WO2018032984A1 - Access authentication method, ue, and access device - Google Patents


Info

Publication number
WO2018032984A1
Authority
WO
WIPO (PCT)
Prior art keywords
user terminal
temporary identifier
network function
network
access
Prior art date
Application number
PCT/CN2017/095922
Other languages
French (fr)
Chinese (zh)
Inventor
侯云静
Original Assignee
电信科学技术研究院

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/06 Authentication
    • H04W12/08 Access security

Definitions

  • the present disclosure relates to the field of communications technologies, and in particular, to an access authentication method, a user equipment (UE), and an access device.
  • UE user equipment
  • In a communication system, the UE often needs to connect to the core network through different access networks in different locations or scenarios. For example, after the UE has connected to the core network through one access network, it connects to the core network through another access network.
  • The UE needs to perform an authentication process each time it connects to the core network through an access network. Each authentication process involves signaling interaction, so signaling is wasted.
  • An object of the present disclosure is to provide an access authentication method, a UE, and an access device, which solve the problem of signaling waste.
  • An embodiment of the present disclosure provides an access authentication method, including: sending, by a UE, a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, where the network function determines, according to the temporary identifier, whether the UE is authenticated.
  • the temporary identifier is a temporary identifier allocated by the network function to the UE when the UE connects to the core network through another access network.
  • The method further includes: if the UE is not authenticated, the UE performs an authentication process initiated by the network function, where "the UE is not authenticated" means that the network function does not find the context of the UE according to the temporary identifier.
  • The UE further sends security verification information to the access network, and the access network further sends the security verification information to the network function, so that the network function determines the legitimacy of the UE based on the security verification information.
  • The security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
  • The method further includes: if the verification fails, the UE performs an authentication process initiated by the network function; or, if the verification fails, the UE receives a new identifier sent by the network function through the access network to which the UE is already connected; or, if the verification fails, the UE receives a reject message returned by the network function.
  • An embodiment of the present disclosure further provides an access authentication method, including: an access device receiving a temporary identifier sent by a UE; and the access device sending the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the UE is authenticated.
  • The temporary identifier is a temporary identifier allocated to the UE when the UE connected to the core network through another access network, where the other access network does not include the access device.
  • The method further includes: if the network function finds a context of the UE according to the temporary identifier, which indicates that the UE is authenticated, the access device receives from the network function an indication that the UE has been authenticated.
  • The access device further receives security verification information sent by the UE, and the access network further sends the security verification information to the network function, so that the network function verifies the UE according to the security verification information.
  • the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
  • The embodiment of the present disclosure further provides a UE, including: a sending module, configured to send a temporary identifier to the access network, so that the access network sends the temporary identifier to a network function, where the network function determines, according to the temporary identifier, whether the UE is authenticated.
  • the temporary identifier is a temporary identifier allocated by the network function to the UE when the UE connects to the core network through another access network.
  • The UE further includes: a first execution module, configured to perform an authentication process initiated by the network function if the UE is not authenticated, where "the UE is not authenticated" means that the network function does not find the context of the UE according to the temporary identifier.
  • The UE further sends security verification information to the access network, and the access network further sends the security verification information to the network function, so that the network function determines the legitimacy of the UE based on the security verification information.
  • the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
  • The UE further includes: a second execution module, configured to perform an authentication process initiated by the network function if the verification fails; or a first receiving module, configured to receive, if the verification fails, a new identifier sent by the network function through the access network to which the UE is already connected; or a second receiving module, configured to receive the reject message returned by the network function if the verification fails.
  • The embodiment of the present disclosure further provides an access device, including: a first receiving module, configured to receive a temporary identifier sent by the UE; and a sending module, configured to send the temporary identifier to the network function, so that the network function determines, according to the temporary identifier, whether the UE is authenticated.
  • The temporary identifier is a temporary identifier allocated to the UE when the UE connected to the core network through another access network, where the other access network does not include the access device.
  • The access device further includes: a second receiving module, configured to receive, if the network function finds a context of the UE according to the temporary identifier (which indicates that the UE is authenticated), the indication sent by the network function that the UE has been authenticated.
  • The access device further receives security verification information sent by the UE, and the access network further sends the security verification information to the network function, so that the network function verifies the UE according to the security verification information.
  • the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
  • The embodiment of the present disclosure further provides a user terminal, including: a processor, a transceiver, a memory, a user interface, and a bus interface, where the processor is configured to read a program in the memory and perform the following process: sending, through the transceiver, a temporary identifier to the access network, so that the access network sends the temporary identifier to the network function, and the network function determines, according to the temporary identifier, whether the user terminal is authenticated; the transceiver is configured to receive and send data under the control of the processor.
  • An embodiment of the present disclosure further provides an access device, including: a processor, a transceiver, a memory, a user interface, and a bus interface, where the processor is configured to read a program in the memory and perform the following process: receiving, through the transceiver, a temporary identifier sent by the UE; and sending, through the transceiver, the temporary identifier to the network function, so that the network function determines, according to the temporary identifier, whether the UE is authenticated; the transceiver is configured to receive and send data under the control of the processor.
  • the UE sends a temporary identifier to the access network, so that the access network sends the temporary identifier to the network function, and the network function determines, according to the temporary identifier, whether the UE is authenticated.
  • The UE only needs to send a temporary identifier to the access network, and the network function can determine from the temporary identifier whether the UE is authenticated, so the UE does not need to perform the authentication process each time it connects to the core network through an access network. Signaling waste is thereby reduced.
  • FIG. 1 is a schematic structural diagram of a network applicable to an embodiment of the present disclosure
  • FIG. 2 is a schematic flowchart of an access authentication method according to an embodiment of the present disclosure
  • FIG. 3 is a schematic diagram of another access authentication method according to an embodiment of the present disclosure.
  • FIG. 4 is a schematic diagram of another access authentication method according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic diagram of another access authentication method according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic diagram of another access authentication method according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic flowchart of another access authentication method according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of a UE according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic structural diagram of another UE according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic structural diagram of another UE according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic structural diagram of an access device according to an embodiment of the present disclosure.
  • FIG. 12 is a schematic structural diagram of another access device according to an embodiment of the present disclosure.
  • FIG. 13 is a schematic structural diagram of another UE according to an embodiment of the present disclosure.
  • FIG. 14 is a schematic structural diagram of another access device according to an embodiment of the present disclosure.
  • FIG. 1 is a schematic diagram of a network structure applicable to an embodiment of the present disclosure.
  • The network includes a UE, a non-3GPP access network entity, a non-3GPP access stratum function (Non-3GPP Access Stratum Function, N3ASF), control plane (CP) functions, user plane (UP) functions, an application function, and a data network (DN).
  • N3ASF: Non-3GPP Access Stratum Function
  • CP functions: control plane functions
  • UP functions: user plane functions
  • DN: Data Network
  • Y1 represents an interface between the UE and a non-3GPP access network (e.g., WLAN) entity
  • Y2 represents an interface between the UE and the N3ASF entity
  • Y4 represents an interface between the N3ASF entity and the non-3GPP access network entity
  • NG1 represents the interface between the UE and the control plane function
  • NG2 represents the interface between the N3ASF and the control plane function, and can also be understood as the interface between the radio access network (RAN) and the control plane function
  • NG3 represents the interface between the N3ASF and the user plane function, and can also be understood as the interface between the RAN and the user plane function
  • NG4 represents the interface between the control plane function and the user plane function
  • NG5 represents the interface between the control plane function and the application function
  • NG6 represents the interface between the user plane function and the DN.
  • the above N3ASF is a logical component of the access network, which terminates the NG2 or NG3 interface.
  • the protocol used between the UE and the N3ASF is N3-AS, which can be used to transparently transmit NAS messages, user plane bearer information, and security information between the UE and the core network.
  • N3-AS The protocol used between the UE and the N3ASF
  • Other access network entities, such as a 3GPP access network entity, may be included in the foregoing network structure; this is not limited in the embodiments of the present disclosure.
  • the implementation is not limited to the foregoing network structure, and the foregoing network structure is only an example.
  • the UE may be a mobile phone, a tablet personal computer, a laptop computer, a personal digital assistant (PDA), a mobile internet device (MID), or a wearable device.
  • PDA personal digital assistant
  • MID mobile internet device
  • It should be noted that the specific type of the UE is not limited in the embodiment of the present disclosure.
  • an embodiment of the present disclosure provides an access authentication method.
  • As shown in FIG. 2, the method includes the following step: 201: A UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the UE is authenticated.
  • In the foregoing step the UE sends the temporary identifier to the access network, and the network function can determine from the temporary identifier whether the UE is authenticated. For example, if the network function finds the UE's context by the temporary identifier, this indicates that the UE has already been authenticated, that is, the UE has already connected to the core network through another access network. After the network function determines that the UE has been authenticated, it does not need to initiate an authentication process toward the UE. The above step therefore prevents the UE from performing multiple authentication processes and reduces signaling waste.
  • the network function may be a control plane function.
  • The foregoing temporary identifier is a temporary identifier allocated by the network function to the UE when the UE connected to the core network through another access network.
  • The other access network may use an access technology different from that of the access network in step 201. For example, if the access network in step 201 is a 3GPP access network, the other access network may be an access network other than a 3GPP access network, such as a non-3GPP access network.
  • The method further includes: if the UE is not authenticated, the UE performs an authentication process initiated by the network function, where "the UE is not authenticated" means that the network function does not find the context of the UE according to the temporary identifier.
  • In that case the network function may initiate an authentication process toward the UE; that is, the UE performs the authentication process initiated by the network function.
  • The foregoing UE further sends security verification information to the access network (the access network in step 201), and the access network further sends the security verification information to the network function, so that the network function determines the legitimacy of the UE according to the security verification information.
  • the security verification information may be sent together with the temporary identifier, for example, sending a message carrying the security verification information and the temporary identifier to the access network.
  • The security verification information is also sent to the network function, so that the network function can determine the legitimacy of the UE according to it. This prevents a malicious terminal that has intercepted the UE's temporary identifier from impersonating the UE to connect to the core network.
  • the foregoing security verification information may be that the UE and the network function are pre-negotiated, or the foregoing security verification information may be pre-designated by the network function or the like.
  • the foregoing security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
  • The request message may be an attach request or a request to connect to the core network. If the foregoing security verification information includes the request message, the network function may check the integrity of the request message using the integrity key in the UE's context and decrypt the request message using the key in that context; if decryption succeeds, the verification passes, that is, the UE is determined to be legitimate.
  • The identifier may be an International Mobile Subscriber Identity (IMSI) or an International Mobile Equipment Identity (IMEI). If the foregoing security verification information includes the identifier, the network function may decrypt the identifier using the security information in the UE's context; if decryption succeeds, the verification passes, that is, the UE is determined to be legitimate.
  • IMSI: International Mobile Subscriber Identity
  • IMEI: International Mobile Equipment Identity
  • the signature may be a digital signature.
  • The network function may match the signature in the UE's context against the signature in the security verification information; if they match, the verification passes, that is, the UE is determined to be legitimate.
  • The method further includes: if the verification fails, the UE performs an authentication process initiated by the network function; or, if the verification fails, the UE receives a new identifier sent by the network function through the access network to which the UE is already connected; or, if the verification fails, the UE receives a reject message returned by the network function.
  • In the first case the UE performs the authentication process initiated by the network function. In the second case the UE receives a new identifier sent by the network function through the access network it is already connected to, so that the UE can use the new identifier for authentication. In the third case the UE receives a reject message, that is, the network function refuses to let the UE connect to the core network through this access network, which prevents a malicious terminal that has intercepted the UE's identifier from impersonating the UE to connect to the core network.
  • the UE may send the temporary identifier to the access network by using an RRC message, and the RRC message further includes an attach request.
  • the access network in step 201 is a 3GPP access network, and the UE has connected to the core network through the non-3GPP access network. As shown in FIG. 3, the method includes the following steps:
  • Step 1 The UE sends an RRC message to the 3GPP access network, where the RRC message includes an attach request and a temporary identifier, where the attach request may be an encrypted attach request.
  • Step 2 The 3GPP access network identifies, from the temporary identifier, the network function that allocated it, and sends an NG2 interface message to that network function, where the message includes the attach request and the temporary identifier.
  • Step 3 The network function finds the context of the UE according to the temporary identifier, and uses the security information in the context to determine whether the attach request is secure (e.g., the integrity key checks the integrity of the message and the key successfully decrypts the attach request). If the attach request is secure, the network function stores the information of the newly connected access network (i.e., the 3GPP access network to which the foregoing 3GPP access network entity belongs) in the UE's context, and then returns an NG2 interface message to the 3GPP access network, where the message includes an attach accept message;
  • Step 4 The 3GPP access network returns an RRC message to the UE, where the message includes an attach accept message.
  • the UE may also send the temporary identifier to the access network by using a connection setup message, for example, the message parameter of the connection setup message includes the temporary identifier.
  • the access network in step 201 is a non-3GPP access network, and the UE has connected to the core network through the 3GPP access network, as shown in FIG. 4, the following steps are included:
  • Step 1 The UE sends a connection setup message to the non-3GPP access network, where the message parameter includes a temporary identifier allocated by the network function when the UE connects to the core network through the 3GPP access;
  • Step 2 The non-3GPP access network sends a connection request message to the N3ASF, where the message parameter is a temporary identifier provided by the UE. It should be noted that if the N3ASF and the non-3GPP access network are combined, this step is not performed;
  • Step 3 The N3ASF sends an NG2 interface message to the network function, where the message parameters include the access technology and the temporary identifier provided by the UE.
  • Step 4 The network function searches for the context of the UE according to the temporary identifier of the UE, and finds that the UE has connected to the core network through the 3GPP access network, and the network function sends an NG2 interface message to the N3ASF, where the message carries the authenticated prompt information.
  • Step 5 The N3ASF sends a connection reply message to the non-3GPP access network, where the message carries the authenticated prompt information. It should be noted that if the N3ASF and the non-3GPP access network are combined, this step is not performed;
  • Step 6 The non-3GPP access network sends a connection establishment complete message to the UE.
  • The connection setup message may further include an encrypted identifier or a signature.
  • The UE may further encrypt its IMSI or IMEI using the security context and send the encrypted IMSI or IMEI to the non-3GPP access network entity in step 1. That is, in the above embodiment, the messages of steps 1, 2 and 3 also carry the encrypted IMSI or IMEI, or the signature.
  • The network function uses the temporary identifier to find the context of the UE, then decrypts the IMSI or IMEI using the security information in the context, or verifies the signature. If the decrypted IMSI or IMEI is correct, or the signature verifies, the UE is the genuine UE. If the decrypted identifier differs from the IMSI or IMEI in the UE context, or the signature is incorrect, the UE is a malicious terminal impersonating the genuine UE.
  • Since the connection setup message and the connection establishment complete message are exchanged between the UE and the access network, this can be implemented by extending the protocol between the UE and the non-3GPP access network.
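The context lookup and security-verification logic described for the FIG. 3 (encrypted attach request checked with the integrity key and decrypted with the ciphering key) and FIG. 4 (encrypted IMSI compared with the context) flows, as an added example; this is not code from the patent or its assignee. The key names ck/ik, the HMAC-based keystream standing in for the real ciphering algorithm, the message field names, the outcome strings and the sample IMSI are all assumptions. The example shows the three outcomes the text distinguishes: unknown temporary identifier (full authentication), context found and verification passed (authenticated, new access network recorded), and context found but verification failed (a terminal that only captured the temporary identifier).

```python
"""Temporary-identifier re-authentication across access networks (added example).

Models the network function (CP function) looking up the UE context by the
temporary identifier, then checking the security verification information
(encrypted identifier + integrity-protected request) so that a terminal which
merely captured the temporary identifier cannot impersonate the UE.
Assumed names: ck (ciphering key), ik (integrity key); the HMAC counter-mode
keystream is a stand-in for the real cipher, not a 3GPP algorithm.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class UEContext:
    imsi: str
    ck: bytes                      # ciphering key (assumed name)
    ik: bytes                      # integrity key (assumed name)
    access_networks: List[str] = field(default_factory=list)


def keystream(ck: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream; placeholder for the real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(ck, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(ck: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(ck, nonce, len(data))))


decrypt = encrypt  # XOR stream cipher: same operation both ways


def mac(ik: bytes, *parts: bytes) -> bytes:
    """Integrity tag over length-prefixed fields so they cannot be re-split."""
    h = hmac.new(ik, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def ue_build_request(temp_id: str, imsi: str, ck: bytes, ik: bytes, request: bytes) -> dict:
    """UE side: temporary identifier plus security verification information."""
    nonce = secrets.token_bytes(12)
    enc_imsi = encrypt(ck, nonce, imsi.encode())
    tag = mac(ik, temp_id.encode(), nonce, enc_imsi, request)
    return {"temp_id": temp_id, "nonce": nonce, "enc_imsi": enc_imsi,
            "request": request, "mac": tag}


class NetworkFunction:
    def __init__(self) -> None:
        self.contexts: Dict[str, UEContext] = {}

    def allocate_temp_id(self, ctx: UEContext) -> str:
        """Allocated when the UE first attaches through some access network."""
        temp_id = "TMP-" + secrets.token_hex(8)
        self.contexts[temp_id] = ctx
        return temp_id

    def handle(self, access_tech: str, msg: dict) -> str:
        ctx = self.contexts.get(msg["temp_id"])
        if ctx is None:
            return "INITIATE_AUTHENTICATION"   # no context: run the full procedure
        expected = mac(ctx.ik, msg["temp_id"].encode(), msg["nonce"],
                       msg["enc_imsi"], msg["request"])
        if not hmac.compare_digest(expected, msg["mac"]):
            # Integrity check failed: the NF may reject, re-run full
            # authentication, or issue a new identifier (all three allowed).
            return "VERIFICATION_FAILED"
        imsi = decrypt(ctx.ck, msg["nonce"], msg["enc_imsi"]).decode(errors="replace")
        if imsi != ctx.imsi:
            return "VERIFICATION_FAILED"      # decrypted identifier does not match
        ctx.access_networks.append(access_tech)   # record the new access network
        return "AUTHENTICATED"


def demo() -> dict:
    nf = NetworkFunction()
    ck, ik = secrets.token_bytes(16), secrets.token_bytes(16)
    ctx = UEContext(imsi="460001234567890", ck=ck, ik=ik, access_networks=["3GPP"])  # constructed
    temp_id = nf.allocate_temp_id(ctx)          # allocated during the earlier 3GPP attach
    attach = b"ATTACH-REQUEST"
    genuine = ue_build_request(temp_id, ctx.imsi, ck, ik, attach)
    # Attacker captured temp_id and the request but holds no context keys.
    forged = ue_build_request(temp_id, ctx.imsi, secrets.token_bytes(16), secrets.token_bytes(16), attach)
    tampered = dict(genuine, request=b"ATTACH-REQUEST-TAMPERED")   # original MAC, altered request
    unknown = ue_build_request("TMP-unknown", ctx.imsi, ck, ik, attach)
    return {"genuine": nf.handle("non-3GPP", genuine),
            "forged": nf.handle("non-3GPP", forged),
            "tampered": nf.handle("non-3GPP", tampered),
            "unknown": nf.handle("non-3GPP", unknown),
            "access_networks": list(ctx.access_networks)}


if __name__ == "__main__":
    print(demo())
```

One caveat on the example itself: the nonce is chosen by the UE, so a verbatim replay of a captured genuine message would pass; the text does not specify replay protection, and a deployment would bind the verification to a network-chosen challenge or a counter kept in the context. The integrity tag is checked before decryption because a successful decryption on its own says nothing about who produced the ciphertext.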
  • the foregoing UE may further send the temporary identifier to the access network by using an Extensible Authentication Protocol (EAP) response message.
  • EAP Extensible Authentication Protocol
  • The access network in step 201 may be a non-3GPP access network, and the UE has already connected to the core network through the 3GPP access network. As shown in FIG. 5, the method includes the following steps:
  • Step 1 Establish a connection between the UE and the non-3GPP access network.
  • Step 2 The non-3GPP access network sends an EAP-REQ/Identity message to the UE, and initiates an EAP authentication process.
  • Step 3 The UE returns an EAP-RSP/Identity message to the non-3GPP access network, where the message carries the temporary identifier of the UE.
  • Step 4 The non-3GPP access network sends an EAP-RSP/Identity message to the N3ASF. It should be noted that if the N3ASF and the non-3GPP access network are set together, this step is not performed;
  • Step 5 The N3ASF sends an EAP-RSP/Identity message to the network function.
  • Step 6 The network function finds that the UE has connected to the core network through the 3GPP access, and the network function does not perform the authentication process on the UE again, and returns an EAP-Success message to the N3ASF.
  • Step 7 The N3ASF returns an EAP-Success message to the non-3GPP access network. It should be noted that if the N3ASF and the non-3GPP access network are set together, this step is not performed;
  • Step 8 The non-3GPP access network returns an EAP-Success message to the UE.
  • The UE may also carry the encrypted IMSI, encrypted IMEI, or signature in the EAP-RSP/Identity message, to ensure that the UE is the genuine UE.
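The EAP exchange of steps 2 to 8 above, as an added example that is not part of the patent: it encodes and decodes EAP packets in the RFC 3748 layout (Code, Identifier, Length, Type, Type-Data), has the UE answer EAP-Request/Identity with the temporary identifier, and has the network function reply EAP-Success when the identifier maps to an existing context, without re-running authentication. The NAI-style identity form "<temp_id>@<realm>", the realm value and the handling of an unknown identifier (returning None to signal that full authentication is needed, since the page does not name the method) are assumptions.

```python
"""EAP carriage of the temporary identifier (added example, RFC 3748 framing)."""
import struct
from typing import List, Optional

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eap_encode(code: int, ident: int, type_: Optional[int] = None, data: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2, includes header) [Type(1) Type-Data]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_decode(pkt: bytes) -> dict:
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    body = pkt[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without Type")
        return {"code": code, "id": ident, "type": body[0], "data": body[1:]}
    return {"code": code, "id": ident, "type": None, "data": body}   # Success/Failure


def ue_identity_response(req: bytes, temp_id: str, realm: str = "example.invalid") -> bytes:
    """Step 3: answer EAP-Request/Identity with the temporary identifier (NAI form assumed)."""
    r = eap_decode(req)
    if r["code"] != EAP_REQUEST or r["type"] != EAP_TYPE_IDENTITY:
        raise ValueError("expected EAP-Request/Identity")
    return eap_encode(EAP_RESPONSE, r["id"], EAP_TYPE_IDENTITY, f"{temp_id}@{realm}".encode())


class NetworkFunction:
    """Step 6: a known temporary identifier yields EAP-Success without re-authentication."""

    def __init__(self, known_temp_ids: List[str]) -> None:
        self.contexts = set(known_temp_ids)      # temp id -> UE context exists

    def handle_identity(self, resp: bytes) -> Optional[bytes]:
        r = eap_decode(resp)
        if r["code"] != EAP_RESPONSE or r["type"] != EAP_TYPE_IDENTITY:
            return None
        temp_id = r["data"].decode("utf-8", errors="replace").split("@", 1)[0]
        if temp_id in self.contexts:
            return eap_encode(EAP_SUCCESS, r["id"])   # same Identifier as the response
        return None   # no context: full authentication is needed (method unspecified here)


def run_flow(temp_id: str, known: List[str]) -> dict:
    """Steps 2-8 with the N3ASF/non-3GPP access network acting as transparent relays."""
    req = eap_encode(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)      # step 2: EAP-REQ/Identity
    resp = ue_identity_response(req, temp_id)                 # step 3: EAP-RSP/Identity
    result = NetworkFunction(known).handle_identity(resp)    # steps 4-6
    return {"response": resp, "success": result}              # steps 7-8 relay `success`


if __name__ == "__main__":
    print(run_flow("TMP-abc", ["TMP-abc"]))
    print(run_flow("TMP-zzz", ["TMP-abc"]))
```

The identity carried in EAP-Response/Identity is not integrity protected by EAP itself; in the patent's flow the encrypted IMSI/IMEI or signature in that same message is what lets the network function tell a genuine UE from one replaying a captured temporary identifier.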
  • the foregoing UE may also send the foregoing temporary identifier to the access network by using a protocol request message.
  • The access network in step 201 may be an access network including the N3ASF, and the UE has already connected to the core network through the 3GPP access network. As shown in FIG. 6, the method includes the following steps:
  • Step 1 The UE sends an N3-AS request message to the N3ASF, where the message includes the temporary identifier allocated by the network function when the UE accessed the core network through 3GPP access;
  • Step 2 The N3ASF identifies, from the temporary identifier, the network function that allocated it, and then sends an NG2 interface message to that network function, where the message includes the access technology and the temporary identifier.
  • Step 3 The network function finds the context of the UE according to the temporary identifier, which indicates that the UE has already performed the authentication process through 3GPP access, and returns an NG2 interface message to the N3ASF, where the message includes the authenticated prompt information.
  • Step 4 The N3ASF returns an N3-AS reply message to the UE, where the message includes the authenticated prompt information.
  • the messages of steps 1 and 2 may also include an encrypted IMSI, IMEI or signature.
  • the UE sends a temporary identifier to the access network, so that the access network sends the temporary identifier to the network function, and the network function determines, according to the temporary identifier, whether the UE is authenticated.
  • The UE only needs to send a temporary identifier to the access network, and the network function can determine from the temporary identifier whether the UE is authenticated, so the UE does not need to perform the authentication process each time it connects to the core network through an access network. Signaling waste is thereby reduced.
  • FIG. 7 is another access authentication method according to an embodiment of the present disclosure. As shown in FIG. 7, the method includes the following steps: 701: an access device receives a temporary identifier sent by a UE; 702: the access device sends the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the UE is authenticated.
  • The foregoing access device may be an access device in the access network of step 201 in the embodiment shown in FIG. 2. The access device entity can be implemented in any manner, and details are not described herein.
  • The temporary identifier is a temporary identifier allocated to the UE when the UE connected to the core network through another access network, where the other access network does not include the access device.
  • The method further includes: if the network function finds a context of the UE according to the temporary identifier, which indicates that the UE is authenticated, the access device receives the information sent by the network function that the UE has been authenticated.
  • The access device further receives security verification information sent by the UE, and the access network further sends the security verification information to the network function, so that the network function verifies the UE according to the security verification information.
  • the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
  • the UE 800 includes the following module: a sending module 801, configured to send a temporary identifier to the access network, so that the access network sends the temporary identifier to the network function, and the network function determines, according to the temporary identifier, whether the UE is authenticated.
  • the temporary identifier is a temporary identifier allocated by the network function to the UE when the UE connects to the core network through another access network.
  • the UE 800 further includes: a first execution module 802, configured to perform an authentication procedure initiated by the network function if the UE is not authenticated, where the UE being not authenticated means that the network function did not find the context of the UE according to the temporary identifier.
  • the UE also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function determines the legitimacy of the UE according to the security verification information.
  • the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
  • the UE 800 further includes: a second execution module 803, configured to perform an authentication procedure initiated by the network function if the verification fails; or a first receiving module 804, configured to receive, if the verification fails, a new identifier sent by the network function through an access network to which the UE is already connected; or a second receiving module 805, configured to receive a reject message returned by the network function if the verification fails.
  • the UE 800 may be the UE in any of the method embodiments of the present disclosure, and any implementation of the UE in those method embodiments may be implemented by the UE 800 in this embodiment with the same beneficial effects; details are not described herein again.
  • the access device 1100 includes the following modules: a first receiving module 1101, configured to receive a temporary identifier sent by the UE; and a sending module 1102, configured to send the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the UE is authenticated.
  • the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network, where the other access network does not include the access device.
  • the access device 1100 further includes: a second receiving module 1103, configured to receive prompt information, sent by the network function, indicating that the UE has been authenticated, where the network function having found a context of the UE according to the temporary identifier indicates that the UE is authenticated.
  • the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function authenticates the UE according to the security verification information.
  • the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
  • the access device 1100 may be the access device in any of the method embodiments of the present disclosure, and any implementation of the access device in those method embodiments may be implemented by the access device 1100 in this embodiment with the same beneficial effects; details are not described herein again.
  • the UE includes: a processor 1300, a transceiver 1310, a memory 1320, a user interface 1330, and a bus interface.
  • the processor 1300 is configured to read the program in the memory 1320 and execute the following process: sending, through the transceiver 1310, a temporary identifier to the access network, so that the access network sends the temporary identifier to the network function, and the network function determines, according to the temporary identifier, whether the UE is authenticated.
  • the transceiver 1310 is configured to receive and transmit data under the control of the processor 1300.
  • the bus architecture may include any number of interconnected buses and bridges, linking together one or more processors represented by processor 1300 and various memory circuits represented by memory 1320.
  • the bus architecture can also link various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art and, therefore, will not be further described herein.
  • the bus interface provides an interface.
  • Transceiver 1310 can be a plurality of components, including a transmitter and a receiver, providing means for communicating with various other devices on a transmission medium.
  • the user interface 1330 may also be an interface capable of externally connecting the required devices, including but not limited to a keypad, a display, a speaker, a microphone, a joystick, and the like.
  • the processor 1300 is responsible for managing the bus architecture and general processing, and the memory 1320 can store data used by the processor 1300 in performing operations.
  • the temporary identifier is a temporary identifier allocated by the network function to the UE when the UE connects to the core network through another access network.
  • the processor 1300 is further configured to: if the UE is not authenticated, perform an authentication procedure initiated by the network function, where the UE being not authenticated means that the network function did not find the context of the UE according to the temporary identifier.
  • the processor 1300 also sends security verification information to the access network through the transceiver 1310, and the access network also sends the security verification information to the network function, so that the network function determines the legitimacy of the UE according to the security verification information.
  • the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
  • the processor 1300 is further configured to: if the verification fails, perform an authentication procedure initiated by the network function; or, if the verification fails, receive a new identifier sent by the network function through an access network to which the UE is already connected; or, if the verification fails, receive a reject message from the network function rejecting the UE's request to connect to the core network through the access network.
  • the foregoing UE may be the UE in any of the method embodiments of the present disclosure, and any implementation of the UE in those method embodiments may be implemented by the UE in this embodiment with the same beneficial effects; details are not described herein again.
  • the access device includes: a processor 1400, a transceiver 1410, a memory 1420, a user interface 1430 and a bus interface, where the processor 1400 is configured to read the program in the memory 1420 and execute the following process: receiving, through the transceiver 1410, a temporary identifier sent by the UE; and sending the temporary identifier to the network function, so that the network function determines, according to the temporary identifier, whether the UE is authenticated.
  • the transceiver 1410 is configured to receive and transmit data under the control of the processor 1400.
  • the bus architecture may include any number of interconnected buses and bridges, linking together one or more processors represented by processor 1400 and various memory circuits represented by memory 1420.
  • the bus architecture can also link various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art and, therefore, will not be further described herein.
  • the bus interface provides an interface.
  • Transceiver 1410 can be a plurality of components, including a transmitter and a receiver, providing means for communicating with various other devices on a transmission medium.
  • the user interface 1430 may also be an interface capable of externally connecting the required devices, including but not limited to a keypad, a display, a speaker, a microphone, a joystick, and the like.
  • the processor 1400 is responsible for managing the bus architecture and general processing, and the memory 1420 can store data used by the processor 1400 in performing operations.
  • the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network, where the other access network does not include the access device.
  • the processor 1400 is further configured to: if the network function finds the context of the UE according to the temporary identifier, which indicates that the UE is authenticated, receive prompt information, sent by the network function, indicating that the UE has been authenticated.
  • the processor 1400 also receives, through the transceiver 1410, security verification information sent by the UE, and sends the security verification information to the network function through the transceiver 1410, so that the network function authenticates the UE according to the security verification information.
  • the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
  • the foregoing access device may be the access device in any of the method embodiments of the present disclosure, and any implementation of the access device in those method embodiments may be implemented by the access device in this embodiment with the same beneficial effects; details are not described herein again.
  • the disclosed method and apparatus may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • each functional unit in various embodiments of the present disclosure may be integrated into one processing unit, or each unit may be physically included separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
  • the above-described integrated unit implemented in the form of a software functional unit can be stored in a computer readable storage medium.
  • the above software functional unit is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform some of the steps of the methods of the various embodiments of the present disclosure.
  • the foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.

Abstract

The present disclosure provides an access authentication method, a user terminal, and an access device. The method may comprise: a user terminal sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the UE is authenticated.

Description

Access authentication method, UE and access device
Cross-reference to related applications
This application claims priority to Chinese Patent Application No. 201610676117.0, filed in China on August 16, 2016, the entire contents of which are incorporated herein by reference.
Technical field
The present disclosure relates to the field of communications technologies, and in particular to an access authentication method, a user equipment (UE) and an access device.
Background
In a communication system, a UE often needs to connect to the core network through different access networks, in different locations or in different scenarios. For example, after the UE has connected to the core network through one access network, the UE connects to the core network through another access network. However, in current communication systems, the UE must perform an authentication procedure every time it connects to the core network through an access network. Each authentication procedure involves signaling exchanges, so there is a problem of wasted signaling.
Summary
An object of the present disclosure is to provide an access authentication method, a UE and an access device that solve the problem of wasted signaling.
To achieve the above object, an embodiment of the present disclosure provides an access authentication method, including: a UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the UE has been authenticated.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network.
Optionally, the method further includes: if the UE is not authenticated, the UE performs an authentication procedure initiated by the network function, where the UE being not authenticated means that the network function did not find a context of the UE according to the temporary identifier.
Optionally, the UE also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function determines the legitimacy of the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
Optionally, the method further includes: if the verification fails, the UE performs an authentication procedure initiated by the network function; or, if the verification fails, the UE receives a new identifier sent by the network function through an access network to which the UE is already connected; or, if the verification fails, the UE receives a reject message returned by the network function.
An embodiment of the present disclosure further provides an access authentication method, including: an access device receives a temporary identifier sent by a UE; the access device sends the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the UE has been authenticated.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network, where the other access network does not include the access device.
Optionally, the method further includes: if the network function finds a context of the UE according to the temporary identifier, this indicates that the UE has been authenticated, and the access device receives prompt information, sent by the network function, indicating that the UE has been authenticated.
Optionally, the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function authenticates the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
An embodiment of the present disclosure further provides a UE, including: a sending module, configured to send a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the UE has been authenticated.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network.
Optionally, the UE further includes: a first execution module, configured to perform, if the UE is not authenticated, an authentication procedure initiated by the network function, where the UE being not authenticated means that the network function did not find a context of the UE according to the temporary identifier.
Optionally, the UE also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function determines the legitimacy of the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
Optionally, the UE further includes: a second execution module, configured to perform an authentication procedure initiated by the network function if the verification fails; or a first receiving module, configured to receive, if the verification fails, a new identifier sent by the network function through an access network to which the UE is already connected; or a second receiving module, configured to receive a reject message returned by the network function if the verification fails.
An embodiment of the present disclosure further provides an access device, including: a first receiving module, configured to receive a temporary identifier sent by a UE; and a sending module, configured to send the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the UE has been authenticated.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network, where the other access network does not include the access device.
Optionally, the access device further includes: a second receiving module, configured to receive prompt information, sent by the network function, indicating that the UE has been authenticated, where the network function having found a context of the UE according to the temporary identifier indicates that the UE has been authenticated.
Optionally, the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function authenticates the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message, or a signature.
An embodiment of the present disclosure further provides a user terminal, including: a processor, a transceiver, a memory, a user interface and a bus interface, where the processor is configured to read a program in the memory and perform the following process: sending, through the transceiver, a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the user terminal has been authenticated; and the transceiver is configured to receive and send data under the control of the processor.
An embodiment of the present disclosure further provides an access device, including: a processor, a transceiver, a memory, a user interface and a bus interface, where the processor is configured to read a program in the memory and perform the following process: receiving, through the transceiver, a temporary identifier sent by a UE; and sending, through the transceiver, the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the UE has been authenticated; and the transceiver is configured to receive and send data under the control of the processor.
The above technical solutions of the present disclosure have at least the following beneficial effects. In the embodiments of the present disclosure, a UE sends a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the UE has been authenticated. In this way the UE only needs to send a temporary identifier to the access network, and the network function can determine from the temporary identifier whether the UE has already been authenticated, which avoids the UE having to perform an authentication procedure every time it connects to the core network through an access network, and so reduces wasted signaling.
Brief description of the drawings
FIG. 1 is a schematic diagram of a network structure to which embodiments of the present disclosure can be applied;
FIG. 2 is a schematic flowchart of an access authentication method according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of another access authentication method according to an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of another access authentication method according to an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of another access authentication method according to an embodiment of the present disclosure;
FIG. 6 is a schematic diagram of another access authentication method according to an embodiment of the present disclosure;
FIG. 7 is a schematic flowchart of another access authentication method according to an embodiment of the present disclosure;
FIG. 8 is a schematic structural diagram of a UE according to an embodiment of the present disclosure;
FIG. 9 is a schematic structural diagram of another UE according to an embodiment of the present disclosure;
FIG. 10 is a schematic structural diagram of another UE according to an embodiment of the present disclosure;
FIG. 11 is a schematic structural diagram of an access device according to an embodiment of the present disclosure;
FIG. 12 is a schematic structural diagram of another access device according to an embodiment of the present disclosure;
FIG. 13 is a schematic structural diagram of another UE according to an embodiment of the present disclosure;
FIG. 14 is a schematic structural diagram of another access device according to an embodiment of the present disclosure.
Detailed description
To make the technical problems to be solved, the technical solutions and the advantages of the present disclosure clearer, the following describes them in detail with reference to the accompanying drawings and specific embodiments.
Referring to FIG. 1, FIG. 1 is a schematic diagram of a network structure to which embodiments of the present disclosure can be applied. As shown in FIG. 1, it includes a UE, a non-3GPP access network entity, a Non-3GPP Access Stratum Function (N3ASF), control plane functions (CP functions), user plane functions (UP functions), an Application Function (AF) and a Data Network (DN). Y1 denotes the interface between the UE and the non-3GPP access network (for example, WLAN) entity; Y2 the interface between the UE and the N3ASF entity; Y4 the interface between the N3ASF entity and the non-3GPP access network entity; NG1 the interface between the UE and the control plane functions; NG2 the interface between the N3ASF and the control plane functions, which can also be understood as the interface between the Radio Access Network (RAN) and the control plane functions; NG3 the interface between the N3ASF and the user plane functions, which can also be understood as the interface between the RAN and the user plane functions; NG4 the interface between the control plane functions and the user plane functions; NG5 the interface between the control plane functions and the AF; and NG6 the interface between the user plane functions and the DN. The N3ASF is a logical component of the access network that terminates the NG2 or NG3 interface. The protocol used between the UE and the N3ASF is N3-AS, which can be used to transparently transport NAS messages, user plane bearer information and security information between the UE and the core network. The above network structure may of course also include other access network entities, such as a 3GPP access network entity; this is not limited in the embodiments of the present disclosure. It should be noted that the embodiments of the present disclosure are not limited to being implemented in the above network structure; the above network structure is only an example.
In addition, the UE may be a terminal-side device such as a mobile phone, a tablet personal computer, a laptop computer, a personal digital assistant (PDA), a mobile Internet device (MID) or a wearable device. It should be noted that the specific type of the UE is not limited in the embodiments of the present disclosure.
请参阅图2,本公开实施例提供一种接入认证方法,如图2所示,包括以下步骤:201、UE向接入网发送一临时标识,以使所述接入网向网络功能发送所述临时标识,由所述网络功能根据所述临时标识判断所述UE是否已认证。Referring to FIG. 2, an embodiment of the present disclosure provides an access authentication method. As shown in FIG. 2, the method includes the following steps: 201: A UE sends a temporary identifier to an access network, so that the access network sends a network function. And determining, by the network function, whether the UE is authenticated according to the temporary identifier by the network function.
本公开实施例中,通过上述步骤可以实现UE向接入网发送上述临时标识,就可以实现网络功能根据该临时标识判断该UR是否已认证,例如:网络功能通过该临时标识能查找到上述UE的上下文,则表示该UE已经认证,即说明该UE已经通过其他接入网连接到核心网。且网络功能确定UE已认证后,就不需要向该UE发起认证过程。从而通过上述步骤可以实现避免了UE 通过不同的接入网络连接到核心网时,执行多次认证过程,以减少信令浪费。In the embodiment of the present disclosure, the foregoing step can be used to enable the UE to send the temporary identifier to the access network, and the network function can determine whether the UR is authenticated according to the temporary identifier. For example, the network function can find the UE by using the temporary identifier. The context indicates that the UE has been authenticated, that is, the UE has been connected to the core network through other access networks. After the network function determines that the UE has been authenticated, it does not need to initiate an authentication process to the UE. Therefore, the UE can be avoided by the above steps. When connecting to the core network through different access networks, multiple authentication processes are performed to reduce signaling waste.
本公开实施例中,上述网络功能可以是控制面功能。In the embodiment of the present disclosure, the network function may be a control plane function.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network.
In this implementation, the temporary identifier is the one allocated to the UE by the network function when the UE connected to the core network through another access network. That other access network may use an access technology different from that of the access network in step 201; for example, the access network in step 201 is a 3GPP access network, while the other access network may be an access network other than a 3GPP access network, such as a non-3GPP access network.
Optionally, the method further includes: if the UE has not been authenticated, the UE performs an authentication process initiated by the network function, where "the UE has not been authenticated" means that the network function did not find the UE's context according to the temporary identifier.
In this implementation, if the network function determines according to the temporary identifier that the UE has not been authenticated (for example, the UE had not connected to the core network through another access network before performing step 201), the network function may initiate an authentication process towards the UE, i.e. the UE performs the authentication process initiated by the network function.
Optionally, the UE also sends security verification information to the access network, and the access network (the access network in step 201) also sends the security verification information to the network function, so that the network function determines the legitimacy of the UE according to the security verification information.
The security verification information may be sent together with the temporary identifier, for example in a single message sent to the access network that carries both the security verification information and the temporary identifier. After receiving the security verification information, the access network also forwards it to the network function, so that the network function can determine the legitimacy of the UE according to it. This prevents a malicious terminal that has intercepted the UE's identifier from impersonating the UE to connect to the core network. The security verification information may be negotiated in advance between the UE and the network function, or may be designated in advance by the network function, and so on.
Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message or a signature.
The request message may be an attach request or a core-network connection request. If the security verification information includes the request message, the network function may check the integrity of the request message using the integrity key in the UE's context and decrypt the request message using the key in that context; if decryption succeeds, the verification passes, i.e. the UE is determined to be legitimate.
The identifier may be an International Mobile Subscriber Identification Number (IMSI) or an International Mobile Equipment Identity (IMEI), among others. If the security verification information includes the identifier, the network function may decrypt the identifier using the security information in the UE's context; if decryption succeeds, the verification passes, i.e. the UE is determined to be legitimate.
The signature may be a digital signature. The network function may match the signature in the UE's context against the signature in the security verification information; if they match, the verification passes, i.e. the UE is determined to be legitimate.
Optionally, the method further includes: if the verification fails, the UE performs an authentication process initiated by the network function; or, if the verification fails, the UE receives a new identifier sent by the network function through an access network to which the UE is already connected; or, if the verification fails, the UE receives a reject message returned by the network function.
In this implementation, if the verification fails, the UE performs an authentication process initiated by the network function. Alternatively, if the verification fails, the UE receives a new identifier sent by the network function through an access network to which the UE is already connected, and the UE can then authenticate using that new identifier. Alternatively, if the verification fails, the UE receives a reject message returned by the network function, meaning that the network function refuses to let the UE connect to the core network through this access network; this prevents a malicious terminal that has intercepted the UE's identifier from impersonating the UE to connect to the core network.
Optionally, the UE may send the temporary identifier to the access network in an RRC message that also carries an attach request. For example, when the access network in step 201 is a 3GPP access network and the UE has already connected to the core network through a non-3GPP access network, the procedure may be as shown in FIG. 3 and includes the following steps:
Step 1: The UE sends an RRC message to the 3GPP access network; the RRC message includes an attach request and the temporary identifier, and the attach request may be an encrypted attach request.
Step 2: The 3GPP access network determines from the temporary identifier which network function allocated it, and sends an NG2 interface message to that network function; the message includes the attach request and the temporary identifier.
Step 3: The network function finds the UE's context according to the temporary identifier and uses the security information in the context to judge the security of the attach request. If the attach request is secure (for example, the integrity of the message is checked with the integrity key and the attach request can be decrypted successfully with the key), the network function stores the information of the new access network (i.e. the 3GPP access network to which the above 3GPP access network entity belongs) in the UE's context and then returns an NG2 interface message to the 3GPP access network; the message includes an attach accept message.
Step 4: The 3GPP access network returns an RRC message to the UE; the message includes the attach accept message.
In addition, the UE may send the temporary identifier to the access network in a connection setup message, for example with the temporary identifier carried among the message parameters of the connection setup message. For example, when the access network in step 201 is a non-3GPP access network and the UE has already connected to the core network through a 3GPP access network, the procedure may be as shown in FIG. 4 and includes the following steps:
Step 1: The UE sends a connection setup message to the non-3GPP access network; the message parameters include the temporary identifier allocated to the UE by the network function when the UE connected to the core network through 3GPP access.
Step 2: The non-3GPP access network sends a connection request message to the N3ASF, with the temporary identifier provided by the UE as a message parameter. Note that if the N3ASF and the non-3GPP access network are co-located, this step is not performed.
Step 3: The N3ASF sends an NG2 interface message to the network function; the message parameters include the access technology and the temporary identifier provided by the UE.
Step 4: The network function finds the UE's context according to the UE's temporary identifier and discovers that the UE has already connected to the core network through the 3GPP access network; the network function sends an NG2 interface message to the N3ASF carrying an "already authenticated" indication.
Step 5: The N3ASF sends a connection reply message to the non-3GPP access network carrying the "already authenticated" indication. Note that if the N3ASF and the non-3GPP access network are co-located, this step is not performed.
Step 6: The non-3GPP access network sends a connection setup complete message to the UE.
In addition, in this implementation the connection setup message may also include an encrypted identifier or a signature. For example, the UE may encrypt its IMSI or IMEI using the security context and send the encrypted IMSI or IMEI to the non-3GPP access network entity in step 1. That is, in the above implementation the messages of steps 1, 2 and 3 also carry the encrypted IMSI or IMEI, or a signature. In step 3, the network function uses the temporary identifier to find the UE's context, then uses the security information in the context to decrypt the IMSI or IMEI, or to verify the signature. If the UE's IMSI or IMEI can be decrypted, or the signature is correct, the UE is the genuine UE. If the decrypted identifier differs from the IMSI or IMEI in the UE's context, or the signature is incorrect, the UE is a malicious terminal impersonating the genuine UE.
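The network function's decision logic described above (context lookup by temporary identifier, integrity check, comparison of the decrypted IMSI with the context, and the three failure outcomes of the earlier optional implementations) as an added, runnable Python model. This is not the patent's code; the context store, the message layout and the HMAC-SHA256 counter-mode keystream used in place of the context's real confidentiality algorithm are assumptions, and the IMSI is a constructed test value.

```python
"""Toy model of the network function's check on a temporary identifier.

Added example, not code from the patent. The context store, the message
layout and the HMAC-SHA256 keystream cipher are assumptions made so the
example runs on the Python standard library alone.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class UEContext:
    """What the network function keeps after the UE's first full authentication."""
    imsi: str
    integrity_key: bytes
    cipher_key: bytes
    access_networks: list = field(default_factory=list)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for the context's confidentiality algorithm (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def integrity_tag(key: bytes, message: bytes) -> bytes:
    """Integrity protection with the context's integrity key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def build_attach_request(temp_id: str, imsi: str, integrity_key: bytes, cipher_key: bytes):
    """UE side: temporary identifier plus an encrypted, integrity-protected IMSI."""
    nonce = secrets.token_bytes(12)
    enc_imsi = encrypt(cipher_key, nonce, imsi.encode())
    tag = integrity_tag(integrity_key, temp_id.encode() + nonce + enc_imsi)
    return nonce, enc_imsi, tag


class NetworkFunction:
    def __init__(self):
        self.contexts: dict = {}  # temporary identifier -> UEContext

    def first_authentication(self, imsi: str, access_network: str):
        """Full authentication on the first access: create the context and allocate
        a temporary id. Returns what the UE learns from that run: id and session keys."""
        temp_id = secrets.token_hex(8)
        ctx = UEContext(imsi, secrets.token_bytes(32), secrets.token_bytes(32), [access_network])
        self.contexts[temp_id] = ctx
        return temp_id, ctx.integrity_key, ctx.cipher_key

    def handle_attach(self, temp_id, access_network, nonce, enc_imsi, tag, on_fail="reject"):
        """Decide on an attach arriving over a second access network.

        Returns (outcome, detail):
          ("initiate_authentication", None)  no context for the id: run full authentication
          ("authenticated", None)            context found and verification passed
          ("reject", None)                   verification failed, the UE is refused
          ("new_identifier", new_id)         verification failed, fresh id for the genuine UE
        """
        ctx = self.contexts.get(temp_id)
        if ctx is None:
            return "initiate_authentication", None
        expected = integrity_tag(ctx.integrity_key, temp_id.encode() + nonce + enc_imsi)
        tag_ok = hmac.compare_digest(expected, tag)
        imsi_ok = encrypt(ctx.cipher_key, nonce, enc_imsi) == ctx.imsi.encode()
        if not (tag_ok and imsi_ok):
            if on_fail == "new_identifier":
                # Intercepted id is retired; the new one goes to the UE over the
                # access network it is already connected through.
                new_id = secrets.token_hex(8)
                self.contexts[new_id] = self.contexts.pop(temp_id)
                return "new_identifier", new_id
            return on_fail, None
        if access_network not in ctx.access_networks:
            ctx.access_networks.append(access_network)  # record the new access network
        return "authenticated", None


if __name__ == "__main__":
    nf = NetworkFunction()
    imsi = "001010123456789"  # constructed test IMSI
    temp_id, ik, ck = nf.first_authentication(imsi, "3GPP")
    print(nf.handle_attach(temp_id, "non-3GPP", *build_attach_request(temp_id, imsi, ik, ck)))
    print(nf.handle_attach("0" * 16, "non-3GPP", *build_attach_request(temp_id, imsi, ik, ck)))
    # a terminal that only holds the intercepted temporary identifier, not the context keys
    print(nf.handle_attach(temp_id, "non-3GPP", *build_attach_request(temp_id, imsi, b"\0" * 32, b"\0" * 32)))
```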
In addition, in this implementation, because what is transmitted between the UE and the access network are the connection setup message and the connection setup complete message, the protocol between the UE and the non-3GPP access network is extended to achieve this.
In addition, the UE may send the temporary identifier to the access network in an Extensible Authentication Protocol (EAP) response message. For example, when the access network in step 201 is a non-3GPP access network and the UE has already connected to the core network through a 3GPP access network, the procedure may be as shown in FIG. 5 and includes the following steps:
Step 1: A connection is established between the UE and the non-3GPP access network.
Step 2: The non-3GPP access network sends an EAP-REQ/Identity message to the UE to initiate the EAP authentication process.
Step 3: The UE returns an EAP-RSP/Identity message to the non-3GPP access network; the message carries the UE's temporary identifier.
Step 4: The non-3GPP access network sends the EAP-RSP/Identity message to the N3ASF. Note that if the N3ASF and the non-3GPP access network are co-located, this step is not performed.
Step 5: The N3ASF sends the EAP-RSP/Identity message to the network function.
Step 6: The network function discovers that the UE has already connected to the core network through 3GPP access; it does not perform the authentication process on the UE again and returns an EAP-Success message to the N3ASF.
Step 7: The N3ASF returns the EAP-Success message to the non-3GPP access network. Note that if the N3ASF and the non-3GPP access network are co-located, this step is not performed.
Step 8: The non-3GPP access network returns the EAP-Success message to the UE.
To ensure that the UE is a legitimate UE, the UE may also carry the encrypted IMSI, the encrypted IMEI or a signature in the EAP-RSP/Identity message.
In addition, this implementation does not require extending the protocol between the UE and the non-3GPP access network.
The UE may also send the temporary identifier to the access network in a protocol request message. For example, the access network in step 201 may be an access network that includes the N3ASF, and the UE has already connected to the core network through a 3GPP access network; the procedure may be as shown in FIG. 6 and includes the following steps:
Step 1: The UE sends an N3-AS request message to the N3ASF; the message includes the temporary identifier allocated to the UE by the network function when the UE accessed the core network through 3GPP access.
Step 2: The N3ASF determines from the temporary identifier which network function allocated it, and then sends an NG2 interface message to that network function; the message includes the access technology and the temporary identifier.
Step 3: The network function finds the UE's context according to the temporary identifier, which shows that the UE has already performed the authentication process through 3GPP access; it returns an NG2 interface message to the N3ASF carrying an "already authenticated" indication.
Step 4: The N3ASF returns an N3-AS reply message to the UE carrying the "already authenticated" indication.
In addition, to ensure that the UE is a legitimate UE, the messages of steps 1 and 2 may also include the encrypted IMSI, the encrypted IMEI or a signature.
It should be noted that the various optional implementations introduced in the embodiments of the present disclosure may be combined with one another or implemented separately; the embodiments of the present disclosure do not limit this.
In the embodiments of the present disclosure, the UE sends a temporary identifier to the access network so that the access network sends the temporary identifier to the network function, and the network function determines according to the temporary identifier whether the UE has been authenticated. The UE therefore only needs to send a temporary identifier to the access network for the network function to determine whether it has been authenticated, which avoids running an authentication process every time the UE connects to the core network through an access network and reduces wasted signaling.
Referring to FIG. 7, FIG. 7 shows another access authentication method provided by an embodiment of the present disclosure. As shown in FIG. 7, the method includes the following steps: 701: an access device receives a temporary identifier sent by a UE; 702: the access device sends the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the UE has been authenticated.
It should be noted that the access device may be an access device in the access network of step 201 in the embodiment shown in FIG. 2; any implementation of the access network in step 201 of the embodiment shown in FIG. 2 can be realized by this access device entity, and is not repeated here.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network, where that other access network does not include the access device.
Optionally, the method further includes: if the network function finds the UE's context according to the temporary identifier, which indicates that the UE has been authenticated, the access device receives an indication sent by the network function that the UE has been authenticated.
Optionally, the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function authenticates the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message or a signature.
It should be noted that this embodiment is the implementation corresponding to the access network (the access network in step 201) in the embodiments shown in FIG. 2 to FIG. 6; for its specific implementation, refer to the related description of the embodiments shown in FIG. 2 to FIG. 6, which is not repeated here to avoid duplication. This embodiment likewise reduces wasted signaling.
Referring to FIG. 8, which shows a UE structure, as shown in FIG. 8 the UE 800 includes the following module: a sending module 801, configured to send a temporary identifier to the access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the UE has been authenticated.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network.
Optionally, as shown in FIG. 9, the UE 800 further includes a first execution module 802, configured to perform an authentication process initiated by the network function if the UE has not been authenticated, where "the UE has not been authenticated" means that the network function did not find the UE's context according to the temporary identifier.
Optionally, the UE also sends security verification information to the access network, and the access network also sends the security verification information to the network function, so that the network function determines the legitimacy of the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message or a signature.
Optionally, as shown in FIG. 10, the UE 800 further includes: a second execution module 803, configured to perform an authentication process initiated by the network function if the verification fails; or a first receiving module 804, configured to receive, if the verification fails, a new identifier sent by the network function through an access network to which the UE is already connected; or a second receiving module 805, configured to receive, if the verification fails, a reject message returned by the network function.
It should be noted that the UE 800 in this embodiment may be the UE of any implementation in the method embodiments of the present disclosure; any implementation of the UE in those method embodiments can be realized by the UE 800 in this embodiment with the same beneficial effects, which are not repeated here.
Referring to FIG. 11, an embodiment of the present disclosure provides an access device. As shown in FIG. 11, the access device 1100 includes the following modules: a first receiving module 1101, configured to receive a temporary identifier sent by a UE; and a sending module 1102, configured to send the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the UE has been authenticated.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network, where that other access network does not include the access device.
Optionally, as shown in FIG. 12, the access device 1100 further includes a second receiving module 1103, configured to receive an indication sent by the network function that the UE has been authenticated if the network function finds the UE's context according to the temporary identifier, which indicates that the UE has been authenticated.
Optionally, the access device also receives security verification information sent by the UE, and the access network also sends the security verification information to the network function, so that the network function authenticates the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message or a signature.
It should be noted that the access device 1100 in this embodiment may be the access device of any implementation in the method embodiments of the present disclosure; any implementation of the access device in those method embodiments can be realized by the access device 1100 in this embodiment with the same beneficial effects, which are not repeated here.
Referring to FIG. 13, which shows a UE structure, the UE includes a processor 1300, a transceiver 1310, a memory 1320, a user interface 1330 and a bus interface. The processor 1300 is configured to read the program in the memory 1320 and perform the following process: send a temporary identifier to the access network through the transceiver 1310, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the UE has been authenticated. The transceiver 1310 is configured to receive and send data under the control of the processor 1300.
In FIG. 13, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 1300 and memory represented by the memory 1320. The bus architecture may also link various other circuits such as peripherals, voltage regulators and power management circuits; these are well known in the art and are therefore not described further here. The bus interface provides the interface. The transceiver 1310 may be a number of elements, i.e. it includes a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium. Depending on the user equipment, the user interface 1330 may also be an interface capable of connecting required devices externally or internally, including but not limited to a keypad, a display, a speaker, a microphone and a joystick.
The processor 1300 is responsible for managing the bus architecture and general processing, and the memory 1320 may store data used by the processor 1300 when performing operations.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network.
Optionally, the processor 1300 is further configured to: if the UE has not been authenticated, perform an authentication process initiated by the network function, where "the UE has not been authenticated" means that the network function did not find the UE's context according to the temporary identifier.
Optionally, the processor 1300 also sends security verification information to the access network through the transceiver 1310, and the access network also sends the security verification information to the network function, so that the network function determines the legitimacy of the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message or a signature.
Optionally, the processor 1300 is further configured to: if the verification fails, perform an authentication process initiated by the network function; or, if the verification fails, receive a new identifier sent by the network function through an access network to which the UE is already connected; or, if the verification fails, the UE's request to connect to the core network through the access network is rejected by the network function.
It should be noted that the UE in this embodiment may be the UE of any implementation in the method embodiments of the present disclosure; any implementation of the UE in those method embodiments can be realized by the UE in this embodiment with the same beneficial effects, which are not repeated here.
Referring to FIG. 14, which shows the structure of an access device, the access device includes a processor 1400, a transceiver 1410, a memory 1420, a user interface 1430 and a bus interface. The processor 1400 is configured to read the program in the memory 1420 and perform the following process: receive, through the transceiver 1410, a temporary identifier sent by a UE; send the temporary identifier to a network function through the transceiver 1410, so that the network function determines, according to the temporary identifier, whether the UE has been authenticated. The transceiver 1410 is configured to receive and send data under the control of the processor 1400.
In FIG. 14, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 1400 and memory represented by the memory 1420. The bus architecture may also link various other circuits such as peripherals, voltage regulators and power management circuits; these are well known in the art and are therefore not described further here. The bus interface provides the interface. The transceiver 1410 may be a number of elements, i.e. it includes a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium. Depending on the user equipment, the user interface 1430 may also be an interface capable of connecting required devices externally or internally, including but not limited to a keypad, a display, a speaker, a microphone and a joystick.
The processor 1400 is responsible for managing the bus architecture and general processing, and the memory 1420 may store data used by the processor 1400 when performing operations.
Optionally, the temporary identifier is a temporary identifier allocated to the UE by the network function when the UE connected to the core network through another access network, where that other access network does not include the access device.
Optionally, the processor 1400 is further configured to: if the network function finds the UE's context according to the temporary identifier, which indicates that the UE has been authenticated, receive an indication sent by the network function that the UE has been authenticated.
Optionally, the processor 1400 also receives, through the transceiver 1410, security verification information sent by the UE, and also sends the security verification information to the network function through the transceiver 1410, so that the network function authenticates the UE according to the security verification information.
Optionally, the security verification information includes one or more of the following: an encrypted identifier, an encrypted request message or a signature.
It should be noted that the access device in this embodiment may be the access device of any implementation in the method embodiments of the present disclosure; any implementation of the access device in those method embodiments can be realized by the access device in this embodiment with the same beneficial effects, which are not repeated here.
在本申请所提供的几个实施例中,应该理解到,所揭露方法和装置,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided in the present application, it should be understood that the disclosed method and apparatus may be implemented in other manners. For example, the device embodiments described above are merely illustrative. For example, the division of the unit is only a logical function division. In actual implementation, there may be another division manner, for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed. In addition, the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
另外,在本公开各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理包括,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用硬件加软件功能单元的形式实现。In addition, each functional unit in various embodiments of the present disclosure may be integrated into one processing unit, or each unit may be physically included separately, or two or more units may be integrated into one unit. The above integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
上述以软件功能单元的形式实现的集成的单元,可以存储在一个计算机可读取存储介质中。上述软件功能单元存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本公开各个实施例所述收发方法的部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read-Only Memory,简称ROM)、随机存取存储器(Random Access Memory,简称RAM)、磁碟或者光盘等各种可以存储程序代码的介质。The above-described integrated unit implemented in the form of a software functional unit can be stored in a computer readable storage medium. The above software functional unit is stored in a storage medium and includes a plurality of instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform part of the steps of the transceiving method of the various embodiments of the present disclosure. The foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like, and the program code can be stored. Medium.
以上所述是本公开的优选实施方式,应当指出,对于本技术领域的普通技术人员来说,在不脱离本公开所述原理的前提下,还可以作出若干改进和润饰,这些改进和润饰也应视为本公开的保护范围。 The above is a preferred embodiment of the present disclosure, and it should be noted that those skilled in the art can also make several improvements and refinements without departing from the principles of the present disclosure. It should be considered as the scope of protection of this disclosure.

Claims (24)

  1. An access authentication method, comprising:
    a user terminal sending a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the user terminal is authenticated.
  2. The method according to claim 1, wherein the temporary identifier is a temporary identifier allocated to the user terminal by the network function when the user terminal connected to a core network through another access network.
  3. The method according to claim 1, wherein the method further comprises:
    if the user terminal is not authenticated, the user terminal performing an authentication procedure initiated by the network function, wherein the user terminal being not authenticated means that the network function did not find a context of the user terminal according to the temporary identifier.
  4. The method according to any one of claims 1 to 3, wherein the user terminal further sends security verification information to the access network, and the access network further sends the security verification information to the network function, so that the network function determines the legitimacy of the user terminal according to the security verification information.
  5. The method according to claim 4, wherein the security verification information comprises one or more of the following:
    an encrypted identifier, an encrypted request message or a signature.
  6. The method according to claim 4, wherein the method further comprises:
    if the verification fails, the user terminal performing an authentication procedure initiated by the network function; or
    if the verification fails, the user terminal receiving a new identifier sent by the network function through an access network to which the user terminal is already connected; or
    if the verification fails, the user terminal receiving a reject message returned by the network function.
  7. An access authentication method, comprising:
    an access device receiving a temporary identifier sent by a user terminal;
    the access device sending the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the user terminal is authenticated.
  8. The method according to claim 7, wherein the temporary identifier is a temporary identifier allocated to the user terminal by the network function when the user terminal connected to a core network through another access network, wherein the other access network does not include the access device.
  9. The method according to claim 8, wherein the method further comprises:
    if the network function finds a context of the user terminal according to the temporary identifier, which indicates that the user terminal is authenticated, the access device receiving indication information sent by the network function that the user terminal is authenticated.
  10. The method according to any one of claims 7 to 9, wherein the access device further receives security verification information sent by the user terminal, and the access network further sends the security verification information to the network function, so that the network function authenticates the user terminal according to the security verification information.
  11. The method according to claim 10, wherein the security verification information comprises one or more of the following:
    an encrypted identifier, an encrypted request message or a signature.
  12. A user terminal, comprising:
    a sending module, configured to send a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the user terminal is authenticated.
  13. The user terminal according to claim 12, wherein the temporary identifier is a temporary identifier allocated to the user terminal by the network function when the user terminal connected to a core network through another access network.
  14. The user terminal according to claim 12, wherein the user terminal further comprises:
    a first execution module, configured to perform, if the user terminal is not authenticated, an authentication procedure initiated by the network function, wherein the user terminal being not authenticated means that the network function did not find a context of the user terminal according to the temporary identifier.
  15. The user terminal according to any one of claims 12 to 14, wherein the user terminal further sends security verification information to the access network, and the access network further sends the security verification information to the network function, so that the network function determines the legitimacy of the user terminal according to the security verification information.
  16. The user terminal according to claim 15, wherein the security verification information comprises one or more of the following:
    an encrypted identifier, an encrypted request message or a signature.
  17. The user terminal according to claim 15, wherein the user terminal further comprises:
    a second execution module, configured to perform, if the verification fails, an authentication procedure initiated by the network function; or
    a first receiving module, configured to receive, if the verification fails, a new identifier sent by the network function through an access network to which the user terminal is already connected; or
    a second receiving module, configured to receive, if the verification fails, a reject message returned by the network function.
  18. An access device, comprising:
    a first receiving module, configured to receive a temporary identifier sent by a user terminal;
    a sending module, configured to send the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the user terminal is authenticated.
  19. The access device according to claim 18, wherein the temporary identifier is a temporary identifier allocated to the user terminal by the network function when the user terminal connected to a core network through another access network, wherein the other access network does not include the access device.
  20. The access device according to claim 19, wherein the access device further comprises:
    a second receiving module, configured to receive, if the network function finds a context of the user terminal according to the temporary identifier, which indicates that the user terminal is authenticated, indication information sent by the network function that the user terminal is authenticated.
  21. The access device according to any one of claims 18 to 20, wherein the access device further receives security verification information sent by the user terminal, and the access network further sends the security verification information to the network function, so that the network function authenticates the user terminal according to the security verification information.
  22. The access device according to claim 21, wherein the security verification information comprises one or more of the following:
    an encrypted identifier, an encrypted request message or a signature.
  23. A user terminal, comprising a processor, a transceiver, a memory, a user interface and a bus interface, wherein:
    the processor is configured to read a program in the memory and execute the following process: sending, through the transceiver, a temporary identifier to an access network, so that the access network sends the temporary identifier to a network function, and the network function determines, according to the temporary identifier, whether the user terminal is authenticated;
    the transceiver is configured to receive and send data under the control of the processor.
  24. An access device, comprising a processor, a transceiver, a memory, a user interface and a bus interface, wherein:
    the processor is configured to read a program in the memory and execute the following process: receiving, through the transceiver, a temporary identifier sent by a UE; sending, through the transceiver, the temporary identifier to a network function, so that the network function determines, according to the temporary identifier, whether the user terminal is authenticated;
    the transceiver is configured to receive and send data under the control of the processor.
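The network-function decision that claims 1 to 11 describe (context lookup by temporary identifier, optional check of the security verification information, and the three outcomes) as an added example; this is not code from the patent, the context store, the HMAC-SHA256 "signature" and the identifier format are assumptions, and the access device is modelled only as a relay that forwards the identifier and receives the verdict.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Outcome(Enum):
    AUTHENTICATED = "authenticated"            # context found and, if sent, signature verified
    INITIATE_AUTHENTICATION = "initiate_auth"  # no context for this temporary identifier
    REJECT = "reject"                          # context found but the signature did not verify


@dataclass
class UEContext:
    """Context the network function kept from the UE's first authentication."""
    permanent_id: str
    key: bytes  # hypothetical: a key established during that first authentication


def sign_request(key: bytes, temp_id: str, request: bytes) -> bytes:
    """UE side: the 'signature' item of the security verification information.
    The patent fixes no algorithm; HMAC-SHA256 over identifier and request is assumed."""
    return hmac.new(key, temp_id.encode() + b"|" + request, hashlib.sha256).digest()


@dataclass
class NetworkFunction:
    contexts: Dict[str, UEContext] = field(default_factory=dict)

    def allocate_temporary_id(self, ctx: UEContext) -> str:
        """Run when the UE authenticated over the first access network."""
        temp_id = secrets.token_hex(8)  # hypothetical format, 16 hex characters
        self.contexts[temp_id] = ctx
        return temp_id

    def check(self, temp_id: str, request: bytes, signature: Optional[bytes]) -> Outcome:
        """What the network function answers when a second access network relays temp_id."""
        ctx = self.contexts.get(temp_id)
        if ctx is None:
            # Claim 3: no context found, the UE must run the full authentication procedure.
            return Outcome.INITIATE_AUTHENTICATION
        if signature is None:
            # Claim 1 alone: the lookup is the whole check. Anyone who observed temp_id
            # in transit could replay it, so a deployment should require the signature.
            return Outcome.AUTHENTICATED
        if hmac.compare_digest(sign_request(ctx.key, temp_id, request), signature):
            return Outcome.AUTHENTICATED
        # Claim 6 allows three reactions; this example returns the reject message.
        return Outcome.REJECT


def demo() -> Tuple[Outcome, Outcome, Outcome, Outcome]:
    """Constructed scenario: genuine UE, forged key, tampered request, unknown identifier."""
    nf = NetworkFunction()
    key = b"\x11" * 32  # constructed key
    temp_id = nf.allocate_temporary_id(UEContext("permanent-id-placeholder", key))
    req = b"attach-via-second-access-network"  # constructed request message
    # The access device only forwards what the UE sent; nf.check is the relayed call.
    ok = nf.check(temp_id, req, sign_request(key, temp_id, req))
    forged = nf.check(temp_id, req, sign_request(b"\x22" * 32, temp_id, req))
    tampered = nf.check(temp_id, b"other-request", sign_request(key, temp_id, req))
    unknown = nf.check("0000000000000000", req, None)
    return ok, forged, tampered, unknown
```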

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610676117.0 2016-08-16
CN201610676117.0A CN107770770A (en) 2016-08-16 2016-08-16 A kind of access authentication method, UE and access device

Publications (1)

Publication Number Publication Date
WO2018032984A1 true WO2018032984A1 (en) 2018-02-22

Family

ID=61196332

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/095922 WO2018032984A1 (en) 2016-08-16 2017-08-04 Access authentication method, ue, and access device

Country Status (3)

Country Link
CN (1) CN107770770A (en)
TW (1) TWI641271B (en)
WO (1) WO2018032984A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110798833A (en) * 2018-08-03 2020-02-14 华为技术有限公司 Method and device for verifying user equipment identification in authentication process

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101835155A (en) * 2010-03-31 2010-09-15 中兴通讯股份有限公司 Method and system for accessing terminal to fusion network
CN103067337A (en) * 2011-10-19 2013-04-24 中兴通讯股份有限公司 Identity federation method, identity federation intrusion detection & prevention system (IdP), identity federation service provider (SP) and identity federation system
CN104871511A (en) * 2012-12-19 2015-08-26 瑞典爱立信有限公司 Device authentication by tagging
WO2016004822A1 (en) * 2014-07-10 2016-01-14 华为技术有限公司 Method and apparatus for network switching

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808321B (en) * 2009-02-16 2014-03-12 中兴通讯股份有限公司 Security authentication method
CN104506406B (en) * 2011-11-03 2018-10-30 华为技术有限公司 A kind of authentication equipment
CN104902473A (en) * 2014-04-21 2015-09-09 孟俊 Wireless network access authentication method and device based on CPK (Combined Public Key Cryptosystem) identity authentication


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17840959; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17840959; Country of ref document: EP; Kind code of ref document: A1)