WO2020199700A1 - Authentication method and communication apparatus - Google Patents


Info

Publication number
WO2020199700A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
type information
authentication vector
network element
vector
Application number
PCT/CN2020/070143
Other languages
French (fr)
Chinese (zh)
Inventor
李飞
李华
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Published as WO2020199700A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 8/00: Network data management
    • H04W 8/02: Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W 8/08: Mobility data transfer
    • H04W 8/14: Mobility data transfer between corresponding nodes
    • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/06: Authentication

Definitions

  • This application relates to the field of communication technology, and in particular to an authentication method and communication device.
  • UDM: unified data management
  • HSS: home subscriber server
  • MME: mobility management entity
  • depending on the scenario, UDM requests either a 4G authentication vector or a 5G authentication vector from the HSS, but the current HSS cannot distinguish which authentication vector is being requested.
  • the HSS may provide a 4G authentication vector by default, so the UDM obtains a 4G authentication vector from the HSS and cannot complete 5G authentication.
  • alternatively, the HSS would have to be made service-oriented so that it can communicate with UDM through a service-based interface, but that change to the HSS is relatively large and complex.
  • the embodiments of the present application provide an authentication method and a communication device to solve the technical problem that UDM cannot complete 5G authentication in a scenario where UDM and HSS are deployed separately.
  • embodiments of the present application provide an authentication method, which can be applied to a data management network element, for example UDM; correspondingly, the home user server can be HSS.
  • the method includes: a data management network element sends an authentication vector acquisition request to a home user server, the authentication vector acquisition request includes authentication type information, and the authentication type information is used to indicate the type of the authentication vector requested; the data management network element receives the authentication vector sent by the home user server, and the authentication vector is generated by the home user server according to the authentication type information.
  • the data management network element can use the authentication type information in the authentication vector acquisition request to directly or indirectly indicate the type of authentication vector currently requested, for example a 5G authentication vector, so that the home user server can provide it with a 5G authentication vector and support the data management network element in completing 5G authentication. This solves the problem that, when UDM and HSS are deployed separately but the authentication data is stored in the HSS, the parameters UDM and HSS use when authenticating the terminal device are inconsistent. At the same time, it avoids having to transform the HSS into a service-based network element to support UDM in 5G authentication.
  • the authentication vector includes the first expected response XRES*, the first authentication token AUTN, the authentication service key Kausf, and the random number RAND.
  • the 5G authentication vector generated by the HSS can support UDM to complete 5G authentication in the manner of 5G AKA, thereby improving the applicability of the authentication method.
  • the authentication vector includes the second expected response XRES, the second authentication token AUTN, the first encryption key CK, the first integrity key IK, and the random number RAND; the AMF indicator bit of the authentication management field of the second AUTN is a set value, for example 1.
  • the data management network element can also determine the second encryption key CK' and the second integrity key IK'.
  • the data management network element may determine CK' and IK' after receiving the authentication vector.
  • the 5G authentication vector generated by HSS can support UDM to complete 5G authentication in the EAP-AKA' way, avoiding an excessive amount of computation in the HSS when generating the 5G authentication vector and large changes to the HSS, and improving the applicability of the authentication method.
  • the authentication vector acquisition request includes the international mobile subscriber identity IMSI of the terminal device, and the IMSI is used to instruct the home user server to provide the authentication vector corresponding to the terminal device; the IMSI is obtained by the data management network element from the subscription permanent identifier SUPI of the terminal device.
  • UDM can carry the IMSI of the terminal device when requesting an authentication vector from the HSS. This avoids the problem that the user identifier at UDM is SUPI while the user identifier at HSS is IMSI, so that the identifiers used in the two locations are inconsistent and the HSS cannot tell which terminal device's authentication vector is being requested.
  • the authentication type information may include any one of access mode type information, service network type information, authentication vector type information, and authentication network element type information.
  • the authentication type information can indicate the type of authentication vector required in multiple possible ways: it can use an existing information element in the authentication vector acquisition request, or a newly added information element, which effectively improves the applicability of the authentication method.
  • the embodiments of the present application provide another authentication method, which can be applied to a home user server, such as an HSS, and correspondingly, the data management network element can be UDM.
  • the method includes: a home user server receives an authentication vector acquisition request sent by a data management network element, the authentication vector acquisition request includes authentication type information, and the authentication type information is used to indicate the type of the requested authentication vector; the home user server generates an authentication vector according to the authentication type information, and sends the authentication vector to the data management network element.
  • because the authentication vector acquisition request sent by the data management network element includes authentication type information, the home user server can identify from it the type of authentication vector requested by the data management network element, for example a 5G authentication vector.
  • this supports UDM in completing 5G authentication and solves the problem that, when UDM and HSS are deployed separately but the authentication data is stored in HSS, the calculation parameters of UDM and HSS are inconsistent. At the same time, it avoids having to transform HSS into a service-based network element to support UDM in 5G authentication.
  • the authentication vector includes the first expected response XRES*, the first authentication token AUTN, the authentication service key Kausf, and the random number RAND.
  • the 5G authentication vector generated by the HSS can support UDM to complete 5G authentication in the manner of 5G AKA, thereby improving the applicability of the authentication method.
  • the authentication vector includes a second expected response XRES, a second authentication token AUTN, a first encryption key CK, a first integrity key IK, and a random number RAND.
  • the AMF indicator bit of the authentication management field of the second AUTN is a set value, for example 1.
  • CK and IK are used by the data management network element to determine the second encryption key CK' and the second integrity key IK'.
  • the data management network element may determine CK' and IK' according to CK and IK after receiving the authentication vector sent by the home user server.
  • the 5G authentication vector generated by HSS can support UDM to complete 5G authentication in the EAP-AKA' way, thereby avoiding an excessive amount of computation in the HSS when generating the 5G authentication vector and large changes to the HSS, and improving the applicability of the authentication method.
  • the authentication vector acquisition request may include the international mobile subscriber identity IMSI of the terminal device;
  • the IMSI is used to instruct the home user server to provide the authentication vector corresponding to the terminal device;
  • the IMSI is obtained by the data management network element from the subscription permanent identifier SUPI of the terminal device.
  • UDM can carry the IMSI of the terminal device when requesting the authentication vector from the HSS, which effectively avoids the problem that the user identifier at UDM is SUPI while the user identifier at HSS is IMSI, so that the identifiers used in the two locations are inconsistent and the HSS does not know which terminal device's authentication vector is being requested.
  • the authentication type information may include any one of access mode type information, service network type information, authentication vector type information, and authentication network element type information.
  • the authentication type information can indicate the type of authentication vector required in multiple possible ways: it can use an existing information element in the authentication vector acquisition request, or a newly added information element, which effectively improves the applicability of the authentication method.
  • an embodiment of the present application provides a communication device.
  • the communication device may have the function of realizing the data management network element in the first aspect or any of the possible designs of the first aspect.
  • the communication device may be a data management network element, such as UDM, a chip included in a data management network element, or another communication device used to implement the functions of the data management network element.
  • the communication device may also have the function of implementing the home user server in the second aspect or any of the possible designs of the second aspect.
  • the communication device may be the home user server, a chip included in the home user server, or another communication device used to implement the functions of the home user server.
  • the above-mentioned functions may be realized by hardware, or may be realized by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the communication device includes a processing module and a transceiver module, wherein the processing module is configured to support the communication device in performing the corresponding function in the first aspect or any possible design of the first aspect, or the corresponding function in the second aspect or any possible design of the second aspect.
  • the transceiver module is used to support communication between the communication device and other communication equipment. For example, when the communication device is a data management network element, the transceiver module sends an authentication vector acquisition request to the home user server, and when the communication device is a home user server, the transceiver module sends the authentication vector to the data management network element.
  • the communication device may also include a storage module, which is coupled with the processing module, which stores program instructions and data necessary for the communication device.
  • the processing module may be a processor
  • the communication module may be a transceiver
  • the storage module may be a memory.
  • the memory may be integrated with the processor or may be provided separately from the processor, which is not limited in this application.
  • the structure of the communication device includes a processor and a memory, and the processor is coupled to the memory and can be used to execute computer program instructions stored in the memory, so that the communication device executes the method in the first aspect or any possible design of the first aspect.
  • the communication device further includes a communication interface, and the processor is coupled with the communication interface.
  • the communication interface may be a transceiver or an input/output interface; when the communication device is a chip included in the first network device, the communication interface may be an input/output interface of the chip.
  • the transceiver may be a transceiver circuit, and the input/output interface may be an input/output circuit.
  • an embodiment of the present application provides a chip system, including a processor coupled to a memory, where the memory is used to store a program or instructions; when the program or instructions are executed by the processor, the chip system implements the method of any possible design of the foregoing first aspect, or the method of any possible design of the foregoing second aspect.
  • there may be one or more processors in the chip system.
  • the processor can be implemented by hardware or software.
  • the processor may be a logic circuit, an integrated circuit, or the like.
  • the processor can be a general-purpose processor, implemented by reading software codes stored in the memory.
  • the memory may be integrated with the processor, or may be provided separately from the processor, which is not limited in this application.
  • the memory may be a non-transitory memory, such as a read-only memory ROM, which may be integrated with the processor on the same chip or set on different chips.
  • the setting method of the processor is not specifically limited.
  • an embodiment of the present application provides a computer-readable storage medium, which stores computer-readable instructions.
  • when the computer reads and executes the computer-readable instructions, the computer is caused to execute the method in any possible design of the first aspect, or the method in any possible design of the second aspect.
  • the embodiments of the present application provide a computer program product.
  • when the computer reads and executes the computer program product, the computer executes the method in any possible design of the first aspect, or the method in any possible design of the second aspect.
  • an embodiment of the present application provides a communication system, which includes one or more network elements of the data management network element and the home user server described in the foregoing aspect.
  • FIG. 1 is a schematic diagram of a network architecture of a communication system to which an embodiment of this application is applicable;
  • FIG. 2 is a schematic flowchart of an authentication method provided by an embodiment of this application.
  • FIG. 3a and FIG. 3b are schematic diagrams of another flow of an authentication method provided by an embodiment of this application.
  • FIG. 4 is a schematic structural diagram of a communication device provided by an embodiment of this application.
  • FIG. 5 is a schematic diagram of another structure of a communication device provided by an embodiment of this application.
  • LTE: long term evolution
  • LTE-A: advanced long term evolution
  • UMTS: universal mobile telecommunication system
  • eLTE: evolved long term evolution
  • 5G: 5th generation
  • FIG. 1 is a network architecture diagram of a communication system to which this embodiment of the application applies.
  • the communication system takes a 5G communication system as an example, including: an authentication server function (AUSF) network element, a unified data management (UDM) network element, an access and mobility management function (AMF) network element, a session management function (SMF) network element, a policy control function (PCF) network element, an application function (AF) network element, a user plane function (UPF) network element, a data network (DN), a (radio) access network ((R)AN), and terminal equipment (user equipment, UE).
  • AUSF: authentication server function
  • UDM: unified data management
  • AMF: access and mobility management function
  • SMF: session management function
  • PCF: policy control function
  • AF: application function
  • UPF: user plane function
  • DN: data network
  • (R)AN: (radio) access network
  • UE: terminal equipment (user equipment)
  • network elements are logically interconnected through service-oriented interfaces.
  • the terminal equipment and the AMF are interconnected through the N1 interface
  • (R)AN and AMF are interconnected through the N2 interface
  • (R)AN and UPF are interconnected through the N3 interface
  • UPF and SMF are interconnected through the N4 interface
  • PCF and AF are interconnected through N5 interface
  • UPF and DN are interconnected through N6 interface
  • SMF and PCF are interconnected through N7 interface
  • AMF and UDM are interconnected through N8 interface.
  • UPF and UPF are interconnected through N9 interface
  • UDM and SMF are interconnected through N10 interface
  • SMF and AMF are interconnected through N11 interface
  • AMF and AUSF are interconnected through N12 interface
  • AUSF and UDM are interconnected through the N13 interface
  • the AMF and the AMF are interconnected through the N14 interface
  • the AMF and the PCF are interconnected through the N15 interface.
  • the communication system provided by the embodiments of this application may also include a home subscriber server (HSS) retained during the evolution of the 4G network to the 5G network; the HSS is used to store user subscription data of the 4G network and location information of the mobile terminal, and to generate the authentication vector.
  • the HSS can communicate with the UDM in the 5G network and the mobility management entity (MME) in the 4G network through different protocol interfaces.
  • the authentication method provided in the embodiment of the present application mainly involves AMF, AUSF, UDM, and HSS in the above-mentioned network architecture.
  • AMF is used to be responsible for the access management and mobility management of terminal equipment, for example, the management of terminal equipment in terms of access authorization/authentication.
  • the AMF of the serving network will call the UE authentication request service provided by the home network AUSF, receive the authentication vector returned by the home network AUSF as the response of the UE authentication request service, for example a 5G authentication vector, and complete the authentication of the terminal device in the serving network.
  • the AMF can initiate a registration process to obtain user subscription data in UDM.
  • the AUSF is used for authentication. After the UE authentication request service provided by the home network AUSF is invoked, the AUSF may further invoke the UE authentication acquisition request service provided by UDM to apply for an authentication vector, for example a 5G authentication vector.
  • UDM is used for unified data management, such as managing user subscription data for 5G networks.
  • UDM can further send an authentication vector acquisition request message to the HSS, and receive the authentication vector returned by the HSS.
  • FIG. 2 is a schematic flowchart of an authentication method provided by an embodiment of this application.
  • the method includes the following steps S201 to S202:
  • Step S201: the data management network element sends an authentication vector acquisition request to the home user server, where the authentication vector acquisition request includes authentication type information, and the authentication type information is used to indicate the type of the requested authentication vector.
  • the data management network element may be UDM
  • the home user server may be HSS.
  • the authentication vector acquisition request sent by UDM to HSS may include authentication type information, which is used to indicate the type of authentication vector requested by UDM, that is, that the request is for a 5G authentication vector or that the authentication vector acquisition request is related to 5G authentication.
  • the authentication vector refers to a set of parameters used for authentication.
  • the authentication type information can be an existing field or information element in the authentication vector acquisition request, or a newly added field or information element, which is not limited in this application.
  • the authentication type information can have multiple possible implementations.
  • the authentication type information can be access mode type information, service network type information, authentication vector type information, authentication network element type information, and so on, which effectively improves the applicability of the authentication method provided in the embodiments of the present application.
  • when the authentication type information is access mode type information, UDM can indicate through it that the current access mode is 5G access, so that the HSS knows that a 5G authentication vector is being requested.
  • when the authentication type information is service network type information, UDM can indicate through it that the current service network is a 5G network, so that the HSS knows that a 5G authentication vector is being requested.
  • when the authentication type information is authentication vector type information, UDM can indicate through it that a 5G authentication vector needs to be obtained, so that the HSS can subsequently provide a 5G authentication vector.
  • when the authentication type information is authentication network element type information, UDM can indicate through it that the requester is UDM, or that the authentication vector acquisition request is sent by UDM; because UDM is a 5G network element, after the HSS receives this authentication vector acquisition request it will provide UDM with a 5G authentication vector.
  • UDM can use the authentication type information in the authentication vector acquisition request to directly or indirectly indicate that the current request is for a 5G authentication vector, so that the HSS can provide the corresponding 5G authentication vector and support UDM in completing 5G authentication, effectively avoiding the service-oriented transformation of the HSS that would otherwise be needed to support UDM in 5G authentication.
  • the authentication vector acquisition request may also include the international mobile subscriber identity (IMSI) of the terminal device.
  • the IMSI is obtained by UDM from the subscription permanent identifier (SUPI) of the terminal device and is used to instruct the HSS to provide the authentication vector of the terminal device.
  • SUPI: subscription permanent identifier of the terminal device
  • UDM can remove the type in the SUPI to extract the IMSI.
  • UDM can carry the IMSI of the terminal device when requesting the 5G authentication vector from the HSS, which effectively avoids the problem that the user identifier of UDM is SUPI while the user identifier of the HSS is IMSI, so that the HSS does not know which terminal device's authentication vector is being requested.
  • the AMF can call the UE authentication request service provided by the AUSF. Then, AUSF can invoke the UE authentication acquisition request service provided by UDM, and then trigger UDM to send an authentication vector acquisition request to HSS.
  • the authentication vector acquisition request may also be called an authentication vector acquisition request message, or it may have other names. This application is not limited.
  • Step S202: the home user server generates an authentication vector according to the authentication type information, and sends the authentication vector to the data management network element.
  • the HSS receives the authentication vector acquisition request, and according to the authentication type information in the authentication vector acquisition request, it can be determined that the current request is the 5G authentication vector. After that, the HSS can generate a 5G authentication vector based on the authentication type information, and send it to UDM.
  • the HSS may obtain the IMSI of the terminal device in the request and the authentication type information according to the authentication vector, and generate the 5G authentication vector of the terminal device.
  • 5G AKA: 5G authentication and key agreement
  • the 5G authentication vector issued by the HSS may include a first expected response (XRES*), a first authentication token (AUTN), an authentication service key Kausf, and a random number RAND.
  • XRES* is calculated by HSS with CK
  • AUTN is a parameter that the network provides to the UE and uses it to authenticate the network.
  • Kausf is UDM with CK
  • RAND is an unpredictable random number provided by the network to the UE.
  • KDF: HMAC-SHA-256(Key, S)
  • HMAC: hash-based message authentication code
  • SHA: secure hash algorithm
  • an extensible authentication protocol authentication and key agreement (EAP-AKA') method can also be used for authentication.
  • the 5G authentication vector issued by the HSS may include the quintuple of the second expected response XRES (expected response), the second authentication token AUTN, the first encryption key CK (cipher key), the first integrity key IK (integrity key), and the random number RAND.
  • the authentication management field (AMF, here the field inside AUTN rather than the AMF network element) indicator bit of the second AUTN in the quintuple is a set value, for example 1. After UDM receives the quintuple, it calculates the other authentication parameters, such as the second encryption key CK' and the second integrity key IK'.
  • the HSS provided in the embodiments of the present application can provide different 5G authentication vectors for different authentication methods.
  • the HSS can select which 5G authentication vector to generate according to the configuration, thereby making the authentication method provided in this application more flexible.
  • Step S203: the data management network element receives the authentication vector sent by the home user server.
  • in the 5G AKA authentication mode, after UDM receives the 5G authentication vector (including XRES*, AUTN, Kausf, and RAND), as shown in FIG. 3a, UDM can send to AUSF the response of the UE authentication acquisition request service; the response includes the above 5G authentication vector and triggers the subsequent authentication process.
  • the subsequent authentication process may include: after AUSF receives the above 5G authentication vector, temporarily saves XRES* and Kausf, and calculates HXRES* according to XRES*.
  • AUSF sends a UE authentication request service response to AMF, which carries AUTN, HXRES*, and RAND.
  • the AMF sends an authentication request message to the UE.
  • the authentication request message includes AUTN and RAND.
  • the UE confirms the freshness of the authentication vector by verifying whether the AUTN can be accepted. If the AUTN can be accepted, the UE calculates the authentication response RES* and sends an authentication request response to the AMF.
  • the authentication request response includes the RES* .
  • the AMF can calculate the corresponding HRES* according to the received RES*, and compare the HRES* with the stored HXRES*. If the HRES* is consistent with the HXRES*, it is considered that the UE has successfully authenticated in the access network. After that, the AMF can send an authentication request message to the AUSF, and the authentication request message includes the RES* received by the AMF from the UE. After receiving the authentication request message, the AUSF judges whether the authentication vector has expired. If it expires, the UE is considered to have failed authentication from the perspective of the home network. Otherwise, the RES* is compared with the saved XRES*.
  • the AUSF may send an authentication request response to the AMF, and the response includes the authentication result of the UE in the home network.
  • in the EAP-AKA' authentication mode, after UDM receives the 5G authentication vector (that is, the quintuple of XRES, AUTN, CK, IK, and RAND), it can use the CK and IK in the quintuple to determine the second encryption key CK' and the second integrity key IK', and replace the original CK and IK in the authentication vector with CK' and IK' to obtain the converted 5G authentication vector. After that, as shown in FIG. 3b, UDM can send the response of the UE authentication acquisition request service to AUSF; the response includes the converted 5G authentication vector, that is, the quintuple of XRES, AUTN, CK', IK', and RAND, and triggers the subsequent authentication process.
  • the subsequent authentication process may include: AUSF may send a UE authentication request service response to AMF, and the response includes AUTN and RAND.
  • the AMF sends an authentication request message to the UE, and the obtained RAND and AUTN are forwarded to the UE through the authentication request message.
  • after the UE receives the authentication request message, it first verifies the freshness of the authentication vector by checking whether the AUTN can be accepted. If the AUTN is acceptable, the UE has successfully authenticated the network, and the UE calculates an authentication response RES. Subsequently, the UE sends an authentication request response to the AMF, and the authentication request response includes the RES.
  • after the AMF receives the authentication request response, it sends an authentication request message to AUSF.
  • the authentication request message includes the RES returned by the UE.
  • AUSF verifies whether the RES is consistent with the stored XRES. If they are consistent, the UE authentication is considered successful.
  • AUSF can also calculate the authentication service key Kausf based on CK' and IK', and notify UDM of the authentication result of the UE.
  • because UDM calculates the second encryption key CK' and the second integrity key IK' from the quintuple sent by the HSS, the amount of computation in the HSS when generating the 5G authentication vector is effectively reduced, and the changes to the HSS are smaller.
  • FIG. 4 is a schematic structural diagram of a communication device provided in an embodiment of this application.
  • The communication device 400 includes a transceiver module 410 and a processing module 420.
  • The communication device can be used as a data management network element to implement the functions related to the data management network element in any of the foregoing method embodiments, or as a home subscriber server to implement the functions related to the home subscriber server in any of the foregoing method embodiments.
  • When the communication device acts as a data management network element, the transceiver module 410 is configured to send an authentication vector acquisition request to the home subscriber server and to receive the authentication vector sent by the home subscriber server, and the processing module 420 is configured to generate the authentication vector acquisition request.
  • When the communication device acts as a home subscriber server, the transceiver module 410 is configured to receive the authentication vector acquisition request sent by the data management network element and to send the generated authentication vector to the data management network element, and the processing module 420 is configured to generate the authentication vector according to the authentication type information.
  • The processing module 420 of the communication device may be implemented by a processor or processor-related circuit components, and the transceiver module 410 may be implemented by a transceiver or transceiver-related circuit components.
  • The communication device 400 provided in the embodiment of this application may correspond to the data management network element or the home subscriber server in the method S201 to S203 provided in the embodiment of this application.
  • The operations and/or functions of each module in the communication device implement the corresponding procedures of the method shown in FIG. 2; for brevity, details are not repeated here.
  • The communication device 500 includes a processor 510, a memory 520 and a communication interface 530.
  • The communication device 500 further includes an input device 540, an output device 550 and a bus 560.
  • The processor 510, the memory 520, the communication interface 530, the input device 540 and the output device 550 are connected to each other through the bus 560.
  • The memory 520 stores instructions or programs, and the processor 510 is configured to execute the instructions or programs stored in the memory 520.
  • The processor 510 is used to perform the operations performed by the processing module 420 in the foregoing embodiment, and the communication interface 530 is used to perform the operations performed by the transceiver module 410 in the foregoing embodiment.
  • The communication device 500 provided by the embodiment of this application may correspond to the data management network element or the home subscriber server that executes the authentication method S201 to S203 provided by the embodiment of the present invention, and has the functions of each module; those operations and/or functions implement the corresponding procedures of the methods shown in FIG. 2, or in FIG. 3a and FIG. 3b, respectively. For brevity, they are not repeated here.
  • An embodiment of this application also provides a chip system, including a processor coupled with a memory; the memory is used to store a program or instructions which, when executed by the processor, cause the chip system to implement the method in any of the foregoing method embodiments.
  • There may be one or more processors in the chip system.
  • The processor may be implemented by hardware or by software: it may be a logic circuit, an integrated circuit or the like, or it may be a general-purpose processor that works by reading software code stored in the memory.
  • The memory may be integrated with the processor, or may be provided separately from the processor, which is not limited in this application.
  • The memory may be non-transitory, such as a read-only memory (ROM), and may be integrated with the processor on the same chip or placed on a different chip; the arrangement of the processor and memory is not specifically limited.
  • The chip system may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or another integrated chip.
  • Each step of the foregoing method embodiments may be completed by an integrated logic circuit of the hardware in the processor or by instructions in the form of software; the steps of the methods disclosed in the embodiments of this application may be directly executed by a hardware processor, or by a combination of hardware and software modules in the processor.
  • An embodiment of this application also provides a computer-readable storage medium that stores computer-readable instructions; when a computer reads and executes those instructions, the computer is caused to execute the method in any of the foregoing method embodiments.
  • The embodiments of this application also provide a computer program product; when a computer reads and executes the computer program product, the computer is caused to execute the method in any of the foregoing method embodiments.
  • The embodiments of this application also provide a communication system, which includes one or more of the data management network element and the home subscriber server described in the foregoing method embodiments.
  • The processor mentioned in the embodiments of this application may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
  • The memory mentioned in the embodiments of this application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM) or a flash memory.
  • The volatile memory may be a random access memory (RAM), which is used as an external cache.
  • By way of example, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM) and direct rambus RAM (DR RAM).
  • the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component
  • the memory storage module
  • The sequence numbers of the foregoing processes do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
  • The disclosed system, device and method may be implemented in other ways.
  • The device embodiments described above are only illustrative.
  • The division of the units is only a logical functional division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • The mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • The units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • The functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • If the function is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
  • On this basis, the technical solution of this application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the method described in each embodiment of this application.
  • The aforementioned storage media include a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.

Abstract

Provided in the embodiments of the present invention are an authentication method and a communication apparatus. The method comprises: a data management network element sending an authentication vector acquisition request to a home subscriber server, the authentication vector acquisition request comprising authentication type information; and the home subscriber server generating an authentication vector according to the authentication type information, and sending the authentication vector to the data management network element. As such, the data management network element may directly or indirectly indicate the type of the currently requested authentication vector by means of the authentication type information in the authentication vector acquisition request; for example, the authentication vector may be a 5G authentication vector, so that the home subscriber server provides the 5G authentication vector to the data management network element and supports it in completing 5G authentication. This solves the problem that, when UDM and an HSS are deployed separately but the authentication data is stored in the HSS, the calculation parameters of the UDM and the HSS are inconsistent during authentication of a terminal device. At the same time, the need for service-oriented transformation of the HSS in order to support 5G authentication by the UDM is avoided.

Description

An authentication method and communication device
Cross-reference to related applications
This application claims priority to Chinese patent application No. 201910250742.2, entitled "An authentication method and communication device", filed with the Chinese Patent Office on March 29, 2019, the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of communication technology, and in particular to an authentication method and communication device.
Background
During the transition from 4G networks to 5G networks, unified data management (UDM) and the home subscriber server (HSS) may be deployed separately, with the HSS handling subscriber key storage and authentication vector computation. In such a scenario, the mobility management entity (MME) and the UDM request a 4G authentication vector and a 5G authentication vector from the HSS respectively, but the current HSS cannot distinguish which kind of authentication vector is being requested. The HSS may provide a 4G authentication vector by default, so the UDM obtains a 4G authentication vector from the HSS and cannot complete 5G authentication.
The prior art solves this problem in a service-based way: the HSS is required to undergo service-based transformation so that it can communicate with the UDM through a service-based interface. However, this requires large and complex changes to the HSS.
Summary of the invention
The embodiments of this application provide an authentication method and a communication device to solve the technical problem that the UDM cannot complete 5G authentication when the UDM and HSS are deployed separately.
In a first aspect, an embodiment of this application provides an authentication method that can be applied to a data management network element, for example a UDM; correspondingly, the home subscriber server may be an HSS. The method includes: the data management network element sends an authentication vector acquisition request to the home subscriber server, where the request includes authentication type information used to indicate the type of authentication vector requested; and the data management network element receives an authentication vector sent by the home subscriber server, where the authentication vector is generated by the home subscriber server according to the authentication type information.
With the technical solution of the embodiments of this application, the data management network element can directly or indirectly indicate, through the authentication type information in the authentication vector acquisition request, the type of authentication vector currently requested, for example a 5G authentication vector, so that the home subscriber server provides it with a 5G authentication vector and supports the data management network element in completing 5G authentication. This solves the problem that, when the UDM and HSS are deployed separately but the authentication data is kept in the HSS, the computation parameters of the UDM and HSS are inconsistent during authentication of a terminal device. It also avoids the need for a service-based transformation of the HSS in order to support 5G authentication by the UDM.
With reference to the first aspect, in a first possible design of the first aspect, the authentication vector includes a first expected response XRES*, a first authentication token AUTN, an authentication service key Kausf and a random number RAND. In this way, the 5G authentication vector generated by the HSS supports the UDM in completing 5G authentication using 5G AKA, which improves the applicability of the authentication method.
With reference to the first aspect, in a second possible design of the first aspect, the authentication vector includes a second expected response XRES, a second authentication token AUTN, a first encryption key CK, a first integrity key IK and a random number RAND, where the authentication management field (AMF) indicator bit of the second AUTN is a set value, for example 1; in addition, the data management network element may determine a second encryption key CK' and a second integrity key IK' from CK and IK. Optionally, the data management network element may determine CK' and IK' after receiving the authentication vector. In this way, the 5G authentication vector generated by the HSS supports the UDM in completing 5G authentication using EAP-AKA', avoids an excessive computational load on the HSS for generating 5G authentication vectors and large changes to the HSS, and improves the applicability of the authentication method.
With reference to the first aspect and its first or second possible design, in a third possible design of the first aspect, the authentication vector acquisition request includes the international mobile subscriber identity (IMSI) of the terminal device, the IMSI being used to instruct the home subscriber server to provide the authentication vector corresponding to that terminal device, and the IMSI being obtained by the data management network element from the subscription permanent identifier (SUPI) of the terminal device. In this way, the UDM can carry the IMSI of the terminal device when requesting an authentication vector from the HSS, which avoids the problem that the HSS does not know which terminal device's authentication vector is being requested because the subscriber identifier used at the UDM is the SUPI while that used at the HSS is the IMSI.
With reference to the first aspect and any of its first to third possible designs, in a fourth possible design of the first aspect, the authentication type information may include any one of access type information, serving network type information, authentication vector type information and authentication network element type information. In this way, the authentication type information can indicate the required type of authentication vector in several possible ways: an information element already present in the authentication vector acquisition request may be used, or a newly added information element may be used, which effectively improves the applicability of the authentication method.
In a second aspect, an embodiment of this application provides another authentication method that can be applied to a home subscriber server, for example an HSS; correspondingly, the data management network element may be a UDM. The method includes: the home subscriber server receives an authentication vector acquisition request sent by the data management network element, where the request includes authentication type information used to indicate the type of authentication vector requested; and the home subscriber server generates an authentication vector according to the authentication type information and sends it to the data management network element.
With the technical solution of the embodiments of this application, the authentication vector acquisition request sent by the data management network element includes authentication type information, and the home subscriber server can identify from it the type of authentication vector the data management network element is requesting, for example a 5G authentication vector, thereby supporting the UDM in completing 5G authentication. This solves the problem that, when the UDM and HSS are deployed separately but the authentication data is kept in the HSS, the computation parameters of the UDM and HSS are inconsistent during authentication of a terminal device. It also avoids the need for a service-based transformation of the HSS in order to support 5G authentication by the UDM.
With reference to the second aspect, in a first possible design of the second aspect, the authentication vector includes a first expected response XRES*, a first authentication token AUTN, an authentication service key Kausf and a random number RAND. In this way, the 5G authentication vector generated by the HSS supports the UDM in completing 5G authentication using 5G AKA, which improves the applicability of the authentication method.
With reference to the second aspect, in a second possible design of the second aspect, the authentication vector includes a second expected response XRES, a second authentication token AUTN, a first encryption key CK, a first integrity key IK and a random number RAND, where the authentication management field (AMF) indicator bit of the second AUTN is a set value, for example 1, and CK and IK are used by the data management network element to determine a second encryption key CK' and a second integrity key IK'. Optionally, the data management network element may determine CK' and IK' from CK and IK after receiving the authentication vector sent by the home subscriber server. In this way, the 5G authentication vector generated by the HSS supports the UDM in completing 5G authentication using EAP-AKA', avoids an excessive computational load on the HSS for generating 5G authentication vectors and large changes to the HSS, and improves the applicability of the authentication method.
With reference to the second aspect and its first or second possible design, in a third possible design of the second aspect, the authentication vector acquisition request may include the international mobile subscriber identity (IMSI) of the terminal device, the IMSI being used to instruct the home subscriber server to provide the authentication vector corresponding to that terminal device, and the IMSI being obtained by the data management network element from the subscription permanent identifier (SUPI) of the terminal device. In this way, the UDM can carry the IMSI of the terminal device when requesting an authentication vector from the HSS, which effectively avoids the problem that the HSS does not know which terminal device's authentication vector is being requested because the subscriber identifier used at the UDM is the SUPI while that used at the HSS is the IMSI.
With reference to the second aspect and any of its first to third possible designs, in a fourth possible design of the second aspect, the authentication type information may include any one of access type information, serving network type information, authentication vector type information and authentication network element type information. In this way, the authentication type information can indicate the required type of authentication vector in several possible ways: an information element already present in the authentication vector acquisition request may be used, or a newly added information element may be used, which effectively improves the applicability of the authentication method.
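To make the two vector designs above (and the EAP-AKA' conversion the UDM performs in the FIG. 3b flow) concrete, the following is an added example written by the editor; it is not code from the patent or from the applicant. It takes the five-tuple (XRES, AUTN, CK, IK, RAND) an HSS already produces, checks that the AMF indicator bit in AUTN is set, and derives either the 5G AKA form (XRES*, AUTN, Kausf, RAND) or the EAP-AKA' form with CK', IK'. The KDF construction (HMAC-SHA-256 over FC || P0 || L0 || ...) and the FC values 0x20 (CK'/IK'), 0x6A (Kausf) and 0x6B (XRES*) are this editor's recollection of 3GPP TS 33.501 Annex A and should be verified against the specification; the authentication-type strings, function names, serving network name and all sample bytes are constructed assumptions.

```python
"""Constructed example: converting an HSS five-tuple into the two 5G authentication
vector forms the text describes. Not the patent's code; KDF constants are the
editor's recollection of TS 33.501 Annex A and must be verified; inputs are made up."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Bit 0 of the two-octet AMF field (MSB of its first octet) is the separation bit;
# the text requires it to be a set value (1) for a vector usable in 5G.
AMF_SEPARATION_BIT = 0x80


@dataclass(frozen=True)
class HssVector:
    """Five-tuple the HSS hands to the UDM: XRES, AUTN, CK, IK, RAND."""
    rand: bytes  # 16 octets
    xres: bytes  # 4..16 octets
    autn: bytes  # 16 octets: (SQN xor AK)[6] || AMF[2] || MAC[8]
    ck: bytes    # 16 octets
    ik: bytes    # 16 octets


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B style): HMAC-SHA-256(key, FC||P0||L0||P1||L1...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def is_5g_vector(v: HssVector) -> bool:
    """Well-formed lengths and the AMF separation bit set in AUTN."""
    sizes_ok = len(v.rand) == 16 and len(v.autn) == 16 and len(v.ck) == 16 and len(v.ik) == 16
    return sizes_ok and 4 <= len(v.xres) <= 16 and bool(v.autn[6] & AMF_SEPARATION_BIT)


def derive_ck_ik_prime(v: HssVector, serving_network_name: str) -> tuple[bytes, bytes]:
    """UDM side of the EAP-AKA' design: CK', IK' from CK, IK (FC = 0x20, P0 = SNN, P1 = SQN xor AK)."""
    if not is_5g_vector(v):
        raise ValueError("not a 5G-usable authentication vector")
    out = kdf(v.ck + v.ik, 0x20, serving_network_name.encode(), v.autn[:6])
    return out[:16], out[16:]


def to_eap_aka_prime_vector(v: HssVector, serving_network_name: str) -> HssVector:
    """Second design: the same five-tuple with CK, IK replaced by CK', IK'."""
    ck_p, ik_p = derive_ck_ik_prime(v, serving_network_name)
    return HssVector(v.rand, v.xres, v.autn, ck_p, ik_p)


def to_5g_aka_vector(v: HssVector, serving_network_name: str) -> dict[str, bytes]:
    """First design: XRES*, AUTN, Kausf, RAND (FC = 0x6B for XRES*, 0x6A for Kausf)."""
    if not is_5g_vector(v):
        raise ValueError("not a 5G-usable authentication vector")
    snn = serving_network_name.encode()
    key = v.ck + v.ik
    xres_star = kdf(key, 0x6B, snn, v.rand, v.xres)[16:]  # 128 least significant bits
    kausf = kdf(key, 0x6A, snn, v.autn[:6])               # full 256-bit output
    return {"rand": v.rand, "autn": v.autn, "xres_star": xres_star, "kausf": kausf}


def build_for_request(v: HssVector, auth_type: str, serving_network_name: str):
    """Dispatch on the authentication type information carried in the acquisition request.
    The type strings are assumptions for this example, not the patent's encoding."""
    if auth_type == "5G_AKA":
        return to_5g_aka_vector(v, serving_network_name)
    if auth_type == "EAP_AKA_PRIME":
        return to_eap_aka_prime_vector(v, serving_network_name)
    if auth_type == "4G":
        return v  # an MME receives the unchanged five-tuple
    raise ValueError(f"unknown authentication type information: {auth_type}")


# Constructed sample input (not real subscriber data); AMF = 0x8000 sets the separation bit.
SAMPLE = HssVector(
    rand=bytes(range(16)),
    xres=bytes.fromhex("deadbeefcafef00d"),
    autn=bytes.fromhex("000000000001") + bytes([0x80, 0x00]) + bytes(8),
    ck=bytes([0x11] * 16),
    ik=bytes([0x22] * 16),
)
SNN = "5G:mnc001.mcc001.3gppnetwork.org"  # assumed serving network name

if __name__ == "__main__":
    for t in ("5G_AKA", "EAP_AKA_PRIME", "4G"):
        print(t, build_for_request(SAMPLE, t, SNN))
```

The separation-bit check is the practical safeguard behind the text's "set value" requirement: a vector an HSS produced by default for 4G use has that bit clear, so `derive_ck_ik_prime` and `to_5g_aka_vector` refuse it instead of silently deriving 5G keys from it, which is the failure mode the background section describes.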
In a third aspect, an embodiment of this application provides a communication device. The communication device may have the function of implementing the data management network element of the first aspect or any possible design of the first aspect; it may be a data management network element such as a UDM, a chip included in a data management network element, or another communication device used to implement the functions of a data management network element. Alternatively, the communication device may have the function of implementing the home subscriber server of the second aspect or any possible design of the second aspect; it may be a home subscriber server, a chip included in a home subscriber server, or another communication device used to implement the functions of a home subscriber server. These functions may be implemented by hardware, or by hardware executing corresponding software, where the hardware or software includes one or more modules corresponding to the functions.
In a possible design, the communication device includes a processing module and a transceiver module. The processing module is configured to support the communication device in performing the corresponding function of the first aspect or any design of the first aspect, or of the second aspect or any design of the second aspect. The transceiver module is configured to support communication between the communication device and other communication equipment; for example, when the communication device is a data management network element, the transceiver module sends an authentication vector acquisition request to the home subscriber server, and when the communication device is a home subscriber server, the transceiver module sends an authentication vector to the data management network element. The communication device may further include a storage module coupled to the processing module, which stores the program instructions and data the communication device needs. As an example, the processing module may be a processor, the communication module may be a transceiver, and the storage module may be a memory; the memory may be integrated with the processor or provided separately from it, which is not limited in this application.
In another possible design, the communication device includes a processor and a memory; the processor is coupled to the memory and can execute computer program instructions stored in the memory so that the communication device performs the method of the first aspect or any possible design of the first aspect, or the method of the second aspect or any possible design of the second aspect. Optionally, the communication device further includes a communication interface coupled to the processor. When the communication device is a first network device, the communication interface may be a transceiver or an input/output interface; when the communication device is a chip included in the first network device, the communication interface may be the input/output interface of the chip. Optionally, the transceiver may be a transceiver circuit, and the input/output interface may be an input/output circuit.
In a fourth aspect, an embodiment of this application provides a chip system including a processor coupled to a memory, where the memory is used to store a program or instructions which, when executed by the processor, cause the chip system to perform the method of any possible design of the first aspect or the method of any possible design of the second aspect.
Optionally, the chip system may have one or more processors. The processor may be implemented by hardware or by software. When implemented by hardware, the processor may be a logic circuit, an integrated circuit or the like. When implemented by software, the processor may be a general-purpose processor that works by reading software code stored in the memory.
Optionally, the chip system may also have one or more memories. The memory may be integrated with the processor, or provided separately from the processor, which is not limited in this application. By way of example, the memory may be non-transitory, such as a read-only memory (ROM), and may be integrated with the processor on the same chip or placed on a different chip; this application does not specifically limit the type of memory or the way the memory and processor are arranged.
In a fifth aspect, an embodiment of this application provides a computer-readable storage medium that stores computer-readable instructions; when a computer reads and executes those instructions, the computer is caused to perform the method of any possible design of the first aspect or the method of any possible design of the second aspect.
In a sixth aspect, an embodiment of this application provides a computer program product; when a computer reads and executes the computer program product, the computer is caused to perform the method of any possible design of the first aspect or the method of any possible design of the second aspect.
In a seventh aspect, an embodiment of this application provides a communication system that includes one or more of the data management network element and the home subscriber server described in the foregoing aspects.
附图说明Description of the drawings
图1为本申请实施例适用的一种通信系统的网络架构示意图;FIG. 1 is a schematic diagram of a network architecture of a communication system to which an embodiment of this application is applicable;
图2为本申请实施例提供的一种鉴权方法的流程示意图;2 is a schematic flowchart of an authentication method provided by an embodiment of this application;
图3a和图3b为本申请实施例提供的一种鉴权方法的另一流程示意图;3a and 3b are schematic diagrams of another flow of an authentication method provided by an embodiment of this application;
图4为本申请实施例提供的一种通信装置的结构示意图;4 is a schematic structural diagram of a communication device provided by an embodiment of this application;
图5为本申请实施例提供的一种通信装置的另一结构示意图。FIG. 5 is a schematic diagram of another structure of a communication device provided by an embodiment of this application.
具体实施方式detailed description
为了使本申请实施例的目的、技术方案和优点更加清楚,下面将结合附图对本申请实施例作进一步地详细描述。In order to make the objectives, technical solutions, and advantages of the embodiments of the present application clearer, the embodiments of the present application will be further described in detail below with reference to the accompanying drawings.
本申请实施例提供的技术方案可以应用于长期演进(long term evolution,LTE)系统、先进的长期演进(advanced long term evolution,LTE-A)系统、通用移动通信系统(universal mobile telecommunication system,UMTS)、演进的长期演进(evolved long term evolution,eLTE)系统、5G系统,或未来演进的其它移动通信系统等通信系统。The technical solutions provided by the embodiments of this application can be applied to long term evolution (LTE) systems, advanced long term evolution (LTE-A) systems, and universal mobile telecommunication systems (UMTS) , Evolved long-term evolution (evolved long term evolution, eLTE) system, 5G system, or other mobile communication systems that will evolve in the future.
请参阅图1,为本申请实施例适用的一种通信系统的网络架构图,该通信系统以5G通信系统作为示例,包括:认证服务器功能(authentication server function,AUSF)网元、统一数据管理(unified data management,UDM)网元、接入和移动性管理功能(access and mobility management function,AMF)网元、会话管理功能(session management function,SMF)网元、策略控制功能(policy control function,PCF)网元、应用功能(application function,AF)网元、用户面功能(user plane function,UPF)网元、数据网络(data network,DN)、(无线)接入网((radio)access network,(R)AN)和终端设备(user equipment,UE)。Please refer to Figure 1, which is a network architecture diagram of a communication system to which this embodiment of the application applies. The communication system takes a 5G communication system as an example, including: authentication server function (authentication server function, AUSF) network elements, unified data management ( unified data management (UDM) network element, access and mobility management function (AMF) network element, session management function (session management function, SMF) network element, policy control function (PCF) ) Network element, application function (AF) network element, user plane function (UPF) network element, data network (DN), (radio) access network, (R) AN) and terminal equipment (user equipment, UE).
这些网元通过服务化接口实现逻辑上的两两互联。如图1所示,终端设备与AMF之间通过N1接口实现互联,(R)AN与AMF之间通过N2接口实现互联,(R)AN与UPF之间通过N3接口实现互联,UPF与SMF之间通过N4接口实现互联,PCF与AF之间通过N5接口实现互联,UPF与DN之间通过N6接口实现互联,SMF与PCF之间通过N7 接口实现互联,AMF与UDM之间通过N8接口实现互联,UPF与UPF之间通过N9接口实现互联,UDM与SMF之间通过N10接口实现互联,SMF与AMF之间通过N11接口实现互联,AMF与AUSF之间通过N12接口实现互联,AUSF与UDM之间通过N13接口实现互联,AMF与AMF之间通过N14接口实现互联,AMF与PCF通过N15接口实现互联。These network elements are logically interconnected through service-oriented interfaces. As shown in Figure 1, the terminal equipment and the AMF are interconnected through the N1 interface, (R)AN and AMF are interconnected through the N2 interface, (R)AN and UPF are interconnected through the N3 interface, and between UPF and SMF They are interconnected through N4 interface, PCF and AF are interconnected through N5 interface, UPF and DN are interconnected through N6 interface, SMF and PCF are interconnected through N7 interface, and AMF and UDM are interconnected through N8 interface. , UPF and UPF are interconnected through N9 interface, UDM and SMF are interconnected through N10 interface, SMF and AMF are interconnected through N11 interface, AMF and AUSF are interconnected through N12 interface, and between AUSF and UDM The interconnection is achieved through the N13 interface, the AMF and the AMF are interconnected through the N14 interface, and the AMF and the PCF are interconnected through the N15 interface.
本申请实施例提供的通信系统中还可包括在4G网络向5G网络演进过程中保留的归属用户服务器(home subscriber server,HSS),HSS用于保存4G网络的用户签约数据和移动终端的位置信息,并用于生成鉴权向量。HSS可通过不同的协议接口与5G网络中的UDM、4G网络中的移动性管理实体(mobility management entity,MME)通信。The communication system provided by the embodiments of this application may also include a home subscriber server (HSS) reserved during the evolution of the 4G network to the 5G network, and the HSS is used to store user subscription data of the 4G network and location information of the mobile terminal , And used to generate the authentication vector. The HSS can communicate with the UDM in the 5G network and the mobility management entity (MME) in the 4G network through different protocol interfaces.
本申请实施例提供的鉴权方法主要涉及上述网络架构中的AMF、AUSF、UDM,以及HSS。其中,AMF,用于负责终端设备的接入管理和移动性管理,例如,对终端设备在接入授权/鉴权方面的管理。当终端设备注册到服务网络时,服务网络的AMF会调用归属网络AUSF提供的UE认证请求服务,并接收归属网络AUSF返回的作为UE认证请求服务的响应的鉴权向量,例如可以是5G鉴权向量,完成对终端设备在服务网络的鉴权。当终端设备在服务网络的鉴权通过后,AMF可发起注册流程,到UDM中获取用户签约数据。The authentication method provided in the embodiment of the present application mainly involves AMF, AUSF, UDM, and HSS in the above-mentioned network architecture. Among them, AMF is used to be responsible for the access management and mobility management of terminal equipment, for example, the management of terminal equipment in terms of access authorization/authentication. When the terminal device is registered to the serving network, the AMF of the serving network will call the UE authentication request service provided by the home network AUSF, and receive the authentication vector returned by the home network AUSF as a response to the UE authentication request service, for example, 5G authentication Vector, complete the authentication of terminal equipment in the service network. After the terminal device is authenticated in the service network, the AMF can initiate a registration process to obtain user subscription data in UDM.
AUSF,用于进行鉴权认证。归属网络AUSF提供的UE认证请求服务被调用后,AUSF可进一步调用UDM提供的UE认证获取请求服务,申请获取鉴权向量,例如可以是5G鉴权向量。AUSF, used for authentication. After the UE authentication request service provided by the home network AUSF is invoked, the AUSF may further invoke the UE authentication acquisition request service provided by UDM to apply for obtaining an authentication vector, for example, a 5G authentication vector.
UDM,用于进行统一数据管理,例如管理5G网络的用户签约数据等。AUSF调用UDM提供的UE认证获取请求服务后,UDM可进一步地向HSS发送鉴权向量获取请求消息,并接收HSS返回的鉴权向量。UDM is used for unified data management, such as managing user subscription data for 5G networks. After the AUSF invokes the UE authentication acquisition request service provided by UDM, UDM can further send an authentication vector acquisition request message to the HSS, and receive the authentication vector returned by the HSS.
请参阅图2,为本申请实施例提供的一种鉴权方法的流程示意图,该方法包括如下的步骤S201至步骤S202:Please refer to FIG. 2, which is a schematic flowchart of an authentication method provided by an embodiment of this application. The method includes the following steps S201 to S202:
步骤S201:数据管理网元向归属用户服务器发送鉴权向量获取请求,该鉴权向量获取请求包括鉴权类型信息,该鉴权类型信息用于指示请求的鉴权向量的类型。Step S201: The data management network element sends an authentication vector acquisition request to the home user server, where the authentication vector acquisition request includes authentication type information, and the authentication type information is used to indicate the type of the requested authentication vector.
本申请实施例中,数据管理网元可以是UDM,归属用户服务器可以是HSS。UDM向HSS发送的鉴权向量获取请求中可包括鉴权类型信息,该鉴权类型信息用于指示UDM所请求的鉴权向量的类型,即请求的是5G鉴权向量,或者该鉴权向量获取请求与5G鉴权相关。鉴权向量是指一组用于鉴权的参数。In the embodiment of the present application, the data management network element may be UDM, and the home user server may be HSS. The authentication vector acquisition request sent by UDM to HSS may include authentication type information, which is used to indicate the type of authentication vector requested by UDM, that is, the request is a 5G authentication vector, or the authentication vector The acquisition request is related to 5G authentication. The authentication vector refers to a set of parameters used for authentication.
鉴权类型信息可以是鉴权向量获取请求中已有的字段或信元,也可以是在鉴权向量获取请求中新增的字段或信元,本申请并不限定。鉴权类型信息可具有多种可能的实现方式,例如,该鉴权类型信息可以是接入方式类型信息、服务网络类型信息、鉴权向量类型信息、鉴权网元类型信息等信息,从而能够有效提高本申请实施例提供的鉴权方法的适用性。The authentication type information can be an existing field or cell in the authentication vector obtaining request, or a newly added field or cell in the authentication vector obtaining request, which is not limited in this application. The authentication type information can have multiple possible implementation modes. For example, the authentication type information can be access mode type information, service network type information, authentication vector type information, authentication network element type information, etc., so that it can This effectively improves the applicability of the authentication method provided in the embodiments of the present application.
示例性地,若鉴权类型信息为接入方式类型信息,UDM可通过该接入方式类型信息指示出当前的接入方式为5G接入,以便HSS获知其请求的是5G鉴权向量。若鉴权类型信息为服务网络类型信息,UDM可通过该服务网络类型信息指示出当前的服务网络为5G网络,以便HSS获知其请求的是5G鉴权向量。若鉴权类型信息为鉴权向量类型信息,UDM可通过该鉴权向量类型信息指示出需要获取5G鉴权向量,以便HSS后续提供5G鉴权向量。若鉴权类型信息为鉴权网元类型信息,UDM可通过该鉴权网元类型信息指示自己是UDM,或者指示该鉴权向量获取请求是由UDM发送的,由于UDM是属于5G网络中的 网元,因此,HSS在接收到该鉴权向量获取请求后,会向UDM提供5G鉴权向量。Exemplarily, if the authentication type information is access mode type information, UDM can indicate that the current access mode is 5G access through the access mode type information, so that the HSS knows that it is requesting a 5G authentication vector. If the authentication type information is service network type information, UDM can indicate that the current service network is a 5G network through the service network type information, so that the HSS knows that it is requesting a 5G authentication vector. If the authentication type information is authentication vector type information, the UDM can indicate that a 5G authentication vector needs to be obtained through the authentication vector type information, so that the HSS can subsequently provide a 5G authentication vector. If the authentication type information is authentication network element type information, UDM can indicate that it is UDM through the authentication network element type information, or indicate that the authentication vector acquisition request is sent by UDM, because UDM belongs to the 5G network Network element, therefore, after HSS receives this authentication vector acquisition request, it will provide UDM with 5G authentication vector.
如此,UDM可通过鉴权向量获取请求中的鉴权类型信息直接或间接地指示出当前请求的是5G鉴权向量,以便HSS提供对应的5G鉴权向量,支持UDM完成5G鉴权,有效避免需要对HSS进行服务化改造才能支持UDM进行5G鉴权的问题。In this way, UDM can obtain the authentication type information in the request through the authentication vector to directly or indirectly indicate that the current request is a 5G authentication vector, so that HSS can provide the corresponding 5G authentication vector and support UDM to complete 5G authentication, effectively avoiding The service-oriented transformation of HSS is needed to support UDM for 5G authentication.
在一种可能的设计中,该鉴权向量获取请求中还可包括终端设备的国际移动用户识别码(international mobile subscriber identity,IMSI),该IMSI是UDM根据终端设备的用户永久标识(subscription permanent identfier,SUPI)获得的,用于指示HSS提供该终端设备的鉴权向量。示例性地,UDM可将SUPI中的类型type去掉,提取出该IMSI。如此,UDM可携带终端设备的IMSI信息向HSS请求5G鉴权向量,可有效避免因UDM处的用户标识为SUPI,HSS处的用户标识为IMSI,两处所使用的用户标识不一致,而导致HSS不知道请求的是哪个终端设备的鉴权向量的问题。In a possible design, the authentication vector acquisition request may also include the international mobile subscriber identity (IMSI) of the terminal device. The IMSI is UDM based on the user's permanent identity of the terminal device , SUPI) is used to instruct the HSS to provide the authentication vector of the terminal device. Exemplarily, UDM can remove the type in SUPI to extract the IMSI. In this way, the UDM can carry the IMSI information of the terminal equipment to request the 5G authentication vector from the HSS, which can effectively avoid the user ID of the UDM being SUPI and the user ID of the HSS being the IMSI. The problem of knowing which terminal device's authentication vector is requested.
如图3a、图3b所示,在UDM发送鉴权向量获取请求之前,AMF可调用AUSF提供的UE认证请求服务。然后,AUSF可调用UDM提供的UE认证获取请求服务,进而触发UDM向HSS发送鉴权向量获取请求,该鉴权向量获取请求还可以称为鉴权向量获取请求消息,或者也可以具有其他名称,本申请并不限定。As shown in Figure 3a and Figure 3b, before the UDM sends the authentication vector acquisition request, the AMF can call the UE authentication request service provided by the AUSF. Then, AUSF can invoke the UE authentication acquisition request service provided by UDM, and then trigger UDM to send an authentication vector acquisition request to HSS. The authentication vector acquisition request may also be called an authentication vector acquisition request message, or it may have other names. This application is not limited.
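The following is an added worked example, not code from the patent or from any operator's HSS, showing the receiving side of step S201: an HSS that decides from the carried authentication type information whether a 5G or a 4G vector is being asked for, refuses requests that carry no usable type information rather than guessing, and derives the IMSI from a SUPI by stripping the type prefix as the text describes. The field names, the indicator values, the "imsi-<digits>" SUPI form and the sample identifiers are assumptions constructed for illustration.

```python
"""Added example (not from the patent): HSS-side handling of an authentication
vector acquisition request that carries authentication type information.
Field names, indicator values and the SUPI form "imsi-<digits>" are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# The four carriers of "authentication type information" named in the text.
# Which one a deployment uses is configuration; any of them may indicate 5G.
FIVE_G_INDICATORS = {
    "access_type": {"5G", "NR"},              # access mode type information
    "serving_network_type": {"5G", "5GC"},    # serving network type information
    "av_type": {"5G-AKA", "EAP-AKA'"},        # authentication vector type information
    "requesting_nf_type": {"UDM"},            # authentication network element type information
}
FOUR_G_INDICATORS = {
    "access_type": {"4G", "EPS"},
    "requesting_nf_type": {"MME"},
}


@dataclass
class AvRequest:
    """Constructed model of the authentication vector acquisition request."""
    supi: Optional[str] = None                 # carried when the requester is a UDM
    imsi: Optional[str] = None                 # carried when the requester already uses IMSI
    type_info: dict = field(default_factory=dict)


def supi_to_imsi(supi: str) -> str:
    """Strip the type prefix from a SUPI to obtain the IMSI (assumed "imsi-<digits>")."""
    kind, sep, value = supi.partition("-")
    if sep != "-" or kind.lower() != "imsi" or not value.isdigit():
        raise ValueError("SUPI is not in IMSI form")
    return value


def requested_vector_type(req: AvRequest) -> str:
    """Return "5G" or "4G" from the carried type information; fail closed otherwise.

    An HSS serving both an MME and a UDM must not guess which vector family
    the requester wants, so a request without recognised type information is rejected.
    """
    for name, value in req.type_info.items():
        if value in FIVE_G_INDICATORS.get(name, ()):
            return "5G"
    for name, value in req.type_info.items():
        if value in FOUR_G_INDICATORS.get(name, ()):
            return "4G"
    raise ValueError("authentication type information missing or unrecognised")


def resolve_subscriber(req: AvRequest) -> str:
    """Identify the subscriber by IMSI, converting from SUPI when only a SUPI is carried."""
    if req.imsi:
        return req.imsi
    if req.supi:
        return supi_to_imsi(req.supi)
    raise ValueError("no subscriber identifier in request")


def handle_av_request(req: AvRequest) -> dict:
    """Dispatch decision the HSS makes before generating anything."""
    vector_family = requested_vector_type(req)
    imsi = resolve_subscriber(req)
    return {"imsi": imsi, "vector_family": vector_family}


if __name__ == "__main__":
    udm_req = AvRequest(supi="imsi-460001234567890",
                        type_info={"requesting_nf_type": "UDM"})
    print(handle_av_request(udm_req))
```

Checking the type information before touching the subscriber identifier keeps the two failure modes the text mentions separate: an unrecognised requester is rejected outright, and a SUPI that is not in IMSI form is reported as an identifier problem rather than silently mapped.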
Step S202: The home subscriber server generates an authentication vector according to the authentication type information and sends the authentication vector to the data management network element.
In this embodiment, upon receiving the authentication vector acquisition request, the HSS can determine from the authentication type information in the request that a 5G authentication vector is being requested. The HSS then generates a 5G authentication vector according to the authentication type information and sends it to the UDM. Optionally, the HSS may generate the 5G authentication vector of the terminal equipment according to the IMSI of the terminal equipment carried in the request together with the authentication type information.
In one possible implementation, authentication may use 5G authentication and key agreement (5G AKA). In this mode the 5G authentication vector delivered by the HSS may include a first expected response (XRES*), a first authentication token (AUTN), an authentication service key Kausf and a random number RAND.
Here XRES* is computed by the HSS with the key derivation function (KDF), using CK||IK as Key and SN||RAND||XRES as S; it is the expected UE authentication response parameter and is compared with the response RES* returned by the UE to decide whether authentication succeeds. AUTN is a parameter the network provides to the UE, which the UE uses to authenticate the network. Kausf is computed by the UDM with the key derivation function KDF, using CK||IK as Key and SN||SQN⊕AK as S. RAND is an unpredictable random number the network provides to the UE. CK is the cipher key, IK the integrity key, SN the serving network name, SQN the sequence number and AK the anonymity key; the symbol || denotes concatenation and ⊕ denotes the exclusive-OR operation. The KDF is specifically KDF = HMAC-SHA-256(Key, S), where HMAC is the hash-based message authentication code and SHA is the secure hash algorithm.
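The following is an added worked example, not code from the patent, carrying out the two derivations just stated with the document's own symbols: XRES* = KDF(CK||IK, SN||RAND||XRES) and Kausf = KDF(CK||IK, SN||SQN⊕AK), with KDF = HMAC-SHA-256(Key, S). The parameter lengths, the sample CK/IK/RAND/XRES/SQN/AK values and the pass-through AUTN are constructed assumptions; the standardised 3GPP derivations additionally insert an FC byte and length fields into S, which the patent text omits and which this example therefore also omits.

```python
"""Added example (not from the patent): the XRES* and Kausf derivations as the
text states them, KDF = HMAC-SHA-256(Key, S). Parameter lengths and sample
values are constructed; the FC/length fields of the 3GPP derivations are omitted
because the text omits them."""
import hashlib
import hmac


def kdf(key: bytes, s: bytes) -> bytes:
    """KDF = HMAC-SHA-256(Key, S), exactly as written in the text."""
    return hmac.new(key, s, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise exclusive OR; SQN and AK must have the same length."""
    if len(a) != len(b):
        raise ValueError("operands of ⊕ must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def derive_xres_star(ck: bytes, ik: bytes, sn: bytes, rand: bytes, xres: bytes) -> bytes:
    """XRES* = KDF(CK||IK, SN||RAND||XRES)."""
    return kdf(ck + ik, sn + rand + xres)


def derive_kausf(ck: bytes, ik: bytes, sn: bytes, sqn: bytes, ak: bytes) -> bytes:
    """Kausf = KDF(CK||IK, SN||SQN⊕AK)."""
    return kdf(ck + ik, sn + xor(sqn, ak))


def build_5g_aka_vector(ck: bytes, ik: bytes, sn: bytes, rand: bytes,
                        xres: bytes, sqn: bytes, ak: bytes, autn: bytes) -> dict:
    """Assemble the vector the text lists for 5G AKA: XRES*, AUTN, Kausf, RAND.

    AUTN comes from the HSS's underlying AKA functions, which the text does not
    spell out, so it is passed through here (assumption).
    """
    return {
        "XRES*": derive_xres_star(ck, ik, sn, rand, xres),
        "AUTN": autn,
        "Kausf": derive_kausf(ck, ik, sn, sqn, ak),
        "RAND": rand,
    }


if __name__ == "__main__":
    # Constructed sample inputs (not real subscriber material).
    ck, ik = b"\x01" * 16, b"\x02" * 16
    sn = b"5G:mnc001.mcc460.3gppnetwork.org"   # constructed serving network name
    rand, xres = b"\x03" * 16, b"\x04" * 8
    sqn, ak = b"\x00\x00\x00\x00\x00\x2a", b"\x05" * 6
    autn = b"\x06" * 16
    vec = build_5g_aka_vector(ck, ik, sn, rand, xres, sqn, ak, autn)
    for k, v in vec.items():
        print(k, v.hex())
```

Because SN is bound into both derivations, a vector produced for one serving network name cannot be replayed successfully against another, which is the property the constant-length inputs and the single shared KDF are meant to preserve.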
In another possible implementation, authentication may use extensible authentication protocol authentication and key agreement (EAP-AKA'). In this mode the 5G authentication vector delivered by the HSS may be a quintuple consisting of a second expected response (XRES), a second authentication token AUTN, a first cipher key (CK), a first integrity key (IK) and a random number RAND, in which the authentication management field (AMF) indicator bit of the second AUTN is set to a configured value, for example 1. After receiving the quintuple, the UDM computes the remaining authentication parameters, such as the second cipher key CK' and the second integrity key IK'.
In this way the HSS of the embodiments of this application can provide different 5G authentication vectors for different authentication methods. In a practical deployment the HSS can select by configuration which kind of 5G authentication vector to generate, which makes the authentication method provided by this application more flexible.
Step S203: The data management network element receives the authentication vector sent by the home subscriber server.
In this embodiment, under the 5G AKA authentication method, after the UDM receives the 5G authentication vector (comprising XRES*, AUTN, Kausf and RAND), as shown in FIG. 3a, the UDM may send the response of the UE authentication get service to the AUSF; the response includes the 5G authentication vector and triggers the subsequent authentication procedure.
For example, the subsequent authentication procedure may be as follows. After receiving the 5G authentication vector, the AUSF temporarily stores XRES* and Kausf and computes HXRES* from XRES*. The AUSF sends the response of the UE authentication request service to the AMF, carrying AUTN, HXRES* and RAND. The AMF then sends an authentication request message to the UE containing AUTN and RAND. The UE checks the freshness of the authentication vector by verifying whether AUTN is acceptable; if AUTN is acceptable, the UE computes the authentication response RES* and sends an authentication request response containing RES* to the AMF. The AMF computes the corresponding HRES* from the received RES* and compares it with the stored HXRES*; if HRES* matches HXRES*, the UE is considered successfully authenticated in the serving network. The AMF then sends an authentication request message to the AUSF containing the RES* it received from the UE. On receiving this message the AUSF checks whether the authentication vector has expired; if it has, the UE is considered to have failed authentication from the home network's point of view. Otherwise the AUSF compares RES* with the stored XRES*, and if they match, the UE is considered successfully authenticated in the home network. The AUSF may then send an authentication request response to the AMF carrying the result of the UE's authentication in the home network.
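The following is an added worked example, not code from the patent, of the two checks in the 5G AKA procedure just described: the AMF compares HRES*, computed from the RES* the UE returned, against the HXRES* it received from the AUSF, and the AUSF first checks that its stored vector has not expired and only then compares RES* with the stored XRES*. The patent gives no formula for HXRES*, so this example assumes the TS 33.501 form, the 128 least significant bits of SHA-256(RAND||XRES*); the vector lifetime and all byte values are constructed.

```python
"""Added example (not from the patent): serving-network (AMF) and home-network
(AUSF) verification steps of 5G AKA. HXRES* formula assumed from TS 33.501;
lifetime and sample bytes are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


def hxres_star(rand: bytes, xres_star: bytes) -> bytes:
    """HXRES* = 128 least significant bits of SHA-256(RAND || XRES*) (assumed form)."""
    return hashlib.sha256(rand + xres_star).digest()[-16:]


@dataclass
class AusfState:
    """What the AUSF keeps after receiving the vector from the UDM."""
    rand: bytes
    xres_star: bytes
    kausf: bytes
    issued_at: float
    lifetime_s: float = 300.0   # constructed validity window for the vector

    def expired(self, now: float) -> bool:
        return now - self.issued_at > self.lifetime_s


def amf_check(stored_hxres_star: bytes, rand: bytes, res_star: bytes) -> bool:
    """Serving-network check: HRES* from the UE's RES* must equal the stored HXRES*.

    The AMF never holds XRES* itself, only HXRES*, so a compromised serving
    network cannot forge a matching RES* from what it stores.
    """
    hres_star = hxres_star(rand, res_star)
    return hmac.compare_digest(hres_star, stored_hxres_star)


def ausf_check(state: AusfState, res_star: bytes, now: float) -> str:
    """Home-network check in the order the text gives: expiry first, then RES* vs XRES*."""
    if state.expired(now):
        return "FAIL_EXPIRED"
    if not hmac.compare_digest(res_star, state.xres_star):
        return "FAIL_MISMATCH"
    return "SUCCESS"


def run_5g_aka_exchange(xres_star: bytes, rand: bytes, kausf: bytes,
                        ue_res_star: bytes, issued_at: float, now: float) -> tuple:
    """Drive the exchange end to end and return (serving-network result, home-network result)."""
    state = AusfState(rand, xres_star, kausf, issued_at)     # AUSF stores XRES*, Kausf
    hx = hxres_star(rand, xres_star)                         # AUSF -> AMF: AUTN, HXRES*, RAND
    serving_ok = amf_check(hx, rand, ue_res_star)            # AMF: HRES* vs HXRES*
    if not serving_ok:
        return False, "NOT_FORWARDED"                        # AMF does not forward RES*
    return True, ausf_check(state, ue_res_star, now)         # AUSF: expiry, then RES* vs XRES*


if __name__ == "__main__":
    # Constructed sample values (not real key material).
    rand = bytes(range(16))
    xres_star = b"\x11" * 32
    kausf = b"\x22" * 32
    print(run_5g_aka_exchange(xres_star, rand, kausf, xres_star, 0.0, 10.0))
    print(run_5g_aka_exchange(xres_star, rand, kausf, xres_star, 0.0, 1000.0))
```

Both comparisons use a constant-time equality check; the expiry test precedes the response comparison so that a stale vector is rejected regardless of whether the response would have matched.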
在采用EAP-AKA的鉴权方式下,UDM在接收到该5G鉴权向量(即包括XRES、AUTN、CK、IK和RAND的五元组)之后,还可根据五元组中的CK和IK,确定第二加密秘钥CK’和第二完整性秘钥IK’,并以CK’和IK’替换该鉴权向量中原有的CK和IK,得到转换后的5G鉴权向量。之后,如图3b所示,UDM可向AUSF发送UE认证获取请求服务的响应,该响应中包括转换后的5G鉴权向量,即为包括XRES、AUTN、CK、IK和RAND的五元组,进而触发后续的鉴权过程。In the EAP-AKA authentication mode, after UDM receives the 5G authentication vector (that is, the five-tuple including XRES, AUTN, CK, IK, and RAND), it can also use CK and IK in the five-tuple. , Determine the second encryption key CK' and the second integrity key IK', and replace the original CK and IK in the authentication vector with CK' and IK' to obtain the converted 5G authentication vector. After that, as shown in Figure 3b, UDM can send a response to the UE authentication and acquisition request service to AUSF. The response includes the converted 5G authentication vector, which is a five-tuple including XRES, AUTN, CK, IK, and RAND. Then trigger the subsequent authentication process.
示例性的,后续的鉴权过程可包括:AUSF可向AMF发送UE认证请求服务的响应,该响应中包括AUTN和RAND。随后,AMF向UE发送向UE发送鉴权请求消息,通过该鉴权请求消息将得到的RAND和AUTN转发给UE。UE接收到鉴权请求消息后,首先通过检查AUTN是否可被接收来验证鉴权向量的新鲜度,如果AUTN能够接受,表示UE对网络鉴权成功,UE计算鉴权响应RES。随后,UE向AMF发送鉴权请求响应,该鉴权请求响应中包括RES。AMF接收到该鉴权请求响应后,向AUSF发送鉴权请求消息,该鉴权请求消息中包括UE返回的RES,AUSF验证该RES与保存的XRES是否一致,若一致,则认为UE鉴权成功。AUSF还可根据CK’和IK’,计算认证服务秘钥Kausf,以及向UDM通知UE的鉴权结果。Exemplarily, the subsequent authentication process may include: AUSF may send a UE authentication request service response to AMF, and the response includes AUTN and RAND. Subsequently, the AMF sends an authentication request message to the UE, and the obtained RAND and AUTN are forwarded to the UE through the authentication request message. After the UE receives the authentication request message, it first verifies the freshness of the authentication vector by checking whether the AUTN can be received. If the AUTN is acceptable, it means that the UE has successfully authenticated the network, and the UE calculates an authentication response RES. Subsequently, the UE sends an authentication request response to the AMF, and the authentication request response includes the RES. After the AMF receives the authentication request response, it sends an authentication request message to AUSF. The authentication request message includes the RES returned by the UE. AUSF verifies whether the RES is consistent with the stored XRES. If they are consistent, the UE authentication is considered successful. . AUSF can also calculate the authentication service key Kausf based on CK’ and IK’, and notify UDM of the authentication result of the UE.
如此,由UDM根据HSS发送的五元组,计算第二加密秘钥CK’和第二完整性秘钥IK’,可有效减少HSS生成5G鉴权向量过程中的计算量,对HSS的改动也较小。In this way, the UDM calculates the second encryption key CK' and the second integrity key IK' according to the quintuple sent by the HSS, which can effectively reduce the amount of calculation in the process of generating the 5G authentication vector by the HSS, and also change the HSS. Smaller.
本申请实施例还提供一种通信装置,请参阅图4,为本申请实施例提供的一种通信装 置的结构示意图,该通信装置400包括:收发模块410和处理模块420。该通信装置可以作为数据管理网元,用于实现上述任一方法实施例中涉及数据管理网元的功能,该通信装置也可以作为归属用户服务器,用于实现上述任一方法实施例中涉及归属用户服务器的功能。An embodiment of the present application also provides a communication device. Please refer to FIG. 4, which is a schematic structural diagram of a communication device provided in an embodiment of this application. The communication device 400 includes a transceiver module 410 and a processing module 420. The communication device can be used as a data management network element to implement the functions of any of the foregoing method embodiments related to data management network elements, and the communication device can also be used as a home user server to implement any of the foregoing method embodiments related to home The function of the user server.
当该通信装置作为数据管理网元,执行图2中所示的方法实施例时,收发模块410,用于执行向归属用户服务器发送鉴权向量获取请求,接收归属用户服务器发送的鉴权向量的操作;处理模块420用于执行生成鉴权向量获取请求的操作。When the communication device is used as a data management network element to execute the method embodiment shown in FIG. 2, the transceiver module 410 is configured to send an authentication vector acquisition request to the home user server and receive the authentication vector sent by the home user server. Operation: The processing module 420 is used to perform the operation of generating an authentication vector acquisition request.
当该通信装置作为归属用户服务器,执行图2中所示的方法实施例时,收发模块410,用于执行接收数据管理网元发送的鉴权向量获取请求,将生成的鉴权向量发送至数据管理网元的操作;处理模块420用于执行根据鉴权类型信息,生成鉴权向量的操作。When the communication device serves as the home user server and executes the method embodiment shown in FIG. 2, the transceiver module 410 is configured to receive the authentication vector acquisition request sent by the data management network element, and send the generated authentication vector to the data Manage the operation of the network element; the processing module 420 is configured to perform the operation of generating an authentication vector according to the authentication type information.
应理解,本申请实施例中提供的通信装置中涉及的处理模块420可以由处理器或处理器相关电路组件实现,收发模块410可以由收发器或收发器相关电路组件实现。It should be understood that the processing module 420 involved in the communication device provided in the embodiments of the present application may be implemented by a processor or processor-related circuit components, and the transceiver module 410 may be implemented by a transceiver or transceiver-related circuit components.
需要说明的是,本申请实施例提供的通信装置400可对应于执行本申请实施例提供的数据传输方法S201至S203中的数据管理网元、或对应于执行本申请实施例提供的数据传输方法S201至S203中的归属用户服务器,该通信装置中的各个模块的操作和/或功能分别为了实现图2中所示方法的相应流程,为了简洁,在此不再赘述。It should be noted that the communication device 400 provided in the embodiment of the present application may correspond to the data management network element in the data transmission method S201 to S203 provided in the embodiment of the present application or the data transmission method provided in the embodiment of the present application. For the home user server in S201 to S203, the operation and/or function of each module in the communication device is to implement the corresponding process of the method shown in FIG. 2 respectively. For the sake of brevity, details are not repeated here.
请参阅图5,为本申请实施例中提供的通信装置的另一结构示意图。如图5所示,该通信装置500包括处理器510,存储器520、和通信接口530。可选地,该通信装置500还包括输入设备540、输出设备550和总线560。其中,处理器510、存储器520、通信接口530以及输入设备540、输出设备550通过总线560相互连接。存储器520中存储指令或程序,处理器510用于执行存储器520中存储的指令或程序。存储器520中存储的指令或程序被执行时,该处理器510用于执行上述方法实施例中处理模块420执行的操作,通信接口530用于执行上述实施例中收发模块410执行的操作。Please refer to FIG. 5, which is another schematic structural diagram of the communication device provided in the embodiment of the application. As shown in FIG. 5, the communication device 500 includes a processor 510, a memory 520, and a communication interface 530. Optionally, the communication apparatus 500 further includes an input device 540, an output device 550, and a bus 560. The processor 510, the memory 520, the communication interface 530, the input device 540, and the output device 550 are connected to each other through a bus 560. The memory 520 stores instructions or programs, and the processor 510 is configured to execute the instructions or programs stored in the memory 520. When the instructions or programs stored in the memory 520 are executed, the processor 510 is used to perform the operations performed by the processing module 420 in the foregoing method embodiment, and the communication interface 530 is used to perform the operations performed by the transceiver module 410 in the foregoing embodiment.
需要说明的是,本申请实施例提供的通信装置500可对应于执行本发明实施例提供的鉴权方法S201至S203的数据管理网元或归属用户服务器,并且该通信装置500中的各个模块的操作和/或功能分别为了实现图2或图3a、图3b中所示方法的相应流程,为了简洁,在此不再赘述。It should be noted that the communication device 500 provided by the embodiment of the present application may correspond to the data management network element or the home user server that executes the authentication methods S201 to S203 provided by the embodiment of the present invention, and the communication device 500 has the function of each module. The operations and/or functions are used to implement the corresponding procedures of the methods shown in FIG. 2 or FIG. 3a, and FIG. 3b respectively. For the sake of brevity, they will not be repeated here.
An embodiment of the present application also provides a chip system, including a processor coupled to a memory, where the memory is used to store a program or instructions, and when the program or instructions are executed by the processor, the chip system implements the method in any of the foregoing method embodiments.
Optionally, the chip system may contain one or more processors. A processor may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor that operates by reading software code stored in the memory.
Optionally, the chip system may also contain one or more memories. The memory may be integrated with the processor or provided separately from it; this application does not limit this. For example, the memory may be a non-transitory memory such as a read-only memory (ROM), which may be integrated with the processor on the same chip or placed on a different chip. This application does not specifically limit the type of memory or the way the memory and the processor are arranged.
For example, the chip system may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or another integrated chip.
It should be understood that the steps in the foregoing method embodiments may be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The method steps disclosed with reference to the embodiments of this application may be directly embodied as being executed by a hardware processor, or executed by a combination of hardware and software modules in the processor.
An embodiment of the present application also provides a computer-readable storage medium storing computer-readable instructions which, when read and executed by a computer, cause the computer to perform the method in any of the foregoing method embodiments.
An embodiment of the present application also provides a computer program product which, when read and executed by a computer, causes the computer to perform the method in any of the foregoing method embodiments.
An embodiment of the present application also provides a communication system, which includes one or more of the network elements described in the foregoing method embodiments, namely the data management network element and the home subscriber server.
It should be understood that the processor mentioned in the embodiments of this application may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor.
It should also be understood that the memory mentioned in the embodiments of this application may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or flash memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct Rambus RAM (DR RAM).
It should be noted that when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, the memory (storage module) is integrated in the processor.
It should be noted that the memories described herein are intended to include, but are not limited to, these and any other suitable types of memory.
It should be understood that, in the various embodiments of this application, the sequence numbers of the foregoing processes do not imply an order of execution. The order in which the processes are executed should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
A person of ordinary skill in the art may recognize that the units and algorithm steps of the examples described with reference to the embodiments disclosed herein can be implemented by electronic hardware, or by a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of this application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working processes of the systems, devices and units described above, reference may be made to the corresponding processes in the foregoing method embodiments, which are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative. The division into units is only a logical functional division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing are only specific implementations of this application, but the protection scope of this application is not limited thereto. Any change or substitution readily conceivable by a person skilled in the art within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (20)

  1. An authentication method, characterized in that the method comprises:
    a data management network element sending an authentication vector acquisition request to a home subscriber server, the authentication vector acquisition request comprising authentication type information, and the authentication type information being used to indicate the type of the requested authentication vector; and
    the data management network element receiving an authentication vector sent by the home subscriber server, the authentication vector being generated by the home subscriber server according to the authentication type information.
  2. The method according to claim 1, characterized in that the authentication vector comprises a first expected response XRES*, a first authentication token AUTN, an authentication service key Kausf and a random number RAND.
  3. The method according to claim 1, characterized in that the authentication vector comprises a second expected response XRES, a second authentication token AUTN, a first encryption key CK, a first integrity key IK and a random number RAND, wherein the authentication management field AMF indicator bit of the second AUTN is a set value;
    the method further comprises:
    the data management network element determining a second encryption key CK' and a second integrity key IK' according to the CK and the IK.
  4. The method according to any one of claims 1 to 3, characterized in that the authentication vector acquisition request comprises an international mobile subscriber identity IMSI of a terminal device, the IMSI being used to instruct the home subscriber server to provide the authentication vector corresponding to the terminal device, and the IMSI being obtained by the data management network element according to a subscription permanent identifier SUPI of the terminal device.
  5. The method according to any one of claims 1 to 4, characterized in that the authentication type information comprises any one of the following types of information:
    access mode type information, serving network type information, authentication vector type information, and authentication network element type information.
  6. An authentication method, characterized in that the method comprises:
    a home subscriber server receiving an authentication vector acquisition request sent by a data management network element, the authentication vector acquisition request comprising authentication type information, and the authentication type information being used to indicate the type of the requested authentication vector; and
    the home subscriber server generating an authentication vector according to the authentication type information, and sending the authentication vector to the data management network element.
  7. The method according to claim 6, characterized in that the authentication vector comprises a first expected response XRES*, a first authentication token AUTN, an authentication service key Kausf and a random number RAND.
  8. The method according to claim 6, characterized in that the authentication vector comprises a second expected response XRES, a second authentication token AUTN, a first encryption key CK, a first integrity key IK and a random number RAND, wherein the authentication management field AMF indicator bit of the second AUTN is a set value, and the CK and the IK are used by the data management network element to determine a second encryption key CK' and a second integrity key IK'.
  9. The method according to any one of claims 6 to 8, characterized in that the authentication vector acquisition request comprises an international mobile subscriber identity IMSI of a terminal device, the IMSI being used to instruct the home subscriber server to provide the authentication vector corresponding to the terminal device, and the IMSI being obtained by the data management network element according to a subscription permanent identifier SUPI of the terminal device.
  10. The method according to any one of claims 6 to 9, characterized in that the authentication type information comprises any one of the following types of information:
    access mode type information, serving network type information, authentication vector type information, and authentication network element type information.
  11. A communication apparatus, characterized in that the communication apparatus comprises:
    a processing module, configured to generate an authentication vector acquisition request; and
    a transceiver module, configured to send the authentication vector acquisition request to a home subscriber server, the authentication vector acquisition request comprising authentication type information, and the authentication type information being used to indicate the type of the requested authentication vector;
    the transceiver module being further configured to receive an authentication vector sent by the home subscriber server, the authentication vector being generated by the home subscriber server according to the authentication type information.
  12. The communication apparatus according to claim 11, characterized in that the authentication vector comprises a first expected response XRES*, a first authentication token AUTN, an authentication service key Kausf and a random number RAND.
  13. The communication apparatus according to claim 11, characterized in that the authentication vector comprises a second expected response XRES, a second authentication token AUTN, a first encryption key CK, a first integrity key IK and a random number RAND, wherein the authentication management field AMF indicator bit of the second AUTN is a set value;
    the processing module is further configured to:
    determine a second encryption key CK' and a second integrity key IK' according to the CK and the IK.
  14. The communication apparatus according to any one of claims 11 to 13, characterized in that the authentication vector acquisition request comprises an international mobile subscriber identity IMSI of the terminal device, the IMSI being used to instruct the home subscriber server to provide the authentication vector corresponding to the terminal device, and the IMSI being obtained by the processing module according to a subscription permanent identifier SUPI of the terminal device.
  15. The communication apparatus according to any one of claims 11 to 14, characterized in that the authentication type information comprises any one of the following types of information:
    access mode type information, serving network type information, authentication vector type information, and authentication network element type information.
  16. A communication apparatus, characterized in that the communication apparatus comprises:
    a transceiver module, configured to receive an authentication vector acquisition request sent by a data management network element, the authentication vector acquisition request comprising authentication type information, and the authentication type information being used to indicate the type of the requested authentication vector; and
    a processing module, configured to generate an authentication vector according to the authentication type information, and to send the authentication vector to the data management network element through the transceiver module.
  17. The communication apparatus according to claim 16, characterized in that the authentication vector comprises a first expected response XRES*, a first authentication token AUTN, an authentication service key Kausf and a random number RAND.
  18. The communication apparatus according to claim 16, characterized in that the authentication vector comprises a second expected response XRES, a second authentication token AUTN, a first encryption key CK, a first integrity key IK and a random number RAND, wherein the authentication management field AMF indicator bit of the second AUTN is a set value, and the CK and the IK are used by the data management network element to determine a second encryption key CK' and a second integrity key IK'.
  19. The communication apparatus according to any one of claims 16 to 18, characterized in that the authentication vector acquisition request comprises an international mobile subscriber identity IMSI of the terminal device, the IMSI being used to instruct the communication apparatus to provide the authentication vector corresponding to the terminal device, and the IMSI being obtained by the data management network element according to a subscription permanent identifier SUPI of the terminal device.
  20. The communication apparatus according to any one of claims 16 to 19, characterized in that the authentication type information comprises any one of the following types of information:
    access mode type information, serving network type information, authentication vector type information, and authentication network element type information.
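A toy end-to-end model of the exchange the claims describe, added here as an illustration and not code from the patent or from Huawei: the data management network element maps the SUPI to an IMSI, sends a typed acquisition request, and the home subscriber server generates the vector type the request names instead of guessing; for the EPS-type vector the data management network element then derives CK' and IK' only after checking the AMF indicator bit. Assumptions, none of which are in the claims: the SUPI form `imsi-<digits>`, HMAC-SHA256 as a stand-in for the 3GPP key derivation functions, the indicator bit as the most significant bit of AMF, and all key material and identifiers as constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class AuthVectorType(Enum):
    """Authentication type information carried in the acquisition request."""
    FIVE_G = "5G-AKA"   # vector: XRES*, AUTN, Kausf, RAND          (claims 2, 7)
    EPS = "EPS-AKA"     # vector: XRES, AUTN, CK, IK, RAND, AMF bit set (claims 3, 8)


@dataclass(frozen=True)
class AVRequest:
    imsi: str
    auth_type: AuthVectorType
    serving_network: str = "5G:mnc000.mcc460.3gppnetwork.org"  # constructed sample SNN


def _kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # Stand-in KDF (assumption): HMAC-SHA256 over label || parts. Not the 3GPP KDF.
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def supi_to_imsi(supi: str) -> str:
    # Assumed SUPI form "imsi-<digits>"; the claims only say the IMSI is obtained from the SUPI.
    if not supi.startswith("imsi-") or not supi[5:].isdigit():
        raise ValueError("SUPI is not IMSI-based")
    return supi[5:]


class HomeSubscriberServer:
    """HSS side: generates exactly the vector type the request asks for (claim 6)."""

    def __init__(self, subscribers: Dict[str, bytes]):
        self._keys = subscribers  # imsi -> 16-byte long-term key (constructed sample data)

    def generate_av(self, req: AVRequest, rand: bytes) -> dict:
        k = self._keys[req.imsi]                    # KeyError for an unknown subscriber
        amf = bytes([0x80, 0x00])                   # indicator (separation) bit set, assumed MSB
        res = _kdf(k, b"RES", rand)[:8]
        ck = _kdf(k, b"CK", rand)[:16]
        ik = _kdf(k, b"IK", rand)[:16]
        autn = _kdf(k, b"AUTN", rand, amf)[:16]
        if req.auth_type is AuthVectorType.EPS:
            return {"type": req.auth_type, "RAND": rand, "AUTN": autn,
                    "XRES": res, "CK": ck, "IK": ik, "AMF": amf}
        if req.auth_type is AuthVectorType.FIVE_G:
            snn = req.serving_network.encode()
            # XRES* and Kausf are bound to the serving network name (simplified derivation)
            xres_star = _kdf(ck + ik, b"XRES*", snn, rand, res)[:16]
            kausf = _kdf(ck + ik, b"Kausf", snn)
            return {"type": req.auth_type, "RAND": rand, "AUTN": autn,
                    "XRES*": xres_star, "Kausf": kausf}
        raise ValueError("unsupported authentication type information")


class DataManagementNetworkElement:
    """UDM side: sends the typed request and post-processes the vector (claims 1 to 4)."""

    def __init__(self, hss: HomeSubscriberServer):
        self._hss = hss

    @staticmethod
    def derive_ck_ik_prime(av: dict, serving_network: str) -> Tuple[bytes, bytes]:
        # Claim 3: CK' and IK' come from CK and IK; refuse a vector of the wrong type
        # or one whose AMF indicator bit is not set.
        if av["type"] is not AuthVectorType.EPS:
            raise ValueError("CK'/IK' derivation needs an EPS-type vector")
        if not av["AMF"][0] & 0x80:
            raise ValueError("AMF indicator bit not set")
        out = _kdf(av["CK"] + av["IK"], b"CK'IK'", serving_network.encode())
        return out[:16], out[16:]

    def request_vector(self, supi: str, auth_type: AuthVectorType, rand: bytes) -> dict:
        req = AVRequest(imsi=supi_to_imsi(supi), auth_type=auth_type)
        av = dict(self._hss.generate_av(req, rand))   # the send/receive step, in-process here
        if auth_type is AuthVectorType.EPS:
            av["CK'"], av["IK'"] = self.derive_ck_ik_prime(av, req.serving_network)
        return av


SAMPLE_SUPI = "imsi-460001234567890"                          # constructed
SAMPLE_K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")  # constructed, not a real key
SAMPLE_RAND = bytes(range(16))                                # fixed so results are reproducible


def run_exchange(auth_type: AuthVectorType, rand: bytes = SAMPLE_RAND) -> dict:
    """Drive one UDM -> HSS -> UDM round trip for the given authentication type."""
    hss = HomeSubscriberServer({supi_to_imsi(SAMPLE_SUPI): SAMPLE_K})
    return DataManagementNetworkElement(hss).request_vector(SAMPLE_SUPI, auth_type, rand)


if __name__ == "__main__":
    for t in AuthVectorType:
        av = run_exchange(t)
        print(t.value, sorted(k for k in av if k != "type"))
```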
PCT/CN2020/070143 2019-03-29 2020-01-02 Authentication method and communication apparatus WO2020199700A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910250742.2 2019-03-29
CN201910250742.2A CN111757311B (en) 2019-03-29 2019-03-29 Authentication method and communication device

Publications (1)

Publication Number Publication Date
WO2020199700A1 true WO2020199700A1 (en) 2020-10-08

Family

ID=72664893

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/070143 WO2020199700A1 (en) 2019-03-29 2020-01-02 Authentication method and communication apparatus

Country Status (2)

Country Link
CN (1) CN111757311B (en)
WO (1) WO2020199700A1 (en)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20782877; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20782877; Country of ref document: EP; Kind code of ref document: A1)