WO2018053856A1 - Message forwarding method and apparatus, and access gateway - Google Patents

Message forwarding method and apparatus, and access gateway

Info

Publication number
WO2018053856A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
message
core network
eap
network element
Prior art date
Application number
PCT/CN2016/100173
Other languages
English (en)
Chinese (zh)
Inventor
陈璟
李欢
李�赫
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to PCT/CN2016/100173 priority Critical patent/WO2018053856A1/fr
Publication of WO2018053856A1 publication Critical patent/WO2018053856A1/fr

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, and an access gateway for message forwarding.
  • the entire wireless communication network architecture is divided into two parts, an access network and a core network, and according to the way users access the core network, access can be divided into the 3GPP (3rd Generation Partnership Project) access mode and the non-3GPP access mode.
  • the 3GPP access mode generally refers to the user accessing the core network by using technology specified by 3GPP, for example, the user accesses the core network through a base station.
  • the non-3GPP access mode generally refers to the user accessing the core network by using non-3GPP technology, for example, the user accesses the core network by using Wifi.
  • the existing 4G network is taken as an example: the UE accessing the core network through the eNodeB (base station) is 3GPP access, and the UE accessing the core network through the WLAN-AP (Wireless Local Area Networks Access Point) is non-3GPP access.
  • in the prior art, according to the entity that deploys the non-3GPP access, non-3GPP access can be divided into trusted non-3GPP access and non-trusted non-3GPP access.
  • for example, when a user accesses the core network through a non-3GPP access mode deployed by a communication carrier (such as China Mobile and China Unicom), the core network considers that the current access is trusted, and the current access mode is considered to be trusted non-3GPP access.
  • when the user accesses the core network through a non-3GPP access mode deployed by a non-operator (a business, such as a Starbucks business scenario), the core network considers that the current access is not trusted, and the current access mode is considered to be non-trusted non-3GPP access.
  • the core network element first initiates authentication of the core network element by the user side device, as follows: the core network element sends an authentication request message to the user side device, where the authentication request message includes an authentication parameter; and the user side device authenticates the core network element according to the authentication parameter in the authentication request message.
  • when the core network element sends an authentication request message to the user side device, the core network element first sends the authentication request message to the access gateway, and the access gateway then forwards the authentication request message to the user side device.
  • the core network element and the user side device generally adopt the EAP authentication method when performing authentication, and now in the 5G network there is also a requirement for the core network element and the user side device to authenticate by using a non-EAP authentication method.
  • the existing method by which the access gateway forwards the authentication request message is only applicable to the EAP authentication method. For the non-EAP authentication method, there is no good solution for how the access gateway forwards the message.
  • the embodiment of the invention provides a method, a device and an access gateway for message forwarding.
  • the method, the device and the access gateway of the present invention can forward the user authentication request message sent by the core network element to the user side device.
  • the first aspect provides a method for message forwarding, where the method includes: an access gateway receives a user authentication request message sent by a core network element; and when the access gateway determines that the authentication method selected by the core network element is a non-EAP (Extensible Authentication Protocol) authentication method, the user authentication request message is forwarded by using a non-EAP payload in an IKEV2 (Internet Key Exchange Protocol Version 2) message, where the IKEV2 message includes at least a non-EAP payload.
  • the non-EAP payload is used to carry parameters other than those of the EAP authentication method.
  • with this method, the user authentication request message sent by the core network element can be forwarded to the user side device.
  • the access gateway forwarding the user authentication request message by using the non-EAP payload in the IKEV2 message includes: the access gateway sends an IKEV2 message to the user side device, where the non-EAP payload of the IKEV2 message carries the user authentication request message.
  • a second aspect provides a method for forwarding a message, where the method includes: an access gateway receives a user authentication request message sent by a core network element; and when the access gateway determines that the authentication method selected by the core network element is the EAP (Extensible Authentication Protocol) authentication method, the user authentication request message is forwarded by using at least the EAP payload of an IKEV2 (Internet Key Exchange Protocol Version 2) message, where the IKEV2 message includes at least the EAP payload.
  • the EAP payload is used to carry related parameters of the EAP authentication method.
  • with this method, the user authentication request message sent by the core network element can also be forwarded to the user side device.
  • when the user authentication request message includes only an authentication parameter related to the authentication method, the access gateway forwarding the user authentication request message by using at least the EAP payload in the IKEV2 message includes: the access gateway sends an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the authentication parameter in the user authentication request message.
  • when the user authentication request includes an authentication parameter related to the authentication method and an additional parameter that is not related to the authentication method, the IKEV2 message further includes a non-EAP payload, and the access gateway forwarding the user authentication request message by using the EAP payload in the IKEV2 message includes: the access gateway sends an IKEV2 message to the user equipment, where the EAP payload of the IKEV2 message carries the authentication parameter in the user authentication request message and the non-EAP payload of the IKEV2 message carries the additional parameter in the user authentication request message.
  • alternatively, the access gateway forwarding the user authentication request message by using the EAP payload in the IKEV2 message includes: the access gateway sends an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the entire user authentication request message.
  • a third aspect provides a method for selecting an authentication method, including: a core network element receives an attach request sent by an access gateway, where the attach request does not carry indication information, the indication information being information that may indicate the method by which the user side device accesses the core network; and the core network element determines, according to the authentication vector set, the authentication method used when the core network element and the user side device authenticate each other.
  • with this method, the authentication method used when the core network element and the user side device authenticate each other can be determined.
  • the authentication vector set includes at least an indication bit, and the core network element determining, according to the authentication vector set, the authentication method used when the core network element and the user side device authenticate each other includes: the core network element obtains the indication bit of the authentication vector set; when the indication bit of the authentication vector set is the first data, the core network element determines that the method used when the core network element and the user side device authenticate each other is an EAP method; and when the indication bit of the authentication vector set is the second data, the core network element determines that the method used is a non-EAP method.
  • a fourth aspect provides a method for selecting an authentication method, including: a core network element receives an attach request sent by an access gateway, where the attach request carries indication information that may indicate the method by which the user side device accesses the core network; and the core network element determines, according to the access method corresponding to the indication information in the attach request, the authentication method used when the core network element and the user side device authenticate each other.
  • the core network element determining the authentication method according to the access method corresponding to the indication information in the attach request includes: when the access mode corresponding to the indication information in the attach request is the 3GPP (3rd Generation Partnership Project) access mode, the core network element determines that the non-EAP authentication method is used when the core network element and the user side device authenticate each other; when the access mode corresponding to the indication information in the attach request is the non-3GPP access mode, the core network element determines that the EAP authentication method is used when the core network element and the user side device authenticate each other.
  • the fifth aspect provides an apparatus for message forwarding, where the apparatus includes: a first receiving unit, configured to receive a user authentication request message sent by a core network element; and a first forwarding unit, configured to: when determining that the authentication method selected by the core network element is a non-EAP (Extensible Authentication Protocol) authentication method, forward the user authentication request message by using a non-EAP payload in an IKEV2 (Internet Key Exchange Protocol Version 2) message, where the IKEV2 message includes at least a non-EAP payload, and the non-EAP payload is used to carry parameters other than those of the EAP authentication method.
  • with this apparatus, the user authentication request message sent by the core network element can be forwarded to the user side device.
  • the first forwarding unit is specifically configured to: send an IKEV2 message to the user side device, where the non-EAP payload of the IKEV2 message carries the user authentication request message.
  • the sixth aspect provides an apparatus for message forwarding, where the apparatus includes: a second receiving unit, configured to receive a user authentication request message sent by a core network element; and a second forwarding unit, configured to: when determining that the authentication method selected by the core network element is the EAP (Extensible Authentication Protocol) authentication method, forward the user authentication request message by using at least the EAP payload of an IKEV2 (Internet Key Exchange Protocol Version 2) message, where the IKEV2 message includes at least an EAP payload, and the EAP payload is used to carry related parameters of the EAP authentication method.
  • with this apparatus, the user authentication request message sent by the core network element can also be forwarded to the user side device.
  • when the user authentication request message includes only the authentication parameter related to the authentication method, the second forwarding unit is specifically configured so that the IKEV2 message carries the authentication parameter in the user authentication request message.
  • when the user authentication request includes an authentication parameter related to the authentication method and an additional parameter that is not related to the authentication method, the second forwarding unit is configured to: send an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the authentication parameter in the user authentication request message, and the non-EAP payload of the IKEV2 message carries the additional parameter in the user authentication request message.
  • alternatively, the second forwarding unit is specifically configured to: send an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the entire user authentication request message.
  • the seventh aspect provides a device for selecting an authentication method, including: a third receiving unit, configured to receive an attach request sent by an access gateway, where the attach request does not carry indication information, the indication information being information that may indicate the method by which the user side device accesses the core network; and a first determining unit, configured to determine, according to the authentication vector set, the authentication method used when the core network element and the user side device authenticate each other.
  • the authentication vector set includes at least an indication bit, and the first determining unit is specifically configured to: obtain the indication bit of the authentication vector set; when the indication bit of the authentication vector set is the first data, determine that the method used when the core network element and the user side device authenticate each other is an EAP method; and when the indication bit of the authentication vector set is the second data, the method used by the core network element and the user side device to authenticate each other is determined.
  • the eighth aspect provides a device for selecting an authentication method, including: a fourth receiving unit, configured to receive an attach request sent by an access gateway, where the attach request carries indication information that may indicate the method by which the user side device accesses the core network; and a second determining unit, configured to determine, according to the access method corresponding to the indication information in the attach request, the authentication method used by the core network element and the user side device.
  • with this device, the authentication method used when the core network element and the user side device authenticate each other can also be determined.
  • the second determining unit is specifically configured to: when the access mode corresponding to the indication information in the attach request is the 3GPP (3rd Generation Partnership Project) access mode, determine that the core network element and the user side device use a non-EAP authentication method when authenticating each other; and when the access mode corresponding to the indication information in the attach request is a non-3GPP access mode, determine that the EAP authentication method is used when the core network element and the user side device authenticate each other.
  • the ninth aspect provides an access gateway, including: a transceiver, configured to receive a user authentication request message sent by a core network element, and forward the encapsulated IKEV2 (Internet Key Exchange Protocol Version 2) message to the user side device; and at least one processor, configured to encapsulate the user authentication request message in a non-EAP payload of the IKEV2 message when determining that the authentication method selected by the core network is a non-EAP (Extensible Authentication Protocol) authentication method, or to encapsulate the user authentication request message in an EAP payload of the IKEV2 message when determining that the authentication method selected by the core network is an EAP authentication method.
  • with the access gateway of the present invention, the user authentication request message sent by the core network element can be forwarded to the user side device.
  • the tenth aspect provides a core network element, including: a transceiver, configured to receive an attach request sent by the access gateway; and at least one processor, configured to: when the attach request does not carry the indication information, determine, according to the authentication vector set, the authentication method used when the core network element and the user side device authenticate each other; or, when the attach request carries the indication information, determine, according to the access method corresponding to the indication information in the attach request, the authentication method used when the core network element and the user side device authenticate each other; the indication information may indicate the manner in which the user side device accesses the core network.
  • FIG. 1 is a schematic structural diagram of an existing 4G network according to an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of an access gateway forwarding an authentication request message
  • FIG. 3 is a schematic structural diagram of a 5G network according to an embodiment of the present disclosure.
  • FIG. 4 is a schematic flowchart of a terminal accessing a core network by using a non-trusted non-3GPP method according to an embodiment of the present disclosure
  • FIG. 5 is a schematic flowchart of a terminal accessing a core network by using a non-trusted non-3GPP method according to an embodiment of the present disclosure
  • FIG. 6 is a schematic flowchart of a terminal accessing a core network by using a non-trusted non-3GPP mode according to an embodiment of the present disclosure
  • FIG. 7 is a schematic flowchart of a terminal accessing a core network by using a non-trusted non-3GPP method according to an embodiment of the present disclosure
  • FIG. 8 is a schematic flowchart of a terminal accessing a core network by using a non-trusted non-3GPP method according to an embodiment of the present disclosure
  • FIG. 9 is a schematic diagram of a message forwarding apparatus according to an embodiment of the present invention.
  • FIG. 10 is another schematic diagram of a message forwarding apparatus according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic diagram of a device for selecting an authentication method according to an embodiment of the present invention.
  • FIG. 12 is another schematic diagram of an apparatus for selecting an authentication method according to an embodiment of the present invention.
  • FIG. 13 is a schematic structural diagram of an access gateway according to an embodiment of the present disclosure.
  • FIG. 14 is a schematic structural diagram of a core network element according to an embodiment of the present invention.
  • the present invention provides a flow for non-trusted non-3GPP access to the core network in a 5G network, which will be described in detail in Embodiment 1 below.
  • the entire 5G network includes the following devices:
  • UE: a device used by the user to access the network.
  • NR (NextGen Radio): an upgraded version of the eNodeB (Evolved NodeB) in a 4G network;
  • Non-3GPP RAT (Non-3GPP Radio Access Technology): the UE may use WIFI (WIreless-Fidelity) or CDMA (Code Division Multiple Access) to access the core network.
  • SSF/MM: the SSF (slice select function) mainly selects a suitable MM (mobility management entity) for the UE.
  • the SSF needs to select an appropriate MM for the UE.
  • CP-AU: authentication function point.
  • HSS (Home Subscriber Server): stores subscription information of users.
  • N3CNGW (Non-3GPP Core Network Gateway): the UE and the N3CNGW establish a secure tunnel, and the secure tunnel is used to protect the delivery of messages from being seen and destroyed by the non-3GPP RAT.
  • CN-UP: user plane network element, used to provide communication between the UE and the Internet.
  • the UE is a user side device
  • the NR and the Non-3GPP RAT belong to the access side device
  • the SSF/MM, the CP-AU, and the HSS belong to the core network side device
  • the N3CNGW, in the current 5G network has not yet Specifically, the S3/GW, the CP-AU, and the HSS are referred to as the core network element.
  • the present invention provides a process for a UE to access a core network through a non-trusted non-3GPP mode in a 5G network (that is, a method for accessing a core network by using a Non-3GPP RAT in FIG. 3), as shown in FIG. as follows:
  • Step S40: The UE and the N3CNGW establish a secure tunnel by using IKEV2 (Internet Key Exchange Protocol Version 2) messages;
  • Step S41: The UE sends an attach request to the N3CNGW.
  • the UE may specifically place the attach request in a payload of the IKEV2 message, and the payload may be specifically a V payload, an N payload, a CP payload, or a new payload.
  • Step S42: The N3CNGW takes the attach request out of the IKEV2 message and forwards the request to the SSF/MM.
  • Step S43: The SSF/MM generates an authentication request message, and sends the authentication request message to the CP-AU.
  • the SSF/MM may specifically adopt any one of the following manners to generate the authentication request message:
  • the indication information of the non-3GPP access mode is added, and the added indication information may be specifically 1; for example, when the attach request is from the NR, the UE that is currently requesting access may be considered to be accessing through the 3GPP mode, and the indication information of the 3GPP access mode is added for the attach request; the added indication information may be specifically 0;
  • the attach request is directly used as the authentication request message.
  • Step S44: The CP-AU obtains an authentication vector set through the HSS.
  • the authentication vector set may include an indication bit and characterization bits; the indication bit may be used by the CP-AU to determine an authentication method, and the characterization bits may specifically represent the specific authentication sub-method under the authentication method determined by the indication bit.
  • for example, the indication bit may specifically occupy one bit, where 1 indicates an EAP (Extensible Authentication Protocol) authentication method and 0 indicates a non-EAP authentication method; the EAP authentication method and the non-EAP authentication method each include multiple authentication sub-methods, and the characterization bits may represent the specific authentication sub-method; the characterization bits may occupy 3 to 5 bits, for example, when the indication bit is 0, indicating non-EAP
  • the authentication method assumes that the EAP authentication method specifically includes authentication sub-methods such as EAP-AKA', EAP-TLS, and EAP-TTLS, and the characterization bits may specifically use 00 for the EAP-AKA authentication sub-method, 01 for the EAP-AKA' authentication sub-method, 02 for the EAP-TLS authentication sub-method and
  • Step S45: The CP-AU determines the authentication method used between itself and the UE;
  • the authentication method may be specifically determined in two ways, as follows:
  • the first way: when the attach request carries the indication information, the CP-AU first obtains the indication information in the attach request, and then determines, according to the access method corresponding to the indication information, the authentication method used when it and the UE authenticate each other;
  • the authentication method used between the CP-AU and the UE may be specifically determined to be a non-EAP authentication method, and the specific non-EAP authentication sub-method may be determined according to the correspondence between the characterization bits and the non-EAP authentication sub-methods in the authentication vector value.
  • the authentication method used between the CP-AU and the UE may be specifically determined to be an EAP authentication method; likewise, for the specific EAP authentication sub-method, refer to the correspondence between the characterization bits and the EAP authentication sub-methods in the authentication vector set.
  • the CP-AU determines, according to the authentication vector set, the authentication method used when it and the UE authenticate each other, as follows (for details about the authentication vector set, refer to step S44):
  • the CP-AU obtains the indication bit of the authentication vector set; when the indication bit of the authentication vector set is the first data (for example, the first data may be 1), the CP-AU determines that the method used when it and the UE authenticate each other is an EAP method; and when the indication bit of the authentication vector set is the second data (for example, the second data may be 0), it determines that the method used when it and the UE authenticate each other is a non-EAP method.
  • Step S46: The CP-AU initiates an authentication challenge to the UE; specifically, the CP-AU may send an authentication challenge message to the SSF/MM.
  • the authentication challenge message may be specifically a user authentication request message.
  • the authentication challenge message includes an authentication parameter, and the specific content of the authentication parameter is related to the selected authentication method.
  • when the selected authentication method is EPS-AKA or NG-AKA, the authentication parameters in the authentication challenge message may be specifically RAND and AUTN;
  • when the selected authentication method is EAP-AKA or EAP-AKA', the authentication parameter in the authentication challenge message may be specifically EAP-REQ, AKA-Challenge, EAP-REQ or AKA'-Challenge;
  • when the selected authentication method is EAP-TLS, the authentication parameter in the authentication challenge message is EAP-REQ or Access-Challenge.
  • the communication protocol used may be specifically an air interface-access network interface protocol, and the air interface-access network interface protocol may be specifically a NAS (Non-Access Stratum) protocol or another protocol in the 5G network; therefore, in the embodiment of the present invention, the CP-AU may specifically encapsulate the authentication parameters by using the air interface-access network interface protocol to generate the authentication challenge message, and send the encapsulated message to the SSF/MM.
  • Step S47: The SSF/MM forwards the authentication challenge message to the N3CNGW.
  • Step S48 The N3CNGW selects a forwarding mode for the authentication challenge message, where the forwarding mode is a mode for forwarding the authentication challenge message to the UE.
  • the N3CNGW may first obtain an authentication parameter in the authentication challenge message; and then, according to the authentication parameter, determine an authentication method used by the CP-AU and the UE when mutually authenticating, the method
  • the weighting method may be specifically an EAP authentication method or a non-EAP authentication method; finally, different forwarding modes are selected according to different selected authentication methods;
  • the IKEV2 message may be introduced.
  • the IKEV2 message may include an EAP payload and a non-EAP payload.
  • the EAP payload is used to carry related parameters of the EAP authentication method
  • the non-EAP payload is used to carry the EAP payload.
  • Other parameters outside the authentication method; and the entire authentication challenge message may include an authentication parameter related to the authentication method and an additional parameter that is not related to the authentication method;
  • First forwarding mode: when the authentication method used by the CP-AU and the UE for mutual authentication is a non-EAP authentication method, the N3CNGW can use the non-EAP payload in the IKEv2 message to forward the authentication challenge message. Specifically, the entire authentication challenge message can be encapsulated in the non-EAP payload of the IKEv2 message, that is, the non-EAP payload of the IKEv2 message carries the authentication challenge message.
  • Second forwarding mode: when the authentication method used by the CP-AU and the UE for mutual authentication is an EAP authentication method, the N3CNGW encapsulates the authentication parameter of the authentication challenge message in the EAP payload of the IKEv2 message, that is, the EAP payload of the IKEv2 message carries the authentication parameter in the authentication challenge message.
  • Third forwarding mode: when the authentication method used by the CP-AU and the UE for mutual authentication is an EAP authentication method, the N3CNGW encapsulates the authentication parameter in the authentication challenge message in the EAP payload of the IKEv2 message and encapsulates the additional parameters in the authentication challenge message in the non-EAP payload of the IKEv2 message, that is, the EAP payload of the IKEv2 message carries the authentication parameter in the authentication challenge message, and the non-EAP payload carries the additional parameter in the authentication challenge message.
  • Fourth forwarding mode: when the authentication method used by the CP-AU and the UE for mutual authentication is an EAP authentication method, the N3CNGW can encapsulate the entire authentication challenge message in the EAP payload of the IKEv2 message, that is, the EAP payload of the IKEv2 message carries the entire user authentication request message.
  • Step S49: The N3CNGW forwards the authentication challenge message to the UE by using the selected forwarding mode.
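
The mode selection of step S48 and the four forwarding modes, as an added example that is not part of the patent text. The `Challenge` framing, the use of the IKEv2 Vendor ID (V) payload as the non-EAP carrier, the header-based EAP detection rule and the `whole_in_eap` policy flag are assumptions; payload type numbers follow RFC 7296, and the sample EAP-AKA packet is constructed.

```python
import struct
from dataclasses import dataclass

PL_NONE, PL_VENDOR, PL_EAP = 0, 43, 48   # IKEv2 payload type numbers (RFC 7296)
EAP_METHODS = {13: "EAP-TLS", 23: "EAP-AKA", 50: "EAP-AKA'"}  # EAP method types

@dataclass
class Challenge:
    """Hypothetical model of the authentication challenge message."""
    auth_params: bytes         # RAND||AUTN, or a complete EAP-Request packet
    extra_params: bytes = b""  # parameters unrelated to the authentication method

    def encode(self) -> bytes:
        # Assumed framing for this example: 2-byte length prefix per field.
        return b"".join(struct.pack("!H", len(f)) + f
                        for f in (self.auth_params, self.extra_params))

    @classmethod
    def decode(cls, raw: bytes) -> "Challenge":
        fields, off = [], 0
        for _ in range(2):
            if off + 2 > len(raw):
                raise ValueError("truncated challenge message")
            (n,) = struct.unpack_from("!H", raw, off)
            fields.append(raw[off + 2:off + 2 + n])
            off += 2 + n
        if off != len(raw):
            raise ValueError("length fields do not match message size")
        return cls(*fields)

def eap_method(auth_params: bytes):
    """Name of the EAP method if auth_params is an EAP-Request, else None."""
    # Assumed detection rule for this example: a well-formed EAP-Request header.
    if len(auth_params) < 5:
        return None
    code, _ident, length, mtype = struct.unpack_from("!BBHB", auth_params)
    if code != 1 or length != len(auth_params):   # 1 = EAP Request
        return None
    return EAP_METHODS.get(mtype)

def select_mode(msg: Challenge, whole_in_eap: bool = False) -> int:
    """Pick forwarding mode 1-4; whole_in_eap is an assumed local policy knob."""
    if eap_method(msg.auth_params) is None:
        return 1                      # non-EAP method: non-EAP payload
    if whole_in_eap:
        return 4                      # whole message inside the EAP payload
    return 3 if msg.extra_params else 2

def encapsulate(msg: Challenge, mode: int):
    """Return (first payload type, payload bytes) for the IKEv2 message body."""
    if mode == 1:
        items = [(PL_VENDOR, msg.encode())]
    elif mode == 2:
        if msg.extra_params:
            raise ValueError("mode 2 would silently drop the additional parameters")
        items = [(PL_EAP, msg.auth_params)]
    elif mode == 3:
        items = [(PL_EAP, msg.auth_params), (PL_VENDOR, msg.extra_params)]
    elif mode == 4:
        items = [(PL_EAP, msg.encode())]
    else:
        raise ValueError("unknown forwarding mode")
    out = b""
    for i, (_ptype, body) in enumerate(items):
        nxt = items[i + 1][0] if i + 1 < len(items) else PL_NONE
        # Generic payload header: next payload, critical/reserved, total length.
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return items[0][0], out

def decapsulate(first_type: int, data: bytes, mode: int) -> Challenge:
    """Receiver side: walk the payload chain and rebuild the challenge."""
    if mode not in (1, 2, 3, 4):
        raise ValueError("unknown forwarding mode")
    got, ptype, off = {}, first_type, 0
    while ptype != PL_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _flags, plen = struct.unpack_from("!BBH", data, off)
        if plen < 4 or off + plen > len(data):
            raise ValueError("payload length out of bounds")
        got[ptype] = data[off + 4:off + plen]
        ptype, off = nxt, off + plen
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    carrier = PL_VENDOR if mode == 1 else PL_EAP
    if carrier not in got or (mode == 3 and PL_VENDOR not in got):
        raise ValueError("payloads do not match the agreed forwarding mode")
    if mode in (1, 4):
        return Challenge.decode(got[carrier])
    return Challenge(got[PL_EAP], got[PL_VENDOR] if mode == 3 else b"")

def sample_eap_aka_challenge(rand: bytes, autn: bytes, ident: int = 1) -> bytes:
    """Constructed EAP-Request/AKA-Challenge with AT_RAND and AT_AUTN only."""
    attrs = b"".join(struct.pack("!BBH", t, 5, 0) + v
                     for t, v in ((1, rand), (2, autn)))
    body = bytes([23, 1, 0, 0]) + attrs      # type 23, subtype 1, 2 reserved bytes
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body
```

Both ends must agree on the mode: the receiver rejects a payload chain that does not match it, which is why the return direction reuses the mode chosen for the challenge.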
  • Step S410: The UE authenticates the core network and, after the authentication succeeds, sends an authentication message to the N3CNGW.
  • Step S411: The N3CNGW selects a forwarding mode.
  • The N3CNGW may select the same forwarding mode as in step S48 to forward the authentication message to the SSF/MM. For example, if the N3CNGW selected the first forwarding mode in step S48 to forward the authentication challenge message to the UE, it can also select the first forwarding mode to forward the authentication message to the SSF/MM.
  • Step S412: The N3CNGW forwards the authentication message to the SSF/MM according to the selected forwarding mode.
  • Step S413: The SSF/MM forwards the authentication message to the CP-AU; at this point, the CP-AU can authenticate the validity of the UE.
  • Step S414: The CP-AU generates a key Kmm and sends it to the MM.
  • The CP-AU may generate Kmm according to the key request of the MM and send Kmm to the MM. In this embodiment of the present invention, the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm to the MM.
  • Based on the received Kmm, the MM/SSF initiates a NAS SMC (Security Mode Command) procedure, which is as follows:
  • Step S415: The MM/SSF sends an accept message to the N3CNGW.
  • The MM/SSF encapsulates the keys used by the NAS SMC, the Attach accept, and the N3CNGW in the EAP-Success to form an attach accept message, and sends it to the N3CNGW;
  • The MM/SSF encapsulates the NAS SMC and the Attach accept in the V payload, the N payload, the CP payload, or a new payload of the IKEv2 message to form an attach accept message, and sends it to the N3CNGW;
  • Step S416: The N3CNGW forwards the accept message to the UE by using any of the forwarding modes described above;
  • Step S417: The UE authenticates the N3CNGW and, after the authentication succeeds, sends an attach complete message to the N3CNGW.
  • The UE may generate a corresponding key and, after verifying the SMC and the AUTH with the key, encapsulate the NAS SMP and the Attach accept to generate the attach complete message.
  • Step S418: The N3CNGW forwards the attach complete message to the SSF/MM.
  • Step S419: The N3CNGW authenticates the UE and, after the authentication succeeds, sends an authentication success message to the UE;
  • The UE can access the core network in a non-trusted non-3GPP manner.
  • Data can be sent only on the user plane.
  • The UE can also send information on the control plane, as follows:
  • Step S420: The UE sends a NAS message to the N3CNGW.
  • The UE may encapsulate the NAS message in the V payload, the N payload, the CP payload, or a new payload of the IKEv2 message, whose message type is INFO (Information message).
  • Step S421: The N3CNGW forwards the NAS message to the core network.
  • Step S422: The N3CNGW directly encapsulates the NAS message sent by the core network into the V payload, the N payload, the CP payload, or a new payload of the IKEv2_INFO message, and sends the message to the UE.
  • With the foregoing method, the UE in the 5G network can access the core network through the untrusted non-3GPP access mode; the UE does not need to distinguish whether the current access to the core network is 3GPP access or non-3GPP access, and directly sends a NAS message to implement network access.
  • The present invention also provides another process for the UE to access the core network in the non-trusted non-3GPP mode in the 5G network, as shown in FIG. 5, which is as follows:
  • Step S50: A secure tunnel is established between the UE and the N3CNGW.
  • Step S51: The UE sends an attach request to the N3CNGW; the attach request may specifically be encapsulated in a V payload, an N payload, a CP payload, or a new payload of the IKEv2 message.
  • Step S52: The N3CNGW adds the EAP-RSP/Identity information to the attach request, and sends the resulting attach request to the SSF/MM.
  • The N3CNGW may specifically encapsulate the EAP-RSP/Identity information into the NAS message of the attach request.
  • Step S53: The SSF/MM sends an authentication request to the CP-AU.
  • For the process in which the SSF/MM generates the authentication request, refer to the discussion in the foregoing Embodiment 1; details are not described herein again.
  • Step S54: The CP-AU obtains an authentication vector set.
  • Step S55: The CP-AU determines that the authentication method is an EAP authentication method.
  • Because the EAP-RSP/Identity information is carried in the attach request, the authentication method may be determined to be an EAP authentication method.
  • Step S56: The CP-AU sends an authentication challenge message to the SSF/MM.
  • The process of encapsulating the authentication parameter in the NAS message is as follows: authentication parameters such as EAP-REQ/AKA-Challenge or EAP-REQ/AKA'-Challenge are encapsulated in the authentication challenge message; if the EAP-TLS authentication method is used, an authentication parameter such as EAP-REQ/Access-Challenge is used;
  • Step S57: The SSF/MM forwards the authentication challenge message to the N3CNGW.
  • Step S58: The N3CNGW forwards the authentication challenge message to the UE.
  • Because the authentication method is an EAP authentication method, the N3CNGW may forward the authentication challenge message by using any of the forwarding modes for the EAP authentication method in the embodiments of the present invention; details are not described herein again.
  • Step S59: The UE authenticates the core network and, after the authentication succeeds, sends an authentication message to the N3CNGW.
  • Step S510: The N3CNGW forwards the authentication message to the SSF/MM.
  • The N3CNGW may select the same forwarding mode as in step S58 to forward the authentication response message to the SSF/MM;
  • Step S511: The SSF/MM forwards the authentication message to the CP-AU, and the CP-AU authenticates the access of the UE.
  • Step S512: The CP-AU generates a key Kmm and sends it to the MM;
  • The CP-AU may generate Kmm according to the key request of the MM and send Kmm to the MM. In this embodiment of the present invention, the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm;
  • Step S513: The MM selects a security algorithm.
  • Step S514: The MM sends the NAS SMC to the N3CNGW;
  • Step S515: The N3CNGW sends a NAS SMC message to the UE;
  • The MM may specifically encapsulate the NAS SMC to generate a NAS SMC message.
  • Step S516: The UE authenticates the core network and, after the authentication succeeds, sends a NAS SMP message to the N3CNGW.
  • Step S517: The N3CNGW forwards the NAS SMP message to the MM;
  • Step S518: The MM authenticates the UE and, after the authentication succeeds, sends an accept message to the N3CNGW.
  • Step S519: The N3CNGW forwards the accept message to the UE.
  • The UE can implement access to the core network. Signaling is sent on the control plane; for the specific process, refer to the related steps of the method in the first embodiment, which are not described here again.
  • In the embodiment of the present invention, the UE in the 5G network can access the core network through the non-trusted non-3GPP access mode.
  • The present invention also provides another process for the UE to access the core network in the non-trusted non-3GPP mode in the 5G network, as shown in FIG. 6, which is as follows:
  • Step S61: The UE sends an initial security negotiation message to the N3CNGW, where the initial security negotiation message may carry an attach request.
  • The attach request may specifically be encapsulated in a V payload, an N payload, a CP payload, or a new payload of the initial security negotiation message.
  • Step S62: The N3CNGW sends an initial security negotiation response message to the UE, and sends an attach request to the SSF/MM.
  • The order in which the N3CNGW sends the initial security negotiation response message and the attach request is not limited: the N3CNGW may send them simultaneously, may send the initial security negotiation response message first and then the attach request, or may send the attach request first and then the initial security negotiation response message.
  • Step S63: The SSF/MM sends an authentication request message, where the authentication request message carries EAP-Res/Identity;
  • Step S64: The CP-AU obtains an authentication vector set.
  • Step S65: The CP-AU determines that the authentication method is an EAP authentication method.
  • Step S66: The CP-AU sends an authentication challenge message to the SSF/MM.
  • The authentication challenge message encapsulates EAP-REQ/EAP-Challenge;
  • Step S67: The SSF/MM forwards the authentication challenge message to the N3CNGW.
  • Step S68: The N3CNGW forwards the authentication challenge message to the UE.
  • Step S69: The UE authenticates the core network and, after the authentication succeeds, sends an authentication message to the N3CNGW.
  • Step S610: The N3CNGW forwards the authentication message to the SSF/MM.
  • Step S611: The SSF/MM forwards the authentication message to the CP-AU, and the CP-AU authenticates the access of the UE;
  • Step S612: After the authentication of the UE succeeds, the CP-AU sends an authentication success message to the SSF/MM.
  • The authentication success message encapsulates EAP-Success;
  • Step S613: The SSF/MM forwards the authentication success message to the N3CNGW.
  • Step S614: The N3CNGW forwards the authentication success message to the UE.
  • The N3CNGW may specifically retain the key carried in the authentication success message and forward the remaining information to the UE;
  • Step S615: The CP-AU generates a key Kmm and sends it to the MM;
  • The CP-AU may generate Kmm according to the key request of the MM and send Kmm to the MM. In this embodiment of the present invention, the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm;
  • Step S616: The MM selects a security algorithm.
  • Step S617: The MM sends the NAS SMC to the N3CNGW;
  • Step S618: The N3CNGW forwards the NAS SMC message to the UE.
  • The N3CNGW may encapsulate the NAS SMC message in a V payload, an N payload, a CP payload, or a new payload of the IKEv2 message.
  • Step S619: The UE authenticates the N3CNGW and, after the authentication succeeds, sends an SMP message to the N3CNGW, where the SMP message may specifically be encapsulated in the V payload, the N payload, the CP payload, or a new payload of the IKEv2 message.
  • Step S620: The N3CNGW sends an SMP message to the MM.
  • Step S621: The MM sends an accept message to the N3CNGW.
  • Step S622: The N3CNGW forwards the accept message to the UE.
  • The attach request message may specifically be encapsulated in a V payload, an N payload, a CP payload, or a new payload of the IKEv2 message.
  • The UE can implement access to the core network. In the embodiment of the present invention, after the UE accesses the core network, signaling is sent on the control plane; for the specific process, refer to the related steps in the first embodiment, and details are not described herein.
  • In the embodiment of the present invention, the UE in the 5G network can access the core network through the non-trusted non-3GPP access mode.
  • The present invention also provides another process for the UE to access the core network in the non-trusted non-3GPP mode in the 5G network, as shown in FIG. 7, which is as follows:
  • Step S71: The UE sends an initial security negotiation message to the N3CNGW, where the initial security negotiation message may carry an attach request.
  • The attach request may specifically be encapsulated in a V payload, an N payload, a CP payload, or a new payload of the initial security negotiation message.
  • Step S72: The N3CNGW forwards the attach request to the SSF/MM.
  • Step S73: The SSF/MM sends an authentication request message to the CP-AU.
  • Step S74: The CP-AU obtains an authentication vector set.
  • Step S75: The CP-AU determines that the authentication method is UMTS-AKA, EPS-AKA or NG-AKA;
  • Step S76: The CP-AU sends an authentication challenge message to the SSF/MM.
  • Step S77: The SSF/MM forwards the authentication challenge message to the N3CNGW.
  • Step S78: The N3CNGW encapsulates the authentication challenge message in the initial security negotiation response message and sends the message to the UE; the authentication challenge message may specifically be encapsulated in the V payload, the N payload, the CP payload, or a new payload of the initial security negotiation response message.
  • Step S79: The UE authenticates the core network and, after the authentication succeeds, generates the key used for mutual authentication with the N3CNGW, and calculates the AUTH by using the key;
  • Step S710: The UE generates an authentication message, and sends the authentication message to the N3CNGW.
  • The UE may place the generated content that needs to be verified by the core network and the N3CNGW in the V payload, the N payload, the CP payload, or a new payload of the authentication message, and send it to the N3CNGW.
  • Step S711: The N3CNGW generates the key used to verify the AUTH, and verifies the AUTH.
  • Step S712: After the AUTH verification succeeds, the N3CNGW sends an authentication response message to the SSF/MM.
  • Step S713: The SSF/MM forwards the authentication response message to the CP-AU, and the CP-AU authenticates the access of the UE;
  • Step S714: The CP-AU generates a key Kmm and sends it to the MM;
  • The CP-AU may generate Kmm according to the key request of the MM and send Kmm to the MM. In this embodiment of the present invention, the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm;
  • Step S715: The MM selects a security algorithm.
  • Step S716: The MM sends the NAS SMC to the N3CNGW.
  • Step S717: The N3CNGW sends a NAS SMC message to the UE.
  • The N3CNGW may encapsulate the NAS SMC message in a V payload, an N payload, a CP payload, or a new payload of the IKEv2 message.
  • Step S718: The UE verifies the SMC and simultaneously verifies the correctness of the AUTH. If everything is correct, the UE replies with an SMP.
  • Step S719: The UE replies with the SMP message to the N3CNGW; the SMP message may be encapsulated in a V payload, an N payload, a CP payload, or a new payload of the IKE_INFO message.
  • Step S720: The N3CNGW forwards the SMP message to the MM.
  • Step S721: The MM sends an accept message to the N3CNGW.
  • Step S722: The N3CNGW forwards the accept message to the UE, and may specifically encapsulate the attach request message in the V payload, the N payload, the CP payload, or a new payload of the IKE_INFO.
  • The UE may implement access to the core network. After the UE accesses the core network, signaling may be sent on the control plane; for the specific process, refer to the related steps in the first embodiment, which are not repeated here.
  • In the embodiment of the present invention, the UE in the 5G network can access the core network through the non-trusted non-3GPP access mode.
  • The present invention also provides another process for the UE to access the core network in the non-trusted non-3GPP mode in the 5G network, as shown in FIG. 8, which is as follows:
  • Step S81: The UE sends an initial security negotiation message to the N3CNGW, where the initial security negotiation message may carry an attach request.
  • The attach request may specifically be encapsulated in a V payload, an N payload, a CP payload, or a new payload of the initial security negotiation message.
  • Step S82: The N3CNGW forwards the attach request to the SSF/MM.
  • Step S83: The SSF/MM sends an authentication request message to the CP-AU.
  • Step S84: The CP-AU obtains an authentication vector set.
  • Step S85: The CP-AU determines that the authentication method is UMTS-AKA, EPS-AKA or NG-AKA;
  • Step S86: The CP-AU sends an authentication challenge message to the SSF/MM.
  • Step S87: The SSF/MM forwards the authentication challenge message to the N3CNGW.
  • Step S88: The N3CNGW encapsulates the authentication challenge message in the initial security negotiation response message; the authentication challenge message may specifically be encapsulated in the V payload, the N payload, the CP payload, or a new payload of the initial security negotiation response message.
  • Step S89: The UE authenticates the core network and, after the authentication succeeds, generates the key used for mutual authentication with the N3CNGW, and calculates the AUTH by using the key;
  • Step S810: The UE generates an authentication message, and sends the authentication message to the N3CNGW.
  • Step S811: The N3CNGW generates the key used to verify the AUTH, and verifies the AUTH.
  • Step S812: After the AUTH verification succeeds, the N3CNGW sends an authentication response message to the SSF/MM.
  • Step S813: The SSF/MM forwards the authentication response message to the CP-AU, and the CP-AU authenticates the access of the UE;
  • Step S814: After the authentication of the UE succeeds, the CP-AU sends an authentication success message to the SSF/MM.
  • Step S815: The SSF/MM forwards the authentication success message to the N3CNGW.
  • Step S816: The N3CNGW forwards the authentication success message to the UE.
  • Step S817: The UE verifies the AUTH and completes the authentication of the N3CNGW.
  • Step S818: The CP-AU generates a key Kmm and sends it to the MM.
  • The CP-AU may generate Kmm according to the key request of the MM and send Kmm to the MM. In this embodiment of the present invention, the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm;
  • Step S819: The MM selects a security algorithm.
  • Step S820: The MM sends the NAS SMC to the N3CNGW.
  • Step S821: The N3CNGW sends a NAS SMC message to the UE.
  • The N3CNGW may encapsulate the NAS SMC message in a V payload, an N payload, a CP payload, or a new payload of the IKEv2 message.
  • Step S822: The UE verifies the SMC and simultaneously verifies the correctness of the AUTH. If everything is correct, the UE replies with an SMP.
  • Step S823: The UE replies with the SMP message to the N3CNGW; the SMP message may be encapsulated in the V payload, the N payload, the CP payload, or a new payload of the IKE_INFO message.
  • Step S824: The N3CNGW forwards the SMP message to the MM.
  • Step S825: The MM sends an accept message to the N3CNGW.
  • Step S826: The N3CNGW forwards the accept message to the UE, and may specifically encapsulate the attach request message in the V payload, the N payload, the CP payload, or a new payload of the IKE_INFO.
  • The UE may implement access to the core network. After the UE accesses the core network, signaling may be sent on the control plane; for the specific process, refer to the related steps in the first embodiment, which are not repeated here.
  • In the embodiment of the present invention, the UE in the 5G network can access the core network through the non-trusted non-3GPP access mode.
  • The present invention further provides a device for message forwarding.
  • The message forwarding device 900 includes at least:
  • The first receiving unit 901 is configured to receive a user authentication request message sent by the core network element.
  • The first forwarding unit 902 is configured to: when determining that the authentication method selected by the core network element is a non-EAP (Extensible Authentication Protocol) authentication method, forward the user authentication request message by using the non-EAP payload in an IKEv2 (Internet Key Exchange Protocol version 2) message, where the IKEv2 message includes at least a non-EAP payload, and the non-EAP payload is used to carry parameters other than those of the EAP authentication method.
  • The first forwarding unit 902 is specifically configured to: send an IKEv2 message to the user side device, where the non-EAP payload of the IKEv2 message carries the user authentication request message.
  • The user side device can access the core network in a non-3GPP non-trusted manner.
  • The present invention further provides an apparatus for forwarding a data packet.
  • The apparatus 100 for message forwarding includes:
  • The second receiving unit 101 is configured to receive a user authentication request message sent by the core network element.
  • The second forwarding unit 102 is configured to: when determining that the authentication method selected by the core network element is an EAP (Extensible Authentication Protocol) authentication method, forward the user authentication request message by using at least the EAP payload of an IKEv2 (Internet Key Exchange Protocol version 2) message, where the IKEv2 message includes at least an EAP payload, and the EAP payload is used to carry the parameters related to the EAP authentication method.
  • When the user authentication request message includes the authentication parameter related to the authentication method, the second forwarding unit 102 is specifically configured to: send the IKEv2 message to the user side device, where the EAP payload of the IKEv2 message carries the authentication parameter in the user authentication request message.
  • When the user authentication request message includes an authentication parameter related to the authentication method and an additional parameter that is not related to the authentication method, the second forwarding unit 102 is specifically configured to: send an IKEv2 message, where the EAP payload of the IKEv2 message carries the authentication parameter in the user authentication request message, and the non-EAP payload of the IKEv2 message carries the additional parameter in the user authentication request message.
  • The second forwarding unit 102 is specifically configured to: send an IKEv2 message to the user side device, where the EAP payload of the IKEv2 message carries the entire user authentication request message.
  • The user side device can access the core network in a non-3GPP non-trusted manner.
  • The present invention also provides an apparatus for selecting an authentication method.
  • The selection apparatus 110 of the authentication method includes at least:
  • The third receiving unit 111 is configured to receive an attach request sent by the access gateway, where the attach request does not carry the indication information, and the indication information may indicate the manner in which the user side device accesses the core network;
  • The first determining unit 112 is configured to determine, according to the authentication vector set, the authentication method used when the core network element and the user side device authenticate each other.
  • The authentication vector set includes at least an indication bit. The first determining unit 112 is specifically configured to: obtain the indication bit of the authentication vector set; when the indication bit of the authentication vector set is the first data, determine that the method used when the core network element and the user side device authenticate each other is an EAP method; and when the indication bit of the authentication vector set is the second data, determine that the method used when the core network element and the user side device authenticate each other is a non-EAP method.
  • The device of the present invention can determine the authentication method used when the core network element and the user side device authenticate each other when the indication information is not carried in the attach request.
  • The present invention also provides a device for selecting an authentication method.
  • The device 120 for selecting an authentication method includes at least:
  • The fourth receiving unit 121 is configured to receive an attach request sent by the access gateway, where the attach request carries indication information, and the indication information may indicate the manner in which the user side device accesses the core network;
  • The second determining unit 122 is configured to determine, according to the access mode corresponding to the indication information in the attach request, the authentication method used when the core network element and the user side device authenticate each other.
  • The second determining unit 122 is specifically configured to: when the access mode corresponding to the indication information in the attach request is the 3GPP (3rd Generation Partnership Project) access mode, determine that the core network element and the user side device use a non-EAP authentication method when authenticating each other; and when the access mode corresponding to the indication information in the attach request is the non-3GPP access mode, determine that the core network element and the user side device use the EAP authentication method when authenticating each other.
  • The authentication method used when the core network element and the user side device authenticate each other is thereby determined.
  • The present invention also provides an access gateway. As shown in FIG. 13, the access gateway 130 includes at least:
  • The transceiver 131 is configured to receive a user authentication request message sent by the core network element, and forward the encapsulated IKEv2 (Internet Key Exchange Protocol version 2) message to the user side device;
  • At least one processor 132 is configured to: when determining that the authentication method selected by the core network is a non-EAP (Extensible Authentication Protocol) authentication method, encapsulate the user authentication request message in a non-EAP payload of the IKEv2 message; or, when determining that the authentication method selected by the core network is an EAP authentication method, encapsulate the user authentication request message in an EAP payload of the IKEv2 message.
  • The user authentication request message can be forwarded to the user side device.
  • The present invention further provides a core network element.
  • The core network element 140 includes at least:
  • The transceiver 141 receives an attach request sent by the access gateway.
  • The at least one processor 142 is configured to: when the attach request does not carry the indication information, determine, according to the authentication vector set, the authentication method used when the core network element and the user side device authenticate each other; or, when the attach request carries the indication information, determine the authentication method used when the core network element and the user side device authenticate each other according to the access mode corresponding to the indication information in the attach request;
  • The indication information may indicate the manner in which the user side device accesses the core network.
  • The core network element of the present invention can determine the authentication method used when the core network element and the user side device authenticate each other.
  • These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine for the execution of instructions by a processor of a computer or other programmable data processing device.


Abstract

The present invention relates to a message forwarding method and apparatus, and an access gateway. The method comprises the following steps: an access gateway receives a user authentication request message sent by a core network element; the access gateway forwards the user authentication request message by using a non-Extensible Authentication Protocol (EAP) payload in an Internet Key Exchange Protocol version 2 (IKEv2) message when it is determined that the authentication method selected by the core network element is a non-EAP authentication method, the IKEv2 message containing at least one non-EAP payload that is used to carry parameters other than those of the EAP authentication method. By means of the method, the apparatus and the access gateway of the present invention, the user authentication request message sent by a core network element can be forwarded to a user device.
PCT/CN2016/100173 2016-09-26 2016-09-26 Message forwarding method and apparatus, and access gateway WO2018053856A1 (fr)


Publications (1)

Publication Number Publication Date
WO2018053856A1 true WO2018053856A1 (fr) 2018-03-29

Family

ID=61689839

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/100173 WO2018053856A1 (fr) 2016-09-26 2016-09-26 Message transmission method and apparatus, and access gateway

Country Status (1)

Country Link
WO (1) WO2018053856A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006135217A1 (fr) * 2005-06-16 2006-12-21 Samsung Electronics Co., Ltd. System and method for optimizing the tunnel authentication procedure over a 3G-wireless LAN interworking system
CN101083839A (zh) * 2007-06-29 2007-12-05 中兴通讯股份有限公司 Key handling method for handover between different mobile access systems
CN101160924A (zh) * 2005-05-09 2008-04-09 诺基亚公司 Method for distributing certificates in a communication system
CN102281524A (zh) * 2007-05-11 2011-12-14 华为技术有限公司 Registration processing method and user terminal

Similar Documents

Publication Publication Date Title
CN108141754B (zh) Apparatus and method for mobility procedures involving mobility management entity relocation
KR102033465B1 (ko) Security arrangement in communication between a communication device and a network device
JP2019512942A (ja) Authentication mechanism for 5G technologies
US10798082B2 (en) Network authentication triggering method and related device
CN107211273B (zh) Wireless communications involving fast initial link setup (FILS) discovery frames for network signaling
EP3175639B1 (fr) Authentication during handover between two different wireless communication networks
US20170134947A1 (en) Methods And Arrangements For Identification Of User Equipments For Authentication Purposes
CN114145032B (zh) Method, apparatus and communication system for obtaining a security context
EP2648437B1 (fr) Key generation method, apparatus and system
WO2020094475A1 (fr) Authentication and encryption agreement for a terminal device
KR20230124621A (ko) UE authentication method and system for non-3GPP service access
US11316670B2 (en) Secure communications using network access identity
JP2017524273A (ja) Protection of WLCP message exchange between TWAG and UE
WO2018053856A1 (fr) Message transmission method and apparatus, and access gateway
WO2017000620A1 (fr) Re-authentication and recognition method, and evolved packet data gateway and system
KR102144023B1 (ko) Authentication method using the FT protocol and apparatus for performing the same
EP4369760A1 (fr) Secure communication method and apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16916595

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16916595

Country of ref document: EP

Kind code of ref document: A1