of terminal and server in WLAN (Wireless Local Area Network)
US9088891B2 (en) * 2012-08-13 2015-07-21 Wells Fargo Bank, N.A. Wireless multi-factor authentication with captive portals
US9648019B2 (en) * 2014-04-15 2017-05-09 Telefonaktiebolaget Lm Ericsson (Publ) Wi-Fi integration for non-SIM devices


Also Published As

Publication number Publication date
CN106912047B (en) 2021-04-20
CN106912047A (en) 2017-06-30


Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (ref document number 16877556, country of ref document EP, kind code A1)
NENP Non-entry into the national phase (ref country code DE)
122 Ep: PCT application non-entry in European phase (ref document number 16877556, country of ref document EP, kind code A1)