WO2019001509A1 - Network authentication method and system - Google Patents


Info

Publication number
WO2019001509A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
lte
mme
random number
encryption result
Prior art date
Application number
PCT/CN2018/093319
Other languages
French (fr)
Chinese (zh)
Inventor
李�赫
诸华林
靳维生
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2019001509A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W12/06: Authentication

Definitions

  • the present application relates to the field of communications technologies, and in particular, to a network authentication method and system.
  • a Long Term Evolution-Unlicensed (LTE-U) network refers to a network composed of network devices deployed by a third party, in addition to the network devices deployed by operators and users.
  • for example, a hospital deploys network devices such as an LTE-U base station (Evolved Node B, eNB), an LTE-U Mobility Management Entity (MME), and an LTE-U gateway (GW). These network devices constitute an LTE-U network, and user equipment (UE) in the hospital can communicate by accessing the LTE-U network.
  • the network device of the LTE-U network can be connected with the network device of the carrier network.
  • the UE is required to authenticate with the LTE-U network and the carrier network when the UE that is not currently connected to the carrier network accesses the LTE-U network.
  • when the UE first accesses the LTE network, it first performs mutual authentication with the MME of the LTE network. If the UE determines that the LTE network is authentic and the MME determines that the UE is authentic, the two-way authentication succeeds. After the two-way authentication succeeds, the MME generates a non-access stratum (NAS) key and performs algorithm negotiation with the UE according to the NAS key.
  • the Evolved Node B (eNodeB) then generates an Access Stratum (AS) key and performs algorithm negotiation with the UE according to the AS key. If the algorithm negotiation between the eNodeB and the UE succeeds, the authentication between the UE and the LTE network is complete, and the UE can access the LTE network.
  • the related art only provides a method for authenticating directly with the network devices of a carrier network when the UE accesses that carrier network; it does not provide a method of network authentication for the case where an LTE-U network exists and the UE accesses both the carrier network and the LTE-U network.
  • the embodiment of the present invention provides a network authentication method and system that solves this problem of the related art, namely that no method is provided for the UE to perform network authentication when accessing both the LTE network and the LTE-U network.
  • a network authentication method comprising:
  • the mobility management entity (MME) of a Long Term Evolution-Unlicensed (LTE-U) network receives a first attach request from user equipment (UE), adds the network identifier of the LTE-U network to the first attach request to generate a second attach request, and sends the second attach request to an MME of a Long Term Evolution (LTE) network;
  • when the MME of the LTE network receives the second attach request, it sends an authentication data request to a home subscriber server (HSS) based on the second attach request, where the authentication data request carries the network identifier of the LTE-U network and the network identifier of the LTE network;
  • when the HSS receives the authentication data request, it generates an authentication vector based on the network identifier of the LTE-U network and the network identifier of the LTE network, and sends the authentication vector to the MME of the LTE network, the authentication vector including parameters for authenticating the UE, the LTE-U network, and the LTE network;
  • when the MME of the LTE network receives the authentication vector, it interacts with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication.
  • the authentication vector includes a first base key, expected reply information, a first random number, and an authentication token (AUTN), where the first base key is a key corresponding to the LTE-U network;
  • interacting with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication includes:
  • the MME of the LTE network stores the expected reply information and sends the first random number, the AUTN, the network identifier of the LTE-U network, and a first encryption result to the UE through the MME of the LTE-U network, where the first encryption result is generated by the MME of the LTE-U network based on the first base key;
  • the UE performs verification on the LTE network based on the first random number and the AUTN, and performs verification on the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result;
  • the UE sends a second encryption result to the MME of the LTE-U network and sends reply information to the MME of the LTE network;
  • when the MME of the LTE-U network receives the second encryption result, it verifies the UE based on the second encryption result, and when the MME of the LTE network receives the reply information, it verifies the UE based on the expected reply information and the reply information.
  • sending, by the MME of the LTE network, the first random number, the AUTN, and the first encryption result to the UE through the MME of the LTE-U network includes:
  • the MME of the LTE network stores the expected reply information and sends the first base key, the first random number, and the AUTN to the MME of the LTE-U network;
  • when the MME of the LTE-U network receives the first base key, the first random number, and the AUTN, it stores the first base key, generates a first encryption result based on the first base key, and sends the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result to the UE.
  • generating the first encryption result based on the first base key includes:
  • the MME of the LTE-U network generates a second random number and encrypts the second random number by using the first base key to obtain the first encryption result;
  • sending the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result to the UE includes:
  • the MME of the LTE-U network sends the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result, and the second random number to the UE.
  • the AUTN includes a message authentication code (MAC);
  • the UE performing verification on the LTE network based on the first random number and the AUTN includes:
  • the UE determines that the verification of the LTE network passes;
  • the UE performing verification on the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result includes:
  • the UE encrypts the second random number by using a second base key to obtain a third encryption result;
  • the UE determines that the verification of the LTE-U network passes.
  • generating a second encryption result according to the first random number, the AUTN, and the network identifier of the LTE-U network includes:
  • the UE generates a third random number and encrypts the second random number and the third random number as a whole by using the second base key to obtain the second encryption result;
  • sending, by the UE, the second encryption result to the MME of the LTE-U network includes:
  • the MME of the LTE-U network performing verification on the UE based on the second encryption result includes:
  • the MME of the LTE-U network encrypts the second random number and the third random number as a whole by using the stored first base key to obtain a fourth encryption result;
  • the MME of the LTE-U network determines that the verification of the UE passes.
  • the MME of the LTE network sends the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result to the UE by using the MME of the LTE-U network.
  • the MME of the LTE network stores the expected reply information and sends the first base key, the expected reply information, the first random number, and the AUTN to the MME of the LTE-U network;
  • when the MME of the LTE-U network receives the first base key, the expected reply information, the first random number, and the AUTN, it stores the first base key and the expected reply information, generates the first encryption result based on the first base key, and sends the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result to the UE.
  • the AUTN includes a MAC
  • generating the first encryption result based on the first base key includes:
  • the MME of the LTE-U network encrypts the MAC by using the first base key to obtain the first encryption result;
  • the UE performing verification on the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result includes:
  • the UE encrypts the MAC by using the second base key to obtain a fifth encryption result;
  • the UE determines that the verification of the LTE-U network passes;
  • generating a second encryption result according to the first random number, the AUTN, and the network identifier of the LTE-U network includes:
  • the UE encrypts the reply information by using the second base key to obtain the second encryption result;
  • the MME of the LTE-U network performing verification on the UE based on the second encryption result includes:
  • the MME of the LTE-U network encrypts the reply information by using the stored first base key to obtain a sixth encryption result;
  • the MME of the LTE-U network determines that the verification of the UE passes.
  • the second attach request carries a security algorithm of the UE, and the authentication vector includes a third base key, expected reply information, a first random number, and an authentication token (AUTN), where the third base key is a key corresponding to the LTE network;
  • interacting with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication includes:
  • the MME of the LTE network interacts with the UE according to the third base key, the expected reply information, the first random number, and the AUTN, so that the UE verifies the LTE network and the MME of the LTE network verifies the UE;
  • when the MME of the LTE network determines that the verification of the UE passes, it generates a second random number and generates a first base key based on the network identifier of the LTE-U network and the third base key;
  • the MME of the LTE network generates a non-access stratum (NAS) key based on the security algorithm of the UE, and encrypts the second random number by using the NAS key to obtain a seventh encryption result;
  • the MME of the LTE network sends the first base key, the third base key, the NAS key, the network identifier of the LTE-U network, the second random number, and the seventh encryption result to the MME of the LTE-U network;
  • the MME of the LTE-U network encrypts the second random number by using the first base key to obtain an eighth encryption result, and sends the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result, and the eighth encryption result to the UE;
  • the UE generates a second base key based on the third base key and the network identifier of the LTE-U network, decrypts the eighth encryption result by using the second base key to obtain a first decryption result, and decrypts the seventh encryption result by using the NAS key to obtain a second decryption result;
  • the UE determines that the verification of the LTE-U network passes.
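The third implementation in the claims above (the one built on the seventh and eighth encryption results) can be traced end to end in code. The following Python is an added example written for this page, not code from the patent or from Huawei. The key derivation function, the derivation of the NAS key from the UE's security algorithm, the toy XOR cipher standing in for the unspecified encryption, and every sample value (the third base key, the network identifier, the random numbers) are assumptions; the message contents follow the claim wording, including the values the MME of the LTE-U network forwards to the UE. The decisive check is the last line of `ue_verify_lte_u`: the MME of the LTE-U network is accepted only if its ciphertext of the second random number, decrypted under the second base key the UE derives itself, equals the copy the MME of the LTE network protected with the NAS key.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not taken from the patent).
K3 = bytes(range(32))             # third base key, shared by UE and LTE MME after LTE authentication
LTE_U_NET_ID = b"LTEU-HOSPITAL-1"  # assumed format of the LTE-U network identifier
NONCE_LEN = 16


def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stands in for the patent's unspecified key derivation."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def toy_encrypt(key: bytes, data: bytes, nonce: bytes = None) -> bytes:
    """Constructed stand-in for the unspecified cipher: XOR with an HMAC-derived
    keystream, nonce prepended. Illustration only, not a real cipher."""
    assert len(data) <= 32, "one keystream block only"
    nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
    stream = kdf(key, nonce)[:len(data)]
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = kdf(key, nonce)[:len(body)]
    return bytes(a ^ b for a, b in zip(body, stream))


def lte_mme_after_ue_verified(k3: bytes, lte_u_net_id: bytes,
                              ue_algorithm: str, r2: bytes = None) -> dict:
    """MME of the LTE network, once the UE has been verified: generates the second
    random number, derives the first base key from K3 and the LTE-U identifier,
    derives a NAS key from the UE's security algorithm (assumed derivation) and
    produces the seventh encryption result. Returns the message for the LTE-U MME."""
    r2 = r2 if r2 is not None else secrets.token_bytes(16)
    k1 = kdf(k3, b"LTE-U", lte_u_net_id)              # first base key
    nas_key = kdf(k3, b"NAS", ue_algorithm.encode())  # NAS key (assumption)
    enc7 = toy_encrypt(nas_key, r2)                   # seventh encryption result
    return {"k1": k1, "k3": k3, "nas_key": nas_key,
            "lte_u_net_id": lte_u_net_id, "r2": r2, "enc7": enc7}


def lte_u_mme_forward(msg: dict) -> dict:
    """MME of the LTE-U network: encrypts the second random number under the
    first base key (eighth encryption result) and forwards the values the
    claim lists to the UE."""
    enc8 = toy_encrypt(msg["k1"], msg["r2"])
    return {"k3": msg["k3"], "nas_key": msg["nas_key"],
            "lte_u_net_id": msg["lte_u_net_id"],
            "enc7": msg["enc7"], "enc8": enc8}


def ue_verify_lte_u(msg: dict) -> bool:
    """UE: derives the second base key from K3 and the LTE-U identifier, decrypts
    both results and accepts the LTE-U network only if the plaintexts agree."""
    k2 = kdf(msg["k3"], b"LTE-U", msg["lte_u_net_id"])   # second base key
    dec1 = toy_decrypt(k2, msg["enc8"])                   # first decryption result
    dec2 = toy_decrypt(msg["nas_key"], msg["enc7"])       # second decryption result
    return hmac.compare_digest(dec1, dec2)


if __name__ == "__main__":
    genuine = lte_mme_after_ue_verified(K3, LTE_U_NET_ID, "EEA2")
    print("genuine LTE-U MME accepted:", ue_verify_lte_u(lte_u_mme_forward(genuine)))
    # an LTE-U MME that never received the real first base key
    wrong_key = dict(genuine, k1=b"\x00" * 32)
    print("MME without K1 accepted:", ue_verify_lte_u(lte_u_mme_forward(wrong_key)))
```

Because the second base key is derived by the UE and never transmitted, an MME of the LTE-U network that lacks the genuine first base key cannot produce an eighth encryption result that decrypts to the second random number, and the comparison fails.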
  • a network authentication system is provided that has the function of implementing the behavior of the network authentication method of the first aspect.
  • the network authentication system includes the UE, the MME of the LTE-U network, the MME of the LTE network, and the HSS, and the MME of the LTE-U network, the MME of the LTE network, and the HSS are used to implement the network authentication method provided by the foregoing first aspect.
  • a third aspect provides a network device, where the network device includes a processor and a memory; the memory is used to store a program that supports the network device in performing the network authentication method provided by the first aspect, and to store the data involved in implementing that method.
  • the processor is configured to execute the program stored in the memory.
  • the network device may further include a communication bus for establishing a connection between the processor and the memory.
  • a computer readable storage medium is provided, storing instructions that, when executed on a computer, cause the computer to perform the network authentication method of the first aspect.
  • a computer program product is provided, comprising instructions that, when executed on a computer, cause the computer to perform the network authentication method of the first aspect.
  • the technical solution provided by the present application has the following beneficial effect: in the embodiment of the present invention, when the UE accesses the LTE-U network, the UE may send the first attach request to the MME of the LTE-U network rather than to the LTE network; the MME of the LTE-U network adds the network identifier of the LTE-U network to the first attach request, thereby generating a second attach request, and sends the second attach request to the MME of the LTE network;
  • the MME of the LTE network generates an authentication data request based on the second attach request to request an authentication vector from the HSS, and when the HSS receives the authentication data request, it generates an authentication vector based on that request and sends the authentication vector to the MME of the LTE network;
  • the MME of the LTE network can then interact with the UE and the MME of the LTE-U network according to the received authentication vector to implement network authentication. That is, with the network authentication method provided by the embodiment of the present invention, the UE can authenticate with the operator network and the LTE-U network at one time when accessing both, so that the UE can access the carrier network and the LTE-U network at the same time, which brings convenience to the user.
  • FIG. 1 is a system architecture diagram of a network authentication method according to an embodiment of the present invention.
  • FIG. 2 is a schematic structural diagram of a network device according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of a network authentication method according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of a method for performing network authentication by using an MME of an LTE network, an MME of an LTE-U network, and a UE according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of still another method for performing network authentication by using an MME of an LTE network, an MME of an LTE-U network, and a UE according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of another method for performing network authentication by using an MME of an LTE network, an MME of an LTE-U network, and a UE according to an embodiment of the present invention.
  • for example, a hospital deploys an LTE-U eNB, an LTE-U MME, an LTE-U GW, and other network devices within its premises, thereby forming an LTE-U network through which the hospital can provide medical services to users; a user accessing the LTE-U network can conveniently and quickly find information such as doctor information, queue numbers, and department locations through the LTE-U network.
  • the third party can not only provide specific services to the user through the deployed LTE-U network, but can also connect the network devices in the LTE-U network with the network devices in the carrier network, so that a user accessing the LTE-U network can simultaneously use the network services provided by the carrier network.
  • in this case the UE needs to authenticate with both the LTE-U network and the carrier network.
  • the network authentication method and system provided by the present application can be used in the scenario where a UE that is not currently connected to the carrier network authenticates with the operator network and the LTE-U network when accessing the LTE-U network.
  • FIG. 1 is a system architecture diagram of a network authentication method according to an embodiment of the present invention.
  • the system includes a UE 101, an eNB 102 of an LTE-U network, an MME 103 of an LTE-U network, an MME 104 of an LTE network, and an HSS 105.
  • the UE 101 is connected to the eNB 102 of the LTE-U network
  • the MME 103 of the LTE-U network is connected to the MME 104 of the LTE network
  • the MME 104 of the LTE network is connected to the HSS 105.
  • the UE 101 may be a user equipment such as a smart phone or a tablet.
  • the UE 101 initiates an attach request to the eNB 102 of the LTE-U network, the eNB 102 of the LTE-U network forwards the attach request sent by the UE 101 to the MME 103 of the LTE-U network, and the MME 103 of the LTE-U network and the MME 104 of the LTE network interact with the UE according to the attach request to implement authentication between the UE 101, the MME 103 of the LTE-U network, and the MME 104 of the LTE network.
  • the MME 104 of the LTE network may request an authentication vector from the HSS 105 according to the attach request sent by the UE 101, the network identifier of the LTE-U network, and the network identifier of the LTE network; the HSS 105 generates an authentication vector according to the received information and returns it to the MME 104 of the LTE network, so that the MME 103 of the LTE-U network and the MME 104 of the LTE network can authenticate with the UE 101 based on the authentication vector.
  • FIG. 2 is a schematic structural diagram of a network device according to an embodiment of the present invention.
  • the network device may be the UE, eNB, MME or HSS in FIG.
  • the network device includes at least one processor 201, a communication bus 202, a memory 203, and at least one communication interface 204.
  • the processor 201 can be a general purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the present application.
  • Communication bus 202 can include a path for communicating information between the components described above.
  • the memory 203 may be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
  • Memory 203 may be present independently and coupled to processor 201 via communication bus 202.
  • the memory 203 can also be integrated with the processor 201.
  • the communication interface 204 uses any transceiver-type device for communicating with other devices or communication networks, such as Ethernet, a Radio Access Network (RAN), or a Wireless Local Area Network (WLAN).
  • processor 201 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG.
  • the network device can include multiple processors, such as processor 201 and processor 205 shown in FIG. Each of these processors can be a single-CPU processor or a multi-core processor.
  • a processor herein may refer to one or more devices, circuits, and/or processing cores for processing data, such as computer program instructions.
  • the network device may further include an output device 206 and an input device 207.
  • Output device 206 is in communication with processor 201 and can display information in a variety of ways.
  • the output device 206 can be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector.
  • Input device 207 is in communication with processor 201 and can receive user input in a variety of ways.
  • input device 207 can be a mouse, keyboard, touch screen device, or sensing device, and the like.
  • the network device described above may be a general purpose computer device or a special purpose computer device.
  • the network device may be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet, a wireless terminal device, a communication device, or an embedded device.
  • the embodiment of the invention does not limit the type of the network device.
  • the memory 203 is used to store program code for executing the solution of the present application, and is controlled by the processor 201 for execution.
  • the processor 201 is configured to execute the program code 208 stored in the memory 203.
  • One or more software modules may be included in program code 208.
  • the network device shown in FIG. 1 can implement network authentication through the processor 201 and one or more of the program codes 208 in the memory 203.
  • FIG. 3 is a flowchart of a network authentication method according to an embodiment of the present invention. As shown in FIG. 3, the method includes the following steps:
  • Step 301 The UE sends the first attach request to the MME of the LTE-U network.
  • the UE may send a first attach request (Attach Request) to the eNB of the LTE-U network, and when the eNB of the LTE-U network receives it, the eNB forwards the first attach request to the MME of the LTE-U network.
  • the first attach request is a NAS message, and the eNB of the LTE-U network cannot parse it.
  • the first attach request may carry the International Mobile Subscriber Identification Number (IMSI) of the UE and the security algorithm of the UE.
  • the IMSI of the UE may be used to uniquely identify the UE, and the IMSI of the UE may determine the mobile network to which the UE currently belongs.
  • the security algorithm of the UE refers to an encryption algorithm and an integrity protection algorithm supported by the UE.
  • Step 302 When the MME of the LTE-U network receives the first attach request from the UE, it adds the network identifier of the LTE-U network to the first attach request to generate a second attach request.
  • the MME of the LTE-U network may add its own network identifier to the first attach request, thereby generating a second attach request.
  • the MME of the LTE-U network may determine the MME of the LTE network corresponding to the UE according to the IMSI of the UE carried in the first attach request.
  • Step 303 The MME of the LTE-U network sends a second attach request to the MME of the LTE network.
  • the MME of the LTE-U network may send the generated second attach request to the MME of the determined LTE network.
  • Step 304 When the MME of the LTE network receives the second attach request, send an authentication data request to the HSS based on the second attach request.
  • when the MME of the LTE network receives the second attach request, which as described above carries the IMSI of the UE, the security capability of the UE, and the network identifier of the LTE-U network, it may add the network identifier of the LTE network to the second attach request, thereby generating an authentication data request, and send the authentication data request to the HSS.
  • Step 305 When the HSS receives the authentication data request, generate an authentication vector based on the network identifier of the LTE-U network and the network identifier of the LTE network.
  • the HSS may determine, according to the IMSI carried in the authentication data request, the long-term key corresponding to the IMSI of the UE from the plurality of stored long-term keys; this long-term key may also be called the mobile phone authentication code (Key identifier, Ki). The HSS may then generate a third base key corresponding to the LTE network from the determined long-term key and the network identifier of the LTE network, and generate a first base key corresponding to the LTE-U network from the long-term key and the network identifier of the LTE-U network.
  • the HSS may also generate a first random number and a sequence number, and generate an Authentication Token (AUTN) and expected reply information according to the first random number and the sequence number.
  • the AUTN includes the sequence number, a message authentication code (MAC), an Authentication Management Field (AMF), and the like.
  • the authentication vector may include the first base key, the third base key, the first random number, the expected reply information, and the AUTN; or it may omit the first base key and include only the third base key, the first random number, the expected reply information, and the AUTN; or it may omit the third base key and include the first base key, the first random number, the expected reply information, and the AUTN. When the authentication vector does not include the first base key or the third base key, the HSS need not generate that key in the above process.
  • Step 306 The HSS sends an authentication vector to the MME of the LTE network.
  • Step 307 When the MME of the LTE network receives the authentication vector, interact with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication.
  • when the MME of the LTE network receives the authentication vector, it can interact with the UE and the MME of the LTE-U network according to the authentication vector, thereby completing the verification of the UE by the LTE network, the verification of the UE by the LTE-U network, and the verification of the LTE network and the LTE-U network by the UE.
  • the UE may verify the LTE-U network and the LTE network at the same time, or may mutually authenticate with the LTE network before performing mutual authentication with the LTE-U network.
  • the UE may also verify the LTE-U network by using different parameters in the authentication vector. The specific process of performing network authentication by interacting with the UE and the MME of the LTE-U network based on the authentication vector is described in detail in the subsequent embodiments.
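Steps 301 to 305 are easiest to follow as data moving between the four parties. The following Python is an added example written for this page, not code from the patent or from Huawei: it models each request as a dictionary that gains one network identifier per hop, derives the first and third base keys from Ki and the two network identifiers, and builds the first random number, the AUTN and the expected reply information. HMAC-SHA256 as the derivation function, the AUTN layout SQN || AMF || MAC, the UE-side check of the LTE network (a MAC recomputation, which the page leaves unstated), and all sample values (Ki, IMSI, network identifiers, algorithm names) are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not taken from the patent).
KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # one subscriber's long-term key
LTE_NET_ID = b"PLMN-46000"          # assumed format of the LTE network identifier
LTE_U_NET_ID = b"LTEU-HOSPITAL-1"   # assumed format of the LTE-U network identifier
AMF = b"\x80\x00"                   # assumed 2-byte authentication management field


def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stands in for the patent's unspecified key derivation."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def ue_attach_request(imsi: str, security_algorithms: list) -> dict:
    """Step 301: the first attach request carries the IMSI and the UE's security algorithms."""
    return {"imsi": imsi, "security_algorithms": list(security_algorithms)}


def lte_u_mme_add_network_id(first_request: dict, lte_u_net_id: bytes) -> dict:
    """Step 302: the LTE-U MME adds its own identifier, producing the second attach request."""
    return {**first_request, "lte_u_net_id": lte_u_net_id}


def lte_mme_auth_data_request(second_request: dict, lte_net_id: bytes) -> dict:
    """Step 304: the LTE MME adds the LTE network identifier, producing the
    authentication data request sent to the HSS."""
    return {**second_request, "lte_net_id": lte_net_id}


def hss_generate_authentication_vector(request: dict, subscriber_keys: dict,
                                       rand: bytes = None, sqn: int = 0) -> dict:
    """Step 305: the HSS looks up Ki by IMSI, derives one base key per network
    identifier, and builds the first random number, AUTN and expected reply."""
    ki = subscriber_keys[request["imsi"]]
    rand = rand if rand is not None else secrets.token_bytes(16)
    sqn_bytes = sqn.to_bytes(6, "big")
    k3 = kdf(ki, b"LTE", request["lte_net_id"])       # third base key (LTE network)
    k1 = kdf(ki, b"LTE-U", request["lte_u_net_id"])   # first base key (LTE-U network)
    mac = kdf(ki, rand, sqn_bytes, AMF)[:8]            # assumed MAC construction
    autn = sqn_bytes + AMF + mac                       # AUTN = SQN || AMF || MAC
    xres = kdf(ki, rand)[:8]                           # expected reply information
    return {"k1": k1, "k3": k3, "rand": rand, "xres": xres, "autn": autn}


def ue_verify_lte_network(ki: bytes, rand: bytes, autn: bytes) -> bool:
    """UE-side check of the LTE network: recompute the MAC carried in AUTN (assumption)."""
    sqn_bytes, amf, mac = autn[:6], autn[6:8], autn[8:]
    return hmac.compare_digest(kdf(ki, rand, sqn_bytes, amf)[:8], mac)


def ue_reply(ki: bytes, rand: bytes) -> bytes:
    """Reply information the UE returns; the LTE MME compares it with XRES."""
    return kdf(ki, rand)[:8]


if __name__ == "__main__":
    subscriber_keys = {"460001234567890": KI}          # constructed HSS record
    first = ue_attach_request("460001234567890", ["EEA2", "EIA2"])
    second = lte_u_mme_add_network_id(first, LTE_U_NET_ID)
    request = lte_mme_auth_data_request(second, LTE_NET_ID)
    vector = hss_generate_authentication_vector(request, subscriber_keys, sqn=7)
    print("UE accepts LTE network:", ue_verify_lte_network(KI, vector["rand"], vector["autn"]))
    print("reply matches XRES:", ue_reply(KI, vector["rand"]) == vector["xres"])
```

Binding each base key to a network identifier is what makes the single vector usable for two networks: the key handed on to the MME of the LTE-U network is specific to that network identifier and differs from the key for the LTE network, even though both derive from the same Ki.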
  • in the embodiment of the present invention, when the UE accesses the LTE-U network, the first attach request may be sent to the MME of the LTE-U network, and the MME of the LTE-U network may add the network identifier of the LTE-U network to the first attach request, thereby generating a second attach request, and send the second attach request to the MME of the LTE network;
  • the MME of the LTE network generates an authentication data request according to the second attach request to request an authentication vector from the HSS, and when the HSS receives the authentication data request, it generates an authentication vector based on the authentication data request and sends the authentication vector to the MME of the LTE network;
  • the MME of the LTE network can interact with the UE and the MME of the LTE-U network according to the received authentication vector to implement network authentication.
  • the UE can thus authenticate with the operator network and the LTE-U network at one time when accessing both, so that the UE can access the carrier network and the LTE-U network at the same time, which brings convenience to the user.
  • the UE may verify the LTE-U network and the LTE network at the same time, or may perform mutual authentication with the LTE-U network after completing mutual authentication with the LTE network.
  • the UE may also verify the LTE-U network by using different parameters in the authentication vector.
  • the three implementation manners in which the MME of the LTE network interacts with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication are explained below in turn.
  • FIG. 4 is a flowchart of a first method for network authentication based on an authentication vector according to an embodiment of the present invention. As shown in FIG. 4, the method includes the following steps:
  • Step 401 The MME of the LTE network stores the expected reply information in the authentication vector.
  • the authentication vector may include a first base key, a first random number, expected reply information, and an AUTN. When the MME of the LTE network receives the authentication vector, it stores the expected reply information, which is used afterwards to verify the UE, and forwards the first base key, the first random number, and the AUTN in the authentication vector to the MME of the LTE-U network.
  • Step 402 The MME of the LTE network sends the first base key, the first random number, and the AUTN to the MME of the LTE-U network.
  • Step 403 When the MME of the LTE-U network receives the first basic key, the first random number, and the AUTN, it stores the first basic key, generates a second random number, and generates a first encryption result based on the first basic key and the second random number.
  • the MME of the LTE-U network may store the first basic key for subsequent verification by the UE.
  • the MME of the LTE-U network may further generate a first encryption result based on the first basic key, where the first encryption result is used by the UE to verify the LTE-U network.
  • when receiving the first base key, the first random number, and the AUTN, the MME of the LTE-U network may generate a second random number by using a random number generator and encrypt the second random number with the first base key to obtain a first encryption result.
  • Step 404 The MME of the LTE-U network sends the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result, and the second random number to the UE.
  • after the MME of the LTE-U network generates the first encryption result, it may send the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result, and the second random number used to generate the first encryption result to the eNB of the LTE-U network, and the eNB of the LTE-U network forwards them to the UE.
  • Step 405 When the UE receives the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result, and the second random number, it verifies the LTE network and the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result, and the second random number.
  • the UE may verify the LTE network according to the first random number and the AUTN, and verify the LTE-U network according to the first random number, the AUTN, and the first encryption result.
  • the UE may generate a desired message authentication code XMAC based on the first random number and other parameters in the AUTN except the MAC; if the XMAC and the MAC are the same, the UE determines to pass the verification of the LTE network.
  • the UE may calculate an Expected Message Authentication Code (XMAC) according to the stored Ki, the first random number, the sequence number in the AUTN, and the AMF. Based on the description of step 305 in the foregoing embodiment, the MAC is included in the AUTN, and the MAC is calculated by the HSS according to the determined Ki, the first random number, the sequence number in the AUTN, and the AMF. After the UE generates the XMAC, if the XMAC and the MAC are the same, it indicates that the Ki determined by the HSS is consistent with the Ki stored in the UE.
  • the Ki determined by the HSS is determined according to the IMSI of the UE, that is, the Ki determined by the HSS is actually the Ki stored for the UE on the LTE network side. Therefore, when the XMAC and the MAC are the same, the UE can determine that the current LTE network is real, that is, the UE passes the verification of the LTE network.
  • the UE may generate a second basic key according to the network identifier of the LTE-U network, the first random number, and the AUTN; the UE encrypts the second random number by using the second basic key to obtain a third encryption result; if the first encryption result is equal to the third encryption result, the UE determines that the verification of the LTE-U network passes.
  • when the UE verifies the LTE-U network, it may generate a second basic key according to the Ki, the network identifier of the LTE-U network, the first random number, and the AUTN, and then encrypt the second random number by using the second basic key to obtain a third encryption result. Since the first basic key is the key corresponding to the LTE-U network and the first encryption result is obtained by encrypting the second random number with the first basic key, if the third encryption result and the first encryption result are the same, the second basic key and the first basic key are the same, that is, the UE can determine that the verification of the LTE-U network passes. On the other hand, if the third encryption result is different from the first encryption result, the second basic key is different from the first basic key, and the UE's verification of the LTE-U network fails.
  • Step 406 When the UE determines that it passes the verification of both the LTE network and the LTE-U network, it generates reply information and a third random number, and generates a second encryption result based on the network identifier of the LTE-U network, the first random number, the AUTN, and the third random number.
  • the reply information may be generated by using the stored Ki and the received first random number, and the reply information is used for verifying the UE by the subsequent LTE network.
  • the UE may generate a third random number, after which it encrypts the received second random number and the generated third random number as a whole by using the second base key generated from the network identifier of the LTE-U network, the first random number, and the AUTN, to obtain a second encryption result.
  • Step 407 The UE sends the second encryption result, the third random number, and the reply information to the MME of the LTE-U network.
  • the second encryption result, the third random number, and the reply information may be sent to the eNB of the LTE-U network, and the eNB of the LTE-U network forwards the second encryption result, the third random number, and the reply information to the MME of the LTE-U network.
  • Step 408 When the MME of the LTE-U network receives the second encryption result and the third random number, the UE is verified based on the second encryption result.
  • the first basic key is stored in the MME of the LTE-U network, and the second random number is generated by the MME of the LTE-U network and stored there as well. Therefore, after the MME of the LTE-U network receives the second encryption result and the third random number, it may encrypt the stored second random number and the received third random number as a whole by using the stored first basic key, obtaining a fourth encryption result. If the fourth encryption result and the second encryption result are the same, the second basic key generated by the UE is the same as the first basic key stored in the MME of the LTE-U network, that is, the MME of the LTE-U network may determine that the verification of the UE passes. On the other hand, if the fourth encryption result is different from the second encryption result, the first basic key and the second basic key are different, and the verification of the UE by the LTE-U network fails.
  • Step 409 When the MME of the LTE-U network receives the reply information, the MME sends the reply information to the MME of the LTE network.
  • based on the description in step 407, the UE sends the second encryption result, the third random number, and the reply information to the MME of the LTE-U network. The MME of the LTE-U network verifies the UE by using the second encryption result and the third random number in the manner of step 408, and, because the reply information is used by the LTE network to authenticate the UE, forwards the received reply information directly to the MME of the LTE network.
  • Step 410 When the MME of the LTE network receives the reply information, verify the UE based on the reply information.
  • the MME of the LTE network stores the expected reply information, which is generated by the HSS according to the determined Ki and the first random number. Therefore, when the MME of the LTE network receives the reply information, if the reply information and the expected reply information are the same, the MME of the LTE network may determine that the Ki used to generate the expected reply information and the Ki used to generate the reply information are the same, that is, the Ki stored on the LTE network side and the Ki stored by the UE are consistent. In this case, the MME of the LTE network can determine that the current UE is authentic and valid, that is, the MME of the LTE network may determine that the verification of the UE passes.
  • in the network authentication method provided by this embodiment, the MME of the LTE network and the MME of the LTE-U network send the first random number, the AUTN, and the first encryption result to the UE; after the UE receives the first random number, the AUTN, and the first encryption result, it may verify the LTE-U network and the LTE network simultaneously according to them; the MME of the LTE-U network and the MME of the LTE network then verify the UE according to the reply information and the second encryption result from the UE.
  • the UE can thus perform authentication with the operator network and the LTE-U network at the same time when accessing the carrier network and the LTE-U network, so that the UE can access the carrier network and the LTE-U network simultaneously, which brings convenience to the user.
  • the foregoing embodiment describes a method in which the UE verifies the LTE-U network and the LTE network by using the second random number generated by the LTE-U network together with other parameters. The following introduces another method in which the UE simultaneously verifies the LTE-U network and the LTE network.
  • FIG. 5 is a flowchart of a second method for network authentication based on an authentication vector according to an embodiment of the present invention. As shown in FIG. 5, the method includes the following steps:
  • Step 501 The MME of the LTE network stores the expected reply information in the authentication vector.
  • the authentication vector includes the first base key, the first random number, the expected reply information, and the AUTN.
  • the expected reply information may be stored for subsequent verification of the UE.
  • Step 502 The MME of the LTE network sends the first base key, the expected reply information, the first random number, and the AUTN to the MME of the LTE-U network.
  • after the MME of the LTE network stores the expected reply information, in addition to sending the first base key, the first random number, and the AUTN remaining in the authentication vector to the MME of the LTE-U network, it also needs to send the expected reply information to the MME of the LTE-U network.
  • Step 503 When the MME of the LTE-U network receives the first basic key, the expected reply information, the first random number, and the AUTN, it stores the first basic key and the expected reply information, and generates a first encryption result based on the first basic key.
  • when the MME of the LTE-U network receives the first base key, the expected reply information, the first random number, and the AUTN, it may store the first base key and the expected reply information for subsequent verification of the UE. At the same time, the MME of the LTE-U network may generate a first encryption result based on the first base key.
  • the MAC is included in the AUTN; when the MME of the LTE-U network receives the first basic key, the expected reply information, the first random number, and the AUTN, it encrypts the MAC in the AUTN by using the first base key to obtain the first encryption result.
  • Step 504 The MME of the LTE-U network sends the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result to the UE.
  • the MME of the LTE-U network may send the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result to the eNB of the LTE-U network, and the eNB of the LTE-U network forwards them to the UE.
  • Step 505 When the UE receives the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result, it verifies the LTE network and the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result.
  • the UE may verify the LTE network according to the first random number and the AUTN, and verify the LTE-U network according to the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result.
  • for the specific manner in which the UE verifies the LTE network, refer to the method in step 405, which is not repeated in this embodiment.
  • the UE may generate a second basic key according to the network identifier of the LTE-U network, the first random number, and the AUTN, and encrypt the MAC by using the second basic key to obtain a fifth encryption result; if the first encryption result is equal to the fifth encryption result, the UE determines that the verification of the LTE-U network passes.
  • the UE may generate a second basic key according to the Ki, the network identifier of the LTE-U network, the first random number, and the AUTN, and then encrypt the MAC included in the AUTN by using the second basic key to obtain a fifth encryption result. Since the first basic key is the key corresponding to the LTE-U network, the first encryption result is obtained by encrypting the MAC with the first basic key, and the fifth encryption result is obtained by encrypting the MAC with the second basic key. Therefore, if the first encryption result and the fifth encryption result are the same, the first basic key and the second basic key are the same, that is, the UE can determine that the verification of the LTE-U network passes. On the other hand, if the fifth encryption result is different from the first encryption result, the second basic key is different from the first basic key, and the UE's verification of the LTE-U network fails.
  • Step 506 When the UE determines that it passes the verification of both the LTE network and the LTE-U network, it generates reply information, and generates a second encryption result based on the network identifier of the LTE-U network, the first random number, and the AUTN.
  • the reply information may be generated by using the Ki stored by the UE and the received first random number.
  • the UE may encrypt the reply information by using the second basic key generated in step 505 from the network identifier of the LTE-U network, the first random number, and the AUTN, to obtain the second encryption result.
  • Step 507 The UE sends the second encryption result and the reply information to the MME of the LTE-U network.
  • the reply information and the second encryption result may be sent to the eNB of the LTE-U network, and the eNB of the LTE-U network forwards the reply information and the second encryption result to the MME of the LTE-U network.
  • Step 508 When the MME of the LTE-U network receives the reply information and the second encryption result, the UE is verified based on the reply information and the second encryption result.
  • the MME of the LTE-U network stores a first base key and expected reply information, wherein the expected reply information is generated by the HSS according to the stored Ki and the first random number.
  • the MME of the LTE-U network may first compare the reply information with the expected reply information, and then encrypt the reply information by using the first basic key stored by itself to obtain a sixth encryption result.
  • since the reply information is generated by the UE according to the Ki stored by the UE and the first random number, if the reply information and the expected reply information are the same, and the sixth encryption result is the same as the second encryption result, the second base key generated by the UE is consistent with the first base key stored by the MME of the LTE-U network. At this time, the MME of the LTE-U network can confirm that the current UE is authentic and valid, that is, the MME of the LTE-U network may determine that the verification of the UE passes. On the other hand, if the sixth encryption result is different from the second encryption result, the first basic key and the second basic key are different, and the verification of the UE by the LTE-U network fails.
  • Step 509 The MME of the LTE-U network sends the reply information to the MME of the LTE network.
  • the MME of the LTE-U network may send the reply information to the MME of the LTE network when receiving the reply information.
  • the MME may also send the reply information to the MME of the LTE network after completing the verification of the UE.
  • Step 510 When the MME of the LTE network receives the reply information, verify the UE based on the reply information.
  • the specific implementation manner of verifying the UE based on the reply information may refer to the implementation manner in the step 410, which is not repeatedly described in the embodiment of the present invention.
  • in the network authentication method provided by this embodiment, the MME of the LTE network and the MME of the LTE-U network send the first random number, the AUTN, and the first encryption result to the UE, where the first encryption result is obtained by the MME of the LTE-U network encrypting the MAC in the AUTN. The UE may simultaneously verify the LTE-U network and the LTE network by using the first random number, the AUTN, and the first encryption result, and then the MME of the LTE-U network and the MME of the LTE network authenticate the UE according to the reply information and the second encryption result from the UE, where the second encryption result is obtained by the UE encrypting the reply information. That is, in this method the LTE-U network and the UE no longer need to generate random numbers, and only need to encrypt parameters in the authentication vector to complete mutual authentication, which simplifies the operation.
  • the UE can thus perform authentication with the operator network and the LTE-U network at the same time when accessing the operator network and the LTE-U network, so that the UE can access the carrier network and the LTE-U network simultaneously, which brings convenience to users.
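The following Python simulation is an added example, not code from the patent, and walks through the FIG. 4 exchange (method 4) and the FIG. 5 exchange (method 5) described above, from the HSS authentication vector to the final checks by both MMEs. Because the patent does not name its encryption or key-derivation functions, HMAC-SHA256 stands in for both (the flows only ever compare results for equality); the Ki, network identifier, SQN and AMF values are constructed, and the `announced_net_id` knob is added to show why an LTE-U MME announcing an identifier it holds no base key for fails the UE's check.

```python
import hmac
import secrets
from hashlib import sha256


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stands in for the patent's unspecified 'encryption' and
    key-derivation steps (assumption); the flows only compare these results."""
    return hmac.new(key, b"|".join(parts), sha256).digest()


def autn_bytes(autn: dict) -> bytes:
    """Serialise the AUTN fields (SQN, AMF, MAC) so they can be hashed."""
    return autn["sqn"] + autn["amf"] + autn["mac"]


def hss_vector(ki: bytes, net_id: bytes, sqn: int) -> dict:
    """Steps 305-306: the HSS builds the authentication vector for the LTE-U
    network net_id: first base key, first random number, expected reply
    information (XRES) and AUTN carrying the MAC."""
    rand = secrets.token_bytes(16)                       # first random number
    autn = {"sqn": sqn.to_bytes(6, "big"), "amf": b"\x80\x00", "mac": b""}
    autn["mac"] = prf(ki, b"MAC", rand, autn["sqn"], autn["amf"])
    return {
        "rand": rand,
        "autn": autn,
        "xres": prf(ki, b"RES", rand),
        "k_base": prf(ki, b"BASE", net_id, rand, autn_bytes(autn)),
    }


def ue_verify_lte(ki: bytes, rand: bytes, autn: dict) -> bool:
    """Step 405: the UE recomputes XMAC from Ki, RAND, SQN and AMF and accepts
    the LTE network only if XMAC equals the MAC carried in the AUTN."""
    xmac = prf(ki, b"MAC", rand, autn["sqn"], autn["amf"])
    return hmac.compare_digest(xmac, autn["mac"])


def ue_base_key(ki: bytes, net_id: bytes, rand: bytes, autn: dict) -> bytes:
    """Step 405: the UE derives the second base key from Ki, the announced
    LTE-U network identifier, the first random number and the AUTN."""
    return prf(ki, b"BASE", net_id, rand, autn_bytes(autn))


def run_flow(method: int, ki_hss: bytes, ki_ue: bytes, net_id: bytes,
             announced_net_id: bytes = b"") -> dict:
    """Simulate the full exchange of FIG. 4 (method=4) or FIG. 5 (method=5).
    announced_net_id (added knob) lets the LTE-U MME announce an identifier
    other than the one its base key was derived for."""
    announced = announced_net_id or net_id
    result = dict(ue_accepts_lte=False, ue_accepts_lteu=False,
                  lteu_accepts_ue=False, lte_accepts_ue=False)

    # Steps 401-402 / 501-502: the LTE MME keeps XRES and forwards the rest.
    vec = hss_vector(ki_hss, net_id, sqn=1)
    rand, autn, xres, k1 = vec["rand"], vec["autn"], vec["xres"], vec["k_base"]

    # Step 403 / 503: LTE-U MME stores k1 and makes the first encryption result
    # (method 4 encrypts a fresh second random number, method 5 the MAC).
    r2 = secrets.token_bytes(16)                         # second random number
    e1 = prf(k1, r2) if method == 4 else prf(k1, autn["mac"])

    # Step 405 / 505: the UE verifies the LTE network, then the LTE-U network.
    result["ue_accepts_lte"] = ue_verify_lte(ki_ue, rand, autn)
    k2 = ue_base_key(ki_ue, announced, rand, autn)       # second base key
    ue_check = prf(k2, r2) if method == 4 else prf(k2, autn["mac"])
    result["ue_accepts_lteu"] = hmac.compare_digest(e1, ue_check)
    if not (result["ue_accepts_lte"] and result["ue_accepts_lteu"]):
        return result                                    # UE does not reply

    # Step 406 / 506: reply information (RES) and the second encryption result.
    res = prf(ki_ue, b"RES", rand)
    r3 = secrets.token_bytes(16)                         # third random number
    e2 = prf(k2, r2, r3) if method == 4 else prf(k2, res)

    # Step 408 / 508: the LTE-U MME checks the UE with its stored first base key.
    if method == 4:
        result["lteu_accepts_ue"] = hmac.compare_digest(prf(k1, r2, r3), e2)
    else:  # in method 5 the LTE-U MME also holds XRES (step 502)
        result["lteu_accepts_ue"] = (hmac.compare_digest(res, xres)
                                     and hmac.compare_digest(prf(k1, res), e2))

    # Step 410 / 510: the LTE MME compares the reply information with XRES.
    result["lte_accepts_ue"] = hmac.compare_digest(res, xres)
    return result
```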
  • the foregoing describes two authentication methods in which the UE simultaneously verifies the LTE-U network and the LTE network, after which the MME of the LTE-U network and the MME of the LTE network verify the UE. The following describes, with reference to FIG. 6, a network authentication method in which the UE first performs mutual authentication with the LTE network and then verifies the LTE-U network.
  • FIG. 6 is a flowchart of a third method for performing network authentication based on an authentication vector according to an embodiment of the present invention.
  • in this method, the MME of the LTE network first interacts with the UE based on the third basic key, the expected reply information, the first random number, and the AUTN through the method in steps 601-60 to complete mutual authentication with the UE. As shown in FIG. 6, the method includes the following steps:
  • Step 601 The MME of the LTE network stores the third basic key and the expected reply information in the authentication vector.
  • the authentication vector may include a third base key, expected reply information, a first random number, and an AUTN.
  • when receiving the authentication vector, the MME of the LTE network may store the third basic key and the expected reply information in the authentication vector for subsequent verification of the UE.
  • Step 602 The MME of the LTE network sends the first random number and the AUTN to the UE.
  • the MME of the LTE network may send the first random number and the AUTN in the authentication vector to the MME of the LTE-U network; after receiving them, the MME of the LTE-U network may send the first random number and the AUTN to the eNB of the LTE-U network, and the eNB of the LTE-U network forwards the first random number and the AUTN to the UE.
  • Step 603 When the UE receives the first random number and the AUTN, perform verification on the LTE network based on the first random number and the AUTN.
  • for a specific implementation of this step, reference may be made to the manner in which the UE verifies the LTE network based on the first random number and the AUTN in step 405, which is not repeated in this embodiment.
  • Step 604 Generate reply information when the UE determines that the verification of the LTE network passes.
  • for a specific implementation of this step, reference may be made to the description in step 406 of what the UE does when it determines that the LTE network is authenticated, which is not repeated here.
  • Step 605 The UE sends the reply information to the MME of the LTE network.
  • the reply information may be sent to the MME of the LTE network via the eNB and the MME of the LTE-U network.
  • Step 606 When the MME of the LTE network receives the reply information, verify the UE based on the reply information.
  • for a specific implementation of this step, reference may be made to the description in step 410 of the MME of the LTE network verifying the UE based on the reply information, which is not repeated in this embodiment.
  • Step 607 When the MME of the LTE network determines that the verification of the UE passes, it generates a second random number, generates a first basic key based on the network identifier of the LTE-U network and the third basic key, generates a NAS key based on the security algorithm of the UE, and encrypts the second random number by using the NAS key to obtain a seventh encryption result.
  • based on the description in step 302, the MME of the LTE-U network adds the network identifier of the LTE-U network to the first attach request, thereby generating a second attach request, and sends the second attach request to the MME of the LTE network. Therefore, when the MME of the LTE network determines that the verification of the UE passes, it may generate the first base key based on the network identifier of the LTE-U network and the third base key.
  • the MME of the LTE network can generate a second random number using a random number generator.
  • since the second attach request further includes the security algorithm of the UE, after the MME of the LTE network generates the second random number and the first basic key, it may generate the NAS key according to the security algorithm of the UE.
  • the MME of the LTE network may encrypt the second random number by using the NAS key to obtain a seventh encryption result.
  • Step 608 The MME of the LTE network sends the first basic key, the third basic key, the NAS key, the network identifier of the LTE-U network, the second random number, and the seventh encryption result to the MME of the LTE-U network.
  • Step 609 When the MME of the LTE-U network receives the first basic key, the third basic key, the NAS key, the network identifier of the LTE-U network, the second random number, and the seventh encryption result, it encrypts the second random number by using the first base key to obtain an eighth encryption result.
  • Step 610 The MME of the LTE-U network sends the third basic key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result, and the eighth encryption result to the UE.
  • the MME of the LTE-U network sends the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result, and the eighth encryption result to the eNB of the LTE-U network, and the eNB of the LTE-U network then forwards them to the UE.
  • Step 611 When the UE receives the third basic key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result, and the eighth encryption result, it generates a second base key based on the third basic key and the network identifier of the LTE-U network, decrypts the eighth encryption result by using the second base key to obtain a first decryption result, and decrypts the seventh encryption result by using the NAS key to obtain a second decryption result.
  • since the first basic key is generated by the MME of the LTE network according to the third basic key and the network identifier of the LTE-U network, the UE may generate the second basic key according to the same third basic key and network identifier, so as to verify whether the second basic key and the first basic key are the same. The MME of the LTE-U network does not send the first basic key to the UE directly; instead, through the method in step 609, it encrypts the second random number by using the first basic key to obtain the eighth encryption result and sends the eighth encryption result to the UE. The UE may therefore decrypt the eighth encryption result by using the second basic key to obtain a first decryption result, and decrypt the seventh encryption result by using the NAS key to obtain a second decryption result.
  • Step 612 The UE verifies the LTE-U network based on the first decryption result and the second decryption result.
  • the eighth encryption result is obtained by the MME of the LTE-U network encrypting the second random number by using the first basic key, and the seventh encryption result is obtained by the MME of the LTE network encrypting the second random number by using the NAS key. Therefore, after the UE decrypts the eighth encryption result by using the second base key and decrypts the seventh encryption result by using the NAS key, if the first decryption result and the second decryption result are equal, the second base key generated by the UE and the first base key are the same, that is, the UE can determine that the LTE-U network is authentic and that the verification of the LTE-U network passes.
  • in the network authentication method provided by this embodiment, the MME of the LTE network may first interact with the UE based on the third basic key, the first random number, the expected reply information, and the AUTN in the authentication vector to complete mutual authentication with the UE; after that, the MME of the LTE network may generate the first base key, the second random number, and the NAS key and send them to the MME of the LTE-U network, so that the MME of the LTE-U network and the UE can complete network authentication by using the first base key, the second random number, and the NAS key.
  • the UE can thus perform authentication with the operator network and the LTE-U network at the same time when accessing the carrier network and the LTE-U network, so that the UE can access the carrier network and the LTE-U network simultaneously, which brings convenience to the user.
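The third method (FIG. 6) as an added Python simulation that is not the patent's own code: it starts at step 607, assuming the LTE MME has already completed mutual authentication with the UE and holds the third base key. The key-derivation function and the cipher are constructed stand-ins (HMAC-SHA256 and an HMAC-keystream XOR), since the page does not specify them, and deriving the NAS key from the third base key and the UE's security algorithm identifier is an assumption; the `lteu_key_override` knob is added to show the check failing when the LTE-U MME holds a base key derived for some other network.

```python
import hmac
import secrets
from hashlib import sha256


def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stands in for the patent's unspecified key derivation (assumption)."""
    return hmac.new(key, b"|".join(parts), sha256).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in cipher: XOR with an HMAC-derived keystream. It is
    symmetric, so the same call decrypts. Every key here protects one 16-byte
    message only, so the fixed keystream is never reused."""
    keystream = hmac.new(key, b"keystream", sha256).digest()
    if len(data) > len(keystream):
        raise ValueError("stand-in cipher handles at most 32 bytes")
    return bytes(a ^ b for a, b in zip(data, keystream))


def lte_mme_step_607(k3: bytes, net_id: bytes, ue_sec_alg: bytes) -> dict:
    """Steps 607-608: having verified the UE, the LTE MME derives the first base
    key from the third base key and the LTE-U network identifier, derives the
    NAS key from the UE's security algorithm (assumed input), and encrypts a
    fresh second random number with the NAS key (seventh encryption result)."""
    r2 = secrets.token_bytes(16)                     # second random number
    nas_key = kdf(k3, b"NAS", ue_sec_alg)
    return {
        "k1": kdf(k3, b"BASE", net_id),              # first base key
        "k3": k3,
        "nas_key": nas_key,
        "net_id": net_id,
        "r2": r2,
        "e7": stream_xor(nas_key, r2),               # seventh encryption result
    }


def lteu_mme_step_609(msg: dict) -> dict:
    """Steps 609-610: the LTE-U MME encrypts the second random number with the
    first base key (eighth encryption result) and forwards, via its eNB, the
    third base key, NAS key, network identifier and both encryption results.
    The first base key and the second random number stay at the MME."""
    e8 = stream_xor(msg["k1"], msg["r2"])
    return {"k3": msg["k3"], "nas_key": msg["nas_key"],
            "net_id": msg["net_id"], "e7": msg["e7"], "e8": e8}


def ue_step_611_612(msg: dict) -> bool:
    """Steps 611-612: the UE derives the second base key from the third base key
    and the network identifier, decrypts the eighth result with it and the
    seventh result with the NAS key, and accepts the LTE-U network only if the
    two decryption results agree (i.e. first and second base key match)."""
    k2 = kdf(msg["k3"], b"BASE", msg["net_id"])      # second base key
    first_decryption = stream_xor(k2, msg["e8"])
    second_decryption = stream_xor(msg["nas_key"], msg["e7"])
    return hmac.compare_digest(first_decryption, second_decryption)


def run_third_method(k3: bytes, net_id: bytes, ue_sec_alg: bytes,
                     lteu_key_override: bytes = b"") -> bool:
    """End-to-end run of steps 607-612. lteu_key_override (added knob) makes the
    LTE-U MME use a base key other than the one the LTE MME derived for net_id;
    the decryption results then differ and the UE rejects the LTE-U network."""
    msg = lte_mme_step_607(k3, net_id, ue_sec_alg)
    if lteu_key_override:
        msg["k1"] = lteu_key_override
    return ue_step_611_612(lteu_mme_step_609(msg))
```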
  • the following introduces the network authentication system provided by the embodiment of the present invention.
  • An embodiment of the present invention provides a network authentication system, where the network authentication system includes a UE, an MME of an LTE-U network, an MME of an LTE network, and an HSS.
  • the MME of the LTE-U network is used to perform steps 302 and 303 in the foregoing embodiment
  • the MME of the LTE network is used to perform step 304 in the foregoing embodiment
  • the HSS is used to perform steps 305 and 306 in the above embodiment
  • the MME of the LTE network is used to perform step 307 in the above embodiment.
  • the authentication vector includes a first basic key, expected reply information, a first random number, and an authentication token AUTN, where the first basic key is a key corresponding to the LTE-U network;
  • the MME of the LTE network is specifically configured to store the expected reply information, and to send the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result to the UE through the MME of the LTE-U network, where the first encryption result is generated by the MME of the LTE-U network based on the first base key;
  • the UE is configured to: when receiving the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result, verify the LTE network based on the first random number and the AUTN, and verify the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result;
  • the UE is further configured to: when determining that both the LTE network and the LTE-U network pass the verification, generate reply information, and generate a second encryption result based on the network identifiers of the first random number, the AUTN, and the LTE-U network;
  • the UE is further configured to send the second encryption result to the MME of the LTE-U network, and send the reply information to the MME of the LTE network;
  • the MME of the LTE-U network is configured to perform verification on the UE based on the second encryption result when receiving the second encryption result, and verify the UE based on the expected reply information and the reply information when the MME of the LTE network receives the reply information.
  • the MME of the LTE network is specifically configured to:
  • the expected reply information is stored, and the first base key, the first random number, and the AUTN are sent to the MME of the LTE-U network;
  • the MME of the LTE-U network is further configured to: when receiving the first basic key, the first random number, and the AUTN, store the first basic key, generate a first encryption result based on the first basic key, and send the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result to the UE.
  • the AUTN includes a message authentication code MAC
  • the MME of the LTE network is specifically configured to:
  • the expected reply information is stored, and the first base key, the expected reply information, the first random number, and the AUTN are sent to the MME of the LTE-U network;
  • the MME of the LTE-U network is configured to: when receiving the first basic key, the expected reply information, the first random number, and the AUTN, store the first basic key and the expected reply information, generate a first encryption result based on the first basic key, and send the first random number, the AUTN, the network identifier of the LTE-U network, and the first encryption result to the UE.
  • the AUTN includes a MAC;
  • the MME of the LTE-U network is specifically configured to encrypt the MAC by using the first base key to obtain the first encryption result.
  • if the sixth encryption result is equal to the second encryption result, the MME of the LTE-U network determines that the verification of the UE passes.
  • the second attach request carries the security algorithm of the UE, where the authentication vector includes a third basic key, expected reply information, a first random number, and an authentication token AUTN, and the third basic key is a key corresponding to the LTE network;
  • the MME of the LTE network is specifically configured to interact with the UE based on the third basic key, the expected reply information, the first random number, and the AUTN, so that the UE verifies the LTE network and the MME of the LTE network verifies the UE;
  • the MME of the LTE network is further configured to: when determining that the verification of the UE passes, generate a second random number, and generate a first base key based on the network identifier of the LTE-U network and the third basic key;
  • the MME of the LTE network is further configured to generate a non-access stratum NAS key based on the UE security algorithm, and encrypt the second random number by using the NAS key to obtain a seventh encryption result;
  • the MME of the LTE network is further configured to send the first base key, the third base key, the NAS key, the network identifier of the LTE-U network, the second random number, and the seventh encryption result to the MME of the LTE-U network;
  • the MME of the LTE-U network is specifically configured to encrypt the second random number by using the first basic key to obtain an eighth encryption result, and send the third basic key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result, and the eighth encryption result to the UE;
  • the UE is specifically configured to generate a second basic key based on the third basic key and the network identifier of the LTE-U network, decrypt the eighth encryption result by using the second basic key to obtain a first decryption result, and decrypt the seventh encryption result by using the NAS key to obtain a second decryption result;
  • the UE is further configured to determine that the verification of the LTE-U network passes if the first decrypted result and the second decrypted result are the same.
  • the first attach request may be sent to the MME of the LTE-U network; when the MME of the LTE-U network receives the first attach request, it may add the network identifier of the LTE-U network to the first attach request, thereby generating a second attach request, and send the second attach request to the MME of the LTE network;
  • the MME of the LTE network generates an authentication data request based on the second attach request to request an authentication vector from the HSS; when the HSS receives the authentication data request, it generates an authentication vector based on the authentication data request and sends the authentication vector to the MME of the LTE network, after which the MME of the LTE network can interact with the UE and the MME of the LTE-U network according to the received authentication vector to implement network authentication;
  • the UE can thus complete authentication with the operator network and the LTE-U network in one pass when accessing them, so that the UE can access the operator network and the LTE-U network at the same time, which is convenient for the user.
  • the computer program product includes one or more computer instructions.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • the computer instructions can be stored in a computer readable storage medium or transferred from one computer readable storage medium to another; for example, the computer instructions can be transferred from a website, computer, server, or data center to another website, computer, server, or data center by wire (for example, coaxial cable, optical fiber, or Digital Subscriber Line (DSL)) or wirelessly (for example, infrared, radio, or microwave).
  • the computer readable storage medium can be any available media that can be accessed by a computer or a data storage device such as a server, data center, or the like that includes one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a digital versatile disc (DVD)), a semiconductor medium (for example, a solid state disk (SSD)), or the like.
  • a person skilled in the art may understand that all or part of the steps of the above embodiments may be completed by hardware, or by a program instructing the relevant hardware, and the program may be stored in a computer readable storage medium.
  • the storage medium mentioned may be a read only memory, a magnetic disk or an optical disk or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application relates to the technical field of communications. Disclosed are a network authentication method and system. The method comprises: when receiving a first attach request, an MME of an LTE-U network adds a network identifier of the LTE-U network to the first attach request, so as to generate a second attach request, and sends the second attach request to an MME of an LTE network; the MME of the LTE network sends, according to the second attach request, an authentication data request carrying the network identifier of the LTE-U network and a network identifier of the LTE network to an HSS; the HSS generates an authentication vector according to the authentication data request and sends the authentication vector to the MME of the LTE network; and the MME of the LTE network interacts with a UE and the MME of the LTE-U network according to the authentication vector, so as to implement network authentication. That is, by means of the method provided in the present application, a UE can complete network authentication with both an operator network and an LTE-U network in one pass when it accesses the operator network and the LTE-U network.

Description

Network authentication method and system
This application claims priority to Chinese Patent Application No. 201710510229.3, filed with the State Intellectual Property Office of the People's Republic of China on June 28, 2017 and entitled "Network authentication method and system", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communications technologies, and in particular to a network authentication method and system.
Background
A Long Term Evolution-Unlicensed (LTE-U) network is a network composed of network devices deployed by a third party, in addition to the network devices deployed by operators and users. For example, a hospital deploys, within its premises, network devices such as an LTE-U base station (Evolved Node B, eNB), an LTE-U Mobility Management Entity (MME) and an LTE-U gateway (Gateway, GW). These network devices form an LTE-U network, and user equipment (User Equipment, UE) within the hospital can communicate by accessing the LTE-U network. To ensure that a UE accessing the LTE-U network can still use the network services provided by an operator network, such as a Long Term Evolution (LTE) network, the network devices of the LTE-U network can be connected to the network devices of the operator network. In that case, when a UE that is not currently attached to the operator network accesses the LTE-U network, the UE needs to authenticate with both the LTE-U network and the operator network.
In the related art, when a UE first accesses an LTE network, the UE first performs mutual authentication with the MME of the LTE network: if the UE determines that the LTE network is genuine and the MME determines that the UE is genuine, the mutual authentication succeeds. After the mutual authentication succeeds, the MME generates a non-access stratum (NAS) key and negotiates algorithms with the UE based on that NAS key. After the algorithm negotiation between the MME and the UE succeeds, the base station of the LTE network (Evolved Node B, eNodeB) generates an access stratum (AS) key and negotiates algorithms with the UE based on that AS key. If the algorithm negotiation between the eNodeB and the UE succeeds, the authentication between the UE and the LTE network is complete and the UE can access the LTE network.
As the above description shows, the related art only provides a method by which a UE authenticates directly with the network devices of the operator network when accessing the operator network; it does not provide a method of network authentication for the case where an LTE-U network exists and the UE accesses both the operator network and the LTE-U network.
Summary of the invention
The embodiments of the present application provide a network authentication method and system, which can solve the problem that the related art does not provide a method for a UE to perform network authentication when accessing an LTE network and an LTE-U network.
In a first aspect, a network authentication method is provided, the method comprising:
when the mobility management entity (MME) of a Long Term Evolution-Unlicensed (LTE-U) network receives a first attach request from a user equipment (UE), adding the network identifier of the LTE-U network to the first attach request to generate a second attach request, and sending the second attach request to the MME of a Long Term Evolution (LTE) network;
when the MME of the LTE network receives the second attach request, sending, based on the second attach request, an authentication data request to a home subscriber server (HSS), the authentication data request carrying the network identifier of the LTE-U network and the network identifier of the LTE network;
when the HSS receives the authentication data request, generating an authentication vector based on the network identifier of the LTE-U network and the network identifier of the LTE network, and sending the authentication vector to the MME of the LTE network, the authentication vector including parameters for authenticating the UE, the LTE-U network and the LTE network;
when the MME of the LTE network receives the authentication vector, interacting with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication.
Optionally, the authentication vector includes a first base key, expected reply information, a first random number and an authentication token (AUTN), the first base key being the key corresponding to the LTE-U network;
the interacting with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication includes:
the MME of the LTE network storing the expected reply information, and sending the first random number, the AUTN, the network identifier of the LTE-U network and a first encryption result to the UE through the MME of the LTE-U network, the first encryption result being generated by the MME of the LTE-U network based on the first base key;
when the UE receives the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result, verifying the LTE network based on the first random number and the AUTN, and verifying the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result;
when the UE determines that both the LTE network and the LTE-U network pass verification, generating reply information, and generating a second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network;
the UE sending the second encryption result to the MME of the LTE-U network, and sending the reply information to the MME of the LTE network;
when the MME of the LTE-U network receives the second encryption result, verifying the UE based on the second encryption result; and when the MME of the LTE network receives the reply information, verifying the UE based on the expected reply information and the reply information.
Optionally, the MME of the LTE network sending the first random number, the AUTN and the first encryption result to the UE through the MME of the LTE-U network includes:
the MME of the LTE network storing the expected reply information, and sending the first base key, the first random number and the AUTN to the MME of the LTE-U network;
when the MME of the LTE-U network receives the first base key, the first random number and the AUTN, storing the first base key, generating the first encryption result based on the first base key, and sending the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.
Optionally, the generating the first encryption result based on the first base key includes:
the MME of the LTE-U network generating a second random number, and encrypting the second random number with the first base key to obtain the first encryption result;
correspondingly, the sending the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE includes:
the MME of the LTE-U network sending the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number to the UE.
Optionally, the AUTN includes a message authentication code (MAC);
the UE verifying the LTE network based on the first random number and the AUTN includes:
the UE generating an expected message authentication code (XMAC) based on the first random number and the parameters in the AUTN other than the MAC;
if the XMAC and the MAC are the same, the UE determining that the verification of the LTE network passes.
Optionally, the UE verifying the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result includes:
the UE generating a second base key based on the network identifier of the LTE-U network, the first random number and the AUTN;
the UE encrypting the second random number with the second base key to obtain a third encryption result;
if the first encryption result equals the third encryption result, the UE determining that the verification of the LTE-U network passes.
Optionally, the generating the second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network includes:
the UE generating a third random number, and encrypting the second random number and the third random number together with the second base key to obtain the second encryption result;
correspondingly, the UE sending the second encryption result to the MME of the LTE-U network includes:
the UE sending the second encryption result and the third random number to the MME of the LTE-U network;
correspondingly, the MME of the LTE-U network verifying the UE based on the second encryption result includes:
the MME of the LTE-U network encrypting the second random number and the third random number together with the stored first base key to obtain a fourth encryption result;
if the second encryption result and the fourth encryption result are equal, the MME of the LTE-U network determining that the verification of the UE passes.
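The following Python simulation of the exchange just described (HSS issues the vector, the LTE-U MME challenges with an encrypted second random number, the UE checks both networks and replies, each MME checks the UE) is an added example and not code from the patent or from Huawei. It assumes HMAC-SHA256 as a stand-in for the unnamed key-derivation function and deterministic encryption, assumes the UE's second base key is derived under the subscriber's long-term key K shared with the HSS (the page does not say how the UE reaches the same key), and uses constructed identifiers and keys throughout; it also runs the case where the LTE-U MME never received the HSS-issued first base key, to show which check catches that.

```python
import hashlib
import hmac
import os

# Constructed values (not from the page): the long-term key K shared by the
# UE and the HSS, and the SQN||AMF part of the AUTN that precedes the MAC.
K_SUBSCRIBER = b"constructed-subscriber-key-K"
SQN_AMF = bytes.fromhex("0000000000018000")
NET_ID_LTEU = b"lteu-hospital-01"  # constructed LTE-U network identifier

def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF (HMAC-SHA256) standing in for the page's unnamed KDF and for
    the deterministic encryption whose outputs the page compares for equality.
    Parts are length-prefixed so different splits of the input never collide."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def derive_lteu_key(net_id: bytes, rand1: bytes, autn: bytes) -> bytes:
    # First base key on the HSS side, second base key on the UE side: derived
    # from the LTE-U network identifier, RAND and AUTN under K (assumption).
    return prf(K_SUBSCRIBER, b"LTEU-KEY", net_id, rand1, autn)

class Hss:
    def authentication_vector(self, net_id_lteu: bytes) -> dict:
        rand1 = os.urandom(16)                                  # first random number
        mac = prf(K_SUBSCRIBER, b"MAC", rand1, SQN_AMF)[:8]
        autn = SQN_AMF + mac                                    # AUTN carries the MAC
        return {"k_lteu": derive_lteu_key(net_id_lteu, rand1, autn),  # first base key
                "xres": prf(K_SUBSCRIBER, b"RES", rand1)[:8],   # expected reply info
                "rand1": rand1, "autn": autn}

class LteMme:
    def __init__(self, hss: Hss):
        self.hss, self.xres = hss, None

    def handle_attach(self, attach2: dict) -> dict:
        av = self.hss.authentication_vector(attach2["net_id_lteu"])
        self.xres = av["xres"]  # store XRES locally; it is never sent on
        return {k: av[k] for k in ("k_lteu", "rand1", "autn")}

    def verify_ue(self, res: bytes) -> bool:
        return hmac.compare_digest(res, self.xres)

class LteuMme:
    def __init__(self, net_id: bytes, lte_mme: LteMme, unvouched: bool = False):
        self.net_id, self.lte_mme, self.unvouched = net_id, lte_mme, unvouched
        self.k_lteu = self.rand2 = None

    def handle_attach(self, attach1: dict) -> dict:
        attach2 = dict(attach1, net_id_lteu=self.net_id)  # add own network id
        from_lte = self.lte_mme.handle_attach(attach2)
        # An LTE-U MME the HSS did not vouch for never holds the first base
        # key; a guessed key models that, and the UE's check below detects it.
        self.k_lteu = os.urandom(32) if self.unvouched else from_lte["k_lteu"]
        self.rand2 = os.urandom(16)                          # second random number
        enc1 = prf(self.k_lteu, b"ENC", self.rand2)          # first encryption result
        return {"rand1": from_lte["rand1"], "autn": from_lte["autn"],
                "net_id": self.net_id, "enc1": enc1, "rand2": self.rand2}

    def verify_ue(self, enc2: bytes, rand3: bytes) -> bool:
        enc4 = prf(self.k_lteu, b"ENC", self.rand2, rand3)   # fourth encryption result
        return hmac.compare_digest(enc2, enc4)

class Ue:
    def check_networks(self, msg: dict) -> tuple:
        sqn_amf, mac = msg["autn"][:-8], msg["autn"][-8:]
        xmac = prf(K_SUBSCRIBER, b"MAC", msg["rand1"], sqn_amf)[:8]
        lte_ok = hmac.compare_digest(xmac, mac)              # verifies the LTE network
        k2 = derive_lteu_key(msg["net_id"], msg["rand1"], msg["autn"])  # second base key
        enc3 = prf(k2, b"ENC", msg["rand2"])                 # third encryption result
        lteu_ok = hmac.compare_digest(enc3, msg["enc1"])     # verifies the LTE-U network
        return lte_ok, lteu_ok, k2

    def respond(self, msg: dict):
        lte_ok, lteu_ok, k2 = self.check_networks(msg)
        if not (lte_ok and lteu_ok):
            return None  # abort: at least one network failed verification
        res = prf(K_SUBSCRIBER, b"RES", msg["rand1"])[:8]    # reply information
        rand3 = os.urandom(16)                               # third random number
        enc2 = prf(k2, b"ENC", msg["rand2"], rand3)          # second encryption result
        return {"res": res, "enc2": enc2, "rand3": rand3}

def run_authentication(unvouched_lteu: bool = False) -> dict:
    """Runs the whole exchange and reports which verifications passed."""
    lte_mme = LteMme(Hss())
    lteu_mme = LteuMme(NET_ID_LTEU, lte_mme, unvouched=unvouched_lteu)
    ue = Ue()
    challenge = lteu_mme.handle_attach({"imsi": b"constructed-imsi"})
    lte_ok, lteu_ok, _ = ue.check_networks(challenge)
    reply = ue.respond(challenge)
    return {"ue_trusts_lte": lte_ok, "ue_trusts_lteu": lteu_ok,
            "lteu_trusts_ue": reply is not None and lteu_mme.verify_ue(reply["enc2"], reply["rand3"]),
            "lte_trusts_ue": reply is not None and lte_mme.verify_ue(reply["res"])}
```

In the unvouched case the LTE network still verifies (the forwarded RAND and AUTN are genuine) but the LTE-U check fails, so the UE sends neither the reply information nor the second encryption result.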
Optionally, the MME of the LTE network sending the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE through the MME of the LTE-U network includes:
the MME of the LTE network storing the expected reply information, and sending the first base key, the expected reply information, the first random number and the AUTN to the MME of the LTE-U network;
when the MME of the LTE-U network receives the first base key, the expected reply information, the first random number and the AUTN, storing the first base key and the expected reply information, generating the first encryption result based on the first base key, and sending the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.
Optionally, the AUTN includes a MAC;
the generating the first encryption result based on the first base key includes:
the MME of the LTE-U network encrypting the MAC with the first base key to obtain the first encryption result.
Optionally, the UE verifying the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result includes:
the UE generating a second base key based on the network identifier of the LTE-U network, the first random number and the AUTN;
the UE encrypting the MAC with the second base key to obtain a fifth encryption result;
if the first encryption result equals the fifth encryption result, the UE determining that the verification of the LTE-U network passes.
Optionally, the generating the second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network includes:
the UE encrypting the reply information with the second base key to obtain the second encryption result;
correspondingly, the MME of the LTE-U network verifying the UE based on the second encryption result includes:
the MME of the LTE-U network encrypting the reply information with the stored first base key to obtain a sixth encryption result;
if the expected reply information stored by the MME of the LTE-U network is the same as the reply information, and the sixth encryption result equals the second encryption result, the MME of the LTE-U network determining that the verification of the UE passes.
Optionally, the second attach request carries the security algorithm of the UE, the authentication vector includes a third base key, expected reply information, a first random number and an authentication token (AUTN), and the third base key is the key corresponding to the LTE network;
the interacting with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication includes:
the MME of the LTE network interacting with the UE based on the third base key, the expected reply information, the first random number and the AUTN, so that the UE verifies the LTE network and the MME of the LTE network verifies the UE;
when the MME of the LTE network determines that the verification of the UE passes, generating a second random number, and generating a first base key based on the network identifier of the LTE-U network and the third base key;
the MME of the LTE network generating a non-access stratum (NAS) key based on the security algorithm of the UE, and encrypting the second random number with the NAS key to obtain a seventh encryption result;
the MME of the LTE network sending the first base key, the third base key, the NAS key, the network identifier of the LTE-U network, the second random number and the seventh encryption result to the MME of the LTE-U network;
the MME of the LTE-U network encrypting the second random number with the first base key to obtain an eighth encryption result, and sending the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result to the UE;
the UE generating a second base key based on the third base key and the network identifier of the LTE-U network, decrypting the eighth encryption result with the second base key to obtain a first decryption result, and decrypting the seventh encryption result with the NAS key to obtain a second decryption result;
if the first decryption result and the second decryption result are the same, the UE determining that the verification of the LTE-U network passes.
In a second aspect, a network authentication system is provided, the network authentication system having the function of implementing the behaviour of the network authentication method of the first aspect. The network authentication system includes a UE, an MME of an LTE-U network, an MME of an LTE network and an HSS, which are used to implement the network authentication method provided in the first aspect.
In a third aspect, a network device is provided, the network device including a processor and a memory, the memory being used to store a program that supports the network device in performing the network authentication method of the first aspect and to store the data involved in implementing that method. The processor is configured to execute the program stored in the memory. The network device may further include a communication bus for establishing a connection between the processor and the memory.
In a fourth aspect, a computer readable storage medium is provided, the storage medium storing instructions which, when run on a computer, cause the computer to perform the network authentication method of the first aspect.
In a fifth aspect, a computer program product containing instructions is provided which, when run on a computer, causes the computer to perform the network authentication method of the first aspect.
The technical effects obtained by the second, third, fourth and fifth aspects are similar to those obtained by the corresponding technical means of the first aspect and are not repeated here.
The technical solution provided by the present application has the following beneficial effect. In the embodiments of the present invention, a UE that is not attached to the operator network may, when accessing the LTE-U network, send a first attach request to the MME of the LTE-U network. When the MME of the LTE-U network receives the first attach request, it may add the network identifier of the LTE-U network to the first attach request, thereby generating a second attach request, and send the second attach request to the MME of the LTE network. The MME of the LTE network generates an authentication data request based on the second attach request to request an authentication vector from the HSS; when the HSS receives the authentication data request, it generates an authentication vector based on that request and sends it to the MME of the LTE network; the MME of the LTE network can then interact with the UE and the MME of the LTE-U network according to the received authentication vector to implement network authentication. That is, with the network authentication method provided by the embodiments of the present invention, the UE can complete authentication with both the operator network and the LTE-U network in one pass when accessing them, so that the UE can access the operator network and the LTE-U network at the same time, which is convenient for the user.
附图说明DRAWINGS
图1是本发明实施例提供的一种网络鉴权方法的系统架构图;1 is a system architecture diagram of a network authentication method according to an embodiment of the present invention;
图2是本发明实施例提供的一种网络设备的结构示意图;2 is a schematic structural diagram of a network device according to an embodiment of the present invention;
图3是本发明实施例提供的一种网络鉴权方法的流程图;3 is a flowchart of a network authentication method according to an embodiment of the present invention;
图4是本发明实施例提供的一种LTE网络的MME、LTE-U网络的MME和UE之间交互进行网络鉴权方法的流程图;4 is a flowchart of a method for performing network authentication by using an MME of an LTE network, an MME of an LTE-U network, and a UE according to an embodiment of the present invention;
图5是本发明实施例提供的又一种LTE网络的MME、LTE-U网络的MME和UE之间交互进行网络鉴权方法的流程图;FIG. 5 is a flowchart of still another method for performing network authentication by using an MME of an LTE network, an MME of an LTE-U network, and a UE according to an embodiment of the present invention;
图6是本发明实施例提供的另一种LTE网络的MME、LTE-U网络的MME和UE之间交互进行网络鉴权方法的流程图。FIG. 6 is a flowchart of another method for performing network authentication by using an MME of an LTE network, an MME of an LTE-U network, and a UE according to an embodiment of the present invention.
DETAILED DESCRIPTION
To make the objectives, technical solutions and advantages of this application clearer, the embodiments of this application are described in further detail below with reference to the accompanying drawings.
Before the embodiments of the present invention are explained in detail, their application scenario is introduced. Currently, organizations such as enterprises, hospitals and government agencies may deploy their own network devices within a certain area and communicate through those devices using unlicensed spectrum, in order to facilitate communication among internal staff or to push specific information and services to the users they serve; the unlicensed spectrum may be the same spectrum as the Wireless Fidelity (WiFi) spectrum. Such networks, made up of network devices deployed by a third party and communicating over unlicensed spectrum, are LTE-U networks. The third party that deploys the LTE-U network can provide specific services to users accessing it by controlling the deployed network devices. For example, a hospital deploys network devices such as an LTE-U eNB, an LTE-U MME and an LTE-U GW within its premises, forming an LTE-U network through which the hospital provides medical services; a user who accesses the LTE-U network can then conveniently and quickly look up information such as doctor details, queue lengths and department locations.
It should be noted that the third party can not only provide specific services to users through the deployed LTE-U network, but can also connect the network devices of the LTE-U network to the network devices of the operator network, so that users accessing the LTE-U network can at the same time use the network services provided by the operator network. On this premise, when a UE that is not currently attached to the operator network accesses the LTE-U network, the UE needs to authenticate with both the LTE-U network and the operator network. The network authentication method and system provided by this application can be used in exactly this scenario: a UE not currently attached to the operator network authenticates with the operator network and the LTE-U network when it accesses the LTE-U network.
Having introduced the application scenario, the system architecture involved in the embodiments of the present invention is described next.
FIG. 1 is a system architecture diagram of a network authentication method according to an embodiment of the present invention. As shown in FIG. 1, the system includes a UE 101, an eNB 102 of the LTE-U network, an MME 103 of the LTE-U network, an MME 104 of the LTE network and an HSS 105. The UE 101 is connected to the eNB 102 of the LTE-U network, the MME 103 of the LTE-U network is connected to the MME 104 of the LTE network, and the MME 104 of the LTE network is connected to the HSS 105.
The UE 101 may be a user device such as a smartphone or a tablet. During network authentication, the UE 101 initiates an attach request to the eNB 102 of the LTE-U network; the eNB 102 forwards the attach request sent by the UE 101 to the MME 103 of the LTE-U network; the MME 103 of the LTE-U network and the MME 104 of the LTE network then interact with the UE according to that attach request to carry out authentication among the UE 101, the MME 103 of the LTE-U network and the MME 104 of the LTE network. During this process, the MME 104 of the LTE network may request an authentication vector from the HSS according to the attach request sent by the UE 101, the network identifier of the LTE-U network and the network identifier of the LTE network; the HSS 105 generates an authentication vector from the received information and returns it to the MME 104 of the LTE network, so that the MME 103 of the LTE-U network and the MME 104 of the LTE network can authenticate with the UE 101 based on that authentication vector.
FIG. 2 is a schematic structural diagram of a network device according to an embodiment of the present invention. The network device may be the UE, the eNB, the MME or the HSS in FIG. 1. Referring to FIG. 2, the network device includes at least one processor 201, a communication bus 202, a memory 203 and at least one communication interface 204.
The processor 201 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the solution of this application.
The communication bus 202 may include a path for transferring information between the components described above.
The memory 203 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory 203 may exist independently and be connected to the processor 201 through the communication bus 202, or it may be integrated with the processor 201.
The communication interface 204 uses any transceiver-type device to communicate with other devices or communication networks, such as Ethernet, a radio access network (RAN) or a wireless local area network (WLAN).
In a specific implementation, as an embodiment, the processor 201 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 2.
In a specific implementation, as an embodiment, the network device may include multiple processors, such as the processor 201 and the processor 205 shown in FIG. 2. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits and/or processing cores for processing data (for example, computer program instructions).
In a specific implementation, as an embodiment, the network device may further include an output device 206 and an input device 207. The output device 206 communicates with the processor 201 and can display information in a variety of ways; for example, it may be a liquid crystal display (LCD), a light-emitting diode (LED) display device, a cathode ray tube (CRT) display device or a projector. The input device 207 communicates with the processor 201 and can receive user input in a variety of ways; for example, it may be a mouse, a keyboard, a touch-screen device or a sensing device.
The network device described above may be a general-purpose computer device or a special-purpose computer device. In a specific implementation, it may be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet, a wireless terminal device, a communication device or an embedded device. The embodiment of the present invention does not limit the type of the network device.
The memory 203 is used to store the program code for executing the solution of this application, and the processor 201 controls its execution. The processor 201 is configured to execute the program code 208 stored in the memory 203; the program code 208 may include one or more software modules. The network device shown in FIG. 1 can implement network authentication through the processor 201 and one or more software modules of the program code 208 in the memory 203.
Having explained the application scenario and the system architecture, the specific implementation process of the embodiment of the present invention is described in detail next.
FIG. 3 is a flowchart of a network authentication method according to an embodiment of the present invention. As shown in FIG. 3, the method includes the following steps:
Step 301: The UE sends a first attach request to the MME of the LTE-U network.
For a UE that has not accessed the operator network, when the UE accesses the LTE-U network it may send a first attach request (Attach Request) to the eNB of the LTE-U network; when the eNB of the LTE-U network receives the first attach request, it forwards the first attach request to the MME of the LTE-U network.
It should be noted that the first attach request is a NAS message, which the eNB of the LTE-U network cannot parse. The first attach request may carry the International Mobile Subscriber Identification Number (IMSI) of the UE and the security algorithms of the UE. The IMSI uniquely identifies the UE, and the mobile network to which the UE currently belongs can be determined from it. The security algorithms of the UE are the encryption algorithms and integrity protection algorithms that the UE supports.
Step 302: When the MME of the LTE-U network receives the first attach request from the UE, it adds the network identifier of the LTE-U network to the first attach request to generate a second attach request.
When the MME of the LTE-U network receives the first attach request, it may add its own network identifier to the first attach request, thereby generating the second attach request. After generating the second attach request, the MME of the LTE-U network may determine the MME of the LTE network corresponding to the UE from the IMSI of the UE carried in the first attach request.
Step 303: The MME of the LTE-U network sends the second attach request to the MME of the LTE network.
After determining the MME of the LTE network corresponding to the UE, the MME of the LTE-U network may send the generated second attach request to that MME.
Step 304: When the MME of the LTE network receives the second attach request, it sends an authentication data request to the HSS based on the second attach request.
When the MME of the LTE network receives the second attach request, it follows from the description above that the second attach request carries the IMSI of the UE, the security capabilities of the UE and the network identifier of the LTE-U network. The MME of the LTE network may then add the network identifier of the LTE network to the second attach request, thereby generating an authentication data request, and send the authentication data request to the HSS.
Step 305: When the HSS receives the authentication data request, it generates an authentication vector based on the network identifier of the LTE-U network and the network identifier of the LTE network.
When it receives the authentication data request, the HSS may determine, from the IMSI carried in the request, the long-term key corresponding to the IMSI of the UE among the plurality of stored long-term keys; this long-term key may also be called the mobile phone authentication code (Key identifier, Ki). The HSS may then generate a third base key corresponding to the LTE network from the determined long-term key and the network identifier of the LTE network, and generate a first base key corresponding to the LTE-U network from the long-term key and the network identifier of the LTE-U network. In addition, after determining Ki, the HSS may also generate a first random number and a sequence number, and generate an authentication token (AUTN) and expected reply information from the first random number and the sequence number. The AUTN includes the sequence number, a message authentication code (MAC), an authentication management field (AMF) and so on.
It should be noted that the authentication vector may include the first base key, the third base key, the first random number, the expected reply information and the AUTN; or it may omit the first base key and include only the third base key, the first random number, the expected reply information and the AUTN; or it may omit the third base key and include the first base key, the first random number, the expected reply information and the AUTN. When the authentication vector does not include the first base key or the third base key, the HSS need not generate that key in the process above.
Step 306: The HSS sends the authentication vector to the MME of the LTE network.
Step 307: When the MME of the LTE network receives the authentication vector, it interacts with the UE and the MME of the LTE-U network based on the authentication vector to carry out network authentication.
When the MME of the LTE network receives the authentication vector, it can interact with the UE and the MME of the LTE-U network according to the authentication vector, thereby completing the verification of the UE by the LTE network, the verification of the UE by the LTE-U network, and the verification of the LTE network and the LTE-U network by the UE.
It should be noted that in the embodiment of the present invention the UE may verify the LTE-U network and the LTE network at the same time, or it may first complete mutual verification with the LTE network and then carry out mutual verification with the LTE-U network. In addition, when the UE verifies the LTE-U network and the LTE network at the same time, the UE may use different parameters of the authentication vector to verify the LTE-U network. The specific process of network authentication through interaction with the UE and the MME of the LTE-U network based on the authentication vector is described in detail in the subsequent embodiments.
In the embodiment of the present invention, for a UE that has not accessed the operator network, when the UE accesses the LTE-U network it may send a first attach request to the MME of the LTE-U network; when the MME of the LTE-U network receives the first attach request, it may add the network identifier of the LTE-U network to the first attach request, thereby generating a second attach request, and send the second attach request to the MME of the LTE network; the MME of the LTE network generates an authentication data request based on the second attach request in order to request an authentication vector from the HSS; when the HSS receives the authentication data request, it generates an authentication vector based on that request and sends the authentication vector to the MME of the LTE network; the MME of the LTE network can then interact with the UE and the MME of the LTE-U network according to the received authentication vector to carry out network authentication. That is, with the network authentication method provided by the embodiment of the present invention, the UE can complete authentication with both the operator network and the LTE-U network in a single pass when accessing them, so that the UE can smoothly access the operator network and the LTE-U network at the same time, which is convenient for the user.
As described above, the UE may verify the LTE-U network and the LTE network at the same time, or it may first complete mutual verification with the LTE network and then carry out mutual verification with the LTE-U network. In addition, when the UE verifies the LTE-U network and the LTE network at the same time, it may use different parameters of the authentication vector to verify the LTE-U network. The three ways in which the MME of the LTE network interacts with the UE and the MME of the LTE-U network based on the authentication vector to carry out network authentication are explained below with reference to the drawings.
FIG. 4 is a flowchart of a first method of network authentication based on the authentication vector according to an embodiment of the present invention. As shown in FIG. 4, the method includes the following steps:
Step 401: The MME of the LTE network stores the expected reply information from the authentication vector.
As described in the preceding embodiment, the authentication vector may include the first base key, the first random number, the expected reply information and the AUTN. When the MME of the LTE network receives the authentication vector, it may store the expected reply information for later verification of the UE, while the first base key, the first random number and the AUTN from the authentication vector may be forwarded to the MME of the LTE-U network.
Step 402: The MME of the LTE network sends the first base key, the first random number and the AUTN to the MME of the LTE-U network.
Step 403: When the MME of the LTE-U network receives the first base key, the first random number and the AUTN, it stores the first base key, generates a second random number, and generates a first encryption result based on the first base key and the second random number.
When it receives the first base key, the first random number and the AUTN sent by the LTE network, the MME of the LTE-U network may store the first base key for later verification of the UE. At the same time, the MME of the LTE-U network may also generate a first encryption result based on the first base key; the first encryption result is used by the UE to verify the LTE-U network.
Specifically, when it receives the first base key, the first random number and the AUTN, the MME of the LTE-U network may generate a second random number with a random number generator and encrypt the second random number with the first base key to obtain the first encryption result.
Step 404: The MME of the LTE-U network sends the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number to the UE.
After the MME of the LTE-U network generates the first encryption result, it may send the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number used to generate the first encryption result to the eNB of the LTE-U network, and the eNB of the LTE-U network forwards the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number to the UE.
Step 405: When the UE receives the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number, it verifies the LTE network and the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number.
When the UE receives the first random number, the AUTN and the first encryption result, it may verify the LTE network from the first random number and the AUTN, and verify the LTE-U network from the first random number, the AUTN and the first encryption result.
When verifying the LTE network, the UE may generate an expected message authentication code (XMAC) from the first random number and the parameters of the AUTN other than the MAC; if the XMAC and the MAC are identical, the UE determines that the verification of the LTE network has passed.
Specifically, the UE may compute the expected message authentication code (XMAC) from its own stored Ki, the first random number, and the sequence number and AMF in the AUTN. From the description of step 305 in the preceding embodiment, the AUTN includes the MAC, which the HSS computed from the Ki it determined, the first random number, and the sequence number and AMF in the AUTN. If, after the UE generates the XMAC, the XMAC and the MAC are identical, then the Ki determined by the HSS is consistent with the Ki stored in the UE. The Ki determined by the HSS was selected according to the IMSI of the UE, that is, it is the Ki stored for this UE on the LTE network side; therefore, when the XMAC and the MAC are identical, the UE can determine that the current LTE network is genuine, that is, the UE's verification of the LTE network passes.
当UE对LTE-U网络进行验证时,UE可以根据LTE-U网络的网络标识、第一随机数和AUTN生成第二基础密钥;UE通过第二基础密钥对第二随机数进行加密,得到第三加密结果;如果第一加密结果等于第三加密结果,则UE确定对LTE-U网络的验证通过。When the UE performs the verification on the LTE-U network, the UE may generate a second basic key according to the network identifier, the first random number, and the AUTN of the LTE-U network; the UE encrypts the second random number by using the second basic key, A third encryption result is obtained; if the first encryption result is equal to the third encryption result, the UE determines that the verification of the LTE-U network passes.
其中,当UE对LTE-U网络进行验证时,UE可以根据自身存储的Ki、LTE-U网络的网络标识、第一随机数和AUTN生成第二基础密钥。之后,通过第二基础密钥对该第二随机数进行加密,从而得到第三加密结果。由于第一基础密钥是LTE-U网络对应的密钥,第一加密结果是通过第一基础密钥对第二随机数进行加密得到的,因此,如果该第三加密结果和第一加密结果相同,则说明该第二基础密钥和第一基础密钥是相同的,也即是,UE可以确定对LTE-U网络的验证通过。反之,如果第三加密结果和第一加密结果不同,则说明第二基础密钥和第一基础密钥不同,此时,UE对LTE-U网络的验证将失败。The UE may generate a second basic key according to the network identifier, the first random number, and the AUTN of the Ki, the LTE-U network, and the AUTN, when the UE performs the verification on the LTE-U network. Thereafter, the second random number is encrypted by the second base key to obtain a third encryption result. Since the first basic key is a key corresponding to the LTE-U network, the first encryption result is obtained by encrypting the second random number by using the first basic key, and therefore, if the third encryption result and the first encryption result The same, the second basic key and the first basic key are the same, that is, the UE can determine the verification of the LTE-U network. On the other hand, if the third encryption result is different from the first encryption result, it indicates that the second basic key is different from the first basic key. At this time, the UE's verification of the LTE-U network will fail.
步骤406:当UE确定对LTE网络和LTE-U网络均验证通过时,生成回复信息和第三随机数,并基于LTE-U网络的网络标识、第一随机数、AUTN和第三随机数生成第二加密结果。Step 406: When the UE determines to pass the verification of both the LTE network and the LTE-U network, generate reply information and a third random number, and generate the network identifier, the first random number, the AUTN, and the third random number based on the LTE-U network. The second encryption result.
当UE确定对LTE网络的验证通过之后,可以通过自身存储的Ki和接收到的第一随机数生成回复信息,该回复信息用于后续LTE网络对UE进行验证。After the UE determines that the verification of the LTE network is passed, the reply information may be generated by using the stored Ki and the received first random number, and the reply information is used for verifying the UE by the subsequent LTE network.
当UE确定对LTE-U网络的验证通过之后,可以生成第三随机数,之后,UE可以根据通过LTE-U网络的网络标识、第一随机数和AUTN生成的第二基础密钥,对接收到的第二随机数和生成的第三随机数进行整体加密,从而得到第二加密结果。After the UE determines that the verification of the LTE-U network is passed, the third random number may be generated, after which the UE may receive the second base key according to the network identifier, the first random number, and the AUTN generated by the LTE-U network. The second random number obtained and the generated third random number are integrally encrypted to obtain a second encryption result.
步骤407:UE将第二加密结果、第三随机数和回复信息发送至LTE-U网络的MME。Step 407: The UE sends the second encryption result, the third random number, and the reply information to the MME of the LTE-U network.
当UE生成回复信息和第二加密结果之后,可以将第二加密结果、第三随机数和回复信息发送至LTE-U网络的eNB,并由LTE-U网络的eNB将该第二加密结果、第三随机数和回复信息转发至LTE-U网络的MME。After the UE generates the reply information and the second encryption result, the second encryption result, the third random number, and the reply information may be sent to the eNB of the LTE-U network, and the second encryption result is obtained by the eNB of the LTE-U network, The third random number and reply information are forwarded to the MME of the LTE-U network.
步骤408:当LTE-U网络的MME接收到第二加密结果和第三随机数时,基于第二加密结果对UE进行验证。Step 408: When the MME of the LTE-U network receives the second encryption result and the third random number, the UE is verified based on the second encryption result.
基于前述步骤403中的描述可知,LTE-U网络的MME中存储有第一基础密钥,并且,第二随机数是由LTE-U网络的MME生成,并存储在该LTE-U网络的MME中的,因此,当LTE-U网络的MME接收到第二加密结果和第三随机数之后,可以通过存储的第一基础密钥对存储的第二随机数和接收到的第三随机数进行整体加密,从而得到第四加密结果。如果该第四加密结果和第二加密结果相同,则说明UE生成的第二基础密钥和LTE-U网络的MME中存储的第一基础密钥是相同的,也即是,LTE-U网络的MME可以确定对UE的验证通过。反之,如果第四加密结果和第二加密结果不同,则说明第一基础密钥和第二基础密钥是不同的,此时,LTE-U网络对UE的验证失败。Based on the description in the foregoing step 403, the MME is stored in the MME of the LTE-U network, and the second random number is generated by the MME of the LTE-U network and stored in the MME of the LTE-U network. Therefore, after the MME of the LTE-U network receives the second encryption result and the third random number, the stored second random number and the received third random number may be performed by using the stored first basic key. Encryption as a whole, resulting in a fourth encryption result. If the fourth encryption result and the second encryption result are the same, it is indicated that the second basic key generated by the UE is the same as the first basic key stored in the MME of the LTE-U network, that is, the LTE-U network. The MME may determine the verification of the UE. On the other hand, if the fourth encryption result is different from the second encryption result, the first basic key and the second basic key are different. At this time, the verification of the UE by the LTE-U network fails.
Step 409: When the MME of the LTE-U network receives the reply information, it sends the reply information to the MME of the LTE network.
Based on the description in step 407, the UE sends the second encryption result, the third random number and the reply information to the MME of the LTE-U network. The MME of the LTE-U network may use the second encryption result and the third random number to verify the UE in the manner of step 408; as for the received reply information, since it is used by the LTE network to verify the UE, the MME of the LTE-U network may forward it directly to the MME of the LTE network.
Step 410: When the MME of the LTE network receives the reply information, it verifies the UE based on the reply information.
Based on the description in step 401, the MME of the LTE network stores the expected reply information, which was generated by the HSS according to the determined Ki and the first random number. Therefore, when the MME of the LTE network receives the reply information, if the reply information is the same as the expected reply information, the MME of the LTE network may determine that the Ki used to generate the expected reply information and the Ki used to generate the reply information are the same, that is, the Ki stored on the LTE network side is consistent with the Ki stored by the UE itself. In this case, the MME of the LTE network may determine that the current UE is genuine and valid, that is, the MME of the LTE network may determine that the verification of the UE passes.
In this embodiment of the present invention, after the MME of the LTE network receives the authentication vector, the MME of the LTE network and the MME of the LTE-U network may send the first random number, the AUTN and the first encryption result to the UE. After the UE receives the first random number, the AUTN and the first encryption result, it may verify the LTE-U network and the LTE network at the same time according to the first random number, the AUTN and the first encryption result; afterwards, the MME of the LTE-U network and the MME of the LTE network verify the UE according to the reply information and the second encryption result from the UE. That is, with the network authentication method provided by this embodiment of the present invention, the UE can complete authentication with both the operator network and the LTE-U network at the same time when accessing them, so that the UE can access the operator network and the LTE-U network simultaneously, which is convenient for the user.
The foregoing embodiment described a method in which the UE verifies the LTE-U network and the LTE network at the same time according to the second random number generated by the LTE-U network and other parameters. Another method in which the UE verifies the LTE-U network and the LTE network at the same time is described next.
FIG. 5 is a flowchart of a second method for network authentication based on an authentication vector according to an embodiment of the present invention. As shown in FIG. 5, the method includes the following steps:
Step 501: The MME of the LTE network stores the expected reply information in the authentication vector.
Based on the description of step 305 in the foregoing embodiment, the authentication vector includes the first base key, the first random number, the expected reply information and the AUTN. When the MME of the LTE network receives the authentication vector, it may store the expected reply information for subsequent verification of the UE.
Step 502: The MME of the LTE network sends the first base key, the expected reply information, the first random number and the AUTN to the MME of the LTE-U network.
After storing the expected reply information, the MME of the LTE network, in addition to sending the remaining first base key, first random number and AUTN of the authentication vector to the MME of the LTE-U network, also needs to send the expected reply information to the MME of the LTE-U network.
Step 503: When the MME of the LTE-U network receives the first base key, the expected reply information, the first random number and the AUTN, it stores the first base key and the expected reply information and generates a first encryption result based on the first base key.
When the MME of the LTE-U network receives the first base key, the expected reply information, the first random number and the AUTN, it may store the first base key and the expected reply information for subsequent verification of the UE. At the same time, the MME of the LTE-U network may generate the first encryption result based on the first base key.
It should be noted that, as can be seen from the description of step 305 in the foregoing embodiment, the AUTN includes a MAC. When the MME of the LTE-U network receives the first base key, the expected reply information, the first random number and the AUTN, it may encrypt the MAC in the AUTN with the first base key, obtaining the first encryption result.
Step 504: The MME of the LTE-U network sends the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.
After generating the first encryption result, the MME of the LTE-U network may send the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the eNB of the LTE-U network, and the eNB of the LTE-U network forwards the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.
Step 505: When the UE receives the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result, it verifies the LTE network and the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result.
When the UE receives the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result, it may verify the LTE network according to the first random number and the AUTN, and verify the LTE-U network according to the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result.
For the specific implementation of the UE verifying the LTE network, refer to the manner in which the UE verifies the LTE network in step 405; it is not described again in this embodiment of the present invention.
When verifying the LTE-U network, the UE may generate a second base key according to the network identifier of the LTE-U network, the first random number and the AUTN; encrypt the MAC with the second base key to obtain a fifth encryption result; and, if the first encryption result equals the fifth encryption result, determine that the verification of the LTE-U network passes.
Specifically, when verifying the LTE-U network, the UE may generate the second base key according to the Ki it stores, the network identifier of the LTE-U network, the first random number and the AUTN, and then encrypt the MAC included in the AUTN with the second base key, obtaining the fifth encryption result. Since the first base key is the key corresponding to the LTE-U network, the first encryption result was obtained by encrypting the MAC with the first base key, while the fifth encryption result is obtained by encrypting the MAC with the second base key. Therefore, if the first encryption result and the fifth encryption result are the same, the first base key and the second base key are the same, that is, the UE may determine that the verification of the LTE-U network passes. Conversely, if the fifth encryption result differs from the first encryption result, the second base key differs from the first base key, and the UE's verification of the LTE-U network fails.
Step 506: When the UE determines that the verification of both the LTE network and the LTE-U network passes, it generates reply information and generates a second encryption result based on the network identifier of the LTE-U network, the first random number and the AUTN.
When the UE determines that the verification of the LTE network passes, it may generate the reply information from the Ki it stores and the received first random number.
After the UE determines that the verification of the LTE-U network passes and has generated the reply information, it may encrypt the reply information with the second base key generated in step 505 from the network identifier of the LTE-U network, the first random number and the AUTN, obtaining the second encryption result.
Step 507: The UE sends the second encryption result and the reply information to the MME of the LTE-U network.
After generating the reply information and the second encryption result, the UE may send them to the eNB of the LTE-U network, and the eNB of the LTE-U network forwards the reply information and the second encryption result to the MME of the LTE-U network.
Step 508: When the MME of the LTE-U network receives the reply information and the second encryption result, it verifies the UE based on the reply information and the second encryption result.
Based on the description in step 503, the MME of the LTE-U network stores the first base key and the expected reply information, where the expected reply information was generated by the HSS according to the stored Ki and the first random number. After the MME of the LTE-U network receives the reply information and the second encryption result, it may first compare the reply information with the expected reply information, and then encrypt the reply information with the first base key it stores, obtaining a sixth encryption result. Since the reply information was generated by the UE according to the Ki it stores and the first random number, if the reply information is the same as the expected reply information and the sixth encryption result is also the same as the second encryption result, the second base key generated by the UE is consistent with the first base key stored by the MME of the LTE-U network; in this case the MME of the LTE-U network can confirm that the current UE is genuine and valid, that is, the MME of the LTE-U network may determine that the verification of the UE passes. Conversely, if the sixth encryption result differs from the second encryption result, the first base key and the second base key are different, and the verification of the UE by the LTE-U network fails.
Step 509: The MME of the LTE-U network sends the reply information to the MME of the LTE network.
The MME of the LTE-U network may send the reply information to the MME of the LTE network as soon as it receives the reply information; alternatively, it may send the reply information to the MME of the LTE network after completing the verification of the UE.
Step 510: When the MME of the LTE network receives the reply information, it verifies the UE based on the reply information.
For the specific implementation of verifying the UE based on the reply information when the MME of the LTE network receives it, refer to the implementation in step 410; it is not described again in this embodiment of the present invention.
In this embodiment of the present invention, after the MME of the LTE network receives the authentication vector, the MME of the LTE network and the MME of the LTE-U network may send the first random number, the AUTN and the first encryption result to the UE, where the first encryption result is obtained by the MME of the LTE-U network encrypting the MAC in the AUTN. After the UE receives the first random number, the AUTN and the first encryption result, it may verify the LTE-U network and the LTE network at the same time according to the first random number, the AUTN and the first encryption result; afterwards, the MME of the LTE-U network and the MME of the LTE network verify the UE according to the reply information and the second encryption result from the UE, where the second encryption result is obtained by the UE encrypting the reply information. That is, in the network authentication method provided by this embodiment of the present invention, neither the LTE-U network nor the UE needs to generate a random number; mutual verification is completed simply by encrypting parameters in the authentication vector, which simplifies the operation. With the network authentication method provided by this embodiment of the present invention, the UE can complete authentication with both the operator network and the LTE-U network at the same time when accessing them, so that the UE can access the operator network and the LTE-U network simultaneously, which is convenient for the user.
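The FIG. 5 exchange (steps 501 to 510) simulated end to end, as an added example that is not the patent's own code. The page does not fix the cryptographic primitives, so the following are assumptions: every "encryption result" is an HMAC-SHA256 tag over the named input, the base key is HMAC-SHA256(Ki, network identifier || RAND || AUTN), and the reply information RES is a truncated HMAC-SHA256(Ki, RAND); the Ki and network identifier are constructed sample values.

```python
"""Simulation of steps 501-510 (FIG. 5). Not the patent's code; the KDF, the
'encryption result' function and the RES function are assumptions."""
import hashlib
import hmac
import os
from typing import Optional


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed function standing in for the page's 'encrypt with key' operation."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def derive_base_key(ki: bytes, net_id: bytes, rand: bytes, autn: bytes) -> bytes:
    """Assumed KDF: the HSS derives the first base key, the UE the second one."""
    return prf(ki, b"base-key", net_id, rand, autn)


def compute_res(ki: bytes, rand: bytes) -> bytes:
    """Assumed RES/XRES function (the page's 'reply information')."""
    return prf(ki, b"res", rand)[:8]


class HSS:
    def __init__(self, ki: bytes):
        self.ki = ki

    def authentication_vector(self, net_id: bytes) -> dict:
        """Earlier step 305 on the page: RAND, AUTN (carrying MAC), XRES, K_base1."""
        rand = os.urandom(16)
        sqn_amf = os.urandom(8)                       # constructed SQN/AMF field
        mac = prf(self.ki, b"mac", rand, sqn_amf)[:8]
        autn = sqn_amf + mac
        return {"rand": rand, "autn": autn,
                "xres": compute_res(self.ki, rand),
                "k_base1": derive_base_key(self.ki, net_id, rand, autn)}


class LteUMme:
    def __init__(self, net_id: bytes):
        self.net_id = net_id

    def step_503_504(self, k_base1: bytes, xres: bytes, rand: bytes, autn: bytes) -> dict:
        """Store K_base1 and XRES; enc1 = K_base1 applied to the MAC inside AUTN."""
        self.k_base1, self.xres = k_base1, xres
        enc1 = prf(k_base1, autn[-8:])
        return {"rand": rand, "autn": autn, "net_id": self.net_id, "enc1": enc1}

    def step_508_verify_ue(self, res: bytes, enc2: bytes) -> bool:
        """RES must equal XRES and enc6 = K_base1 applied to RES must equal enc2."""
        enc6 = prf(self.k_base1, res)
        return hmac.compare_digest(res, self.xres) and hmac.compare_digest(enc6, enc2)


class LteMme:
    def step_501_502(self, av: dict, lte_u: LteUMme) -> dict:
        self.xres = av["xres"]                        # step 501: keep XRES locally
        return lte_u.step_503_504(av["k_base1"], av["xres"], av["rand"], av["autn"])

    def step_510_verify_ue(self, res: bytes) -> bool:
        return hmac.compare_digest(res, self.xres)


class UE:
    def __init__(self, ki: bytes):
        self.ki = ki

    def step_505_506(self, msg: dict) -> Optional[dict]:
        """Verify LTE (XMAC == MAC) and LTE-U (enc5 == enc1); then build RES and enc2."""
        rand, autn = msg["rand"], msg["autn"]
        sqn_amf, mac = autn[:8], autn[8:]
        xmac = prf(self.ki, b"mac", rand, sqn_amf)[:8]
        if not hmac.compare_digest(xmac, mac):
            return None                               # LTE network rejected
        k_base2 = derive_base_key(self.ki, msg["net_id"], rand, autn)
        enc5 = prf(k_base2, mac)
        if not hmac.compare_digest(enc5, msg["enc1"]):
            return None                               # LTE-U network rejected
        res = compute_res(self.ki, rand)
        return {"res": res, "enc2": prf(k_base2, res)}


def run_fig5(rogue_lte_u: bool = False) -> dict:
    """Full exchange. With rogue_lte_u=True the first encryption result comes from
    a node that never received K_base1, so the UE must reject it at step 505."""
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed Ki
    net_id = b"LTE-U-hospital-1"                              # constructed identifier
    hss, ue, lte, lte_u = HSS(ki), UE(ki), LteMme(), LteUMme(net_id)
    msg = lte.step_501_502(hss.authentication_vector(net_id), lte_u)
    if rogue_lte_u:
        msg = dict(msg, enc1=prf(os.urandom(32), msg["autn"][-8:]))
    reply = ue.step_505_506(msg)
    if reply is None:
        return {"ue_accepts_networks": False, "lte_u_accepts_ue": False, "lte_accepts_ue": False}
    return {"ue_accepts_networks": True,
            "lte_u_accepts_ue": lte_u.step_508_verify_ue(reply["res"], reply["enc2"]),
            "lte_accepts_ue": lte.step_510_verify_ue(reply["res"])}
```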
The foregoing, with reference to FIG. 4 and FIG. 5, described two verification methods in which the UE verifies the LTE-U network and the LTE network at the same time, after which the MME of the LTE-U network and the MME of the LTE network verify the UE. Next, with reference to FIG. 6, a network authentication method in which the UE first performs mutual verification with the LTE network and then verifies the LTE-U network is described.
FIG. 6 is a flowchart of a third method for network authentication based on an authentication vector according to an embodiment of the present invention. In this method, the MME of the LTE network first interacts with the UE through the method of steps 601 to 60 based on the third base key, the expected reply information, the first random number and the AUTN, thereby completing mutual verification with the UE, and then proceeds as shown in FIG. 6. The method includes the following steps:
Step 601: The MME of the LTE network stores the third base key and the expected reply information in the authentication vector.
Based on the description of step 305 in the foregoing embodiment, the authentication vector may include the third base key, the expected reply information, the first random number and the AUTN. When the authentication vector includes the third base key, the expected reply information, the first random number and the AUTN, the MME of the LTE network may, upon receiving the authentication vector, store the third base key and the expected reply information in it for subsequent verification of the UE.
Step 602: The MME of the LTE network sends the first random number and the AUTN to the UE.
After the MME of the LTE network stores the third base key and the expected reply information, it may send the first random number and the AUTN in the authentication vector to the MME of the LTE-U network; after receiving the first random number and the AUTN, the MME of the LTE-U network may send them to the eNB of the LTE-U network, which, after receiving the first random number and the AUTN, forwards them to the UE.
Step 603: When the UE receives the first random number and the AUTN, it verifies the LTE network based on the first random number and the AUTN.
For the specific implementation of this step, refer to the implementation in step 405 in which the UE verifies the LTE network based on the first random number and the AUTN; it is not described again in this embodiment of the present invention.
Step 604: When the UE determines that the verification of the LTE network passes, it generates reply information.
For the specific implementation of this step, refer to the description in step 406 of generating the reply information when the UE determines that the verification of the LTE network passes; it is not described again in this embodiment of the present invention.
Step 605: The UE sends the reply information to the MME of the LTE network.
After generating the reply information, the UE may send it to the MME of the LTE network via the eNB and the MME of the LTE-U network.
Step 606: When the MME of the LTE network receives the reply information, it verifies the UE based on the reply information.
For the specific implementation of this step, refer to the description in step 410 of the MME of the LTE network verifying the UE based on the reply information; it is not described again in this embodiment of the present invention.
Step 607: When the MME of the LTE network determines that the verification of the UE passes, it generates a second random number, generates the first base key based on the network identifier of the LTE-U network and the third base key, generates a NAS key based on the security algorithm of the UE, and encrypts the second random number with the NAS key, obtaining a seventh encryption result.
Based on the description in step 302, the MME of the LTE-U network added the network identifier of the LTE-U network to the first attach request, thereby generating the second attach request, and sent the second attach request to the MME of the LTE network. Therefore, when the MME of the LTE network determines that the verification of the UE passes, it may generate the first base key based on the network identifier of the LTE-U network and the third base key. At the same time, the MME of the LTE network may generate the second random number using a random number generator.
It should be noted that, since the second attach request also includes the security algorithm of the UE, after the MME of the LTE network generates the second random number and the first base key, it may generate the NAS key according to the security algorithm of the UE. Afterwards, the MME of the LTE network may encrypt the second random number with the NAS key, obtaining the seventh encryption result.
Step 608: The MME of the LTE network sends the first base key, the third base key, the NAS key, the network identifier of the LTE-U network, the second random number and the seventh encryption result to the MME of the LTE-U network.
Step 609: When the MME of the LTE-U network receives the first base key, the third base key, the NAS key, the network identifier of the LTE-U network, the second random number and the seventh encryption result, it encrypts the second random number with the first base key, obtaining an eighth encryption result.
Step 610: The MME of the LTE-U network sends the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result to the UE.
The MME of the LTE-U network sends the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result to the eNB of the LTE-U network, which forwards them to the UE.
Step 611: When the UE receives the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result, it generates a second base key based on the third base key and the network identifier of the LTE-U network, decrypts the eighth encryption result with the second base key to obtain a first decryption result, and decrypts the seventh encryption result with the NAS key to obtain a second decryption result.
Since the first base key was generated by the MME of the LTE network according to the third base key and the network identifier of the LTE-U network, in order to verify the authenticity of the LTE-U network, when the UE receives the third base key and the network identifier of the LTE-U network, it may generate the second base key according to the third base key and the network identifier of the LTE-U network and verify whether the second base key and the first base key are the same, thereby verifying the LTE-U network.
It should be noted that, in order to prevent information from being tampered with while the MME of the LTE-U network transmits it to the UE, the MME of the LTE-U network does not send the first base key directly to the UE; instead, through the method of step 609, it encrypts the second random number with the first base key to obtain the eighth encryption result and sends the eighth encryption result to the UE. After receiving the eighth encryption result, the UE may decrypt it with the second base key to obtain the first decryption result, and decrypt the seventh encryption result with the NAS key to obtain the second decryption result.
Step 612: The UE verifies the LTE-U network based on the first decryption result and the second decryption result.
Since the eighth encryption result was obtained by the MME of the LTE-U network encrypting the second random number with the first base key, and the seventh encryption result was obtained by the MME of the LTE network encrypting the second random number with the NAS key, after the UE decrypts the eighth encryption result with the second base key and decrypts the seventh encryption result with the NAS key, if the first decryption result and the second decryption result are equal, the second base key generated by the UE is the same as the first base key, that is, the UE may determine that the LTE-U network is genuine and trustworthy, and may therefore determine that the verification of the LTE-U network passes.
In this embodiment of the present invention, after the MME of the LTE network receives the authentication vector, the MME of the LTE network may first interact with the UE based on the third base key, the first random number, the expected reply information and the AUTN in the authentication vector to complete mutual authentication with the UE; afterwards, the MME of the LTE network may generate the first base key and the second random number, obtain the NAS key, and send the first base key, the second random number and the NAS key to the MME of the LTE-U network, after which the MME of the LTE-U network and the UE may perform network authentication using the first base key, the second random number and the NAS key. That is, with the network authentication method provided by this embodiment of the present invention, the UE can complete authentication with both the operator network and the LTE-U network at the same time when accessing them, so that the UE can access the operator network and the LTE-U network simultaneously, which is convenient for the user.
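Steps 607 to 612 of the FIG. 6 method, as an added example that is not the patent's own code. The page does not name the key derivation or cipher, so these are assumptions: the first/second base key is HMAC-SHA256(third base key, network identifier), the NAS key is HMAC-SHA256(third base key, security algorithm label), and "encrypt" is an HMAC-SHA256 counter-mode keystream XORed onto the second random number, a stand-in for a real symmetric cipher; the third base key, network identifier and algorithm label are constructed.

```python
"""Simulation of steps 607-612 (FIG. 6). Not the patent's code; the KDFs and
the stand-in cipher are assumptions."""
import hashlib
import hmac
import os
from typing import Optional


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: the same call encrypts and decrypts (keystream XOR)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = prf(key, b"ks", offset.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def lte_mme_step_607(k_base3: bytes, net_id: bytes, ue_alg: bytes) -> dict:
    """Step 607: RAND2, K_base1 from (net_id, K_base3), NAS key, enc7 = E(NAS, RAND2).
    The returned dict is the step 608 message to the LTE-U MME."""
    rand2 = os.urandom(16)
    k_base1 = prf(k_base3, b"base-key", net_id)
    nas_key = prf(k_base3, b"nas-key", ue_alg)
    return {"k_base1": k_base1, "k_base3": k_base3, "nas_key": nas_key,
            "net_id": net_id, "rand2": rand2, "enc7": stream_xor(nas_key, rand2)}


def lte_u_mme_step_609_610(msg: dict) -> dict:
    """Step 609: enc8 = E(K_base1, RAND2). Step 610: K_base1 itself is not sent on."""
    enc8 = stream_xor(msg["k_base1"], msg["rand2"])
    return {"k_base3": msg["k_base3"], "nas_key": msg["nas_key"],
            "net_id": msg["net_id"], "enc7": msg["enc7"], "enc8": enc8}


def ue_step_611_612(msg: dict) -> bool:
    """Step 611: K_base2 from (K_base3, net_id); dec1 = D(K_base2, enc8),
    dec2 = D(NAS, enc7). Step 612: LTE-U is verified iff dec1 == dec2."""
    k_base2 = prf(msg["k_base3"], b"base-key", msg["net_id"])
    dec1 = stream_xor(k_base2, msg["enc8"])
    dec2 = stream_xor(msg["nas_key"], msg["enc7"])
    return hmac.compare_digest(dec1, dec2)


def run_fig6(lte_u_claims_net_id: Optional[bytes] = None) -> bool:
    """Honest run returns True. If the LTE-U MME presents a network identifier
    other than the one K_base1 was derived for, K_base2 != K_base1, the two
    decryption results disagree and the UE's step 612 check fails."""
    k_base3 = os.urandom(32)                 # constructed third base key
    net_id = b"LTE-U-hospital-1"             # constructed network identifier
    from_lte = lte_mme_step_607(k_base3, net_id, b"alg-1")   # constructed algorithm label
    to_ue = lte_u_mme_step_609_610(from_lte)
    if lte_u_claims_net_id is not None:
        to_ue = dict(to_ue, net_id=lte_u_claims_net_id)
    return ue_step_611_612(to_ue)
```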
Having described the network authentication method provided by the embodiments of the present invention, the network authentication system provided by the embodiments of the present invention is described next.
An embodiment of the present invention provides a network authentication system, which includes a UE, an MME of an LTE-U network, an MME of an LTE network and an HSS.
The MME of the LTE-U network is configured to perform steps 302 and 303 of the foregoing embodiment;
the MME of the LTE network is configured to perform step 304 of the foregoing embodiment;
the HSS is configured to perform steps 305 and 306 of the foregoing embodiment;
the MME of the LTE network is configured to perform step 307 of the foregoing embodiment.
Optionally, the authentication vector includes a first base key, expected reply information, a first random number and an authentication token AUTN, where the first base key is the key corresponding to the LTE-U network;
the MME of the LTE network is specifically configured to store the expected reply information and to send, via the MME of the LTE-U network, the first random number, the AUTN, the network identifier of the LTE-U network and a first encryption result to the UE, where the first encryption result is generated by the MME of the LTE-U network based on the first base key;
the UE is configured to, when receiving the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result, verify the LTE network based on the first random number and the AUTN, and verify the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result;
the UE is further configured to, when determining that the verification of both the LTE network and the LTE-U network passes, generate reply information and generate a second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network;
the UE is further configured to send the second encryption result to the MME of the LTE-U network and send the reply information to the MME of the LTE network;
the MME of the LTE-U network is configured to verify the UE based on the second encryption result when it receives the second encryption result; when the MME of the LTE network receives the reply information, it verifies the UE based on the expected reply information and the reply information.
Optionally, the MME of the LTE network is specifically configured to:
store the expected response, and send the first base key, the first random number and the AUTN to the MME of the LTE-U network;
and the MME of the LTE-U network is further configured to, on receiving the first base key, the first random number and the AUTN, store the first base key, generate the first encryption result from the first base key, and send the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.
Optionally, the MME of the LTE-U network is specifically configured to:
generate a second random number and encrypt it with the first base key to obtain the first encryption result;
send the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number to the UE.
Optionally, the AUTN includes a message authentication code MAC;
the UE is specifically configured to:
generate an expected message authentication code XMAC from the first random number and the parameters of the AUTN other than the MAC;
if the XMAC and the MAC are identical, determine that the LTE network passes verification.
Optionally, the UE is specifically configured to:
generate a second base key from the network identifier of the LTE-U network, the first random number and the AUTN;
encrypt the second random number with the second base key to obtain a third encryption result;
if the first encryption result equals the third encryption result, determine that the LTE-U network passes verification.
Optionally, the UE is specifically configured to:
generate a third random number and encrypt the second random number and the third random number together, as one unit, with the second base key to obtain the second encryption result;
send the second encryption result and the third random number to the MME of the LTE-U network;
and correspondingly, the MME of the LTE-U network is specifically configured to:
encrypt the second random number and the third random number together with the stored first base key to obtain a fourth encryption result;
if the second encryption result and the fourth encryption result are equal, determine that the UE passes verification.
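The exchange described by the optional steps above, as an added worked example that is not part of the patent: one run of the three-party procedure in Python, from the first attach request through both verifications of the UE. The patent does not name its primitives, so the example assumes HMAC-SHA256 for every key derivation and for each "encryption" step whose output is only ever compared for equality; it assumes the UE derives the second base key from its long-term key K together with the LTE-U network identifier, the first random number and the AUTN (the text names only the last three inputs; without K the key would be computable by anyone who overhears the challenge); and it lays AUTN out as SQN || AMF || MAC. The class, function and identifier names (HSS, LteMme, LteUMme, UE, run_attach, hospital-X, operator-A) and the sample IMSI are constructed for the example. The two dishonest runs show why the network identifier has to be bound into the first base key: an LTE-U MME that announces a different identifier to the UE than the one it placed in the attach request fails the UE's check, as does a UE holding the wrong K.

```python
# Added example, not code from the patent. HMAC-SHA256 stands in for every
# key derivation and "encryption" step the text leaves unspecified (assumption).
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF over length-prefixed parts (assumed primitive)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class HSS:
    """Holds the UE's long-term key K and issues the authentication vector."""
    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def auth_vector(self, lte_id: bytes, lteu_id: bytes) -> dict:
        self.sqn += 1
        rand, sqn, amf = os.urandom(16), self.sqn.to_bytes(6, "big"), b"\x80\x00"
        mac = prf(self.k, b"mac", rand, sqn, amf, lte_id)[:8]
        autn = sqn + amf + mac                      # AUTN = SQN || AMF || MAC (assumed layout)
        return {"rand": rand, "autn": autn,
                "xres": prf(self.k, b"res", rand)[:8],                 # expected response
                "k1": prf(self.k, b"lteu", lteu_id, rand, autn)}       # first base key


class LteMme:
    def __init__(self, lte_id: bytes, hss: HSS):
        self.lte_id, self.hss, self.xres = lte_id, hss, None

    def on_attach(self, req2: dict) -> tuple:
        av = self.hss.auth_vector(self.lte_id, req2["lteu_id"])
        self.xres = av["xres"]                      # kept here; K1, RAND, AUTN are forwarded
        return av["k1"], av["rand"], av["autn"]

    def verify_ue(self, res: bytes) -> bool:
        return hmac.compare_digest(self.xres, res)


class LteUMme:
    def __init__(self, lteu_id: bytes):
        self.lteu_id, self.k1, self.rand2 = lteu_id, None, None

    def on_attach(self, req1: dict) -> dict:
        return dict(req1, lteu_id=self.lteu_id)    # second attach request = first + network id

    def challenge(self, k1: bytes, rand: bytes, autn: bytes) -> tuple:
        self.k1, self.rand2 = k1, os.urandom(16)   # first encryption result = Enc(K1, RAND2)
        return rand, autn, self.lteu_id, prf(k1, b"c1", self.rand2), self.rand2

    def verify_ue(self, c2: bytes, rand3: bytes) -> bool:
        return hmac.compare_digest(c2, prf(self.k1, b"c2", self.rand2, rand3))  # fourth result


class UE:
    def __init__(self, k: bytes, lte_id: bytes):
        self.k, self.lte_id = k, lte_id

    def on_challenge(self, rand, autn, lteu_id, c1, rand2):
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        xmac = prf(self.k, b"mac", rand, sqn, amf, self.lte_id)[:8]
        ok_lte = hmac.compare_digest(xmac, mac)                     # LTE network check
        k2 = prf(self.k, b"lteu", lteu_id, rand, autn)              # second base key
        ok_lteu = hmac.compare_digest(c1, prf(k2, b"c1", rand2))    # third result vs first
        if not (ok_lte and ok_lteu):
            return ok_lte, ok_lteu, None                            # no response released
        rand3 = os.urandom(16)
        return ok_lte, ok_lteu, {"res": prf(self.k, b"res", rand)[:8],
                                 "c2": prf(k2, b"c2", rand2, rand3), "rand3": rand3}


def run_attach(lteu_id=b"hospital-X", announced_id=None, ue_key=None) -> dict:
    """One full run. announced_id lets a dishonest LTE-U MME show the UE a
    different network identifier than the one it put in the attach request;
    ue_key lets the UE hold a key other than the one the HSS has."""
    k = b"\x01" * 16                                               # constructed K
    hss, lte_id = HSS(k), b"operator-A"
    lte, lteu, ue = LteMme(lte_id, hss), LteUMme(lteu_id), UE(ue_key or k, lte_id)
    k1, rand, autn = lte.on_attach(lteu.on_attach({"imsi": b"001010123456789"}))
    rand, autn, shown_id, c1, rand2 = lteu.challenge(k1, rand, autn)
    ok_lte, ok_lteu, reply = ue.on_challenge(rand, autn, announced_id or shown_id, c1, rand2)
    out = {"ue_accepts_lte": ok_lte, "ue_accepts_lteu": ok_lteu,
           "lteu_accepts_ue": False, "lte_accepts_ue": False}
    if reply:
        out["lteu_accepts_ue"] = lteu.verify_ue(reply["c2"], reply["rand3"])
        out["lte_accepts_ue"] = lte.verify_ue(reply["res"])
    return out


if __name__ == "__main__":
    print(run_attach())
    print(run_attach(announced_id=b"hospital-Y"))
```

The UE releases its response only after both checks pass, exactly as the optional steps require; if it answered the operator challenge first, an LTE-U MME that failed the UE's own check could still relay a valid response to the operator network. The MAC-based variant that follows replaces the second random number with the AUTN MAC and the second encryption result with an encrypted response, but the shape of each check is the same as here.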
Optionally, the MME of the LTE network is specifically configured to:
store the expected response, and send the first base key, the expected response, the first random number and the AUTN to the MME of the LTE-U network;
and the MME of the LTE-U network is configured to, on receiving the first base key, the expected response, the first random number and the AUTN, store the first base key and the expected response, generate the first encryption result from the first base key, and send the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.
Optionally, the AUTN includes a MAC;
the MME of the LTE-U network is specifically configured to:
encrypt the MAC with the first base key to obtain the first encryption result.
Optionally, the UE is specifically configured to:
generate a second base key from the network identifier of the LTE-U network, the first random number and the AUTN;
encrypt the MAC with the second base key to obtain a fifth encryption result;
if the first encryption result equals the fifth encryption result, determine that the LTE-U network passes verification.
Optionally, the UE is specifically configured to:
encrypt the response with the second base key to obtain the second encryption result;
and correspondingly, the MME of the LTE-U network is specifically configured to:
encrypt the response with the stored first base key to obtain a sixth encryption result;
if the expected response stored by the MME of the LTE-U network is identical to the response, and the sixth encryption result equals the second encryption result, determine that the UE passes verification.
Optionally, the second attach request carries the UE's security algorithm, and the authentication vector includes a third base key, an expected response, a first random number and an authentication token AUTN, where the third base key is the key corresponding to the LTE network;
the MME of the LTE network is specifically configured to interact with the UE using the third base key, the expected response, the first random number and the AUTN, so that the UE verifies the LTE network and the MME of the LTE network verifies the UE;
the MME of the LTE network is further configured to, once it determines that the UE passes verification, generate a second random number and generate the first base key from the network identifier of the LTE-U network and the third base key;
the MME of the LTE network is further configured to generate a non-access stratum (NAS) key from the UE's security algorithm and encrypt the second random number with the NAS key to obtain a seventh encryption result;
the MME of the LTE network is further configured to send the first base key, the third base key, the NAS key, the network identifier of the LTE-U network, the second random number and the seventh encryption result to the MME of the LTE-U network;
the MME of the LTE-U network is specifically configured to encrypt the second random number with the first base key to obtain an eighth encryption result, and to send the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result to the UE;
the UE is specifically configured to generate a second base key from the third base key and the network identifier of the LTE-U network, decrypt the eighth encryption result with the second base key to obtain a first decryption result, and decrypt the seventh encryption result with the NAS key to obtain a second decryption result;
the UE is further configured to determine that the LTE-U network passes verification if the first decryption result and the second decryption result are identical.
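The NAS-key variant just described, as an added example that is not part of the patent. It starts after the ordinary LTE authentication has completed, so the LTE MME and the UE both hold the third base key K3 (assumed here to play the role of K_ASME) and can each derive the NAS key from the UE's security algorithm; the example therefore has the UE derive the second base key and the NAS key itself from K3 rather than rely on the copies the text says are forwarded to it. HMAC-SHA256 is the assumed KDF, and an HMAC keystream XORed over the plaintext is a toy reversible cipher standing in for the unspecified encryption (equality of the two decryptions is the only property the check uses). Function names, the algorithm label "EEA2/EIA2", "hospital-X" and the key values are constructed.

```python
# Added example, not code from the patent. HMAC-SHA256 as KDF and an HMAC
# keystream XOR as a toy cipher are assumptions; the text names neither.
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def xor_crypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a 32-byte HMAC keystream; the same call
    decrypts. Only for values up to 32 bytes; a deployment would use the
    negotiated NAS cipher instead."""
    ks = prf(key, b"ks", label)
    assert len(data) <= len(ks)
    return bytes(a ^ b for a, b in zip(data, ks))


def lte_mme_after_aka(k3: bytes, lteu_id: bytes, alg: bytes) -> dict:
    """What the LTE MME does once the UE has passed verification."""
    rand2 = os.urandom(16)                        # second random number
    k1 = prf(k3, b"lteu", lteu_id)                # first base key, bound to the LTE-U id
    k_nas = prf(k3, b"nas", alg)                  # NAS key from the UE's security algorithm
    e7 = xor_crypt(k_nas, b"e7", rand2)           # seventh encryption result
    return {"k1": k1, "k_nas": k_nas, "lteu_id": lteu_id, "rand2": rand2, "e7": e7}


def lteu_mme_forward(msg: dict, k1_in_use: bytes = None) -> dict:
    """The LTE-U MME adds E8 = Enc(K1, RAND2). Passing k1_in_use models a node
    that never received K1 from the LTE MME and uses some other key."""
    k1 = k1_in_use or msg["k1"]
    e8 = xor_crypt(k1, b"e8", msg["rand2"])       # eighth encryption result
    return {"lteu_id": msg["lteu_id"], "e7": msg["e7"], "e8": e8}


def ue_verify_lteu(k3: bytes, alg: bytes, msg: dict) -> bool:
    """The UE recomputes both keys from K3 and compares the two decryptions."""
    k2 = prf(k3, b"lteu", msg["lteu_id"])         # second base key
    d1 = xor_crypt(k2, b"e8", msg["e8"])          # first decryption result
    d2 = xor_crypt(prf(k3, b"nas", alg), b"e7", msg["e7"])  # second decryption result
    return hmac.compare_digest(d1, d2)


def run_nas_variant(announced_id: bytes = None, rogue_key: bytes = None) -> bool:
    k3, alg, lteu_id = b"\x03" * 32, b"EEA2/EIA2", b"hospital-X"   # constructed values
    msg = lteu_mme_forward(lte_mme_after_aka(k3, lteu_id, alg), rogue_key)
    if announced_id:
        msg["lteu_id"] = announced_id             # UE is shown a different network id
    return ue_verify_lteu(k3, alg, msg)


if __name__ == "__main__":
    print(run_nas_variant(), run_nas_variant(announced_id=b"hospital-Y"),
          run_nas_variant(rogue_key=b"\x09" * 32))
```

A run with rogue_key models an LTE-U MME that never obtained K1 from the LTE MME; a run with announced_id models one that shows the UE an identifier other than the one K1 was derived for. Both fail because the first decryption no longer equals the second. Because the check compares two decryptions rather than verifying a MAC, a deployment should still integrity-protect the seventh and eighth encryption results (for example with the NAS integrity algorithm) so that tampering is detected explicitly rather than only as a failed comparison.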
In summary, in the embodiments of the present invention, when a UE that has not yet attached to the operator network accesses an LTE-U network, it sends a first attach request to the MME of the LTE-U network. On receiving the first attach request, the MME of the LTE-U network adds the network identifier of the LTE-U network to it, thereby producing a second attach request, and sends the second attach request to the MME of the LTE network. The MME of the LTE network generates an authentication data request from the second attach request in order to request an authentication vector from the HSS; when the HSS receives the authentication data request, it generates an authentication vector from it and sends the authentication vector to the MME of the LTE network. The MME of the LTE network can then interact with the UE and the MME of the LTE-U network according to the received authentication vector to complete network authentication. In other words, with the network authentication method of the embodiments of the present invention, a UE accessing the operator network and the LTE-U network completes authentication with both in a single procedure, so that it can access the operator network and the LTE-U network at the same time, which is convenient for the user.
It should be noted that the division into the functional modules above is given only as an example of how the network authentication system of the embodiment performs network authentication; in practice the functions may be assigned to different functional modules as needed, that is, the internal structure of a device may be divided into different functional modules to complete all or part of the functions described above. In addition, the network authentication system embodiment and the network authentication method embodiment share the same concept; for the specific implementation, refer to the method embodiment, which is not repeated here.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part as a computer program product. The computer program product comprises one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (for example infrared, radio or microwave). The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a digital versatile disc (DVD)) or a semiconductor medium (for example a solid state disk (SSD)).
A person of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be carried out by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disc.
The above are embodiments provided by the present application and do not limit the present application. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present application shall fall within the scope of protection of the present application.

Claims (24)

  1. A network authentication method, characterized in that the method comprises:
    when a mobility management entity (MME) of a Long Term Evolution-Unlicensed (LTE-U) network receives a first attach request from a user equipment (UE), adding a network identifier of the LTE-U network to the first attach request to generate a second attach request, and sending the second attach request to an MME of a Long Term Evolution (LTE) network;
    when the MME of the LTE network receives the second attach request, sending, based on the second attach request, an authentication data request to a home subscriber server (HSS), the authentication data request carrying the network identifier of the LTE-U network and a network identifier of the LTE network;
    when the HSS receives the authentication data request, generating an authentication vector based on the network identifier of the LTE-U network and the network identifier of the LTE network, and sending the authentication vector to the MME of the LTE network, the authentication vector comprising parameters for authenticating the UE, the LTE-U network and the LTE network;
    when the MME of the LTE network receives the authentication vector, interacting with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication.
  2. The method according to claim 1, characterized in that the authentication vector comprises a first base key, an expected response, a first random number and an authentication token AUTN, the first base key being a key corresponding to the LTE-U network;
    the interacting with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication comprises:
    the MME of the LTE network storing the expected response and sending, via the MME of the LTE-U network, the first random number, the AUTN, the network identifier of the LTE-U network and a first encryption result to the UE, the first encryption result being generated by the MME of the LTE-U network based on the first base key;
    when the UE receives the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result, verifying the LTE network based on the first random number and the AUTN, and verifying the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result;
    when the UE determines that both the LTE network and the LTE-U network pass verification, generating a response and generating a second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network;
    the UE sending the second encryption result to the MME of the LTE-U network and sending the response to the MME of the LTE network;
    when the MME of the LTE-U network receives the second encryption result, verifying the UE based on the second encryption result; and when the MME of the LTE network receives the response, verifying the UE based on the expected response and the response.
  3. The method according to claim 2, characterized in that the MME of the LTE network sending the first random number, the AUTN and the first encryption result to the UE via the MME of the LTE-U network comprises:
    the MME of the LTE network storing the expected response and sending the first base key, the first random number and the AUTN to the MME of the LTE-U network;
    when the MME of the LTE-U network receives the first base key, the first random number and the AUTN, storing the first base key, generating the first encryption result based on the first base key, and sending the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.
  4. The method according to claim 3, characterized in that the generating the first encryption result based on the first base key comprises:
    the MME of the LTE-U network generating a second random number and encrypting the second random number with the first base key to obtain the first encryption result;
    and correspondingly, the sending the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE comprises:
    the MME of the LTE-U network sending the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number to the UE.
  5. The method according to claim 3 or 4, characterized in that the AUTN comprises a message authentication code MAC;
    the UE verifying the LTE network based on the first random number and the AUTN comprises:
    the UE generating an expected message authentication code XMAC based on the first random number and the parameters of the AUTN other than the MAC;
    if the XMAC and the MAC are identical, the UE determining that the LTE network passes verification.
  6. The method according to claim 4, characterized in that the UE verifying the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result comprises:
    the UE generating a second base key according to the network identifier of the LTE-U network, the first random number and the AUTN;
    the UE encrypting the second random number with the second base key to obtain a third encryption result;
    if the first encryption result equals the third encryption result, the UE determining that the LTE-U network passes verification.
  7. The method according to claim 6, characterized in that the generating the second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network comprises:
    the UE generating a third random number and encrypting the second random number and the third random number together with the second base key to obtain the second encryption result;
    correspondingly, the UE sending the second encryption result to the MME of the LTE-U network comprises:
    the UE sending the second encryption result and the third random number to the MME of the LTE-U network;
    and correspondingly, the MME of the LTE-U network verifying the UE based on the second encryption result comprises:
    the MME of the LTE-U network encrypting the second random number and the third random number together with the stored first base key to obtain a fourth encryption result;
    if the second encryption result and the fourth encryption result are equal, the MME of the LTE-U network determining that the UE passes verification.
  8. The method according to claim 2, characterized in that the MME of the LTE network sending the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE via the MME of the LTE-U network comprises:
    the MME of the LTE network storing the expected response and sending the first base key, the expected response, the first random number and the AUTN to the MME of the LTE-U network;
    when the MME of the LTE-U network receives the first base key, the expected response, the first random number and the AUTN, storing the first base key and the expected response, generating the first encryption result based on the first base key, and sending the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.
  9. The method according to claim 8, characterized in that the AUTN comprises a MAC;
    the generating the first encryption result based on the first base key comprises:
    the MME of the LTE-U network encrypting the MAC with the first base key to obtain the first encryption result.
  10. The method according to claim 9, characterized in that the UE verifying the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result comprises:
    the UE generating a second base key according to the network identifier of the LTE-U network, the first random number and the AUTN;
    the UE encrypting the MAC with the second base key to obtain a fifth encryption result;
    if the first encryption result equals the fifth encryption result, the UE determining that the LTE-U network passes verification.
  11. The method according to claim 10, characterized in that the generating the second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network comprises:
    the UE encrypting the response with the second base key to obtain the second encryption result;
    and correspondingly, the MME of the LTE-U network verifying the UE based on the second encryption result comprises:
    the MME of the LTE-U network encrypting the response with the stored first base key to obtain a sixth encryption result;
    if the expected response stored by the MME of the LTE-U network is identical to the response, and the sixth encryption result equals the second encryption result, the MME of the LTE-U network determining that the UE passes verification.
  12. The method according to claim 1, characterized in that the second attach request carries a security algorithm of the UE, and the authentication vector comprises a third base key, an expected response, a first random number and an authentication token AUTN, the third base key being a key corresponding to the LTE network;
    the interacting with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication comprises:
    the MME of the LTE network interacting with the UE based on the third base key, the expected response, the first random number and the AUTN, so that the UE verifies the LTE network and the MME of the LTE network verifies the UE;
    when the MME of the LTE network determines that the UE passes verification, generating a second random number, and generating a first base key based on the network identifier of the LTE-U network and the third base key;
    the MME of the LTE network generating a non-access stratum (NAS) key based on the security algorithm of the UE, and encrypting the second random number with the NAS key to obtain a seventh encryption result;
    the MME of the LTE network sending the first base key, the third base key, the NAS key, the network identifier of the LTE-U network, the second random number and the seventh encryption result to the MME of the LTE-U network;
    the MME of the LTE-U network encrypting the second random number with the first base key to obtain an eighth encryption result, and sending the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result to the UE;
    the UE generating a second base key based on the third base key and the network identifier of the LTE-U network, decrypting the eighth encryption result with the second base key to obtain a first decryption result, and decrypting the seventh encryption result with the NAS key to obtain a second decryption result;
    if the first decryption result and the second decryption result are identical, the UE determining that the LTE-U network passes verification.
  13. A network authentication system, characterized in that the system comprises:
    a mobility management entity (MME) of a Long Term Evolution-Unlicensed (LTE-U) network, configured to, when receiving a first attach request from a user equipment (UE), add a network identifier of the LTE-U network to the first attach request to generate a second attach request, and send the second attach request to an MME of a Long Term Evolution (LTE) network;
    the MME of the LTE network, configured to, when receiving the second attach request, send an authentication data request to a home subscriber server (HSS) based on the second attach request, the authentication data request carrying the network identifier of the LTE-U network and a network identifier of the LTE network;
    the HSS, configured to, when receiving the authentication data request, generate an authentication vector based on the network identifier of the LTE-U network and the network identifier of the LTE network, and send the authentication vector to the MME of the LTE network, the authentication vector comprising parameters for authenticating the UE, the LTE-U network and the LTE network;
    the MME of the LTE network, configured to, when receiving the authentication vector, interact with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication.
  14. The system according to claim 13, characterized in that the authentication vector comprises a first base key, an expected response, a first random number and an authentication token AUTN, the first base key being a key corresponding to the LTE-U network;
    the MME of the LTE network is specifically configured to store the expected response and to send, via the MME of the LTE-U network, the first random number, the AUTN, the network identifier of the LTE-U network and a first encryption result to the UE, the first encryption result being generated by the MME of the LTE-U network based on the first base key;
    the UE is configured to, when receiving the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result, verify the LTE network based on the first random number and the AUTN, and verify the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result;
    the UE is further configured to, when determining that both the LTE network and the LTE-U network pass verification, generate a response and generate a second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network;
    the UE is further configured to send the second encryption result to the MME of the LTE-U network and send the response to the MME of the LTE network;
    the MME of the LTE-U network is configured to, when receiving the second encryption result, verify the UE based on the second encryption result; and the MME of the LTE network is configured to, when receiving the response, verify the UE based on the expected response and the response.
  15. The system according to claim 14, wherein the MME of the LTE network is specifically configured to:
    store the expected reply information, and send the first base key, the first random number and the AUTN to the MME of the LTE-U network;
    the MME of the LTE-U network is further configured to, when receiving the first base key, the first random number and the AUTN, store the first base key, generate the first encryption result based on the first base key, and send the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.
  16. The system according to claim 15, wherein the MME of the LTE-U network is specifically configured to:
    generate a second random number, and encrypt the second random number with the first base key to obtain the first encryption result;
    send the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number to the UE.
  17. The system according to claim 15 or 16, wherein the AUTN comprises a message authentication code MAC;
    the UE is specifically configured to:
    generate an expected message authentication code XMAC based on the first random number and the parameters in the AUTN other than the MAC;
    if the XMAC and the MAC are the same, the verification of the LTE network passes.
  18. The system according to claim 16, wherein the UE is specifically configured to:
    generate a second base key according to the network identifier of the LTE-U network, the first random number and the AUTN;
    encrypt the second random number with the second base key to obtain a third encryption result;
    if the first encryption result is equal to the third encryption result, determine that the verification of the LTE-U network passes.
  19. The system according to claim 18, wherein the UE is specifically configured to:
    generate a third random number, and encrypt the second random number and the third random number together with the second base key to obtain the second encryption result;
    send the second encryption result and the third random number to the MME of the LTE-U network;
    correspondingly, the MME of the LTE-U network is specifically configured to:
    encrypt the second random number and the third random number together with the stored first base key to obtain a fourth encryption result;
    if the second encryption result and the fourth encryption result are equal, determine that the verification of the UE passes.
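The exchange of claims 14 to 19, carried through end to end as an added Python example. This is not code from the patent or from Huawei. The claims do not name the cryptographic primitives, so the example assumes HMAC-SHA256 as the key derivation function, a deterministic XOR-with-HMAC-keystream as the stand-in for "encrypt with the base key" (so that two parties holding the same key obtain equal results), an AUTN laid out as a six-byte sequence number followed by an eight-byte MAC, and constructed values for the subscriber key, the sequence number and the two network identifiers. The function names and the `run()` driver are the example's own.

```python
import hashlib
import hmac
import os

# Constructed values (not from the patent): the subscriber key shared by the UE
# and the HSS, and the identifiers of the LTE and of the third-party LTE-U network.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
LTE_ID = b"lte-operator-net"
LTEU_ID = b"lte-u-hospital-net"


def kdf(key, *parts):
    """Assumed KDF (unspecified in the claims): HMAC-SHA256 over length-prefixed parts."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def encrypt(key, data):
    """Assumed stand-in for the claims' 'encryption': XOR with an HMAC-derived keystream.
    Deterministic (equal keys give equal results) and its own inverse."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += kdf(key, b"stream", counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def hss_make_vector(k, lteu_id, lte_id, sqn):
    """Claim 14, HSS: vector = (first base key, expected reply, RAND1, AUTN = SQN || MAC)."""
    rand1 = os.urandom(16)
    mac = kdf(k, b"mac", sqn, rand1)[:8]
    autn = sqn + mac
    xres = kdf(k, b"res", lte_id, rand1)[:8]
    # The first base key is bound to the LTE-U identifier, RAND1 and AUTN, which is
    # exactly what lets the UE re-derive it as the second base key in claim 18.
    kbase1 = kdf(k, b"base", lteu_id, rand1, autn)
    return kbase1, xres, rand1, autn


def lteu_mme_challenge(kbase1, rand1, autn, lteu_id):
    """Claims 15 and 16, LTE-U MME: RAND2 encrypted under the first base key."""
    rand2 = os.urandom(16)
    enc1 = encrypt(kbase1, rand2)
    return {"rand1": rand1, "autn": autn, "lteu_id": lteu_id, "enc1": enc1, "rand2": rand2}


def ue_handle_challenge(k, lte_id, msg):
    """Claims 17 to 19, UE: returns (reply for the LTE MME, message for the LTE-U MME),
    or None if either network fails verification."""
    sqn, mac = msg["autn"][:6], msg["autn"][6:]
    xmac = kdf(k, b"mac", sqn, msg["rand1"])[:8]
    if not hmac.compare_digest(xmac, mac):
        return None                                   # claim 17: LTE network rejected
    kbase2 = kdf(k, b"base", msg["lteu_id"], msg["rand1"], msg["autn"])
    enc3 = encrypt(kbase2, msg["rand2"])
    if not hmac.compare_digest(enc3, msg["enc1"]):
        return None                                   # claim 18: LTE-U network rejected
    res = kdf(k, b"res", lte_id, msg["rand1"])[:8]    # the UE knows LTE_ID from its attach
    rand3 = os.urandom(16)
    enc2 = encrypt(kbase2, msg["rand2"] + rand3)      # claim 19: RAND2 and RAND3 together
    return res, {"enc2": enc2, "rand3": rand3}


def lteu_mme_verify_ue(kbase1, rand2, reply):
    """Claim 19, LTE-U MME: the fourth encryption result must equal the second."""
    enc4 = encrypt(kbase1, rand2 + reply["rand3"])
    return hmac.compare_digest(enc4, reply["enc2"])


def lte_mme_verify_ue(xres, res):
    """Claim 14, LTE MME: the reply must match the stored expected reply information."""
    return hmac.compare_digest(xres, res)


def run(ue_key=K, advertised_lteu_id=LTEU_ID):
    """Drive the exchange; True only if all four checks pass. The parameters simulate a UE
    with the wrong subscriber key, or an LTE-U MME advertising an identifier the HSS did not bind."""
    sqn = (42).to_bytes(6, "big")                     # constructed sequence number
    kbase1, xres, rand1, autn = hss_make_vector(K, LTEU_ID, LTE_ID, sqn)  # HSS -> LTE MME
    msg = lteu_mme_challenge(kbase1, rand1, autn, advertised_lteu_id)   # LTE-U MME -> UE
    result = ue_handle_challenge(ue_key, LTE_ID, msg)
    if result is None:
        return False
    res, reply = result
    return lteu_mme_verify_ue(kbase1, msg["rand2"], reply) and lte_mme_verify_ue(xres, res)


if __name__ == "__main__":
    print("full exchange:", run())
    print("wrong subscriber key:", run(ue_key=bytes(16)))
    print("LTE-U MME with unbound identifier:", run(advertised_lteu_id=b"other-lte-u"))
```

The two failure paths show what the binding buys a defender: a UE holding a different subscriber key is rejected at the claim 17 MAC check before any base key is derived, and an LTE-U MME that advertises an identifier other than the one the HSS folded into the first base key fails the claim 18 comparison, because the second base key the UE derives no longer matches the key under which the challenge was produced.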
  20. The system according to claim 14, wherein the MME of the LTE network is specifically configured to:
    store the expected reply information, and send the first base key, the expected reply information, the first random number and the AUTN to the MME of the LTE-U network;
    the MME of the LTE-U network is configured to, when receiving the first base key, the expected reply information, the first random number and the AUTN, store the first base key and the expected reply information, generate the first encryption result based on the first base key, and send the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.
  21. The system according to claim 20, wherein the AUTN comprises a MAC;
    the MME of the LTE-U network is specifically configured to:
    encrypt the MAC with the first base key to obtain the first encryption result.
  22. The system according to claim 21, wherein the UE is specifically configured to:
    generate a second base key according to the network identifier of the LTE-U network, the first random number and the AUTN;
    encrypt the MAC with the second base key to obtain a fifth encryption result;
    if the first encryption result is equal to the fifth encryption result, determine that the verification of the LTE-U network passes.
  23. The system according to claim 22, wherein the UE is specifically configured to:
    encrypt the reply information with the second base key to obtain the second encryption result;
    correspondingly, the MME of the LTE-U network is specifically configured to:
    encrypt the reply information with the stored first base key to obtain a sixth encryption result;
    if the expected reply information stored by the MME of the LTE-U network is the same as the reply information, and the sixth encryption result is equal to the second encryption result, determine that the verification of the UE passes.
  24. The system according to claim 13, wherein the second attach request carries a security algorithm of the UE, and the authentication vector comprises a third base key, expected reply information, a first random number and an authentication token AUTN, the third base key being a key corresponding to the LTE network;
    the MME of the LTE network is specifically configured to interact with the UE based on the third base key, the expected reply information, the first random number and the AUTN, so as to implement verification of the LTE network by the UE and verification of the UE by the MME of the LTE network;
    the MME of the LTE network is further configured to, when it determines that the verification of the UE passes, generate a second random number, and generate a first base key based on the network identifier of the LTE-U network and the third base key;
    the MME of the LTE network is further configured to generate a non-access stratum (NAS) key based on the security algorithm of the UE, and encrypt the second random number with the NAS key to obtain a seventh encryption result;
    the MME of the LTE network is further configured to send the first base key, the third base key, the NAS key, the network identifier of the LTE-U network, the second random number and the seventh encryption result to the MME of the LTE-U network;
    the MME of the LTE-U network is specifically configured to encrypt the second random number with the first base key to obtain an eighth encryption result, and send the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result to the UE;
    the UE is specifically configured to generate a second base key based on the third base key and the network identifier of the LTE-U network, decrypt the eighth encryption result with the second base key to obtain a first decryption result, and decrypt the seventh encryption result with the NAS key to obtain a second decryption result;
    the UE is further configured to determine that the verification of the LTE-U network passes if the first decryption result and the second decryption result are the same.
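The claim 24 variant differs from claims 14 to 19 in that the LTE network, having already authenticated the UE, vouches for the LTE-U network by transporting a first base key derived from the third base key, and the UE accepts the LTE-U network when the eighth and seventh encryption results decrypt to the same second random number. The following is an added Python example of that decrypt-and-compare step; it is not code from the patent or from Huawei. The claims do not name the primitives, so it assumes HMAC-SHA256 as the key derivation function, a 16-byte XOR-with-HMAC-keystream as a reversible stand-in for the cipher, and constructed values for the third base key, the LTE-U identifier and the security-algorithm label. In this example the UE uses the third base key and NAS key it already holds from its own run with the LTE network (deriving the NAS key from the same security algorithm) and ignores the copies carried in the forwarded message; that is a design choice of the example, so that the comparison binds the LTE-U network to a key the UE already trusts.

```python
import hashlib
import hmac
import os

# Constructed values (not from the patent).
K3 = bytes.fromhex("101112131415161718191a1b1c1d1e1f")  # third base key (LTE network)
LTEU_ID = b"lte-u-hospital-net"
UE_SECURITY_ALG = b"alg-label-1"                         # security algorithm from the attach request


def derive(key, *parts):
    """Assumed KDF (unspecified in the claims): HMAC-SHA256 over length-prefixed parts."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def xor_crypt(key, block16):
    """Assumed reversible cipher stand-in: XOR a 16-byte block with an HMAC-derived keystream."""
    return bytes(a ^ b for a, b in zip(block16, derive(key, b"stream")[:16]))


def lte_mme_after_ue_verified(k3, lteu_id, ue_alg):
    """Claim 24, LTE MME (after the UE passed): derive the first base key from the third base key
    and the LTE-U identifier, derive the NAS key from the UE's algorithm, encrypt RAND2 under it."""
    rand2 = os.urandom(16)
    kbase1 = derive(k3, b"base", lteu_id)
    nas_key = derive(k3, b"nas", ue_alg)
    enc7 = xor_crypt(nas_key, rand2)                     # seventh encryption result
    return {"kbase1": kbase1, "k3": k3, "nas_key": nas_key,
            "lteu_id": lteu_id, "rand2": rand2, "enc7": enc7}


def lteu_mme_forward(msg):
    """Claim 24, LTE-U MME: encrypt RAND2 under the first base key (eighth result) and forward."""
    enc8 = xor_crypt(msg["kbase1"], msg["rand2"])
    return {"k3": msg["k3"], "nas_key": msg["nas_key"], "lteu_id": msg["lteu_id"],
            "enc7": msg["enc7"], "enc8": enc8}


def ue_verify_lteu(own_k3, own_nas_key, msg):
    """Claim 24, UE: derive the second base key from its own third base key and the advertised
    LTE-U identifier, decrypt both results, accept only if they yield the same RAND2."""
    kbase2 = derive(own_k3, b"base", msg["lteu_id"])
    dec1 = xor_crypt(kbase2, msg["enc8"])                # first decryption result
    dec2 = xor_crypt(own_nas_key, msg["enc7"])           # second decryption result
    return hmac.compare_digest(dec1, dec2)


def run(advertised_lteu_id=None):
    """Drive the exchange; an advertised identifier other than the one the LTE MME used
    makes the UE's second base key differ from the first base key, so verification fails."""
    to_lteu = lte_mme_after_ue_verified(K3, LTEU_ID, UE_SECURITY_ALG)
    if advertised_lteu_id is not None:
        to_lteu["lteu_id"] = advertised_lteu_id
    to_ue = lteu_mme_forward(to_lteu)
    ue_nas_key = derive(K3, b"nas", UE_SECURITY_ALG)     # UE derives its NAS key locally
    return ue_verify_lteu(K3, ue_nas_key, to_ue)


if __name__ == "__main__":
    print("LTE-U network accepted:", run())
    print("LTE-U MME with unbound identifier:", run(advertised_lteu_id=b"other-lte-u"))
```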
PCT/CN2018/093319 2017-06-28 2018-06-28 Network authentication method and system WO2019001509A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710510229.3 2017-06-28
CN201710510229.3A CN109151816B (en) 2017-06-28 2017-06-28 Network authentication method and system

Publications (1)

Publication Number Publication Date
WO2019001509A1 true WO2019001509A1 (en) 2019-01-03

Family

ID=64741115

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/093319 WO2019001509A1 (en) 2017-06-28 2018-06-28 Network authentication method and system

Country Status (2)

Country Link
CN (1) CN109151816B (en)
WO (1) WO2019001509A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106455065A (en) * 2015-08-06 2017-02-22 阿尔卡特朗讯 Method and device to control the use of unauthorized frequency band
CN106851662A (en) * 2017-01-18 2017-06-13 京信通信技术(广州)有限公司 A kind of unlicensed spectrum resource allocation methods and device
CN106888482A (en) * 2015-12-15 2017-06-23 展讯通信(上海)有限公司 The method of terminal, LTE-U base stations and its communication

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9942762B2 (en) * 2014-03-28 2018-04-10 Qualcomm Incorporated Provisioning credentials in wireless communications
US20150326612A1 (en) * 2014-05-06 2015-11-12 Qualcomm Incorporated Techniques for network selection in unlicensed frequency bands
US20170339626A1 (en) * 2014-11-12 2017-11-23 Nokia Solutions And Networks Oy Method, apparatus and system
US10349338B2 (en) * 2015-02-25 2019-07-09 Kyocera Corporation Determining whether to configure a user terminal in a country based on authentication
CN106470382A (en) * 2015-08-14 2017-03-01 中兴通讯股份有限公司 Authority checking method, configuration information method of reseptance, device, base station and terminal

Also Published As

Publication number Publication date
CN109151816B (en) 2020-08-07
CN109151816A (en) 2019-01-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18824492

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18824492

Country of ref document: EP

Kind code of ref document: A1