WO2018126791A1 - Authentication method and device, and computer storage medium - Google Patents


Info

Publication number: WO2018126791A1
Authority: WO (WIPO (PCT))
Prior art keywords: authentication, handover, information, data, function entity
Application number: PCT/CN2017/110751
Other languages: French (fr), Chinese (zh)
Inventor: 谢振华
Original Assignee: 中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/062 Pre-authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/0005 Control or signalling for completing the hand-off
    • H04W36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0016 Hand-off preparation specially adapted for end-to-end data sessions

Definitions

  • the present application relates to the field of communications, and in particular, to an authentication method and apparatus for performing handover, and a computer storage medium.
  • the 3rd Generation Partnership Project (3GPP) proposes a mobile network authentication scheme. As shown in Figure 1, the process of the authentication scheme includes the following steps:
  • Step 101 The core network element (such as the mobility management entity MME) sends an authentication data request to the home network element (such as the home subscription service HSS), for example, sends an Authentication Data Request message, where the message carries the identifier of the user to be authenticated, such as the international mobile station identity IMSI, and carries the public key PubK of the core network element;
  • Step 102 A home network element (such as an HSS) obtains an authentication vector of one or a group of users.
  • the authentication vector is composed of the following four parts: a random number RAND, a network authentication parameter AUTN, an expected response XRES, and a key Knp;
  • the home network element generates an encryption key Ks and uses it to encrypt the Knp in the authentication vector so that Knp is not leaked in transit, and then encrypts Ks with PubK to obtain E_PubK(Ks), which the receiver uses to decrypt the key in the authentication vector and which keeps Ks itself from being leaked in transit;
  • Step 103 The home network element (such as the HSS) sends an authentication data response to the core network element (such as the MME), for example, sends an Authentication Data Response message, and the message carries the processed authentication vector and the Ks encrypted with PubK, that is, E_PubK(Ks);
  • Step 104 The core network element (such as the MME) decrypts E_PubK(Ks) with its own private key corresponding to the public key PubK, obtains Ks, and uses Ks to decrypt the Ks-encrypted key in the received authentication vector;
  • Step 105 The core network element (such as the MME) sends a user authentication request to the terminal UE, for example, sends a User Authentication Request message, and carries part of the received information in an authentication vector to form an authentication parameter, such as RAND and AUTN;
  • Step 106 The terminal UE verifies the network based on the AUTN.
  • the terminal UE calculates the response value RES based on the RAND, and sends a user authentication response to the core network element (such as the MME), for example, sends a User Authentication Response message, and the message carries the authentication information, that is, the RES.
  • the AUTN is used by the terminal UE to authenticate the network, and the RAND is used by the network to authenticate the user of the terminal UE.
  • in the existing scheme the authentication process is not integrated into the handover process, so the authentication operation can only be performed after the handover, which reduces signaling efficiency.
  • the embodiment of the present application provides an authentication method and device, and a computer storage medium.
  • An embodiment of the present application provides an authentication method, where the method includes:
  • the first network function entity sends a handover notification message to the second network function entity, where the handover notification message carries an authentication parameter, and the authentication parameter is generated based on the authentication data;
  • the first network function entity receives a handover complete message from the terminal, where the handover complete message carries authentication information, and the authentication information is generated based on the authentication parameter;
  • the first network function entity verifies the authentication information based on the authentication data.
  • the first network function entity verifies the authentication information based on the authentication data, including: the first network function entity compares the authentication information with information in the authentication data; if the information in the authentication data is the same as the authentication information, the verification succeeds; if the information in the authentication data is different from the authentication information, the verification fails.
  • the method further includes:
  • the second network function entity sends a handover preparation message to the first network function entity, where the handover preparation message carries the authentication data;
  • the authentication data includes one or more authentication sub-data;
  • the authentication parameter is generated based on the authentication data, and includes:
  • One or more authentication sub-data are selected from the authentication data as the authentication parameter.
  • the embodiment of the present application further provides an authentication device, where the device includes:
  • a handover preparation unit configured to send a handover preparation message to the network, where the handover preparation message carries the authentication data
  • the authentication data unit is configured to receive a handover preparation message, where the handover preparation message carries the authentication data, and to send a handover notification message to the network, where the handover notification message carries an authentication parameter, and the authentication parameter is generated based on the authentication data; and is configured to receive a handover complete message from the terminal, where the handover complete message carries authentication information, and the authentication information is generated based on the authentication parameter;
  • the switching execution unit is configured to receive a handover notification message, where the handover notification message carries an authentication parameter, and sends a handover execution message carrying the authentication parameter to the terminal;
  • a verification unit configured to verify the authentication information based on the authentication data.
  • the verification unit is further configured to: compare the authentication information based on information in the authentication data; if the information in the authentication data is the same as the authentication information, the verification succeeds; If the information in the authentication data is different from the authentication information, the verification fails.
  • An embodiment of the present application provides an authentication apparatus, where the apparatus includes:
  • a receiving unit configured to receive a handover preparation message sent by the second network function entity, where the handover preparation message carries the authentication data, and configured to receive a handover complete message from the terminal, where the handover complete message carries the authentication information, and the authentication information is generated based on the authentication parameter;
  • a sending unit configured to send a handover notification message to the second network function entity, where the handover notification message carries an authentication parameter, and the authentication parameter is generated based on the authentication data;
  • a verification unit configured to verify the authentication information based on the authentication data.
  • the verification unit is further configured to: compare the authentication information based on information in the authentication data; if the information in the authentication data is the same as the authentication information, the verification succeeds; If the information in the authentication data is different from the authentication information, the verification fails.
  • the sending unit is further configured to: send a path switch message to the core network element, where the path switch message carries the information of the target base station system.
  • the embodiment of the present application further provides an authentication device, where the device includes:
  • a sending unit configured to send a handover preparation message to the first network function entity, where the handover preparation message carries the authentication data, and configured to send, to the terminal, a handover execution message carrying the authentication parameter, where the authentication parameter is generated based on the authentication data;
  • the receiving unit is configured to receive a handover notification message that carries the authentication parameter sent by the first network function entity.
  • the authentication data includes one or more authentication sub-data; the device further includes: a selecting unit configured to select one or more authentication sub-data from the authentication data as the authentication parameter.
  • the embodiment of the present application further provides a computer storage medium storing a computer program configured to execute the above authentication method.
  • the first network function entity receives the handover preparation message sent by the second network function entity, where the handover preparation message carries the authentication data, and the first network function entity sends a handover notification message to the second network function entity, where the handover notification message carries an authentication parameter, and the authentication parameter is generated based on the authentication data;
  • the first network function entity receives a handover complete message from the terminal, where the handover complete message carries the authentication information, and the authentication information is generated based on the authentication parameter;
  • the first network function entity verifies the authentication information based on the authentication data.
  • the technical solution of the embodiment of the present application combines the authentication process with the handover process to provide a new base station system, so that the base station system can initiate and execute the authentication process during the handover process, thereby improving signaling efficiency.
  • FIG. 1 is a schematic flow chart of an existing mobile network authentication method.
  • FIG. 2 is a schematic flowchart 1 of an authentication method according to an embodiment of the present application.
  • FIG. 3 is a schematic flowchart 2 of an authentication method according to an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of an authentication method based on a core network handover according to an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of an authentication method based on an access network handover according to an embodiment of the present application.
  • FIG. 6 is a first schematic structural diagram of an authentication device according to an embodiment of the present application.
  • FIG. 7 is a second schematic structural diagram of an authentication apparatus according to an embodiment of the present application.
  • FIG. 8 is a third schematic structural diagram of an authentication apparatus according to an embodiment of the present application.
  • FIG. 2 is a schematic flowchart 1 of an authentication method according to an embodiment of the present application. As shown in FIG. 2, the process includes:
  • Step 201 The first network function entity receives a handover preparation message sent by the second network function entity, where the handover preparation message carries the authentication data.
  • the first network function entity is a target base station system
  • the second network function entity is a source base station system or a core network element.
  • Step 202 The first network function entity sends a handover notification message to the second network function entity, where the handover notification message carries an authentication parameter, and the authentication parameter is generated based on the authentication data.
  • Step 203 The first network function entity receives a handover complete message from the terminal, where the handover complete message carries authentication information, and the authentication information is generated based on the authentication parameter.
  • Step 204 The first network function entity verifies the authentication information based on the authentication data.
  • the first network function entity verifies the authentication information based on the authentication data, and this includes: the first network function entity compares the authentication information with information in the authentication data; if the information in the authentication data is the same as the authentication information, the verification succeeds; if the information in the authentication data is different from the authentication information, the verification fails.
  • the method further includes:
  • FIG. 3 is a second schematic flowchart of an authentication method according to an embodiment of the present disclosure. As shown in FIG. 3, the process includes:
  • Step 301 The second network function entity sends a handover preparation message to the first network function entity, where the handover preparation message carries the authentication data.
  • the second network function entity is a source base station system
  • the first network function entity is a target base station system or a core network element.
  • Step 302 When the second network function entity receives the handover notification message carrying the authentication parameter sent by the first network function entity, it sends a handover execution message carrying the authentication parameter to the terminal, where the authentication parameter is generated based on the authentication data.
  • the authentication data includes one or more authentication sub-data;
  • the authentication parameter is generated based on the authentication data, and includes:
  • One or more authentication sub-data are selected from the authentication data as the authentication parameter.
  • Embodiment 1 (The first network function entity is the target base station system, and the second network function entity is the core network element)
  • FIG. 4 is a schematic flowchart of an authentication method based on a core network switching according to an embodiment of the present application. As shown in FIG. 4, the process includes:
  • Step 401 The terminal UE accesses the mobile network; the network element that sends the authentication data initiates the authentication process toward the terminal UE through the source base station system, or the handover process of this embodiment or of the embodiment in FIG. 5 is performed, and the source base station system caches the authentication data;
  • Step 402 The source base station system determines to initiate a handover process, and sends a handover requirement to the core network element (such as the mobility management function MMF, or the MME), for example, sends a Handover Required message, and carries the cached authentication data.
  • Step 403 The core network element sends a handover request to the target base station system, for example, sends a Handover Request message, and carries the received authentication data.
  • Step 404 The target base station system sends a handover response to the core network element, for example, sending a Handover Response message, carrying an authentication parameter, and the authentication parameter is from the cached authentication data, such as RAND and AUTN;
  • Step 405 The core network element sends a handover command to the source base station system, for example, sends a Handover Command message, and carries the received authentication parameter.
  • Step 406 The source base station system sends a handover command to the terminal UE, for example, sends a Handover Command message, and carries the received authentication parameter.
  • Step 407 The terminal UE authenticates the network through the authentication parameter, and calculates the authentication information, such as the RES, and accesses the target base station system, and sends a handover confirmation to the target base station system, for example, sends a Handover Confirmed message, and carries the authentication information.
  • Step 408 The target base station system receives the authentication information, and verifies the terminal UE, for example, calculates XRES by RAND, and compares whether XRES is equal to RES.
  • Embodiment 2 (The first network function entity is the target base station system, and the second network function entity is the source base station system)
  • FIG. 5 is a schematic flowchart of an authentication method based on an access network switching according to an embodiment of the present application. As shown in FIG. 5, the process includes:
  • Step 501 The terminal UE accesses the mobile network; the network element that sends the authentication data initiates the authentication process toward the terminal UE through the source base station system, or the handover process of this embodiment or of the embodiment in FIG. 4 is performed, and the source base station system caches the authentication data;
  • Step 502 The source base station system determines to initiate a handover process, and sends a handover request to the target base station system, for example, sends a Handover Request message, and carries the cached authentication data.
  • Step 503 The target base station system sends a handover response to the source base station system, for example, sending a Handover Response message, carrying an authentication parameter, and the authentication parameter is from the cached authentication data, such as RAND and AUTN;
  • Step 504 The source base station system sends a connection reconfiguration to the terminal UE, for example, sends an RRC Connection Reconfiguration message, and carries the received authentication parameter.
  • Step 505 The terminal UE authenticates the network through the authentication parameter, and calculates authentication information, such as RES, and accesses the target base station system, and sends a connection reconfiguration complete to the target base station system, for example, sending an RRC Connection Reconfiguration Complete message, carrying the authentication information;
  • Step 506 The target base station system receives the authentication information, and verifies the terminal UE, for example, calculates XRES by RAND, and compares whether XRES is equal to RES;
  • Step 507 The target base station system sends a path switch to the core network element, for example, sends a Path Switch message.
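The two handover flows above, FIG. 4 (core network handover, Steps 401 to 408) and FIG. 5 (access network handover, Steps 501 to 507), as an added Python simulation that is not part of the patent. The HMAC-based stand-ins for the 3GPP f1/f2/f3 functions, the UE and BaseStation classes, the SQN-based replay check in the UE and the sample subscriber key are assumptions; the core network element only relays messages in FIG. 4 and is therefore elided.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed stand-ins for the 3GPP f1/f2 functions (HMAC-SHA256 keyed with K).

def f1_mac(k: bytes, rand: bytes, sqn: bytes) -> bytes:
    """MAC part of AUTN: lets the terminal UE authenticate the network."""
    return hmac.new(k, b"MAC" + sqn + rand, hashlib.sha256).digest()[:8]

def f2_res(k: bytes, rand: bytes) -> bytes:
    """RES on the UE side, XRES on the network side, both derived from RAND."""
    return hmac.new(k, b"RES" + rand, hashlib.sha256).digest()[:8]

@dataclass(frozen=True)
class AuthVector:
    """One authentication sub-datum: RAND, AUTN (SQN || MAC), XRES, Knp."""
    rand: bytes
    autn: bytes
    xres: bytes
    knp: bytes

def generate_auth_data(k: bytes, first_sqn: int, count: int) -> list:
    """Home-network side: a group of authentication vectors for one user."""
    vectors = []
    for sqn in range(first_sqn, first_sqn + count):
        rand, sqn_b = os.urandom(16), sqn.to_bytes(6, "big")
        vectors.append(AuthVector(rand, sqn_b + f1_mac(k, rand, sqn_b), f2_res(k, rand),
                                  hmac.new(k, b"KNP" + rand, hashlib.sha256).digest()))
    return vectors

class UE:
    def __init__(self, k: bytes):
        self.k = k
        self.sqn_seen = -1  # highest SQN accepted so far (assumed replay check)

    def on_handover_execution(self, auth_param: dict) -> dict:
        """Steps 407 / 505: authenticate the network via AUTN, answer RAND with RES."""
        rand, autn = auth_param["RAND"], auth_param["AUTN"]
        sqn_b, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, f1_mac(self.k, rand, sqn_b)):
            raise ValueError("network authentication failed: bad AUTN")
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_seen:
            raise ValueError("network authentication failed: AUTN replayed")
        self.sqn_seen = sqn
        return {"RES": f2_res(self.k, rand)}  # Handover Confirmed / RRC ... Complete

class BaseStation:
    def __init__(self, cached_auth_data=None):
        self.cache = list(cached_auth_data or [])  # Step 401 / 501: cached auth data
        self.pending = None  # sub-datum selected for the handover in progress

    def handover_preparation(self) -> dict:
        """Source side: Handover Required (FIG. 4) or Handover Request (FIG. 5)."""
        return {"auth_data": list(self.cache)}

    def on_handover_preparation(self, msg: dict) -> dict:
        """Target side: cache the data, pick one sub-datum, build Handover Response."""
        self.cache = list(msg["auth_data"])
        self.pending = self.cache.pop(0)  # consumed now; the rest serve later handovers
        return {"auth_param": {"RAND": self.pending.rand, "AUTN": self.pending.autn}}

    def on_handover_complete(self, msg: dict) -> bool:
        """Target side, Steps 408 / 506: verify the terminal by comparing RES with XRES."""
        ok = hmac.compare_digest(self.pending.xres, msg["RES"])
        self.pending = None
        return ok

def core_network_handover(ue: UE, source: BaseStation, target: BaseStation) -> bool:
    """Embodiment 1 (FIG. 4). The core network element only relays, so it is elided."""
    required = source.handover_preparation()             # 402 Handover Required
    response = target.on_handover_preparation(required)  # 403/404 Handover Request/Response
    command = response["auth_param"]                     # 405/406 Handover Command, to UE
    confirmed = ue.on_handover_execution(command)        # 407 Handover Confirmed
    return target.on_handover_complete(confirmed)        # 408 RES == XRES ?

def access_network_handover(ue: UE, source: BaseStation, target: BaseStation) -> bool:
    """Embodiment 2 (FIG. 5). Step 507 (Path Switch) carries no auth data and is omitted."""
    request = source.handover_preparation()              # 502 Handover Request
    response = target.on_handover_preparation(request)   # 503 Handover Response
    reconf = response["auth_param"]                      # 504 RRC Connection Reconfiguration
    complete = ue.on_handover_execution(reconf)          # 505 RRC Connection Reconfiguration Complete
    return target.on_handover_complete(complete)         # 506 RES == XRES ?

def demo() -> tuple:
    """Two chained handovers A -> B -> C, then an impostor terminal that lacks K."""
    k = hashlib.sha256(b"constructed sample subscriber key").digest()[:16]  # constructed
    ue = UE(k)
    bs_a = BaseStation(generate_auth_data(k, first_sqn=1, count=3))
    bs_b, bs_c, bs_d = BaseStation(), BaseStation(), BaseStation()
    first = core_network_handover(ue, bs_a, bs_b)      # B caches the 2 remaining vectors
    second = access_network_handover(ue, bs_b, bs_c)   # C caches the last one
    bs_d.on_handover_preparation(bs_c.handover_preparation())
    impostor = bs_d.on_handover_complete({"RES": b"\x00" * 8})  # wrong RES, no K
    return first, second, impostor
```

`demo()` returns `(True, True, False)`: both genuine handovers verify at the target, each consuming a fresh authentication sub-datum, while a terminal that cannot compute RES from RAND is rejected at Step 408 / 506.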
  • FIG. 6 is a first schematic structural diagram of an authentication apparatus according to an embodiment of the present application. As shown in FIG. 6, the apparatus includes:
  • the receiving unit 61 is configured to receive a handover preparation message sent by the second network function entity, where the handover preparation message carries the authentication data, and is configured to receive a handover complete message from the terminal, where the handover complete message carries the authentication information, and the authentication information is generated based on the authentication parameter;
  • the sending unit 62 is configured to send a handover notification message to the second network function entity, where the handover notification message carries an authentication parameter, and the authentication parameter is generated based on the authentication data;
  • the verification unit 63 is configured to verify the authentication information based on the authentication data.
  • the authentication device is configured in a first network function entity, where the first network function entity is a target base station system, and the second network function entity is a source base station system or a core network element.
  • the verification unit 63 is further configured to: compare the authentication information with information in the authentication data; if the information in the authentication data is the same as the authentication information, the verification succeeds; if the information in the authentication data is different from the authentication information, the verification fails.
  • the sending unit 62 is further configured to: send a path switch message to the core network element, where the path switch message carries the information of the target base station system.
  • the implementation functions of the units in the authentication apparatus shown in FIG. 6 can be understood by referring to the related description of the foregoing authentication method.
  • the functions of the units in the authentication apparatus shown in FIG. 6 can be realized by a program running on the processor, or can be realized by a specific logic circuit.
  • each unit in the authentication device may be implemented by a central processing unit (CPU), a microprocessor (MPU, Micro Processor Unit), a digital signal processor (DSP) or a field programmable gate array (FPGA) located in the authentication device.
  • FIG. 7 is a second schematic structural diagram of an authentication apparatus according to an embodiment of the present application. As shown in FIG. 7, the apparatus includes:
  • the sending unit 71 is configured to send a handover preparation message to the first network function entity, where the handover preparation message carries the authentication data, and is configured to send a handover execution message carrying the authentication parameter to the terminal, where the authentication parameter is generated based on the authentication data;
  • the receiving unit 72 is configured to receive a handover notification message that carries the authentication parameter sent by the first network function entity;
  • the authentication data includes one or more authentication sub-data; the apparatus further includes: a selecting unit configured to select one or more authentication sub-data from the authentication data as the authentication parameter.
  • the authentication device is configured in a second network function entity, where the second network function entity is a source base station system, and the first network function entity is a target base station system or a core network element.
  • each unit in the authentication device may be implemented by a CPU, an MPU, or a DSP, or an FPGA or the like located in the authentication device.
  • FIG. 8 is a third schematic structural diagram of an authentication apparatus according to an embodiment of the present application. As shown in FIG. 8, the apparatus includes:
  • the handover preparation unit 81 is configured to send a handover preparation message to the network, where the handover preparation message carries the authentication data.
  • the authentication data unit 82 is configured to receive a handover preparation message, where the handover preparation message carries the authentication data, and to send a handover notification message to the network, where the handover notification message carries an authentication parameter, and the authentication parameter is generated based on the authentication data; and is configured to receive a handover complete message from the terminal, where the handover complete message carries authentication information, and the authentication information is generated based on the authentication parameter;
  • the switching execution unit 83 is configured to receive a handover notification message, where the handover notification message carries an authentication parameter, and sends a handover execution message carrying the authentication parameter to the terminal;
  • the verification unit 84 is configured to verify the authentication information based on the authentication data.
  • the authentication device is disposed in a base station system.
  • the verification unit 84 is further configured to: compare the authentication information with information in the authentication data; if the information in the authentication data is the same as the authentication information, the verification succeeds; if the information in the authentication data is different from the authentication information, the verification fails.
  • each unit in the authentication device may be implemented by a CPU, an MPU, or a DSP, or an FPGA or the like located in the authentication device.
  • embodiments of the present application can be provided as a method, system, or computer program product. Accordingly, the application can take the form of a hardware embodiment, a software embodiment, or an embodiment in combination with software and hardware. Moreover, the application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) including computer usable program code.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • these computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • an embodiment of the present invention further provides a computer storage medium storing a computer program, where the computer program is configured to execute the authentication method of the embodiment of the present invention.
  • the first network function entity receives the handover preparation message sent by the second network function entity, where the handover preparation message carries the authentication data, and the first network function entity sends a handover notification message to the second network function entity, where the handover notification message carries an authentication parameter, and the authentication parameter is generated based on the authentication data;
  • the first network function entity receives a handover complete message from the terminal, where the handover complete message carries the authentication information, and the authentication information is generated based on the authentication parameter;
  • the first network function entity verifies the authentication information based on the authentication data.

Abstract

The present application discloses an authentication method, device and computer storage medium. The method comprises: a first network functional entity receiving a handover preparation message transmitted by a second network functional entity, the handover preparation message carrying authentication data therein; the first network functional entity transmitting a handover notification message to the second network functional entity, the handover notification message carrying authentication parameters therein, the authentication parameters being generated on the basis of the authentication data; the first network functional entity receiving a handover completion message from a terminal, the handover completion message carrying authentication information therein, the authentication information being generated on the basis of the authentication parameters; and the first network functional entity verifying the authentication information on the basis of the authentication data.

Description

Authentication method and device, and computer storage medium
Cross-reference to related applications
The present application is filed on the basis of Chinese patent application No. 201710002692.7, filed on January 3, 2017, and claims priority to that application, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communications, and in particular to an authentication method and device for use when performing a handover, and a computer storage medium.
Background
The 3rd Generation Partnership Project (3GPP) has proposed a mobile network authentication scheme. As shown in Figure 1, the procedure of that scheme includes the following steps:
Step 101: A core network element (for example a mobility management entity, MME) sends an authentication data request, for example an Authentication Data Request message, to a home network element (for example a home subscriber server, HSS). The message carries the identifier of the user to be authenticated, for example the international mobile station identity (IMSI), and the public key PubK of the core network element;
Step 102: The home network element (for example the HSS) obtains an authentication vector for one user or for a group of users. The authentication vector consists of four parts: a random number RAND, a network authentication parameter AUTN, an expected response XRES, and a key Knp. The home network element generates an encryption key Ks and uses it to encrypt the Knp in the authentication vector so that Knp is not leaked in transit; it then encrypts Ks with PubK to obtain E_PubK(Ks), which the receiver uses to decrypt the key in the authentication vector and which likewise protects Ks from being leaked in transit;
Step 103: The home network element (for example the HSS) sends an authentication data response, for example an Authentication Data Response message, to the core network element (for example the MME). The message carries the processed authentication vector and the Ks encrypted with PubK, that is, E_PubK(Ks);
Step 104: The core network element (for example the MME) decrypts E_PubK(Ks) with its own private key corresponding to the public key PubK, obtains Ks, and uses Ks to decrypt the Ks-encrypted key in the received authentication vector;
Step 105: The core network element (for example the MME) sends a user authentication request, for example a User Authentication Request message, to the terminal UE. The message carries part of the information of one received authentication vector as the authentication parameters, for example RAND and AUTN;
Step 106: The terminal UE verifies the network on the basis of AUTN. The terminal UE computes a response value RES on the basis of RAND and sends a user authentication response, for example a User Authentication Response message, to the core network element (for example the MME); the message carries the authentication information, that is, RES. The core network element compares RES with the XRES in the authentication vector; if RES = XRES, the network has authenticated the user.
In the above process, AUTN is used by the terminal UE to authenticate the network, and RAND is used by the network to authenticate the user of the terminal UE.
In the prior art, no authentication process is introduced into the handover process, so authentication can only be performed after the handover has completed, which reduces signaling efficiency.
Summary
To solve the above technical problem, embodiments of the present application provide an authentication method and device, and a computer storage medium.
An embodiment of the present application provides an authentication method, the method comprising:
a first network function entity receiving a handover preparation message sent by a second network function entity, the handover preparation message carrying authentication data;
the first network function entity sending a handover notification message to the second network function entity, the handover notification message carrying authentication parameters, the authentication parameters being generated on the basis of the authentication data;
the first network function entity receiving a handover completion message from a terminal, the handover completion message carrying authentication information, the authentication information being generated on the basis of the authentication parameters;
the first network function entity verifying the authentication information on the basis of the authentication data.
In the above solution, the first network function entity verifying the authentication information on the basis of the authentication data comprises:
the first network function entity comparing the authentication information against the information in the authentication data;
if the information in the authentication data is the same as the authentication information, the verification succeeds; if the information in the authentication data differs from the authentication information, the verification fails.
In the above solution, where the second network function entity is a source base station system, the method further comprises:
after the first network function entity has successfully verified the authentication information on the basis of the authentication data, sending a path switch message to a core network element, the path switch message carrying information about the target base station system.
In the above solution, a second network function entity sends a handover preparation message to a first network function entity, the handover preparation message carrying authentication data;
on receiving a handover notification message carrying authentication parameters from the first network function entity, the second network function entity sends a handover execution message carrying the authentication parameters to the terminal, the authentication parameters being generated on the basis of the authentication data.
In the above solution, the authentication data comprises one or more items of authentication sub-data, and generating the authentication parameters on the basis of the authentication data comprises:
selecting one or more items of authentication sub-data from the authentication data as the authentication parameters.
An embodiment of the present application further provides an authentication device, the device comprising:
a handover preparation unit, configured to send a handover preparation message to the network, the handover preparation message carrying authentication data;
an authentication data unit, configured to receive a handover preparation message carrying authentication data and to send a handover notification message to the network, the handover notification message carrying authentication parameters generated on the basis of the authentication data, and further configured to receive a handover completion message from the terminal, the handover completion message carrying authentication information generated on the basis of the authentication parameters;
a handover execution unit, configured to receive a handover notification message carrying authentication parameters and to send a handover execution message carrying the authentication parameters to the terminal;
a verification unit, configured to verify the authentication information on the basis of the authentication data.
In the above solution, the verification unit is further configured to compare the authentication information against the information in the authentication data; if the information in the authentication data is the same as the authentication information, the verification succeeds; if the information in the authentication data differs from the authentication information, the verification fails.
An embodiment of the present application provides an authentication device, the device comprising:
a receiving unit, configured to receive a handover preparation message sent by a second network function entity, the handover preparation message carrying authentication data, and further configured to receive a handover completion message from a terminal, the handover completion message carrying authentication information generated on the basis of the authentication parameters;
a sending unit, configured to send a handover notification message to the second network function entity, the handover notification message carrying authentication parameters generated on the basis of the authentication data;
a verification unit, configured to verify the authentication information on the basis of the authentication data.
In the above solution, the verification unit is further configured to compare the authentication information against the information in the authentication data; if the information in the authentication data is the same as the authentication information, the verification succeeds; if the information in the authentication data differs from the authentication information, the verification fails.
In the above solution, where the second network function entity is a source base station system, the sending unit is further configured to send a path switch message to a core network element, the path switch message carrying information about the target base station system.
An embodiment of the present application further provides an authentication device, the device comprising:
a sending unit, configured to send a handover preparation message to a first network function entity, the handover preparation message carrying authentication data, and further configured to send a handover execution message carrying the authentication parameters to a terminal, the authentication parameters being generated on the basis of the authentication data;
a receiving unit, configured to receive a handover notification message carrying the authentication parameters sent by the first network function entity.
In the above solution, the authentication data comprises one or more items of authentication sub-data, and the device further comprises a selection unit, configured to select one or more items of authentication sub-data from the authentication data as the authentication parameters.
An embodiment of the present application further provides a computer storage medium storing a computer program, the computer program being configured to execute the above authentication method.
In the technical solution of the embodiments of the present application, a first network function entity receives a handover preparation message sent by a second network function entity, the handover preparation message carrying authentication data; the first network function entity sends a handover notification message to the second network function entity, the handover notification message carrying authentication parameters generated on the basis of the authentication data; the first network function entity receives a handover completion message from a terminal, the handover completion message carrying authentication information generated on the basis of the authentication parameters; and the first network function entity verifies the authentication information on the basis of the authentication data. By combining the authentication procedure with the handover procedure, the technical solution provides a new base station system that can initiate and execute the authentication procedure during the handover, which improves signaling efficiency.
Brief description of the drawings
The drawings illustrate the embodiments discussed herein by way of example and not limitation.
Figure 1 is a schematic flowchart of an existing mobile network authentication method;
Figure 2 is a first schematic flowchart of an authentication method according to an embodiment of the present application;
Figure 3 is a second schematic flowchart of an authentication method according to an embodiment of the present application;
Figure 4 is a schematic flowchart of an authentication method during a core-network-based handover according to an embodiment of the present application;
Figure 5 is a schematic flowchart of an authentication method during an access-network-based handover according to an embodiment of the present application;
Figure 6 is a first schematic structural diagram of an authentication device according to an embodiment of the present application;
Figure 7 is a second schematic structural diagram of an authentication device according to an embodiment of the present application;
Figure 8 is a third schematic structural diagram of an authentication device according to an embodiment of the present application.
Detailed description
To allow a more detailed understanding of the features and technical content of the embodiments of the present application, their implementation is described in detail below with reference to the accompanying drawings. The drawings are provided for reference and illustration only and are not intended to limit the embodiments of the present application.
Figure 2 is a first schematic flowchart of an authentication method according to an embodiment of the present application. As shown in Figure 2, the procedure includes:
Step 201: A first network function entity receives a handover preparation message sent by a second network function entity, the handover preparation message carrying authentication data.
In this embodiment, the first network function entity is a target base station system, and the second network function entity is a source base station system or a core network element.
Step 202: The first network function entity sends a handover notification message to the second network function entity, the handover notification message carrying authentication parameters generated on the basis of the authentication data.
Step 203: The first network function entity receives a handover completion message from a terminal, the handover completion message carrying authentication information generated on the basis of the authentication parameters.
Step 204: The first network function entity verifies the authentication information on the basis of the authentication data.
In this embodiment, the first network function entity verifying the authentication information on the basis of the authentication data comprises:
the first network function entity comparing the authentication information against the information in the authentication data;
if the information in the authentication data is the same as the authentication information, the verification succeeds; if the information in the authentication data differs from the authentication information, the verification fails.
In this embodiment, where the second network function entity is a source base station system, the method further comprises:
after the first network function entity has successfully verified the authentication information on the basis of the authentication data, sending a path switch message to a core network element, the path switch message carrying information about the target base station system.
Figure 3 is a second schematic flowchart of an authentication method according to an embodiment of the present application. As shown in Figure 3, the procedure includes:
Step 301: A second network function entity sends a handover preparation message to a first network function entity, the handover preparation message carrying authentication data.
In this embodiment, the second network function entity is a source base station system, and the first network function entity is a target base station system or a core network element.
Step 302: On receiving a handover notification message carrying authentication parameters from the first network function entity, the second network function entity sends a handover execution message carrying the authentication parameters to the terminal, the authentication parameters being generated on the basis of the authentication data.
Here, the authentication data comprises one or more items of authentication sub-data, and generating the authentication parameters on the basis of the authentication data comprises:
selecting one or more items of authentication sub-data from the authentication data as the authentication parameters.
The technical solution of the embodiments of the present application is described in further detail below with reference to specific application scenarios.
Embodiment 1 (the first network function entity is the target base station system, and the second network function entity is a core network element)
Figure 4 is a schematic flowchart of the authentication method during a core-network-based handover according to an embodiment of the present application. As shown in Figure 4, the procedure includes:
Step 401: The terminal UE accesses the mobile network. The network element that issues the authentication data initiates an authentication process towards the terminal UE through the source base station system, or the handover process of this embodiment or of the embodiment of Figure 5 has been executed; the source base station system caches this authentication data;
Step 402: The source base station system decides to initiate a handover process and sends a handover requirement, for example a Handover Required message, to the core network element (for example a mobility management function, MMF, or an MME), carrying the cached authentication data;
Step 403: The core network element sends a handover request, for example a Handover Request message, to the target base station system, carrying the received authentication data;
Step 404: The target base station system sends a handover response, for example a Handover Response message, to the core network element, carrying authentication parameters taken from the cached authentication data, for example RAND and AUTN;
Step 405: The core network element sends a handover command, for example a Handover Command message, to the source base station system, carrying the received authentication parameters;
Step 406: The source base station system sends a handover command, for example a Handover Command message, to the terminal UE, carrying the received authentication parameters;
Step 407: The terminal UE authenticates the network using the authentication parameters and computes the authentication information, for example RES; at the same time it accesses the target base station system and sends a handover confirmation, for example a Handover Confirmed message, to the target base station system, carrying the authentication information;
Step 408: The target base station system receives the authentication information and verifies the terminal UE, for example by computing XRES from RAND and comparing whether XRES equals RES.
Embodiment 2 (the first network function entity is the target base station system, and the second network function entity is the source base station system)
Figure 5 is a schematic flowchart of the authentication method during an access-network-based handover according to an embodiment of the present application. As shown in Figure 5, the procedure includes:
Step 501: The terminal UE accesses the mobile network. The network element that issues the authentication data initiates an authentication process towards the terminal UE through the source base station system, or the handover process of this embodiment or of the embodiment of Figure 4 has been executed; the source base station system caches this authentication data;
Step 502: The source base station system decides to initiate a handover process and sends a handover request, for example a Handover Request message, to the target base station system, carrying the cached authentication data;
Step 503: The target base station system sends a handover response, for example a Handover Response message, to the source base station system, carrying authentication parameters taken from the cached authentication data, for example RAND and AUTN;
Step 504: The source base station system sends a connection reconfiguration, for example an RRC Connection Reconfiguration message, to the terminal UE, carrying the received authentication parameters;
Step 505: The terminal UE authenticates the network using the authentication parameters and computes the authentication information, for example RES; at the same time it accesses the target base station system and sends a connection reconfiguration complete, for example an RRC Connection Reconfiguration Complete message, to the target base station system, carrying the authentication information;
Step 506: The target base station system receives the authentication information and verifies the terminal UE, for example by computing XRES from RAND and comparing whether XRES equals RES;
Step 507: The target base station system sends a path switch, for example a Path Switch message, to the core network element.
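The challenge-response exchange of steps 101 to 106 in the background and the access-network handover of steps 502 to 507 above, as an added Python model; it is not code from the application or from the applicant. It assumes HMAC-SHA256 in place of the AKA key-derivation functions, a simplified AUTN of the form SQN || MAC, a shared subscriber key K held by the home network and the terminal, and it leaves out the Ks / E_PubK(Ks) key wrapping of steps 102 to 104. The class names, function names and the `run_access_network_handover` driver are constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stands in for the AKA functions (assumption for this example)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


@dataclass(frozen=True)
class AuthVector:
    """One item of authentication sub-data: RAND, AUTN, XRES, Knp (step 102)."""
    rand: bytes
    autn: bytes
    xres: bytes
    knp: bytes


def make_auth_vector(k: bytes, sqn: int) -> AuthVector:
    """Home network side: derive one vector from subscriber key K and a sequence number."""
    rand = secrets.token_bytes(16)
    sqn_bytes = sqn.to_bytes(6, "big")
    mac = _prf(k, b"mac", rand, sqn_bytes)[:8]
    return AuthVector(
        rand=rand,
        autn=sqn_bytes + mac,             # simplified AUTN: SQN || MAC (no AMF, no AK masking)
        xres=_prf(k, b"res", rand)[:8],   # the answer the network expects for this RAND
        knp=_prf(k, b"knp", rand),        # session key material; carried but unused here
    )


class Terminal:
    """UE: checks the network via AUTN, then answers RAND with RES (steps 407 / 505)."""

    def __init__(self, k: bytes):
        self.k = k
        self.highest_sqn = -1             # highest sequence number accepted so far

    def handover_command(self, rand: bytes, autn: bytes):
        sqn_bytes, mac = autn[:6], autn[6:]
        expected_mac = _prf(self.k, b"mac", rand, sqn_bytes)[:8]
        if not hmac.compare_digest(mac, expected_mac):
            return None                   # network authentication failed: produce no RES
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.highest_sqn:
            return None                   # stale sequence number: refuse a re-used challenge
        self.highest_sqn = sqn
        return _prf(self.k, b"res", rand)[:8]


class TargetBaseStation:
    """First network function entity: selects the parameters and checks RES against XRES."""

    def __init__(self):
        self.pending = None

    def handover_request(self, auth_data: list):
        """Step 503: take one sub-data item out of the carried data; return (RAND, AUTN)."""
        if not auth_data:
            raise ValueError("no authentication data to select from")
        self.pending = auth_data.pop(0)   # consumed item is removed so it is not reissued later
        return self.pending.rand, self.pending.autn

    def reconfiguration_complete(self, res: bytes) -> bool:
        """Step 506: success only if RES equals the XRES of the vector that was issued."""
        if self.pending is None:
            return False
        ok = hmac.compare_digest(res, self.pending.xres)
        self.pending = None               # one RES check per issued challenge
        return ok


def run_access_network_handover(ue: Terminal, cached_auth_data: list,
                                target: TargetBaseStation) -> dict:
    """Drive the Embodiment 2 sequence: source BS -> target BS -> UE -> target BS."""
    # Step 502: source sends Handover Request carrying its cached authentication data.
    rand, autn = target.handover_request(cached_auth_data)
    # Step 504: source relays (RAND, AUTN) to the UE in RRC Connection Reconfiguration.
    res = ue.handover_command(rand, autn)
    if res is None:
        return {"ue_accepted_network": False, "verified": False, "path_switch_sent": False}
    # Steps 505/506: UE returns RES in Reconfiguration Complete; target compares with XRES.
    verified = target.reconfiguration_complete(res)
    # Step 507: Path Switch goes to the core network only after successful verification.
    return {"ue_accepted_network": True, "verified": verified, "path_switch_sent": verified}


if __name__ == "__main__":
    K = bytes(range(32))                  # constructed subscriber key for the demo
    cache = [make_auth_vector(K, 1), make_auth_vector(K, 2)]
    print(run_access_network_handover(Terminal(K), cache, TargetBaseStation()))
```

Two design points carried over from the text: the target compares RES with the cached XRES (the check of step 204) using a constant-time comparison and discards the pending vector afterwards, and the terminal produces no RES at all when AUTN fails or the sequence number is not fresh, so a challenge that was already answered cannot be answered again.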
图6为本申请实施例的认证装置的结构组成示意图一,如图6所示,所述装置包括:FIG. 6 is a first schematic structural diagram of an authentication apparatus according to an embodiment of the present application. As shown in FIG. 6, the apparatus includes:
接收单元61,配置为接收第二网络功能实体发送的切换准备消息,所述切换准备消息中携带认证数据;以及用于接收来自终端的切换完成消息,所述切换完成消息中携带认证信息,所述认证信息基于所述认证参数生成;The receiving unit 61 is configured to receive a handover preparation message sent by the second network function entity, where the handover preparation message carries the authentication data, and is configured to receive a handover complete message from the terminal, where the handover complete message carries the authentication information, where The authentication information is generated based on the authentication parameter;
发送单元62,配置为向所述第二网络功能实体发送切换通知消息,所述切换通知消息中携带认证参数,所述认证参数基于所述认证数据生成;The sending unit 62 is configured to send a handover notification message to the second network function entity, where the handover notification message carries an authentication parameter, and the authentication parameter is generated based on the authentication data;
校验单元63,配置为基于所述认证数据校验所述认证信息。The verification unit 63 is configured to verify the authentication information based on the authentication data.
本申请实施例中,所述认证装置设置在第一网络功能实体,所述第一 网络功能实体为目标基站系统,所述第二网络功能实体为源基站系统或者核心网网元。In the embodiment of the present application, the authentication device is configured in a first network function entity, where the first The network function entity is a target base station system, and the second network function entity is a source base station system or a core network element.
本申请实施例中,所述校验单元63,还配置为:基于所述认证数据中的信息比对所述认证信息;如果所述认证数据中的信息与所述认证信息相同,则校验成功;如果所述认证数据中的信息与所述认证信息不同,则校验失败。In the embodiment of the present application, the checking unit 63 is further configured to: compare the authentication information based on information in the authentication data; if the information in the authentication data is the same as the authentication information, verify Successful; if the information in the authentication data is different from the authentication information, the verification fails.
本申请实施例中,在所述第二网络功能实体为源基站系统的情况下,所述发送单元62,还配置为:向核心网网元发送路径切换消息,所述路径切换消息携带所述目标基站系统的信息。In the embodiment of the present application, when the second network function entity is the source base station system, the sending unit 62 is further configured to: send a path switch message to the core network element, where the path switch message carries the Information of the target base station system.
本领域技术人员应当理解,图6所示的认证装置中的各单元的实现功能可参照前述认证方法的相关描述而理解。图6所示的认证装置中的各单元的功能可通过运行于处理器上的程序而实现,也可通过具体的逻辑电路而实现。It will be understood by those skilled in the art that the implementation functions of the units in the authentication apparatus shown in FIG. 6 can be understood by referring to the related description of the foregoing authentication method. The functions of the units in the authentication apparatus shown in FIG. 6 can be realized by a program running on the processor, or can be realized by a specific logic circuit.
在实际应用中,所述认证装置中的各个单元所实现的功能,均可由位于认证装置中的中央处理器(CPU,Central Processing Unit)、或微处理器(MPU,Micro Processor Unit)、或数字信号处理器(DSP,Digital Signal Processor)、或现场可编程门阵列(FPGA,Field Programmable Gate Array)等实现。In practical applications, the functions implemented by each unit in the authentication device may be implemented by a central processing unit (CPU) or a microprocessor (MPU, Micro Processor Unit) or a digital device located in the authentication device. Implemented by a signal processor (DSP, Digital Signal Processor) or a Field Programmable Gate Array (FPGA).
图7为本申请实施例的认证装置的结构组成示意图二,如图7所示,所述装置包括:FIG. 7 is a second schematic structural diagram of an authentication apparatus according to an embodiment of the present application. As shown in FIG. 7, the apparatus includes:
发送单元71,配置为向第一网络功能实体发送切换准备消息,所述切换准备消息中携带认证数据,以及用于向终端发送携带所述认证参数的切换执行消息,所述认证参数基于所述认证数据生成;The sending unit 71 is configured to send a handover preparation message to the first network function entity, where the handover preparation message carries the authentication data, and is configured to send a handover execution message carrying the authentication parameter to the terminal, where the authentication parameter is based on the Authentication data generation;
接收单元72,配置为接收到所述第一网络功能实体发送的携带认证参数的切换通知消息; The receiving unit 72 is configured to receive a handover notification message that carries the authentication parameter sent by the first network function entity;
这里,所述认证数据包括一个或多个认证子数据;所述装置还包括:选择单元,配置为从所述认证数据中选择出一个或多个认证子数据,作为所述认证参数。Here, the authentication data includes one or more authentication sub-data; the apparatus further includes: a selecting unit configured to select one or more authentication sub-data from the authentication data as the authentication parameter.
In the embodiment of the present application, the authentication device is arranged in the second network function entity, the second network function entity being a source base station system and the first network function entity being a target base station system or a core network element.
Those skilled in the art should understand that the functions implemented by the units of the authentication device shown in FIG. 7 can be understood with reference to the related description of the foregoing authentication method. The functions of the units of the authentication device shown in FIG. 7 may be realized by a program running on a processor or by a specific logic circuit.
In practical applications, the functions implemented by the units of the authentication device may all be realized by a CPU, an MPU, a DSP, an FPGA or the like located in the authentication device.
FIG. 8 is a third schematic structural diagram of an authentication device according to an embodiment of the present application. As shown in FIG. 8, the device includes:
a handover preparation unit 81, configured to send a handover preparation message to the network, the handover preparation message carrying authentication data;
an authentication data unit 82, configured to receive a handover preparation message carrying authentication data, to send a handover notification message to the network, the handover notification message carrying an authentication parameter generated based on the authentication data, and to receive a handover complete message from the terminal, the handover complete message carrying authentication information generated based on the authentication parameter;
a handover execution unit 83, configured to receive a handover notification message carrying an authentication parameter and to send a handover execution message carrying the authentication parameter to the terminal;
a verification unit 84, configured to verify the authentication information based on the authentication data.
In the embodiment of the present application, the authentication device is arranged in a base station system.
In the embodiment of the present application, the verification unit 84 is further configured to compare the authentication information against the information in the authentication data; if the information in the authentication data is identical to the authentication information, the verification succeeds; if the information in the authentication data differs from the authentication information, the verification fails.
Those skilled in the art should understand that the functions implemented by the units of the authentication device shown in FIG. 8 can be understood with reference to the related description of the foregoing authentication method. The functions of the units of the authentication device shown in FIG. 8 may be realized by a program running on a processor or by a specific logic circuit.
In practical applications, the functions implemented by the units of the authentication device may all be realized by a CPU, an MPU, a DSP, an FPGA or the like located in the authentication device.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage and optical storage) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Correspondingly, an embodiment of the present invention further provides a computer storage medium storing a computer program configured to execute the authentication method of the embodiment of the present invention.
The above are only preferred embodiments of the present application and are not intended to limit the scope of protection of the present application.
Industrial applicability
In the technical solution of the embodiment of the present application, a first network function entity receives a handover preparation message sent by a second network function entity, the handover preparation message carrying authentication data; the first network function entity sends a handover notification message to the second network function entity, the handover notification message carrying an authentication parameter generated based on the authentication data; the first network function entity receives a handover complete message from the terminal, the handover complete message carrying authentication information generated based on the authentication parameter; and the first network function entity verifies the authentication information based on the authentication data. By combining the authentication procedure with the handover procedure, the technical solution of the embodiment of the present application provides a new base station system that can initiate and execute the authentication procedure during handover, which improves signalling efficiency.

Claims (13)

  1. An authentication method, comprising:
    a first network function entity receiving a handover preparation message sent by a second network function entity, the handover preparation message carrying authentication data;
    the first network function entity sending a handover notification message to the second network function entity, the handover notification message carrying an authentication parameter generated based on the authentication data;
    the first network function entity receiving a handover complete message from a terminal, the handover complete message carrying authentication information generated based on the authentication parameter;
    the first network function entity verifying the authentication information based on the authentication data.
  2. The authentication method according to claim 1, wherein the first network function entity verifying the authentication information based on the authentication data comprises:
    the first network function entity comparing the authentication information against the information in the authentication data;
    if the information in the authentication data is identical to the authentication information, the verification succeeds; if the information in the authentication data differs from the authentication information, the verification fails.
  3. The authentication method according to claim 1 or 2, wherein, in the case that the second network function entity is a source base station system, the method further comprises:
    after the first network function entity has successfully verified the authentication information based on the authentication data, sending a path switch message to a core network element, the path switch message carrying information of the target base station system.
  4. An authentication method, comprising:
    a second network function entity sending a handover preparation message to a first network function entity, the handover preparation message carrying authentication data;
    when the second network function entity receives a handover notification message carrying an authentication parameter sent by the first network function entity, sending a handover execution message carrying the authentication parameter to a terminal, the authentication parameter being generated based on the authentication data.
  5. The authentication method according to claim 4, wherein the authentication data includes one or more items of authentication sub-data, and the authentication parameter being generated based on the authentication data comprises:
    selecting one or more items of authentication sub-data from the authentication data as the authentication parameter.
  6. An authentication device, comprising:
    a handover preparation unit, configured to send a handover preparation message to the network, the handover preparation message carrying authentication data;
    an authentication data unit, configured to receive a handover preparation message carrying authentication data, to send a handover notification message to the network, the handover notification message carrying an authentication parameter generated based on the authentication data, and to receive a handover complete message from a terminal, the handover complete message carrying authentication information generated based on the authentication parameter;
    a handover execution unit, configured to receive a handover notification message carrying an authentication parameter and to send a handover execution message carrying the authentication parameter to the terminal;
    a verification unit, configured to verify the authentication information based on the authentication data.
  7. The authentication device according to claim 6, wherein the verification unit is further configured to compare the authentication information against the information in the authentication data; if the information in the authentication data is identical to the authentication information, the verification succeeds; if the information in the authentication data differs from the authentication information, the verification fails.
  8. An authentication device, comprising:
    a receiving unit, configured to receive a handover preparation message sent by a second network function entity, the handover preparation message carrying authentication data, and to receive a handover complete message from a terminal, the handover complete message carrying authentication information generated based on the authentication parameter;
    a sending unit, configured to send a handover notification message to the second network function entity, the handover notification message carrying an authentication parameter generated based on the authentication data;
    a verification unit, configured to verify the authentication information based on the authentication data.
  9. The authentication device according to claim 8, wherein the verification unit is further configured to compare the authentication information against the information in the authentication data; if the information in the authentication data is identical to the authentication information, the verification succeeds; if the information in the authentication data differs from the authentication information, the verification fails.
  10. The authentication device according to claim 8 or 9, wherein, in the case that the second network function entity is a source base station system, the sending unit is further configured to send a path switch message to a core network element, the path switch message carrying information of the target base station system.
  11. An authentication device, comprising:
    a sending unit, configured to send a handover preparation message to a first network function entity, the handover preparation message carrying authentication data, and to send a handover execution message carrying the authentication parameter to a terminal, the authentication parameter being generated based on the authentication data;
    a receiving unit, configured to receive a handover notification message carrying the authentication parameter sent by the first network function entity.
  12. The authentication device according to claim 11, wherein the authentication data includes one or more items of authentication sub-data, and the device further comprises a selection unit configured to select one or more items of authentication sub-data from the authentication data as the authentication parameter.
  13. A computer storage medium storing computer-executable instructions configured to execute the authentication method according to any one of claims 1 to 3, or the authentication method according to any one of claims 4 to 5.
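The handover-time authentication exchange summarised under industrial applicability and recited in claims 1 to 5, as an added Python simulation that is not part of the patent or of any ZTE implementation. The patent does not fix the shape of an authentication sub-data item or how the terminal derives the authentication information, so this model assumes each sub-data item is a challenge together with the response expected from the terminal, derives the response with HMAC-SHA256 under a shared key, and uses constructed message dictionaries and class names (FirstEntity, SecondEntity, Terminal).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def terminal_response(shared_key: bytes, challenge: bytes) -> bytes:
    """Authentication information the terminal derives from the parameter.
    Assumed derivation (not from the patent): HMAC-SHA256 of the challenge
    under a key shared by terminal and network, truncated to 8 bytes."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()[:8]

@dataclass(frozen=True)
class SubData:
    """One item of authentication sub-data (assumed: challenge + expected response)."""
    challenge: bytes
    expected: bytes

def build_authentication_data(shared_key: bytes, count: int = 3) -> tuple:
    """Authentication data carried in the handover preparation message."""
    challenges = [secrets.token_bytes(16) for _ in range(count)]
    return tuple(SubData(c, terminal_response(shared_key, c)) for c in challenges)

class FirstEntity:
    """First network function entity (e.g. the target base station system)."""
    def __init__(self):
        self.auth_data, self.param = (), None

    def on_handover_preparation(self, msg: dict) -> dict:
        # Keep the authentication data and select one sub-data item as the
        # authentication parameter (claim 5), sent back in the handover notification.
        self.auth_data = msg["auth_data"]
        self.param = secrets.choice(self.auth_data).challenge
        return {"type": "HandoverNotification", "auth_param": self.param}

    def on_handover_complete(self, msg: dict) -> bool:
        # Claim 2: compare the terminal's authentication information with the
        # information held in the authentication data; identical means success.
        for item in self.auth_data:
            if item.challenge == self.param:
                # Constant-time comparison so timing does not leak the expected value.
                return hmac.compare_digest(item.expected, msg["auth_info"])
        return False

class SecondEntity:
    """Second network function entity (e.g. the source base station system)."""
    def __init__(self, auth_data: tuple):
        self.auth_data = auth_data

    def handover_preparation(self) -> dict:
        return {"type": "HandoverPreparation", "auth_data": self.auth_data}

    def on_handover_notification(self, msg: dict) -> dict:
        # Forward the authentication parameter to the terminal (claim 4).
        return {"type": "HandoverExecution", "auth_param": msg["auth_param"]}

class Terminal:
    def __init__(self, shared_key: bytes):
        self.shared_key = shared_key

    def on_handover_execution(self, msg: dict) -> dict:
        info = terminal_response(self.shared_key, msg["auth_param"])
        return {"type": "HandoverComplete", "auth_info": info}

def run_handover(network_key: bytes, terminal_key: bytes) -> bool:
    """Run the whole exchange; True when the first entity verifies the terminal."""
    source = SecondEntity(build_authentication_data(network_key))
    target, terminal = FirstEntity(), Terminal(terminal_key)
    notification = target.on_handover_preparation(source.handover_preparation())
    execution = source.on_handover_notification(notification)
    complete = terminal.on_handover_execution(execution)
    return target.on_handover_complete(complete)
```

A terminal holding a different key produces authentication information that does not match the stored expected response, so `run_handover` returns False for it and the path switch of claim 3 would not follow.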
PCT/CN2017/110751 2017-01-03 2017-11-13 Authentication method and device, and computer storage medium WO2018126791A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710002692.7A CN108271154B (en) 2017-01-03 2017-01-03 Authentication method and device
CN201710002692.7 2017-01-03

Publications (1)

Publication Number Publication Date
WO2018126791A1 true WO2018126791A1 (en) 2018-07-12

Family

ID=62771592

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/110751 WO2018126791A1 (en) 2017-01-03 2017-11-13 Authentication method and device, and computer storage medium

Country Status (2)

Country Link
CN (1) CN108271154B (en)
WO (1) WO2018126791A1 (en)


Also Published As

Publication number Publication date
CN108271154A (en) 2018-07-10
CN108271154B (en) 2022-04-15


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17890729

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17890729

Country of ref document: EP

Kind code of ref document: A1