WO2020253736A1 - Authentication method, apparatus and system - Google Patents


Info

Publication number: WO2020253736A1
Authority: WO (WIPO (PCT))
Prior art keywords: authentication, terminal device, server, algorithm, network element
Application number: PCT/CN2020/096618
Other languages: English (en), Chinese (zh)
Inventors: 郭龙华, 李�赫
Original assignee: 华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2020253736A1

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3236 using cryptographic hash functions
                            • H04L9/3242 involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
                        • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                            • H04L9/3268 using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
                    • H04L9/40 Network security protocols
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 for authentication of entities
                        • H04L63/0823 using certificates
                        • H04L63/0869 for achieving mutual authentication
                        • H04L63/0892 by using authentication-authorization-accounting [AAA] servers or protocols
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W12/06 Authentication
                    • H04W12/10 Integrity
                • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
                • H04W76/00 Connection management
                    • H04W76/10 Connection setup

Definitions

  • This application relates to the field of communication technology, and in particular to an authentication method, device and system.
  • Authentication is an important step in securing the interaction between the terminal device side and the network side, and between the terminal device side and the data network side; the terminal device must be authenticated before it interacts with the core network and the data network, to ensure information security.
  • In existing systems there are two types of authentication: primary authentication and secondary authentication.
  • Primary authentication is the mutual authentication between the terminal device and the core network, performed after the terminal device initiates the registration procedure.
  • Secondary authentication is carried out during the protocol data unit (PDU) session establishment procedure, to achieve mutual authentication between the terminal device and a server in the data network.
  • As the number of authentication methods supported by terminal devices, core networks and data networks increases, a variety of different authentication methods will coexist.
  • The authentication methods supported between the terminal device and the core network may differ from those supported between the terminal device and the data network, so there may be cases where the authentication methods are inconsistent.
  • The present application provides an authentication method, device and system to solve the problem of low efficiency of mutual authentication between the terminal device side and the network side.
  • The embodiments of the present application provide an authentication method, which can be executed by a terminal device or by a chip of the terminal device, and the method includes:
  • The terminal device initiates the registration procedure and sends a registration request to the security anchor function network element, then performs mutual authentication with the unified data management network element based on the first authentication algorithm. If the terminal device fails that mutual authentication, the terminal device and the security anchor function network element can perform mutual authentication again: the terminal device performs mutual authentication with the unified data management network element based on the second authentication algorithm and, after that authentication, can receive a registration response from the security anchor function network element.
  • After the terminal device initiates the registration procedure, if the first mutual authentication with the security anchor function network element fails, it can perform mutual authentication again with the security anchor function network element without re-initiating the registration procedure, which avoids additional signaling interaction and so improves the efficiency of the mutual authentication between the terminal device and the security anchor function network element. Since mutual authentication is performed twice, its success rate can also be improved.
  • The registration request may carry the primary authentication capability information of the terminal device.
  • The primary authentication capability information of the terminal device includes some or all of the following: the primary authentication algorithms supported by the terminal device, the authentication credentials supported by the terminal device, and the mapping relationship between the supported primary authentication algorithms and the supported authentication credentials.
  • The primary authentication algorithms supported by the terminal device include the first authentication algorithm and the second authentication algorithm.
  • Because the registration request carries the primary authentication capability information of the terminal device, the security anchor function network element can learn that information in advance.
  • When selecting a primary authentication algorithm, it can rely on the primary authentication capability information of the terminal device; choosing a primary authentication algorithm supported by the terminal device (such as the first authentication algorithm or the second authentication algorithm) better ensures the success rate of the mutual authentication between the terminal device and the security anchor function network element.
  • The terminal device can then perform mutual authentication with the server (the mutual authentication between the terminal device and the server is called secondary authentication).
  • After the terminal device sends a PDU session establishment request to the session management network element, it can first perform mutual authentication with the server based on the third authentication algorithm. If that authentication fails, the terminal device can determine, based on the reason for the secondary authentication failure, whether the server and the terminal device need to trigger a new mutual authentication procedure. If they do, the terminal device selects a fourth authentication algorithm from the secondary authentication algorithms supported by the terminal device and those supported by the server, and sends a first authentication request to the server through the session management network element.
  • The first authentication request instructs the server and the terminal device to perform mutual authentication based on the fourth authentication algorithm. The terminal device then performs mutual authentication with the server based on the fourth authentication algorithm and, after that authentication, receives the PDU session establishment response sent by the session management network element.
  • After the terminal device initiates the PDU session establishment procedure, if the first mutual authentication with the server fails, it can perform mutual authentication again with the server without re-initiating the PDU session establishment procedure, which effectively reduces additional signaling interaction and so improves the efficiency of mutual authentication between the terminal device and the server. Because the algorithm used for the renewed mutual authentication can be a secondary authentication algorithm supported by both the terminal device and the server, selected by the terminal device, the success rate of the mutual authentication between the terminal device and the server can be improved.
  • The terminal device may first receive an identity request from the server through the session management network element; the identity request requests the identity information of the terminal device corresponding to the fourth authentication algorithm. After the terminal device returns that identity information to the server, it may perform mutual authentication with the server based on the fourth authentication algorithm.
  • The terminal device can thus send its identity information and the secondary authentication algorithm to the server before the mutual authentication with the server, so that the server can determine the identity of the terminal device.
  • The terminal device can obtain the fourth authentication algorithm based on the secondary authentication algorithms supported by the terminal device and the secondary authentication algorithms supported by the server.
  • There are several ways for the terminal device to obtain the server's secondary authentication capability information.
  • For example, the terminal device can obtain the server's secondary authentication capability information from the session management network element.
  • The secondary authentication capability information includes some or all of the following: the secondary authentication algorithms supported by the server, the authentication credentials supported by the server, and the mapping relationship between the secondary authentication algorithms and the authentication credentials.
  • The secondary authentication algorithms supported by the server include the third authentication algorithm and the fourth authentication algorithm.
  • The terminal device can first obtain the server's secondary authentication capability information to facilitate the subsequent selection of the secondary authentication algorithm used for the renewed mutual authentication with the server, and can select a secondary authentication algorithm supported by both the terminal device and the server, such as the fourth authentication algorithm, to ensure that the terminal device can successfully perform mutual authentication with the server.
  • The terminal device can then perform mutual authentication with the server (the mutual authentication between the terminal device and the server is called secondary authentication).
  • After the terminal device sends a PDU session establishment request to the session management network element, it can perform mutual authentication with the server based on the third authentication algorithm; if that mutual authentication fails, the server can trigger a new mutual authentication procedure with the terminal device.
  • The terminal device receives an identity request from the server through the session management network element; the identity request requests the identity information of the terminal device corresponding to the fourth authentication algorithm. After the terminal device returns its identity information and the fourth authentication algorithm to the server, mutual authentication can be performed with the server based on the fourth authentication algorithm; after that authentication, the PDU session establishment response sent by the session management network element is received.
  • After the terminal device initiates the PDU session establishment procedure, if the first mutual authentication with the server fails, it can perform mutual authentication again with the server without re-initiating the PDU session establishment procedure, which effectively avoids additional signaling interaction and so improves the efficiency of mutual authentication between the terminal device and the security anchor function network element. Since the algorithm used for the renewed authentication with the server can be a secondary authentication algorithm supported by both the terminal device and the server, selected by the server, the success rate of the mutual authentication between the terminal device and the server can be improved.
  • The server can obtain the secondary authentication capability information of the terminal device in advance.
  • The terminal device may carry its secondary authentication capability information in the PDU session establishment request, where the secondary authentication capability information of the terminal device includes the secondary authentication algorithms supported by the terminal device and the authentication credentials of those algorithms; the secondary authentication algorithms supported by the terminal device include the third authentication algorithm and the fourth authentication algorithm.
  • The session management network element may then send the secondary authentication capability information of the terminal device to the server.
  • The server can first obtain the secondary authentication capability information of the terminal device to facilitate the subsequent selection of the secondary authentication algorithm used for the renewed mutual authentication with the terminal device, and can select a secondary authentication algorithm supported by both the terminal device and the server, such as the fourth authentication algorithm, to ensure that the terminal device can successfully perform mutual authentication with the server.
  • The terminal device may also carry its secondary authentication capability information in the registration request.
  • The secondary authentication capability information of the terminal device includes some or all of the following: the secondary authentication algorithms supported by the terminal device, the authentication credentials supported by the terminal device, and the mapping relationship between the secondary authentication algorithms and the authentication credentials; the secondary authentication algorithms supported by the terminal device include the third authentication algorithm and the fourth authentication algorithm.
  • The server can first obtain the secondary authentication capability information of the terminal device to facilitate the subsequent selection of the secondary authentication algorithm used for the renewed mutual authentication with the terminal device, and can select a secondary authentication algorithm supported by both the terminal device and the server, such as the fourth authentication algorithm, to ensure that the terminal device can successfully perform mutual authentication with the server.
  • The embodiments of the present application provide an authentication method, which can be executed by a unified data management network element or by a chip of the unified data management network element.
  • The method includes: after the unified data management network element receives a registration request from a terminal device, it can perform mutual authentication with the terminal device based on the first authentication algorithm. If that mutual authentication fails, the unified data management network element can determine, based on the reason for the primary authentication failure, that it needs to authenticate the terminal device again, and it then performs mutual authentication with the terminal device based on the second authentication algorithm. After the mutual authentication, the unified data management network element sends a registration response to the terminal device through the security anchor function network element.
  • After the terminal device initiates the registration procedure, if the first mutual authentication with the security anchor function network element fails, mutual authentication can be performed again with the security anchor function network element without re-initiating the registration procedure, which avoids additional signaling interaction and improves the efficiency of the mutual authentication between the terminal device and the security anchor function network element. Because the unified data management network element can select a primary authentication algorithm supported by the terminal device, the success rate of the mutual authentication between the terminal device and the security anchor function network element can also be ensured.
  • Before selecting, from the primary authentication algorithms supported by the terminal device, a second authentication algorithm whose authentication credential differs from that of the first authentication algorithm, the unified data management network element may obtain the primary authentication capability information of the terminal device in advance.
  • Method 1: the unified data management network element obtains the primary authentication capability information of the terminal device from the security anchor function network element, where the primary authentication capability information of the terminal device includes some or all of the following: the primary authentication algorithms supported by the terminal device, the authentication credentials supported by the terminal device, and the mapping relationship between the primary authentication algorithms and the authentication credentials; the primary authentication algorithms supported by the terminal device include the first authentication algorithm and the second authentication algorithm.
  • Method 2: the unified data management network element obtains the locally stored primary authentication algorithms supported by the terminal device.
  • Because the security anchor function network element knows the primary authentication capability information of the terminal device in advance, it can select a primary authentication algorithm supported by the terminal device (such as the first authentication algorithm or the second authentication algorithm) based on that information, which better ensures the success rate of the mutual authentication between the terminal device and the security anchor function network element.
  • Before performing mutual authentication with the terminal device based on the second authentication algorithm, the unified data management network element may also send an indication message to the authentication service function network element; the indication message indicates that the unified data management network element performs mutual authentication with the terminal device based on the second authentication algorithm.
  • In this way, the authentication service function network element can perform the corresponding operations while the unified data management network element and the terminal device perform mutual authentication, which can further improve the effectiveness of the authentication between the unified data management network element and the terminal device.
  • The embodiments of the present application provide an authentication method, which can be executed by a server or by a chip of the server, and the method includes:
  • The server can perform mutual authentication with the terminal device based on the third authentication algorithm. After that mutual authentication fails, it can determine, based on the reason for the secondary authentication failure, that it needs to trigger a new mutual authentication with the terminal device.
  • The server selects, from the secondary authentication algorithms supported by the terminal device and the secondary authentication algorithms supported by the server, a fourth authentication algorithm whose authentication credential differs from the authentication credential of the third authentication algorithm, and sends an identity request to the terminal device requesting the identity information of the terminal device corresponding to the fourth authentication algorithm; when the server receives that identity information from the terminal device, it can perform mutual authentication with the terminal device based on the fourth authentication algorithm.
  • The server can perform mutual authentication with the terminal device again after the first mutual authentication fails, without re-initiating the PDU session establishment procedure, which effectively avoids additional signaling interaction and improves the efficiency of the mutual authentication between the terminal device and the security anchor function network element.
  • Because the algorithm used for the renewed mutual authentication between the server and the terminal device can be a secondary authentication algorithm supported by both the terminal device and the server, selected by the server, the server and the terminal device can successfully perform mutual authentication.
  • Before the server selects, from the secondary authentication algorithms supported by the terminal device and those supported by the server, a fourth authentication algorithm whose authentication credential differs from that of the third authentication algorithm, the server can obtain the secondary authentication capability information of the terminal device in advance. For example, the server may obtain it from the session management network element, where the secondary authentication capability information of the terminal device includes some or all of the following: the secondary authentication algorithms supported by the terminal device, the authentication credentials supported by the terminal device, and the mapping relationship between the secondary authentication algorithms and the authentication credentials; the secondary authentication algorithms supported by the terminal device include the third authentication algorithm and the fourth authentication algorithm.
  • The server can obtain the secondary authentication capability information of the terminal device in advance to facilitate the subsequent selection of the secondary authentication algorithm used for the renewed mutual authentication with the terminal device, and can select a secondary authentication algorithm supported by both the terminal device and the server, such as the fourth authentication algorithm, to ensure that the terminal device can successfully perform mutual authentication with the server.
  • The embodiments of the present application provide an authentication method, which can be executed by a server or by a chip of the server.
  • The method includes: after the terminal device sends a PDU session establishment request, the server may perform mutual authentication with the terminal device based on the third authentication algorithm. If that mutual authentication fails, the server can receive a first authentication request from the terminal device, which instructs the server and the terminal device to perform mutual authentication based on the fourth authentication algorithm; the server may then perform mutual authentication with the terminal device based on the fourth authentication algorithm.
  • After the terminal device initiates the PDU session establishment procedure, if the first mutual authentication with the server fails, it can perform mutual authentication again with the server without re-initiating the PDU session establishment procedure, which effectively reduces additional signaling interaction and so improves the efficiency of mutual authentication between the terminal device and the server. Because the algorithm used for the renewed mutual authentication can be a secondary authentication algorithm supported by both the terminal device and the server, selected by the terminal device, the success rate of the mutual authentication between the terminal device and the server can be improved.
  • The server may send an identity request to the terminal device through the session management network element; the identity request requests the identity information of the terminal device corresponding to the fourth authentication algorithm. After receiving that identity information from the terminal device, the server may perform mutual authentication with the terminal device based on the fourth authentication algorithm.
  • The terminal device can thus send its identity information and the secondary authentication algorithm to the server before the mutual authentication with the server, so that the server can determine the identity of the terminal device.
  • The server may inform the terminal device of the server's secondary authentication capability information in advance.
  • The server may send its secondary authentication capability information to the terminal device through the session management network element, where the server's secondary authentication capability information includes some or all of the following: the secondary authentication algorithms supported by the server, the authentication credentials supported by the server, and the mapping relationship between the secondary authentication algorithms and the authentication credentials; the secondary authentication algorithms supported by the server include the third authentication algorithm and the fourth authentication algorithm.
  • The terminal device can first obtain the server's secondary authentication capability information to facilitate the subsequent selection of the secondary authentication algorithm used for the renewed mutual authentication with the server, and can select a secondary authentication algorithm supported by both the terminal device and the server, such as the fourth authentication algorithm, to ensure that the terminal device can successfully perform mutual authentication with the server.
  • the embodiments of the present application also provide a communication device, the communication device is applied to a terminal device, and the beneficial effects can be referred to the description of the first aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the first aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the device includes a receiving unit, an authentication unit, and a sending unit. These units can perform the corresponding functions in the method example of the first aspect. For details, please refer to the detailed description in the method example, which will not be repeated here.
  • an embodiment of the present application also provides a communication device, which is applied to a unified data management network element, and the beneficial effects can be referred to the description of the second aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the second aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the device includes a receiving unit, an authentication unit, and a sending unit. These units can perform the corresponding functions in the method example of the second aspect. For details, please refer to the detailed description in the method example, which will not be repeated here.
  • an embodiment of the present application also provides a communication device, the communication device is applied to a server, and the beneficial effects can be referred to the description of the third aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the third aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the device includes a receiving unit, an authentication unit, and a sending unit. These units can perform the corresponding functions in the method example of the third aspect. For details, please refer to the detailed description in the method example, which will not be repeated here.
  • an embodiment of the present application also provides a communication device, the communication device is applied to a server, and the beneficial effects can be referred to the description of the fourth aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the fourth aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the device includes a receiving unit, a receiving unit, and an authentication unit. These units can perform the corresponding functions in the method example of the fourth aspect. For details, please refer to the detailed description in the method example, which will not be repeated here.
  • an embodiment of the present application also provides a communication device, the communication device is applied to a terminal device, and the beneficial effects can be referred to the description of the first aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the base station to perform the corresponding functions in the above-mentioned method in the first aspect.
  • the memory is coupled with the processor, and it stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a transceiver for communicating with other devices.
  • an embodiment of the present application also provides a communication device, which is applied to a unified data management network element, and the beneficial effects can be referred to the description of the second aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the base station to perform the corresponding function in the method of the second aspect described above.
  • the memory is coupled with the processor, and it stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a communication interface for communicating with other devices.
  • an embodiment of the present application also provides a communication device, the communication device is applied to a server, and the beneficial effects can be referred to the description of the third aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the base station to perform the corresponding function in the method of the third aspect.
  • the memory is coupled with the processor, and it stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a communication interface for communicating with other devices.
  • the embodiments of the present application also provide a communication system.
  • the system includes terminal equipment and unified data management network elements.
  • the terminal device is configured to perform two-way authentication with the unified data management network element based on the first authentication algorithm after sending a registration request to the security anchor function network element.
  • the unified data management network element is used, after the mutual authentication with the terminal device based on the first authentication algorithm fails, to select, based on the reason for the failure of the first authentication, a second authentication algorithm whose authentication credential differs from that of the first authentication algorithm from the primary authentication algorithms supported by the terminal device, to perform two-way authentication with the terminal device based on the second authentication algorithm, and to send a registration response to the terminal device through the security anchor function network element.
  • the terminal device may also receive a registration response from the unified data management network element through the security anchor function network element after performing mutual authentication with the server based on the second authentication algorithm.
  • the registration request includes the primary authentication capability information of the terminal device, and the primary authentication capability information of the terminal device includes some or all of the following: the primary authentication algorithm supported by the terminal device, the authentication credentials supported by the terminal device, and the mapping relationship between the primary authentication algorithm supported by the terminal device and the authentication credential supported by the terminal device; the primary authentication algorithm supported by the terminal device includes a first authentication algorithm and a second authentication algorithm.
  • the registration response indicates that the terminal device is successfully registered.
  • the communication system further includes a server.
  • the terminal device can perform two-way authentication with the server after successful mutual authentication with the unified data management network element.
  • the terminal device may perform mutual authentication with the server based on the third authentication algorithm after sending a PDU session establishment request to the session management network element; the two-way authentication between the terminal device and the server based on the third authentication algorithm may fail.
  • in that case, the terminal device can determine, based on the cause of the secondary authentication failure, that the server and the terminal device need to trigger a new two-way authentication process; then, based on the secondary authentication algorithm supported by the terminal device and the secondary authentication algorithm supported by the server, select a fourth authentication algorithm whose authentication credential is different from that of the third authentication algorithm; send a first authentication request to the server through the session management network element, where the first authentication request is used to instruct the server and the terminal device to perform two-way authentication based on the fourth authentication algorithm; and perform two-way authentication with the server based on the fourth authentication algorithm.
  • after the server fails the mutual authentication with the terminal device based on the third authentication algorithm, it can receive the first authentication request and perform two-way authentication with the terminal device based on the fourth authentication algorithm; after the terminal device performs two-way authentication with the server based on the fourth authentication algorithm, it receives the PDU session establishment response sent by the session management network element.
  • after sending the first authentication request, the terminal device is also used to receive an identity request, where the identity request is used to request the identity information of the terminal device corresponding to the fourth authentication algorithm; the terminal device can then feed back to the server the identity information of the terminal device corresponding to the fourth authentication algorithm, and after receiving it the server can perform two-way authentication with the terminal device based on the fourth authentication algorithm.
  • before selecting, based on the secondary authentication algorithm supported by the terminal device and the secondary authentication algorithm supported by the server, the fourth authentication algorithm whose authentication credential is different from that of the third authentication algorithm, the terminal device can obtain the server's secondary authentication capability information from the session management network element, where the server's secondary authentication capability information includes some or all of the following: the secondary authentication algorithm supported by the server, the authentication credentials supported by the server, and the mapping relationship between the secondary authentication algorithm and the authentication credentials; the secondary authentication algorithm supported by the server includes the third authentication algorithm and the fourth authentication algorithm.
  • the server may also send the server's secondary authentication capability information to the terminal device through the session management network element, where the server's secondary authentication capability information includes some or all of the following: the secondary authentication algorithm supported by the server, the authentication credential supported by the server, and the mapping relationship between the secondary authentication algorithm and the authentication credential; the secondary authentication algorithm supported by the server includes the third authentication algorithm and the fourth authentication algorithm.
  • the communication system further includes a server, and the terminal device can perform mutual authentication with the server after successful mutual authentication with the unified data management network element.
  • the terminal device may perform two-way authentication with the server based on the third authentication algorithm; after the mutual authentication with the terminal device based on the third authentication algorithm fails, the server may determine, based on the reason for the failure of the secondary authentication, to trigger a new two-way authentication process with the terminal device; select, from the secondary authentication algorithms supported by the terminal device and the secondary authentication algorithms supported by the server, a fourth authentication algorithm whose authentication credential is different from that of the third authentication algorithm; and then send an identity request to the terminal device through the session management network element, where the identity request is used to request the identity information of the terminal device corresponding to the fourth authentication algorithm; after receiving the identity request, the terminal device can feed back the terminal
  • the PDU session establishment request includes the secondary authentication capability information of the terminal device, and the secondary authentication capability information of the terminal device includes the secondary authentication algorithm supported by the terminal device and the authentication credential of the secondary authentication algorithm; the secondary authentication algorithms supported by the terminal device include the third authentication algorithm and the fourth authentication algorithm.
  • the session management network element obtains the secondary authentication capability information of the terminal device.
  • the secondary authentication capability information of the terminal device includes some or all of the following: the secondary authentication algorithm supported by the terminal device, the authentication certificate supported by the terminal device, and the secondary authentication algorithm
  • the secondary authentication algorithm supported by the terminal device includes the third authentication algorithm and the fourth authentication algorithm.
  • the present application also provides a computer-readable storage medium having instructions stored in the computer-readable storage medium, which when run on a computer, cause the computer to execute the methods described in the above aspects.
  • this application also provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the methods described in the above aspects.
  • the present application also provides a computer chip connected to a memory, and the chip is configured to read and execute a software program stored in the memory, and execute the methods described in the foregoing aspects.
  • Figure 1 is a schematic diagram of a network system architecture provided by this application.
  • Figure 2 is a schematic diagram of a method for mutual authentication between UE and UDM network elements.
  • Figure 3 is a schematic diagram of a method for UE and DN-AAA mutual authentication.
  • FIG. 4 is a schematic diagram of an authentication method provided by this application.
  • FIG. 5 is a schematic diagram of an authentication method provided by this application.
  • FIG. 6 is a schematic diagram of an authentication method provided by this application.
  • FIG. 7 is a schematic diagram of an authentication method provided by this application.
  • FIG. 8 is a schematic diagram of an authentication method provided by this application.
  • FIG. 9 is a schematic diagram of an authentication method provided by this application.
  • the network architecture is a 5G network architecture.
  • the network elements in the 5G architecture include user equipment.
  • the terminal equipment is the UE as an example.
  • the network architecture also includes the radio access network (RAN), the access and mobility management function (AMF), the session management function (SMF), the data network authentication, authorization and accounting (data network-authentication, authorization and accounting, DN-AAA) server, unified data management (UDM), the authentication server function (AUSF), the security anchor function (SEAF), and so on.
  • the main function of the RAN is to control wireless access of users to the mobile communication network. The RAN is part of the mobile communication system and implements a radio access technology; conceptually, it resides between a device (such as a mobile phone, a computer, or any remotely controlled machine) and the core network, and provides the connection to the core network.
  • the AMF network element is responsible for terminal access management and mobility management, such as registration management, connection management, mobility management, reachability management, and so on; in practical applications, it includes the mobility management function of the mobility management entity (MME) in the LTE network framework, with the access management function added.
  • the SMF network element is responsible for functions such as session management, user plane selection and control; it can initiate the PDU session release/modification process, and is responsible for the authority control during the initial establishment of the PDU session.
  • the DN-AAA server is used to configure authentication, authorization and accounting functions for the terminal. Authentication refers to the confirmation of the user's identity and available network services; authorization refers to the opening of network services to users based on the authentication results; charging refers to recording the user's usage of various network services and providing them to the billing system.
  • the DN-AAA server may determine whether to perform the mutual authentication again after the mutual authentication with the UE fails.
  • the SEAF network element is used to complete the authentication of the UE.
  • the function of the SEAF can be merged into the AMF.
  • the AUSF network element has an authentication service function, which is used to terminate the authentication function requested by the SEAF network element. During the authentication process, it receives the authentication vector sent by the UDM and processes the authentication vector, and sends the processed authentication vector to the SEAF.
  • the AUSF network element can determine whether to perform two-way authentication again after the two-way authentication between the UDM network element and the UE fails, and notify the UDM network element so that the UDM network element can initiate the authentication process; optionally, the AUSF network element may also notify the UDM network element of the authentication algorithm used when the two-way authentication with the UE failed.
  • the UDM network element can store the user's subscription information, generate authentication parameters, and so on. In the embodiment of the present application, the UDM network element may determine whether to perform mutual authentication with the UE again after the two-way authentication with the UE fails.
  • ARPF network elements have authentication credential storage and processing functions, which are used to store long-term authentication credentials of users, such as the permanent key K.
  • the functions of ARPF network elements can be incorporated into UDM network elements.
  • the terminal equipment in this application, also referred to as user equipment (UE), is a device with a wireless transceiver function, which can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; it can also be deployed on water (such as on ships); and it can also be deployed in the air (such as on airplanes, balloons, or satellites).
  • the terminal device can be a mobile phone (mobile phone), a tablet computer (pad), a computer with wireless transceiver function, virtual reality (VR) terminal, augmented reality (AR) terminal, industrial control (industrial control)
  • after the UE fails the mutual authentication with the DN-AAA server, it can determine whether to perform the mutual authentication with the DN-AAA server again.
  • the SEAF network element and the AUSF network element can be located in the same network or in different networks.
  • the SEAF network element is located in a serving network.
  • the SEAF network element is located in the visited public land mobile network (VPLMN), and the AUSF network element is located in the home network.
  • the authentication of terminal equipment in the mobile communication system can be divided into two types: primary authentication and secondary authentication.
  • Primary authentication refers to the mutual authentication between the terminal equipment and the core network (such as UDM network elements) after the registration process is initiated.
  • Secondary authentication refers to the mutual authentication between the terminal device and a server in the data network during the protocol data unit (protocol data unit, PDU) session establishment process or during the process of accessing a slice.
  • Fig. 2 shows a schematic diagram of a method for 5G authentication and key agreement (5th-Generation Authentication and Key Agreement, 5G-AKA) based on the system framework shown in Fig. 1.
  • Step 201 The UE carries the encrypted user identity in the registration request and sends it to the SEAF network element in the serving network.
  • the UE may encrypt the subscription permanent identifier (SUPI) to generate a subscription concealed identifier (SUCI), and the UE carries the SUCI in the registration request and sends it to the SEAF network element.
  • Step 202 The SEAF network element carries the encrypted user identification in the authentication request, and sends it to the AUSF network element in the home network.
  • Step 203 The AUSF network element carries the encrypted user identity in the UE authentication acquisition request, and sends it to the UDM network element in the home network.
  • Step 204 The UDM network element decrypts the encrypted user ID to obtain the user ID, and the UDM network element queries the subscription information of the UE corresponding to the user ID according to the user ID.
  • Step 205 The UDM network element selects an authentication algorithm, and generates an authentication vector based on the subscription information of the UE.
  • the authentication vector includes multiple parameters, including the authentication token (AUTN), RAND, the expected challenge response (eXpected RESponse, XRES*) and K_AUSF, where the authentication token carries a message authentication code (MAC) and a sequence number (SQN).
  • the UDM network element may select an authentication algorithm according to a locally configured policy, such as the priority of each authentication algorithm.
  • Step 206 The UDM network element sends an authentication acquisition response to the AUSF network element, and the authentication acquisition response includes the authentication vector and the user identifier.
  • Step 207 The AUSF network element sends an authentication authentication response to the SEAF network element, and the authentication authentication response carries the authentication vector.
  • the AUSF network element can process the authentication vector, for example, perform a hash operation on XRES* to generate HXRES*, and generate K_SEAF based on K_AUSF.
  • the processed authentication vector includes RAND, AUTN, HXRES* and K_SEAF; the authentication response carries the processed authentication vector.
  • Step 208 The SEAF network element sends an authentication request to the UE, where the authentication request carries part of the parameters in the authentication vector, and the part of the parameters includes RAND and AUTN.
  • Step 209 The UE verifies the UDM network element according to the AUTN.
  • after receiving the AUTN, the UE obtains the SQN and MAC carried in the AUTN, and verifies the SQN and the MAC respectively.
  • the UE can send an authentication failure message to the SEAF network element, where the failure reason value carried in the authentication failure message indicates that the cause of the authentication failure is MAC verification failure; the SEAF network element forwards the authentication failure message to the AUSF network element, and the AUSF network element forwards it to the UDM network element; after receiving the authentication failure message, the UDM network element can use the same authentication algorithm to perform authentication again.
  • the UE can send an authentication failure message to the SEAF network element, where the failure reason value carried in the authentication failure message indicates that the reason for the authentication failure is SQN verification failure, and the SQN saved on the UE side is included in the authentication failure message; the SEAF network element forwards the authentication failure message to the AUSF network element, and the AUSF network element forwards it to the UDM network element; the UDM network element obtains the UE-side SQN from the authentication failure message and synchronizes its saved SQN (that is, updates the locally saved SQN to the SQN saved on the UE side), and then uses the synchronized SQN to initiate authentication again with the same authentication algorithm.
  • the UE can send an authentication failure message to the SEAF network element, where the failure reason value carried in the authentication failure message indicates that the cause of the authentication failure is network failure, and the authentication failure message carries the SQN saved on the UE side; the SEAF network element forwards the authentication failure message to the AUSF network element, and the AUSF network element forwards it to the UDM network element; after receiving the authentication failure message, the UDM network element can end the authentication process.
  • the failure reason value can be MAC failure (mac failure), SQN verification failure (SQN failure), network failure (network failure), authentication failure (authentication failure), network congestion, a mismatch between the network standard and the authentication vector, and other reasons.
  • step 211 is executed.
  • Step 210 After the verification is passed, the UE generates RES* in the same way as the UDM network element generates XRES*, and sends an authentication response carrying RES* to the SEAF network element.
  • Step 211 The SEAF network element forwards the RES* returned by the UE to the AUSF network element, and the AUSF network element performs the next step of authentication.
  • Step 212 After receiving the RES*, the AUSF network element compares the RES* with the XRES* in the authentication vector, and if the results are consistent, the UE authentication is completed.
  • the AUSF network element can send an authentication failure message to the UDM network element, and the UDM network element can choose to end the authentication process; the authentication failure message can carry a failure reason value, for example one indicating authentication failure (authentication failure) or network failure (network failure).
  • Step 213 After the authentication is successful, the AUSF network element sends the user ID and K_SEAF to the SEAF network element.
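The 5G-AKA exchange of steps 201 to 213 can be followed more easily when both sides are written out. The model below is an added example, not code from the patent or from 3GPP: a UDM builds the authentication vector, the UE checks the MAC and then the SQN carried in AUTN, the SEAF compares HRES* with HXRES*, and the AUSF compares RES* with XRES*. The MILENAGE functions f1 to f5 and the RES* derivation are replaced by HMAC-SHA256 stand-ins, the SQN window is reduced to "strictly increasing", and the failure-reason strings are this example's own; the three outcomes follow the page (MAC failure: UDM may retry with the same algorithm; SQN failure: UDM resynchronises to the UE-side SQN and retries; success on matching RES*).

```python
"""Toy 5G-AKA model (added example; HMAC-SHA256 stands in for MILENAGE f1-f5)."""
import hashlib
import hmac
import os


def _kdf(key: bytes, *parts: bytes) -> bytes:
    """Keyed derivation used in place of the real f1/f2/f5 functions (assumption)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class UDM:
    """Home-network side: holds the long-term key K and the network-side SQN."""

    def __init__(self, k: bytes, sqn: int = 0):
        self.k, self.sqn = k, sqn

    def authentication_vector(self, sn_name: bytes) -> dict:
        """Step 205: fresh RAND, AUTN = (SQN xor AK) || MAC, XRES* and K_AUSF."""
        self.sqn += 1
        rand = os.urandom(16)
        sqn_b = self.sqn.to_bytes(6, "big")
        mac = _kdf(self.k, b"f1", rand, sqn_b)[:8]          # f1 stand-in
        ak = _kdf(self.k, b"f5", rand)[:6]                   # f5 anonymity key stand-in
        autn = _xor(sqn_b, ak) + mac
        res = _kdf(self.k, b"f2", rand)[:8]                  # f2 stand-in
        xres_star = _kdf(res, b"RES*", sn_name, rand)[:16]
        k_ausf = _kdf(self.k, b"KAUSF", sn_name, autn)
        return {"RAND": rand, "AUTN": autn, "XRES*": xres_star, "KAUSF": k_ausf}


class UE:
    """USIM side: same K, its own highest accepted SQN."""

    def __init__(self, k: bytes, sqn: int = 0):
        self.k, self.sqn = k, sqn

    def verify(self, rand: bytes, autn: bytes, sn_name: bytes):
        """Step 209: check MAC first, then SQN; on success return RES* (step 210)."""
        ak = _kdf(self.k, b"f5", rand)[:6]
        sqn_b = _xor(autn[:6], ak)
        if not hmac.compare_digest(autn[6:], _kdf(self.k, b"f1", rand, sqn_b)[:8]):
            return ("mac failure", None)
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn:
            # SQN not fresh: report the UE-side SQN so the UDM can resynchronise
            return ("sqn failure", self.sqn)
        self.sqn = sqn
        res = _kdf(self.k, b"f2", rand)[:8]
        return ("ok", _kdf(res, b"RES*", sn_name, rand)[:16])


def run_5g_aka(ue: UE, udm: UDM, sn_name: bytes = b"5G:example-serving-network") -> str:
    """Drives steps 205-212 once and returns the outcome as the network sees it."""
    av = udm.authentication_vector(sn_name)
    hxres_star = hashlib.sha256(av["RAND"] + av["XRES*"]).digest()[16:]   # step 207
    status, payload = ue.verify(av["RAND"], av["AUTN"], sn_name)           # steps 208-209
    if status == "mac failure":
        return "mac failure: UDM may re-run authentication with the same algorithm"
    if status == "sqn failure":
        udm.sqn = payload          # resynchronise to the UE-side SQN, then retry
        return "sqn failure: UDM synchronised SQN and may retry"
    # step 211: SEAF-side check of HRES* against HXRES* before forwarding RES*
    hres_star = hashlib.sha256(av["RAND"] + payload).digest()[16:]
    if not hmac.compare_digest(hres_star, hxres_star):
        return "authentication failure"
    # step 212: AUSF compares RES* with XRES*
    return "success" if hmac.compare_digest(payload, av["XRES*"]) else "authentication failure"


if __name__ == "__main__":
    k = bytes(16)                 # constructed shared key for the demo
    print(run_5g_aka(UE(k), UDM(k)))
```

Running the same `UE` and `UDM` pair twice after an SQN failure shows the resynchronisation path: the first call reports `sqn failure` and moves the UDM counter up to the UE's value, the second call succeeds.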
  • the terminal device also needs to perform secondary authentication with the server in the data network; the secondary authentication is explained below:
  • Fig. 3 is a schematic diagram of a method for secondary authentication between the UE and the DN-AAA in the process of establishing a PDU session for the UE based on the system framework shown in Fig. 1.
  • Step 301 The UE sends a PDU session establishment request to the SMF network element in the serving network.
  • the PDU session establishment request includes the PDU session ID and the data network name (DNN).
  • the DNN is used to indicate the network to which the UE needs to connect.
  • Step 302 The SMF network element in the serving network sends a PDU session establishment request to the SMF network element in the home network, which carries the user identity of the UE.
  • Step 303 After receiving the PDU session establishment request, the SMF network element in the home network selects the UPF network element, establishes an N4 session with the UPF network element, and sends the PDU session establishment request to the DN-AAA through the UPF network element.
  • a PDU session establishment request is sent to the UPF network element; the UPF sends a session establishment request to the DN-AAA according to the DNN in the PDU session establishment request. This session establishment request is different from the PDU session establishment request sent by the UE and may not carry the DNN.
  • Step 304 DN-AAA selects the authentication algorithm with the highest priority according to the priority list of secondary authentication algorithms it supports, and initiates an EAP authentication process.
  • Step 305 The DN-AAA requests the UE identity through the SMF network element in the home network to request the identity information of the UE corresponding to the authentication algorithm.
  • the DN-AAA sends an identity request to an SMF network element in the home network, and the SMF network element in the home network sends an identity request to the UE.
  • the identity information of the UE corresponding to different authentication algorithms can be different.
  • the identity information of the UE corresponding to the authentication algorithm refers to the UE user name information that meets the requirements of the authentication algorithm. Exemplarily, it may be the SUPI of the UE, where the authentication algorithm is a secondary authentication algorithm.
  • Step 306 The UE sends the identity information of the UE corresponding to the authentication algorithm to the DN-AAA through the SMF network element in the home network.
  • the UE sends an identity response to the SMF network element in the home network, and the identity response includes the identity information of the UE corresponding to the authentication algorithm.
  • the SMF network element in the home network sends the identity information of the UE corresponding to the authentication algorithm to the UPF network element through the N4 session, and the UPF network element sends the identity information of the UE corresponding to the authentication algorithm to the DN-AAA.
  • Step 307 After receiving the identity information of the UE corresponding to the authentication algorithm, the DN-AAA performs mutual authentication with the UE based on the authentication algorithm.
  • Step 308 After the DN-AAA successfully authenticates the UE, the DN-AAA sends an authentication success message to the SMF network element in the home network. If the DN-AAA fails to authenticate with the UE, the DN-AAA sends an authentication failure message to the SMF network element in the home network.
  • the DN-AAA sends an authentication success message to the UPF network element, and after receiving the authentication success message, the UPF network element sends an authentication success message to the SMF network element.
  • DN-AAA can send DN-AAA parameters to the UE, such as its TLS certificate, and request the certificate of the UE.
  • after the UE receives the TLS certificate of the DN-AAA, it verifies the TLS certificate.
  • the UE can verify whether the TLS certificate has been modified and whether the certificate is issued by a legitimate organization.
  • if the verification fails, the UE sends a TLS-Alert message to the DN-AAA.
  • the TLS-Alert message indicates that the DN-AAA fails the UE's verification.
  • the UE sends the UE's certificate to DN-AAA, and DN-AAA verifies the UE's certificate.
  • the DN-AAA can verify whether the UE's certificate has been modified, whether it is issued by a legitimate organization, and whether the identity information corresponding to the UE's certificate indicates the UE.
  • if the verification succeeds, the DN-AAA sends an authentication success message to the SMF network element in the home network; if the verification fails, the DN-AAA sends a TLS-Alert message to the UE, which indicates that the UE has not passed the DN-AAA's verification.
  • the information exchanged between the DN-AAA and the UE for mutual authentication will pass through the SMF network element in the home network, and the SMF network element in the home network is used to implement information forwarding without processing.
  • Step 309 After receiving the authentication success message, the SMF network element in the home network will establish a PDU session for the UE. After the PDU session is established, the PDU session establishment success response is sent to the UE through the SMF network element in the serving network. The PDU session establishment success response can also indicate that the DN-AAA has successfully authenticated with the UE.
  • if the SMF network element in the home network receives the authentication failure message, it sends a PDU session establishment failure response to the UE through the SMF network element in the serving network.
  • the UE and the DN-AAA cannot know the authentication algorithms that each other supports, and the DN-AAA only initiates the authentication process based on the secondary authentication algorithm supported by the DN-AAA; if the UE does not support the secondary authentication algorithm selected by the DN-AAA, the secondary authentication will fail.
  • if the secondary authentication fails and the SMF network element in the home network terminates the PDU session establishment process, a UE that still needs to establish a PDU session has to initiate the secondary authentication process again, and steps 301-303 need to be repeated, which increases the duration of the PDU session establishment process and causes additional signaling overhead.
  • the primary authentication and secondary authentication methods in the roaming scenario are taken as examples.
  • the specific method of the two-way authentication between the UE and the home network is not limited in the embodiment of this application; it may be fifth-generation mobile communication technology authentication and key agreement (5th-Generation authentication and key agreement, 5G-AKA), or an extensible authentication protocol (extensible authentication protocol, EAP) authentication method may also be adopted.
  • when the UE is in the home network, it also needs to perform two-way authentication with the UDM network element and the DN-AAA respectively.
  • the authentication method is similar to that in the roaming scenario, as shown in Figure 2.
  • compared with the embodiment shown in FIG. 2, the difference is that the SEAF network element, the AUSF network element, and the UDM network element are all network elements in the home network; compared with the embodiment shown in FIG. 3, the difference is that there is only an SMF network element in the home network.
  • the operations performed by the SMF network element in the service network in the illustrated embodiment are performed by the SMF network element in the home network, and there is no interaction between the SMF network element in the home network and the SMF network element in the service network.
  • the authentication method provided in the embodiment of the present application can be applied to a roaming scenario as well as a non-roaming scenario.
  • the terminal device can notify the unified data management network element of the primary authentication capability information of the terminal device in advance (for example, by carrying part or all of the primary authentication capability information of the terminal device in the registration request, or by pre-configuring part or all of the primary authentication capability information of the terminal device in the unified data management network element).
  • the unified data management network element may select the primary authentication algorithm supported by the terminal device based on the primary authentication capability information of the terminal device.
  • because the unified data management network element can know the primary authentication algorithms supported by the terminal device before the primary authentication, it can select, during the primary authentication, a primary authentication algorithm supported by both the terminal device and the unified data management network element, which improves the success rate of the primary authentication and reduces authentication failures caused by unsupported authentication algorithms; for convenience of explanation, the first authentication process between the terminal device and the unified data management network element is called the first authentication in the primary authentication, and the authentication performed again by the terminal device and the unified data management network element is called re-authentication in the primary authentication.
  • if the first authentication in the primary authentication fails, the unified data management network element can perform re-authentication, and during re-authentication select an authentication algorithm different from that of the first authentication (for example, an authentication algorithm with a different authentication credential) to further ensure the success rate of the primary authentication.
  • for the secondary authentication, that is, the two-way authentication between the terminal device and the server, the embodiment of the present application provides two ways to improve the success rate of the secondary authentication and reduce redundant signaling interaction.
  • Method 1 The terminal device may notify the server of the secondary authentication capability information of the terminal device in advance, and the server may select, based on the secondary authentication capability information of the terminal device, a secondary authentication algorithm supported by both the terminal device and the server to perform mutual authentication.
  • because the server can know the secondary authentication algorithms supported by the terminal device before the secondary authentication, it can select a secondary authentication algorithm supported by both the terminal device and the server during the secondary authentication, which improves the success rate of the secondary authentication and reduces authentication failures caused by unsupported secondary authentication algorithms; for convenience of description, the first authentication process performed by the terminal device and the server is called the first authentication in the secondary authentication, and the authentication performed again by the terminal device and the server is called re-authentication in the secondary authentication. If the first authentication in the secondary authentication fails, the server can determine to authenticate again with the terminal device, that is, perform re-authentication, and select an authentication algorithm different from that of the first authentication during re-authentication to further ensure the success rate of the secondary authentication.
  • Method 2 The server can notify the terminal device of the server's secondary authentication capability information in advance. After the first authentication in the secondary authentication fails, the terminal device selects, based on the server's secondary authentication capability information, a secondary authentication algorithm supported by both the server and the terminal device, notifies the server of the selected secondary authentication algorithm, and re-authenticates with the server.
  • because the terminal device can know in advance the secondary authentication algorithms supported by the server, when the first authentication in the secondary authentication fails the terminal device can choose to perform re-authentication in the secondary authentication and select an authentication algorithm different from that of the first authentication. This guarantees the success rate of the secondary authentication without redundant signaling interaction, which ensures the efficiency of the secondary authentication.
  • an authentication method provided by an embodiment of this application includes:
  • Step 401 The terminal device initiates a registration process and sends a registration request to the security anchor function network element.
  • the security anchor function network element can send the first authentication acquisition request to the unified data management network element through the authentication service function network element.
  • the authentication acquisition request is used to request the unified data management network element to trigger a two-way authentication process with the terminal device.
  • Step 402 The unified data management network element performs mutual authentication with the terminal device based on the first authentication algorithm; this is the first authentication in the primary authentication.
  • Step 403 After the two-way authentication with the terminal device fails, the unified data management network element selects a second authentication algorithm with an authentication credential different from the first authentication algorithm from the primary authentication algorithms supported by the terminal device.
  • Step 404 The unified data management network element performs mutual authentication with the terminal device based on the second authentication algorithm; this is the re-authentication in the primary authentication.
  • Step 405 The unified data management network element sends a registration response to the terminal device through the security anchor function network element.
  • if the two-way authentication between the unified data management network element and the terminal device based on the second authentication algorithm succeeds, the registration response can indicate that the terminal device is successfully registered; if the unified data management network element fails the two-way authentication with the terminal device based on the second authentication algorithm, the registration response may indicate that the terminal device has failed to register.
  • the first authentication algorithm selected for the two-way authentication between the unified data management network element and the terminal device may be selected by the unified data management network element from the primary authentication algorithms it supports, or from the primary authentication algorithms supported by the terminal device.
  • the embodiment of this application does not limit the selection method of the first authentication algorithm.
  • if the unified data management network element selects the first authentication algorithm from the primary authentication algorithms supported by the terminal device, or selects the second authentication algorithm during the re-authentication in the primary authentication, the unified data management network element needs to determine the primary authentication algorithms supported by the terminal device.
  • the unified data management network element can determine the primary authentication algorithms supported by the terminal device in two ways:
  • Method 1 The unified data management network element obtains the primary authentication algorithm supported by the terminal device from the security anchor function network element.
  • the terminal device can carry the primary authentication capability information of the terminal device in the registration request.
  • after receiving the registration request, the security anchor function network element obtains the primary authentication capability information of the terminal device and carries the primary authentication capability information of the terminal device in the first authentication acquisition request.
  • the first authentication acquisition request may also include identification information of the terminal device, which is used by the unified data management network element to determine which terminal device it needs to perform two-way authentication with, and to which terminal device the carried primary authentication capability information belongs.
  • the primary authentication capability information of the terminal device includes some or all of the following: primary authentication algorithm supported by the terminal device, authentication credential supported by the terminal device, and mapping relationship between the primary authentication algorithm supported by the terminal device and the authentication credential supported by the terminal device.
  • the primary authentication capability information of the terminal device needs to include the primary authentication algorithm supported by the terminal device. If the primary authentication capability information of the terminal device does not include the primary authentication algorithm supported by the terminal device, the primary authentication algorithm supported by the terminal device can be determined through the second method.
  • the primary authentication algorithm defines the content of the information exchanged between the terminal device and the unified data management network element, the method by which the terminal device authenticates the unified data management network element, and the method by which the unified data management network element authenticates the terminal device.
  • primary authentication algorithms include, for example, 5G AKA, EAP-AKA', EAP-TLS and EAP-AKA.
  • the authentication credential is an important parameter for the unified data management network element to generate authentication parameters in an authentication process.
  • the authentication parameters include but are not limited to authentication tokens, authentication vectors and certificates.
  • the correspondence between the authentication credential and the primary authentication algorithm can be one-to-one or one-to-many.
  • the authentication credential of 5G AKA or EAP-AKA' may be a root key.
  • the authentication credential of EAP-TLS may be a certificate.
  • Method 2 The unified data management network element obtains the locally stored primary authentication algorithm supported by the terminal device.
  • the unified data management network element can pre-store the primary authentication algorithm supported by the terminal device; optionally, it can also pre-store the authentication credential supported by the terminal device and/or the mapping relationship between the primary authentication algorithm supported by the terminal device and the authentication credential supported by the terminal device.
  • when a terminal device subscribes with the unified data management network element, part or all of the primary authentication algorithm supported by the terminal device, the authentication credential supported by the terminal device, and/or the mapping relationship between the primary authentication algorithm supported by the terminal device and the authentication credential supported by the terminal device can be stored in the unified data management network element as the subscription information of the terminal device.
  • in this case, the registration request sent by the terminal device may not carry the primary authentication capability information of the terminal device, that is, the primary authentication algorithm supported by the terminal device, the authentication credential supported by the terminal device, and the mapping relationship between the primary authentication algorithm supported by the terminal device and the authentication credential supported by the terminal device have already been saved in the unified data management network element.
  • any of the primary authentication algorithm supported by the terminal device, the authentication credential supported by the terminal device, and the mapping relationship between the primary authentication algorithm supported by the terminal device and the authentication credential supported by the terminal device can be carried in the first authentication acquisition request or saved locally in the unified data management network element.
  • the primary authentication capability information of the terminal device may include the primary authentication algorithm supported by the terminal device and the authentication credential supported by the terminal device.
  • the mapping relationship between the primary authentication algorithm supported by the terminal device and the authentication credential supported by the terminal device can be pre-stored in the unified data management network element. In this case, the unified data management network element can configure the mapping relationship between multiple primary authentication algorithms and authentication credentials, where the multiple primary authentication algorithms include the primary authentication algorithm supported by the terminal device and can also include the primary authentication algorithms of other terminal devices.
  • the unified data management network element then only needs to know the primary authentication algorithm supported by the terminal device; it can determine the mapping relationship between the primary authentication algorithm supported by the terminal device and the authentication credential supported by the terminal device through the locally stored mapping relationship between multiple primary authentication algorithms and authentication credentials.
  • after the unified data management network element selects the first authentication algorithm, it can perform mutual authentication with the terminal device based on the first authentication algorithm. If the two-way authentication with the terminal device succeeds, subsequent operations can continue, such as initiating a PDU session establishment process and performing two-way authentication with the server.
  • if the two-way authentication with the terminal device fails, the unified data management network element can determine whether to perform the two-way authentication with the terminal device again.
  • the first is that the terminal device does not support other authentication algorithms.
  • the second is that the terminal device and the unified data management network element have no other common support authentication algorithm.
  • the third is that the terminal device and the unified data management network element jointly support another authentication algorithm, but the authentication credential corresponding to that other authentication algorithm is the same as the authentication credential corresponding to the first authentication algorithm.
  • in addition, the unified data management network element can determine not to perform two-way authentication with the terminal device again based on the reason for the primary authentication failure.
  • the reason for the primary authentication failure may be fed back by the terminal device.
  • the unified data management network element can determine the cause of the authentication failure according to the failure reason value fed back by the terminal device; the cause of the authentication failure can also be determined by the unified data management network element itself.
  • for the failure reason value, refer to the relevant description of the embodiment shown in FIG. 2.
  • the unified data management network element can end the authentication process.
  • the unified data management network element considers that the two-way authentication cannot be performed again.
  • after the unified data management network element determines that it will not perform mutual authentication with the terminal device again, it may send an authentication failure message to the terminal device and indicate that the authentication is ended.
  • Case 1 During the first authentication in the primary authentication, the unified data management network element determines, through the failure reason value, that the cause of the primary authentication failure is that the MAC verification failed.
  • the unified data management network element can use the first authentication algorithm again to perform re-authentication with the terminal device; if the terminal device also supports other authentication algorithms, the unified data management network element can select another primary authentication algorithm from the primary authentication algorithms supported by the terminal device.
  • This embodiment of the application takes the second authentication algorithm as an example: the authentication credential corresponding to the second authentication algorithm is different from the authentication credential corresponding to the first authentication algorithm, and the unified data management network element may use the second authentication algorithm to perform re-authentication with the terminal device.
  • Case 2 During the first authentication in the primary authentication, the unified data management network element determines, through the failure reason value, that the reason for the authentication failure is that the SQN verification failed.
  • the unified data management network element can perform SQN synchronization and, after the SQN is synchronized, perform mutual authentication with the terminal device using the synchronized SQN based on the first authentication algorithm or the second authentication algorithm.
  • Case 3 During the first authentication in the primary authentication, the unified data management network element determines, through the failure reason value, that the cause of the primary authentication failure is an authentication failure.
  • the unified data management network element can select the second authentication algorithm from the primary authentication algorithms supported by the terminal device and use the second authentication algorithm to re-authenticate with the terminal device.
  • the unified data management network element receives a second authentication acquisition request from the authentication service function network element, and the second authentication acquisition request is used to request the unified data management network element to trigger a new two-way authentication process.
  • the information that the unified data management network element interacts with the terminal device can be transmitted through the authentication service function network element.
  • the authentication service function network element can send the information from the terminal device to the unified data management network element; the authentication service function network element can also send the information from the unified data management network element directly to the terminal device (as in the EAP authentication method), or it can process the information from the unified data management network element and send the processed information to the terminal device (as in the 5G-AKA authentication mode).
  • the messages sent between the unified data management network element and the terminal device can be learned by the authentication service function network element. If the authentication service function network element stores the primary authentication capability information supported by the unified data management network element and the terminal device, it can determine whether to replace the authentication algorithm according to the failure cause value (for the determination method, refer to the determination mode of the unified data management network element in the foregoing content), and, when it determines that the authentication algorithm needs to be replaced, send the second authentication acquisition request to the unified data management network element.
  • the unified data management network element considers that the two-way authentication can be performed again.
  • the unified data management network element may not record the authentication algorithm used during the two-way authentication with the terminal device based on the first authentication algorithm; that is, when performing two-way authentication with the terminal device, it can only determine whether the authentication result is failure or success and cannot determine the authentication algorithm used when the authentication fails. In order to enable the unified data management network element to later choose the authentication algorithm used for re-authentication and avoid choosing the first authentication algorithm again, the second authentication acquisition request sent by the authentication service function network element may indicate that the unified data management network element failed the two-way authentication with the terminal device based on the first authentication algorithm.
  • the unified data management network element may also record the authentication algorithm used for mutual authentication. In this way, when the authentication algorithm used for re-authentication is subsequently selected, an authentication algorithm different from the first authentication algorithm can be selected based on the recorded information.
  • the information that the unified data management network element interacts with the terminal device can be transmitted through the authentication service function network element, and in different authentication algorithms, the operation performed by the authentication service function network element may be different.
  • the unified data management network element can notify the authentication service function network element that two-way authentication with the terminal device will be performed again, and can also send the authentication parameters of the authentication process (such as the authentication vector) to the authentication service function network element, so that the authentication service function network element can perform the corresponding operation during the re-authentication process between the unified data management network element and the terminal device.
  • the unified data management network element may send an indication message to the authentication service function network element before performing mutual authentication with the terminal device again; the indication message may indicate that the unified data management network element will perform two-way authentication with the terminal device again, and may also carry the authentication parameters of the second authentication algorithm.
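The retry decision of Steps 401-405 and Cases 1-3 above, as an added Python model that is not part of the patent: a toy unified data management element keeps the algorithm-to-credential mapping, runs a first authentication, and on failure either resynchronises the SQN, retries, or selects a second algorithm with a different credential type. The Terminal and UDM classes, the failure-reason values and the one-step re-sync window are constructed assumptions, not anything the patent specifies.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Cred(Enum):
    ROOT_KEY = "root key"        # credential of 5G AKA, EAP-AKA, EAP-AKA'
    CERTIFICATE = "certificate"  # credential of EAP-TLS


# Mapping between primary authentication algorithms and authentication credentials
ALG_CREDENTIAL = {"5G-AKA": Cred.ROOT_KEY, "EAP-AKA'": Cred.ROOT_KEY,
                  "EAP-AKA": Cred.ROOT_KEY, "EAP-TLS": Cred.CERTIFICATE}


class Cause(Enum):
    """Failure reason values fed back by the terminal device (constructed names)."""
    MAC_FAILURE = "mac"
    SQN_FAILURE = "sqn"
    AUTH_FAILURE = "auth"


@dataclass
class Terminal:
    algorithms: List[str]   # primary authentication algorithms it supports
    root_key: bytes
    cert_id: str            # identity bound to its certificate
    sqn: int = 0


@dataclass
class UDM:
    algorithms: List[str]
    root_key: bytes         # key in the subscription record
    cert_id: str            # identity of the enrolled certificate
    sqn: int = 0
    log: List[str] = field(default_factory=list)


def select_second_algorithm(first: str, ue: Terminal, udm: UDM) -> Optional[str]:
    """Step 403: an algorithm both sides support whose credential differs from the
    first algorithm's. None covers the three situations in which no re-authentication
    is possible (no other algorithm, no common algorithm, same credential)."""
    first_cred = ALG_CREDENTIAL[first]
    for alg in ue.algorithms:
        if alg != first and alg in udm.algorithms and ALG_CREDENTIAL[alg] != first_cred:
            return alg
    return None


def attempt(alg: str, ue: Terminal, udm: UDM) -> Tuple[bool, Optional[Cause]]:
    """Toy mutual authentication. A root-key algorithm reports a MAC failure on a key
    mismatch and an SQN failure when the counters are out of sync (constructed window
    of 1); EAP-TLS succeeds only if the certificate identity matches the enrolled one."""
    if ALG_CREDENTIAL[alg] is Cred.ROOT_KEY:
        if ue.root_key != udm.root_key:
            return False, Cause.MAC_FAILURE
        if abs(ue.sqn - udm.sqn) > 1:
            return False, Cause.SQN_FAILURE
        ue.sqn = udm.sqn = udm.sqn + 1
        return True, None
    if ue.cert_id == udm.cert_id:
        return True, None
    return False, Cause.AUTH_FAILURE


def primary_authentication(ue: Terminal, udm: UDM, first: str) -> bool:
    """Steps 402-405: first authentication, then at most one re-authentication chosen
    according to the failure reason value (Cases 1-3)."""
    ok, cause = attempt(first, ue, udm)
    udm.log.append(f"first authentication with {first}: {'ok' if ok else cause.value}")
    if ok:
        return True
    second = select_second_algorithm(first, ue, udm)
    if cause is Cause.SQN_FAILURE:      # Case 2: resynchronise, then retry the first algorithm
        udm.sqn = ue.sqn
        retry = first
    elif cause is Cause.MAC_FAILURE:    # Case 1: another algorithm if available, else retry
        retry = second or first
    elif second is None:                # Case 3 without a usable alternative: end
        udm.log.append("no alternative algorithm, authentication ended")
        return False
    else:                               # Case 3: algorithm with a different credential
        retry = second
    ok, cause = attempt(retry, ue, udm)
    udm.log.append(f"re-authentication with {retry}: {'ok' if ok else cause.value}")
    return ok


if __name__ == "__main__":
    # Constructed scenario: the UE's key differs from the subscription record, so
    # 5G-AKA fails with a MAC failure, but both sides also support EAP-TLS and the
    # certificate identities match.
    ue = Terminal(["5G-AKA", "EAP-TLS"], b"k-ue", "imsi-001")
    udm = UDM(["5G-AKA", "EAP-AKA'", "EAP-TLS"], b"k-hn", "imsi-001")
    print(primary_authentication(ue, udm, "5G-AKA"))
    print("\n".join(udm.log))
```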
  • after the primary authentication succeeds, secondary authentication can be performed, that is, the two-way authentication between the terminal device and the server.
  • the embodiment of the present application provides two implementation methods for secondary authentication, which will be described separately below.
  • an authentication method provided by an embodiment of this application includes:
  • Step 501 The terminal device sends a PDU session establishment request to the session management network element.
  • Step 502 The terminal device performs mutual authentication with the server based on the third authentication algorithm.
  • the terminal device can send a PDU session establishment request to the session management network element.
  • the session management network element sends a session establishment request to the server through the user plane network element; after the server receives the session establishment request, it can perform mutual authentication with the terminal device based on the third authentication algorithm.
  • Step 502 After the mutual authentication between the terminal device and the server based on the third authentication algorithm fails, it is determined, based on the reason for the secondary authentication failure, that the server and the terminal device need to trigger a new mutual authentication process.
  • Step 503 The terminal device selects a fourth authentication algorithm whose authentication credential is different from that of the third authentication algorithm from the secondary authentication algorithm supported by the server and the secondary authentication algorithm supported by the terminal device.
  • Step 504 The terminal device sends a first authentication request to the server through the session management network element, where the first authentication request is used to instruct the server and the terminal device to perform mutual authentication based on the fourth authentication algorithm.
  • Step 505 The server sends an identity request to the terminal device through the session management network element, where the identity request is used to request the identity information of the terminal device corresponding to the fourth authentication algorithm.
  • Step 506 The terminal device feeds back the identity information of the terminal device corresponding to the fourth authentication algorithm to the server.
  • Step 507 The server performs mutual authentication with the terminal device based on the fourth authentication algorithm.
  • Step 508 The server may inform the session management network element of the result of the authentication with the terminal device based on the fourth authentication algorithm, and the session management network element sends a PDU session establishment response to the terminal device according to the authentication result.
  • the embodiment of the present application does not limit the manner in which the third authentication algorithm used by the terminal device and the server for secondary authentication is determined.
  • the method of step 304 in the embodiment shown in FIG. 3 may be used, in which the algorithm is selected from the secondary authentication algorithms supported by the server.
  • Other methods can also be used, two of which are listed below:
  • the session management network element selects from the secondary authentication algorithms supported by the terminal device.
  • the session management network element can obtain the secondary authentication capability information of the terminal device.
  • the secondary authentication capability information of the terminal device includes some or all of the following: the secondary authentication algorithms supported by the terminal device, the authentication credentials supported by the terminal device, and the mapping relationship between secondary authentication algorithms and authentication credentials; the secondary authentication algorithms supported by the terminal device include the third authentication algorithm and the fourth authentication algorithm.
  • the session management network element may select a third authentication algorithm from the secondary authentication algorithms supported by the terminal device.
  • the session management network element may send a second authentication request to the server; the second authentication request is used to notify the server to perform mutual authentication with the terminal device based on the third authentication algorithm.
  • the second authentication request can be sent to the server independently, or can be carried in another message that needs to be sent to the server; for example, the second authentication request can be carried in the N4 message and in the interaction message between the UPF and the server.
  • the secondary authentication algorithm defines the information content that the terminal device interacts with the server, the authentication method of the terminal device to the server, and the authentication method of the server to the terminal device.
  • examples of secondary authentication algorithms are 5G AKA, EAP-AKA', EAP-TLS and EAP-AKA.
  • for details of the authentication credential, refer to the related description of the authentication credential in the first authentication capability information, which is not repeated here.
  • Authentication credentials and secondary authentication algorithms can be one-to-one or one-to-many.
  • the authentication credential of 5G AKA or EAP-AKA' may be a root key.
  • the authentication credential of EAP-TLS may be a certificate.
  • the manner in which the session management network element obtains the secondary authentication capability information of the terminal device is not limited in the embodiment of the present application. Two of them are listed below:
  • the terminal device may carry the secondary authentication capability information of the terminal device in the information sent to the session management network element.
  • it may be carried in the PDU session establishment request, and the session management network element may obtain the secondary authentication capability information of the terminal device from the PDU session establishment request from the terminal device.
  • the session management network element may obtain the secondary authentication algorithm supported by the terminal device from the PDU session establishment request after receiving the PDU session establishment request.
  • the unified data management network element may store the secondary authentication capability information of the terminal device, and the session management network element may obtain the secondary authentication capability information of the terminal device from the unified data management network element.
  • the unified data management network element can store the secondary authentication capability information of the terminal device as subscription information of the terminal device when the terminal device subscribes.
  • when the session management network element needs to select the authentication algorithm for the secondary authentication, it obtains the secondary authentication algorithms supported by the terminal device from the unified data management network element, and selects the third authentication algorithm from the secondary authentication algorithms supported by the terminal device.
  • when the terminal device initiates the registration process, it can carry the secondary authentication capability information of the terminal device in the registration request; after receiving the registration request, the security anchor function network element can obtain the secondary authentication capability information of the terminal device from the registration request, carry it in the first authentication obtaining request, and send the first authentication obtaining request to the unified data management network element through the authentication service function network element; after receiving the first authentication obtaining request, the unified data management network element may save the secondary authentication capability information of the terminal device.
  • instead of being carried in the session establishment request, the information may also be stored locally in the unified data management network element.
  • the secondary authentication capability information of the terminal device may include the secondary authentication algorithms supported by the terminal device and the authentication credentials supported by the terminal device; the mapping relationship between the secondary authentication algorithms supported by the terminal device and the authentication credentials supported by the terminal device can be saved in advance in the unified data management network element.
  • the session management network element may obtain only the secondary authentication algorithms supported by the terminal device, or it may additionally obtain the authentication credentials supported by the terminal device and/or the mapping relationship between the secondary authentication algorithms supported by the terminal device and the authentication credentials supported by the terminal device.
  • the secondary authentication capability information of the terminal device or the secondary authentication algorithms supported by the terminal device can also be stored locally in the session management network element.
  • after the session management network element obtains the secondary authentication capability information of the terminal device or the secondary authentication algorithms supported by the terminal device, it can combine them with the secondary authentication algorithms supported by the server, obtained from the server, to select a secondary authentication algorithm supported by both the terminal device and the server.
  • the server selects from the secondary authentication algorithms supported by the terminal device.
  • the session management network element may send a first authentication capability notification message to the server, and the first authentication capability notification message includes the secondary authentication capability information of the terminal device.
  • the server receives the first authentication capability notification message and obtains the secondary authentication capability information of the terminal device.
  • the server selects the third authentication algorithm from the secondary authentication algorithm supported by the terminal device, and performs mutual authentication with the terminal device based on the third authentication algorithm.
  • the terminal device and the server can perform mutual authentication based on the third authentication algorithm.
  • the session management network element can establish a PDU session for the terminal device.
  • if the mutual authentication between the terminal device and the server based on the third authentication algorithm fails, the terminal device can determine whether it needs to perform mutual authentication with the server again.
  • the terminal device can obtain the server's secondary authentication capability information from the session management network element. After the first authentication of the secondary authentication fails, it can determine, according to the reason for the secondary authentication failure, whether to perform mutual authentication with the server again.
  • the session management network element may obtain the server's secondary authentication capability information from the server in advance, and send the obtained server's secondary authentication capability information to the terminal device.
  • the embodiment of the present application does not limit the manner in which the session management network element sends the server's secondary authentication capability information to the terminal device.
  • the server's secondary authentication capability information may be sent to the terminal device through separate information.
  • the server can send a second authentication capability notification message carrying the server's secondary authentication capability information to the session management network element.
  • after receiving the second authentication capability notification message, the session management network element obtains the server's secondary authentication capability information, which includes some or all of the following: the secondary authentication algorithms supported by the server, the authentication credentials supported by the server, and the mapping relationship between secondary authentication algorithms and authentication credentials.
  • the secondary authentication algorithms supported by the server include the third authentication algorithm and the fourth authentication algorithm.
  • the session management network element obtains the server's secondary authentication capability information from the unified data management network element.
  • the server's secondary authentication capability information may also be pre-stored in the unified data management network element.
  • the first reason: the terminal device does not support other secondary authentication algorithms, or supports other authentication algorithms whose authentication credentials are the same as the authentication credential corresponding to the third authentication algorithm.
  • the reason for the authentication failure may be a verification failure of the authentication parameters on the terminal device side (such as the certificate of the server), a parameter synchronization failure, or a verification failure of the authentication parameters on the server side (such as the certificate of the terminal device); it may also be an integrity check failure on the terminal device side or the server side.
  • the second reason: the server does not support other secondary authentication algorithms, or supports other authentication algorithms whose authentication credentials are the same as the authentication credential corresponding to the third authentication algorithm.
  • the third reason: the secondary authentication fails for a network reason; in this case, whichever authentication algorithm is selected for mutual authentication, the authentication will fail for the same network reason.
  • in these situations the terminal device considers that the two-way authentication cannot be performed again.
  • after determining that it will not perform two-way authentication with the server again, the terminal device can send a message to the session management network element indicating that it will no longer perform two-way authentication with the server.
  • the message can also carry the reason for not performing two-way authentication with the server; for the specific reasons, refer to the above three situations.
  • the terminal device and the session management network element can identify the above three situations, each situation corresponds to an identifier, and the message can carry the corresponding identifier.
  • Case 1 The terminal device and the server also support other secondary authentication algorithms.
  • the embodiment of this application takes the fourth authentication algorithm as an example, and the authentication credential corresponding to the fourth authentication algorithm is different from the authentication credential corresponding to the third authentication algorithm.
  • the terminal device can select a fourth authentication algorithm whose authentication credential is different from the third authentication algorithm from the secondary authentication algorithms supported by the terminal device and the server.
  • after the terminal device determines that it can perform two-way authentication with the server again and selects a fourth authentication algorithm whose authentication credential is different from that of the third authentication algorithm, it can send the first authentication request to the server through the session management network element; the first authentication request is used to instruct the server and the terminal device to perform mutual authentication based on the fourth authentication algorithm.
  • the server can request from the terminal device the identity information of the terminal device corresponding to the fourth authentication algorithm; after receiving that identity information, it can perform mutual authentication with the terminal device based on the fourth authentication algorithm.
  • the server performs mutual authentication with the terminal device based on the fourth authentication algorithm. If the authentication succeeds, the server can notify the session management network element, through an authentication success message, that the authentication with the terminal device based on the fourth authentication algorithm succeeded; after receiving the authentication success message, the session management network element can establish a PDU session for the terminal device, and after the establishment succeeds it can send a PDU session establishment response indicating success to the terminal device. If the authentication fails, the server can notify the session management network element, through an authentication failure message, that the authentication with the terminal device based on the fourth authentication algorithm failed; after receiving the authentication failure message, the session management network element does not need to establish a PDU session for the terminal device and can send a PDU session establishment response refusing to establish the session to the terminal device.
  • the description above takes, as an example, the information interaction in which the session management network element participates in the mutual authentication between the terminal device and the server.
  • the operations performed by the session management network element in the embodiment shown in FIG. 5 can also be performed by the mobile access management network element.
  • in that case, what the terminal device sends to the mobile access management network element is a slice establishment request (not a PDU session establishment request).
  • the slice establishment request is used by the terminal device to request access to the slice; if the two-way authentication between the terminal device and the server succeeds (for example, the first authentication of the secondary authentication succeeds, or the re-authentication succeeds), the mobile access management network element can connect the terminal device to the slice and send a slice establishment success response to the terminal device; if the re-authentication of the two-way authentication between the terminal device and the server fails, the mobile access management network element may refuse the terminal device access to the slice and send a slice establishment failure response to the terminal device.
  • an authentication method provided in an embodiment of this application includes:
  • Step 601 same as step 501, please refer to the related description of step 501, which will not be repeated here.
  • the embodiment of the present application does not limit the manner in which the third authentication algorithm used by the terminal device and the server for secondary authentication is determined.
  • the method of step 304 in the embodiment shown in FIG. 3 may be used, in which the algorithm is selected from the secondary authentication algorithms supported by the server.
  • other methods of selecting the secondary authentication algorithm may also be used.
  • Step 602 After the server fails the mutual authentication with the terminal device based on the third authentication algorithm, it determines that a new mutual authentication process needs to be triggered with the terminal device based on the cause of the second authentication failure.
  • Step 603 The server selects a fourth authentication algorithm whose authentication credential is different from that of the third authentication algorithm from the secondary authentication algorithm supported by the terminal device and the secondary authentication algorithm supported by the server.
  • Step 604 Same as step 505, please refer to the related description of step 505, which will not be repeated here.
  • Step 605 same as step 506, please refer to the related description of step 506, which will not be repeated here.
  • Step 606 same as step 507, please refer to the related description of step 507, which will not be repeated here.
  • Step 607 same as step 508, please refer to the related description of step 508, which will not be repeated here.
  • the terminal device and the server can perform mutual authentication based on the third authentication algorithm.
  • the subsequent process can be continued.
  • the session management network element can continue to establish a session for the terminal device.
  • the server can determine whether it is necessary to perform mutual authentication with the terminal device again.
  • the first reason: the terminal device does not support other secondary authentication algorithms, or supports other authentication algorithms whose authentication credentials are the same as the authentication credential corresponding to the third authentication algorithm.
  • the method for the server to obtain the secondary authentication capability information of the terminal device can be found in the foregoing description, which will not be repeated here.
  • the server can determine whether the terminal device supports other secondary authentication algorithms, and whether the authentication credentials corresponding to those other secondary authentication algorithms are the same as the authentication credential corresponding to the third authentication algorithm.
  • the second reason: the server does not support other secondary authentication algorithms, or supports other authentication algorithms whose authentication credentials are the same as the authentication credential corresponding to the third authentication algorithm.
  • the third reason: the server determines from the failure reason value that the secondary authentication failed for a network reason, which means that the two-way authentication between the terminal device and the server would also fail if another secondary authentication algorithm were used.
  • after the server determines that it will not perform two-way authentication with the terminal device again, it can send a message to the session management network element indicating that it will no longer perform two-way authentication with the terminal device.
  • the message can also carry the reason for not performing two-way authentication with the terminal device.
  • the server and the session management network element can identify the above three situations, each situation corresponds to an identifier, and the message can carry the corresponding identifier.
  • Case 1 The server determines from the authentication reason value that the reason for the secondary authentication failure is not a network reason, and the terminal device or the server also supports other secondary authentication algorithms.
  • the fourth authentication algorithm is taken as an example in this embodiment; the authentication credential corresponding to the fourth authentication algorithm is different from the authentication credential corresponding to the third authentication algorithm.
  • the server may select another secondary authentication algorithm supported by both the terminal device and the server.
  • the reason for the failure of the secondary authentication may be a verification failure of the authentication parameters on the terminal device side (such as the certificate of the server), a parameter synchronization failure, or a verification failure of the authentication parameters on the server side (such as the certificate of the terminal device).
  • the failure can also be an integrity check failure on the terminal device side or the server side.
  • the description above takes, as an example, the information interaction in which the session management network element participates in the mutual authentication between the terminal device and the server.
  • the operations performed by the session management network element in the embodiment shown in FIG. 6 can also be performed by the mobile access management network element.
  • in that case, what the terminal device sends to the mobile access management network element is a slice establishment request (not a PDU session establishment request).
  • the slice establishment request is used by the terminal device to request access to the slice; if the two-way authentication between the terminal device and the server succeeds (for example, the first authentication of the secondary authentication succeeds, or the re-authentication of the secondary authentication succeeds), the mobile access management network element can connect the terminal device to the slice and send a slice establishment success response to the terminal device; if the re-authentication of the two-way authentication between the terminal device and the server fails, the mobile access management network element may refuse the terminal device access to the slice and send a slice establishment failure response to the terminal device.
  • the embodiment shown in FIG. 4 is applied to a specific scenario to describe an authentication method provided in the embodiment of the present application. As shown in FIG. 7, the method includes:
  • Step 701 The UE sends a registration request to the SEAF network element.
  • the registration request includes a subscription concealed identifier (SUCI).
  • it may also include the first authentication capability information of the UE.
  • Step 702 The SEAF network element sends a first authentication acquisition request to the UDM network element through the AUSF network element, and the first authentication acquisition request includes SUCI and the UE's primary authentication capability information.
  • Step 703 The UDM network element decrypts the SUCI to obtain the permanent identifier (subscription permanent identifier, SUPI) of the terminal.
  • Step 704 The UDM network element selects the first authentication algorithm supported by both the UE and the UDM network element according to the primary authentication capability information of the UE and the primary authentication algorithm supported by the UDM network element.
  • the UDM network element also stores the priority of the primary authentication algorithm locally, and the UDM network element can select the first authentication algorithm with the highest priority supported by both the UE and the UDM network element.
  • Step 705 The UDM network element performs two-way authentication with the UE based on the first authentication algorithm (corresponding to the first authentication of the primary authentication). For the way in which the UDM network element and the UE perform two-way authentication, refer to steps 205 to 212 in the embodiment shown in FIG. 2.
  • Step 706 The UDM network element determines, according to the failure reason of the primary authentication, whether the two-way authentication with the UE needs to be performed again.
  • the UDM network element directly ends the authentication process.
  • the UDM network element can change the authentication algorithm once, for example, select the second authentication algorithm.
  • the UDM network element can try to perform two-way authentication with the UE based on the first authentication algorithm after parameter synchronization, or it can change the authentication algorithm once.
  • the UDM network element may try to perform mutual authentication with the UE based on the first authentication algorithm again.
  • if the reason is a MAC failure (a UE-side integrity check failure), the UDM network element can change the authentication algorithm once, such as selecting the second authentication algorithm.
  • Step 707 If the UDM network element needs to change the authentication algorithm once, the UDM network element can select, from the primary authentication algorithms supported by both the UE and the UDM network element, the second authentication algorithm.
  • the UDM network element may select, as the second authentication algorithm, the highest-priority primary authentication algorithm supported by both the UE and the UDM network element, where the authentication credential used by the second authentication algorithm is different from the authentication credential used by the first authentication algorithm.
  • Step 708 The UDM network element may send an indication message to the AUSF network element.
  • the indication message may instruct the UDM network element and the UE to perform two-way authentication again.
  • the indication message may also carry authentication parameters of the second authentication algorithm.
  • alternatively, the indication message is used to indicate the end of the authentication.
  • Step 709 The UDM network element initiates a new authentication process.
  • the UDM network element performs two-way authentication with the UE based on the second authentication algorithm (corresponding to the re-authentication of the primary authentication); for the two-way authentication method between the UDM network element and the UE, refer to steps 205 to 213 in the embodiment shown in FIG. 2.
  • Step 710 After the authentication between the UDM network element and the UE completes, the SEAF network element may send a registration response to the UE.
  • if the authentication succeeded, the registration response indicates that the UE has registered successfully; if the UDM network element informs the SEAF network element that the authentication with the UE failed in the re-authentication of the primary authentication, the registration response indicates that the UE registration failed.
  • the embodiment shown in FIG. 5 is applied to a specific scenario, and an authentication method provided in an embodiment of the present application is described. As shown in FIG. 8, the method includes:
  • Step 801 The UE sends a PDU session establishment request to the SMF network element (V-SMF network element for short) in the serving network.
  • the PDU session establishment request carries the PDU session ID and the DNN; optionally, it may also include the secondary authentication capability information of the UE.
  • Step 802 The V-SMF network element sends a PDU session establishment request to the SMF network element (H-SMF network element for short) in the home network.
  • Step 803 The H-SMF network element initiates an authentication process.
  • the H-SMF network element selects the UPF network element and establishes an N4 session with the UPF network element, and sends a session establishment request to the DN-AAA through the UPF network element.
  • the session establishment request carries the UE's secondary authentication capability information.
  • the DN-AAA selects a secondary authentication algorithm supported by both the UE and the DN-AAA according to the secondary authentication capability information of the UE and the secondary authentication algorithms supported by the DN-AAA; the selected algorithm is taken to be the third authentication algorithm as an example.
  • the DN-AAA also stores the priority of the secondary authentication algorithm locally, and the DN-AAA can select the secondary authentication algorithm with the highest priority that is supported by both the UE and the DN-AAA.
  • Step 805 The DN-AAA sends a first identity request to the UE through the H-SMF network element.
  • the first identity request is used to request the identity information of the UE corresponding to the third authentication algorithm.
  • the first identity request may also carry the DN-AAA's secondary authentication capability information.
  • Step 806 The UE feeds back the identity information of the UE corresponding to the third authentication algorithm to the DN-AAA.
  • Step 807 After receiving the identity information of the UE corresponding to the third authentication algorithm, the DN-AAA performs mutual authentication with the UE based on the third authentication algorithm.
  • Step 808 If the mutual authentication between the DN-AAA and the UE fails, the UE determines, according to the reason for the secondary authentication failure, whether it needs to perform mutual authentication with the DN-AAA again.
  • the UE can directly end the authentication process.
  • the UE can change the secondary authentication algorithm, for example, select the fourth authentication algorithm.
  • if the reason for the secondary authentication failure is a parameter synchronization failure (for example, an SQN or similar parameter may also be used for anti-replay in the secondary authentication, so the DN-AAA and the UE need to keep that parameter synchronized), then after the DN-AAA performs parameter synchronization, the UE can try to perform mutual authentication with the DN-AAA based on the third authentication algorithm again, or it can change the secondary authentication algorithm.
  • the UE can try to perform two-way authentication with the DN-AAA based on the third authentication algorithm again, or change the secondary authentication algorithm and perform mutual authentication with the DN-AAA.
  • the UE can change the secondary authentication algorithm, for example, select the fourth authentication algorithm.
  • Step 809 The UE determines that it needs to perform two-way authentication with the DN-AAA and needs to change the secondary authentication algorithm.
  • the UE can select the fourth authentication algorithm supported by both parties according to the secondary authentication algorithms supported by the UE and DN-AAA.
  • Step 810 The UE sends a first authentication request to the DN-AAA through the H-SMF network element.
  • the first authentication request is used to instruct the DN-AAA to perform mutual authentication with the UE based on the fourth authentication algorithm.
  • Alternatively, the first authentication request may be used to instruct termination of the authentication process.
  • The DN-AAA may also notify the UE of the first failure of the secondary authentication through the H-SMF network element.
  • the DN-AAA sends the first authentication failure message to the H-SMF network element.
  • the first authentication failure message is used to indicate that the DN-AAA fails to perform mutual authentication with the UE based on the third authentication algorithm.
  • Step 811 The DN-AAA sends a second identity request to the UE through the H-SMF network element, and the second identity request is used to request to obtain identity information corresponding to the fourth authentication algorithm.
  • Step 812 The UE feeds back the identity information of the UE corresponding to the fourth authentication algorithm to the DN-AAA.
  • Step 813 After the DN-AAA receives the identity information of the UE corresponding to the fourth authentication algorithm, the DN-AAA performs mutual authentication with the UE based on the fourth authentication algorithm.
  • Step 814: the DN-AAA informs the H-SMF network element of the result of the re-authentication of the secondary authentication, and the H-SMF network element sends a PDU session establishment response to the UE.
  • If the re-authentication succeeds, the DN-AAA can send an authentication success message to the H-SMF network element.
  • After the H-SMF network element receives the authentication success message, it can establish the PDU session for the UE.
  • The V-SMF network element then sends the UE a PDU session establishment response indicating that the PDU session was established successfully.
  • The PDU session establishment response may also indicate that the DN-AAA has successfully authenticated with the UE.
  • If the re-authentication fails, the DN-AAA can send an authentication failure message to the H-SMF network element. After the H-SMF network element receives the authentication failure message, it sends, through the V-SMF network element, a PDU session establishment response to the UE indicating that the PDU session establishment fails.
  • The above takes as an example the case where the UE and the DN-AAA perform mutual authentication through SMF network elements (such as the H-SMF network element and the V-SMF network element) during the process of establishing a PDU session for the UE.
  • In the scenario where the UE requests access to a slice, the UE and the DN-AAA can perform mutual authentication in a similar way; the information exchanged during the mutual authentication between the UE and the DN-AAA passes through the AMF network element, and the AMF network element performs the operations performed by the H-SMF network element in the above process. The difference is that in step 801 the UE sends a slice establishment request to the AMF network element to request access to the slice (and there is no step 802).
  • Correspondingly, in step 814 a slice establishment response is fed back to the UE. If the re-authentication of the mutual authentication between the UE and the DN-AAA succeeds, the AMF network element connects the UE to the slice and feeds back a slice establishment success response to the UE. If the re-authentication of the mutual authentication between the UE and the DN-AAA fails, the AMF network element rejects the UE's access to the slice and reports the failure of the slice establishment to the UE.
  • The embodiment shown in FIG. 6 is likewise applied to a specific scenario below to describe an authentication method provided in an embodiment of the present application. As shown in FIG. 9, the method includes:
  • Step 901 is the same as step 801, please refer to the related description of step 801, which will not be repeated here.
  • Step 902 is the same as step 802, please refer to the related description of step 802, which will not be repeated here.
  • Step 903 is the same as step 803, please refer to the related description of step 803, which will not be repeated here.
  • Step 904 is the same as step 804, please refer to the related description of step 804, which will not be repeated here.
  • Step 905 is the same as step 805, please refer to the related description of step 805, which will not be repeated here.
  • Step 906 is the same as step 806, please refer to the related description of step 806, which will not be repeated here.
  • Step 907 is the same as step 807, please refer to the related description of step 807, which will not be repeated here.
  • Step 908: the DN-AAA fails to perform mutual authentication with the UE, and the DN-AAA determines, according to the reason for the failure of the secondary authentication, whether it needs to perform mutual authentication with the UE again.
  • Where no further attempt is needed, the DN-AAA can directly end the authentication process.
  • If the reason for the failure is parameter synchronization, then after the DN-AAA performs parameter synchronization it can try mutual authentication with the UE based on the third authentication algorithm again, or it can change the secondary authentication algorithm.
  • If the DN-AAA changes the secondary authentication algorithm, it can, for example, select the fourth authentication algorithm.
  • Step 909: the DN-AAA determines that it needs to perform mutual authentication with the UE and needs to change the secondary authentication algorithm.
  • The DN-AAA can select the fourth authentication algorithm, supported by both parties, according to the secondary authentication algorithms supported by the UE and the DN-AAA.
  • The DN-AAA may notify the UE of the first failure of the secondary authentication through the H-SMF network element.
  • To do so, the DN-AAA sends the first authentication failure message to the H-SMF network element.
  • The first authentication failure message is used to indicate that the DN-AAA fails to perform mutual authentication with the UE based on the third authentication algorithm.
  • Step 910 is the same as step 811, please refer to the related description of step 811, which will not be repeated here.
  • Step 911 is the same as step 812, please refer to the related description of step 812, which will not be repeated here.
  • Step 912 is the same as step 813, please refer to the related description of step 813, which will not be repeated here.
  • Step 913 is the same as step 814, please refer to the related description of step 814, which will not be repeated here.
  • The above takes as an example the case where the UE and the DN-AAA perform mutual authentication through SMF network elements (such as the H-SMF network element and the V-SMF network element) during the process of establishing a PDU session for the UE.
  • In the scenario where the UE requests access to a slice, the UE and the DN-AAA can perform mutual authentication in a similar way; the information exchanged during the mutual authentication between the UE and the DN-AAA passes through the AMF network element, and the AMF network element performs the operations performed by the H-SMF network element in the above process.
  • The difference is that in step 901 the UE sends a slice establishment request to the AMF network element to request access to the slice (and there is no step 902).
  • Correspondingly, in step 914 a slice establishment response is fed back to the UE. If the re-authentication between the UE and the DN-AAA succeeds, the AMF network element connects the UE to the slice and feeds back a slice establishment success response to the UE. If the re-authentication of the mutual authentication between the UE and the DN-AAA fails, the AMF network element rejects the UE's access to the slice and reports the failure of the slice establishment to the UE.
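The decision logic of steps 808/809 (the UE decides) and 908/909 (the DN-AAA decides) is the same in both figures: read the reason for the secondary authentication failure, then either end, resynchronise and retry the third authentication algorithm, or switch to a fourth authentication algorithm that both parties support and whose authentication credential differs from the one that just failed. The following is an added Python illustration, not code from the patent or from any 3GPP implementation; the reason codes other than parameter synchronization, the algorithm names, the capability tables and the `authenticate` callback are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


class FailureReason(Enum):
    # Only PARAMETER_SYNC (e.g. an SQN mismatch) is named on the page;
    # the other reason codes are constructed for this example.
    PARAMETER_SYNC = "parameter_sync"
    CREDENTIAL_REJECTED = "credential_rejected"
    ALGORITHM_NOT_SUPPORTED = "algorithm_not_supported"
    UNRECOVERABLE = "unrecoverable"


class Decision(Enum):
    END = "end"                    # terminate the authentication process
    RESYNC_AND_RETRY = "resync"    # same algorithm after parameter synchronisation
    SWITCH_ALGORITHM = "switch"    # pick a fourth algorithm with a different credential


@dataclass
class Capability:
    """Secondary authentication capability information of one party: supported
    algorithms, supported credentials and the algorithm -> credential mapping."""
    algorithms: FrozenSet[str]
    credentials: FrozenSet[str]
    mapping: Dict[str, str]


def decide_after_failure(reason: FailureReason) -> Decision:
    """Steps 808 / 908: map the failure reason to a retry decision (constructed policy)."""
    if reason is FailureReason.PARAMETER_SYNC:
        return Decision.RESYNC_AND_RETRY
    if reason in (FailureReason.CREDENTIAL_REJECTED,
                  FailureReason.ALGORITHM_NOT_SUPPORTED):
        return Decision.SWITCH_ALGORITHM
    return Decision.END


def select_fourth_algorithm(ue: Capability, server: Capability,
                            failed_alg: str, preference: List[str]) -> Optional[str]:
    """Steps 809 / 909: first algorithm in `preference` that both parties support,
    that both map to a credential both support, and whose credential differs
    from the credential of the algorithm that just failed."""
    failed_cred = ue.mapping.get(failed_alg)
    for alg in preference:
        if alg == failed_alg or alg not in ue.algorithms or alg not in server.algorithms:
            continue
        cred = ue.mapping.get(alg)
        if cred is None or cred == failed_cred:
            continue   # same credential as the failed attempt: not a 'fourth' algorithm
        if server.mapping.get(alg) != cred:
            continue   # the two sides disagree on which credential the algorithm uses
        if cred not in ue.credentials or cred not in server.credentials:
            continue
        return alg
    return None


Authenticator = Callable[[str, bool], bool]   # (algorithm, resynced) -> success


def reauthenticate(ue: Capability, server: Capability, failed_alg: str,
                   reason: FailureReason, preference: List[str],
                   authenticate: Authenticator) -> Tuple[str, Optional[str]]:
    """Drive the retry after a failed secondary authentication.  `authenticate`
    stands in for the identity request/response and algorithm run; it is supplied
    by the caller so the decision logic can be exercised offline.
    Returns (outcome, algorithm_used), outcome in {'success', 'failed', 'ended'}."""
    decision = decide_after_failure(reason)
    if decision is Decision.END:
        return ("ended", None)
    if decision is Decision.RESYNC_AND_RETRY and authenticate(failed_alg, True):
        return ("success", failed_alg)
    # Either the policy asked for a switch, or the resynchronised retry failed too.
    alg = select_fourth_algorithm(ue, server, failed_alg, preference)
    if alg is None:
        return ("ended", None)   # no shared algorithm with a different credential
    return ("success" if authenticate(alg, False) else "failed", alg)


# Constructed sample capabilities.  EAP-AKA and EAP-AKA' share the USIM credential,
# so after EAP-AKA' fails the selector must skip EAP-AKA and land on EAP-TLS.
UE_CAP = Capability(
    algorithms=frozenset({"EAP-AKA'", "EAP-AKA", "EAP-TLS", "EAP-TTLS"}),
    credentials=frozenset({"usim", "certificate", "password"}),
    mapping={"EAP-AKA'": "usim", "EAP-AKA": "usim",
             "EAP-TLS": "certificate", "EAP-TTLS": "password"},
)
SERVER_CAP = Capability(
    algorithms=frozenset({"EAP-AKA'", "EAP-AKA", "EAP-TLS"}),
    credentials=frozenset({"usim", "certificate"}),
    mapping={"EAP-AKA'": "usim", "EAP-AKA": "usim", "EAP-TLS": "certificate"},
)
UE_PREFERENCE = ["EAP-AKA", "EAP-TTLS", "EAP-TLS"]


def demo_resync_then_switch() -> Tuple[str, Optional[str]]:
    """Constructed run: SQN resync does not help, so a fourth algorithm is chosen."""
    def authenticate(alg: str, resynced: bool) -> bool:
        return alg == "EAP-TLS"   # only the certificate-based run succeeds
    return reauthenticate(UE_CAP, SERVER_CAP, "EAP-AKA'",
                          FailureReason.PARAMETER_SYNC, UE_PREFERENCE, authenticate)


if __name__ == "__main__":
    print(demo_resync_then_switch())
```

The credential filter is the part worth noticing: an algorithm that both sides support but that relies on the same credential as the failed run (EAP-AKA after EAP-AKA' here) is skipped, because a rejected or desynchronised credential will fail again under any algorithm that uses it. The same `select_fourth_algorithm` serves whichever side makes the choice; only the party calling it differs between FIG. 8 and FIG. 9.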
  • the embodiment of the present application also provides a terminal device for executing the method executed by the terminal device in the above method embodiment.
  • the device includes a sending unit 1001, an authentication unit 1002, and a receiving unit 1003:
  • the sending unit 1001 is configured to send a registration request to the security anchor function network element.
  • The authentication unit 1002 is configured to perform mutual authentication with the unified data management network element based on the first authentication algorithm after the sending unit 1001 sends the registration request, and, after the mutual authentication based on the first authentication algorithm fails, to perform mutual authentication with the unified data management network element based on the second authentication algorithm.
  • the receiving unit 1003 is configured to receive the registration response from the unified data management network element through the security anchor function network element.
  • The registration request includes the primary authentication capability information of the terminal device, which includes some or all of the following: the primary authentication algorithms supported by the terminal device, the authentication credentials supported by the terminal device, and the mapping relationship between the primary authentication algorithms and the authentication credentials supported by the terminal device.
  • the primary authentication algorithm supported by the terminal device includes a first authentication algorithm and a second authentication algorithm.
  • The sending unit 1001 may send a protocol data unit (PDU) session establishment request to the session management network element.
  • The authentication unit 1002 can perform mutual authentication with the server based on the third authentication algorithm; after the mutual authentication based on the third authentication algorithm fails, it can determine, based on the reason for the secondary authentication failure, that the server and the terminal device need to trigger a new mutual authentication process, and, based on the secondary authentication algorithms supported by the terminal device and by the server, select a fourth authentication algorithm whose authentication credential differs from that of the third authentication algorithm.
  • the sending unit 1001 sends a first authentication request to the server through the session management network element, where the first authentication request is used to instruct the server and the terminal device to perform mutual authentication based on the fourth authentication algorithm.
  • the authentication unit 1002 may perform mutual authentication with the server based on the fourth authentication algorithm; after mutual authentication with the server based on the fourth authentication algorithm, receive the PDU session establishment response sent from the session management network element.
  • Before the authentication unit 1002 selects the fourth authentication algorithm, whose authentication credential differs from that of the third authentication algorithm, based on the secondary authentication algorithms supported by the terminal device and by the server, the receiving unit 1003 can obtain the server's secondary authentication capability information from the session management network element.
  • The server's secondary authentication capability information includes some or all of the following: the secondary authentication algorithms supported by the server, the authentication credentials supported by the server, and the mapping relationship between the secondary authentication algorithms and the authentication credentials.
  • the secondary authentication algorithm supported by the server includes the third authentication algorithm and the fourth authentication algorithm.
  • The sending unit 1001 may send a PDU session establishment request to the session management network element; the authentication unit 1002 can then perform mutual authentication with the server based on the third authentication algorithm.
  • After the mutual authentication with the server fails, the receiving unit 1003 can receive an identity request from the server through the session management network element, the identity request being used to request the identity information corresponding to the fourth authentication algorithm.
  • The sending unit 1001 can feed back the identity information of the terminal device corresponding to the fourth authentication algorithm to the server, after which the authentication unit 1002 can perform mutual authentication with the server based on the fourth authentication algorithm; after the server and the terminal device have performed mutual authentication based on the fourth authentication algorithm, the receiving unit 1003 can receive the PDU session establishment response sent by the session management network element.
  • the PDU session establishment request includes the secondary authentication capability information of the terminal device, and the secondary authentication capability information of the terminal device includes the secondary authentication algorithm supported by the terminal device and the authentication credentials of the secondary authentication algorithm.
  • the secondary authentication algorithm supported by the terminal device includes a third authentication algorithm and a fourth authentication algorithm.
  • The registration request may also include the secondary authentication capability information of the terminal device, which includes some or all of the following: the secondary authentication algorithms supported by the terminal device, the authentication credentials supported by the terminal device, and the mapping relationship between the secondary authentication algorithms and the authentication credentials; the secondary authentication algorithms supported by the terminal device include the third authentication algorithm and the fourth authentication algorithm.
  • the embodiment of the application also provides a communication device for executing the method performed by the UDM network element in the above method embodiment.
  • the device includes an authentication unit 1101 and a sending unit 1102.
  • The authentication unit 1101 is configured to perform mutual authentication with the terminal device based on the first authentication algorithm after the terminal device initiates a registration request; after that mutual authentication fails, to determine, based on the reason for the primary authentication failure, that a new mutual authentication process needs to be triggered with the terminal device, and to select, from the primary authentication algorithms supported by the terminal device, a second authentication algorithm whose authentication credential differs from that of the first authentication algorithm; and to perform mutual authentication with the terminal device based on the second authentication algorithm.
  • the sending unit 1102 is configured to send a registration response to the terminal device through the security anchor function network element.
  • The communication device further includes a receiving unit 1103. Before the authentication unit 1101 selects, from the primary authentication algorithms supported by the terminal device, a second authentication algorithm whose authentication credential differs from that of the first authentication algorithm, the receiving unit 1103 can obtain the primary authentication capability information of the terminal device from the security anchor function network element.
  • The primary authentication capability information of the terminal device includes some or all of the following: the primary authentication algorithms supported by the terminal device, the authentication credentials supported by the terminal device, and the mapping relationship between the primary authentication algorithms and the authentication credentials; the primary authentication algorithms supported by the terminal device include the first authentication algorithm and the second authentication algorithm.
  • the authentication unit 1101 may also obtain the primary authentication algorithm supported by the terminal device stored locally.
  • the sending unit 1102 may send an indication message to the authentication service function network element before the authentication unit 1101 performs mutual authentication with the terminal device based on the second authentication algorithm.
  • The indication message is used to indicate that the unified data management network element performs mutual authentication with the terminal device based on the second authentication algorithm.
  • an embodiment of the present application also provides a communication device for executing the method executed by the server or DN-AAA in the method embodiment shown in FIGS. 6 and 9.
  • the apparatus includes an authentication unit 1201, a sending unit 1202, and a receiving unit 1203.
  • The authentication unit 1201 is configured, after the terminal device sends a PDU session establishment request and the mutual authentication with the terminal device based on the third authentication algorithm fails, to determine, based on the reason for the secondary authentication failure, that a new mutual authentication process needs to be triggered with the terminal device, and to select, from the secondary authentication algorithms supported by the terminal device and by the server, a fourth authentication algorithm whose authentication credential differs from that of the third authentication algorithm.
  • the sending unit 1202 is configured to send an identity request to the terminal device through the session management network element, and the identity request is used to request the terminal device's identity information corresponding to the fourth authentication algorithm.
  • the receiving unit 1203 is configured to receive the identity information of the terminal device corresponding to the fourth authentication algorithm fed back by the terminal device.
  • the authentication unit 1201 is further configured to perform mutual authentication with the terminal device based on the fourth authentication algorithm after the receiving unit 1203 receives the identity information of the terminal device corresponding to the fourth authentication algorithm fed back by the terminal device.
  • The receiving unit 1203 may obtain the secondary authentication capability information of the terminal device from the session management network element.
  • The secondary authentication capability information of the terminal device includes some or all of the following: the secondary authentication algorithms supported by the terminal device, the authentication credentials supported by the terminal device, and the mapping relationship between the secondary authentication algorithms and the authentication credentials; the secondary authentication algorithms supported by the terminal device include the third authentication algorithm and the fourth authentication algorithm.
  • the embodiment of the present application also provides a communication device for executing the method executed by the server or DN-AAA in the method embodiment shown in FIGS. 5 and 8.
  • the device includes an authentication unit 1301, a receiving unit 1302, and a sending unit 1303.
  • The authentication unit 1301 is configured to perform mutual authentication with the terminal device based on the third authentication algorithm after the terminal device sends a PDU session establishment request.
  • the receiving unit 1302 is configured to receive a first authentication request from the terminal device after the authentication unit 1301 fails in mutual authentication with the terminal device.
  • the first authentication request is used to instruct the server and the terminal device to perform mutual authentication based on the fourth authentication algorithm.
  • the authentication unit 1301 is also configured to perform mutual authentication with the terminal device based on the fourth authentication algorithm.
  • the sending unit 1303 sends the server's secondary authentication capability information to the terminal device through the session management network element.
  • The server's secondary authentication capability information includes some or all of the following: the secondary authentication algorithms supported by the server, the authentication credentials supported by the server, and the mapping relationship between the secondary authentication algorithms and the authentication credentials.
  • the secondary authentication algorithm supported by the server includes the third authentication algorithm and the fourth authentication algorithm.
  • the division of units in the embodiments of this application is illustrative, and is only a logical function division. In actual implementation, there may be other division methods.
  • The functional units in the various embodiments of this application may be integrated into one processing unit, may exist alone physically, or two or more units may be integrated into one module.
  • the above-mentioned integrated unit can be realized in the form of hardware or software function module.
  • the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium.
  • The technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a terminal device (which may be a personal computer, a mobile phone, a network device, etc.) or a processor to execute all or part of the steps of the method in each embodiment of the present application.
  • The aforementioned storage media include: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, and other media that can store program code.
  • both the unified data management network element and the terminal device may be presented in the form of dividing various functional modules in an integrated manner.
  • The "module" here can refer to a specific ASIC, a circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or other devices that can provide the above-mentioned functions.
  • the unified data management network element and server can adopt the form shown in FIG. 14.
  • the communication device 1400 shown in FIG. 14 includes at least one processor 1401, a memory 1402, and optionally, a communication interface 1403.
  • the memory 1402 may be a volatile memory, such as random access memory; the memory may also be a non-volatile memory, such as read-only memory, flash memory, hard disk drive (HDD) or solid-state drive (solid-state drive, SSD) or the memory 1402 is any other medium that can be used to carry or store desired program codes in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory 1402 may be a combination of the foregoing memories.
  • connection medium between the processor 1401 and the memory 1402 described above is not limited in the embodiment of the present application.
  • the memory 1402 and the processor 1401 are connected through a bus 1404 in the figure, and the bus 1404 is represented by a thick line in the figure.
  • The connection mode between the other components is only a schematic illustration and is not limited thereto.
  • the bus 1404 can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 14, but it does not mean that there is only one bus or one type of bus.
  • an independent data transceiving module such as a communication interface 1403, can be set to send and receive data; when the processor 1401 communicates with other devices, data can be transmitted through the communication interface 1403.
  • The processor 1401 in FIG. 14 can call the computer-executable instructions stored in the memory 1402, so that the unified data management network element can execute the method performed by the unified data management network element (UDM network element) in any of the foregoing method embodiments.
  • the functions/implementation processes of the sending unit, the receiving unit, and the authentication unit in FIG. 11 can all be implemented by the processor 1401 in FIG. 14 calling a computer execution instruction stored in the memory 1402.
  • Alternatively, the function/implementation process of the authentication unit in FIG. 11 may be implemented by the processor 1401 in FIG. 14 calling computer-executable instructions stored in the memory 1402, and the function/implementation process of the sending unit and the receiving unit in FIG. 11 may be implemented by the communication interface 1403 in FIG. 14.
  • The processor 1401 in FIG. 14 can call the computer-executable instructions stored in the memory 1402, so that the server can execute the method performed by the server or the DN-AAA in any of the foregoing method embodiments.
  • the functions/implementation processes of the sending unit, the receiving unit, and the authentication unit in FIG. 12 can all be implemented by the processor 1401 in FIG. 14 calling a computer execution instruction stored in the memory 1402.
  • Alternatively, the function/implementation process of the authentication unit in FIG. 12 may be implemented by the processor 1401 in FIG. 14 calling computer-executable instructions stored in the memory 1402, and the function/implementation process of the sending unit and the receiving unit in FIG. 12 may be implemented by the communication interface 1403 in FIG. 14.
  • The functions/implementation processes of the sending unit, the receiving unit, and the authentication unit in FIG. 13 can all be implemented by the processor 1401 in FIG. 14 calling computer-executable instructions stored in the memory 1402.
  • Alternatively, the function/implementation process of the authentication unit in FIG. 13 may be implemented by the processor 1401 in FIG. 14 calling computer-executable instructions stored in the memory 1402, and the function/implementation process of the sending unit and the receiving unit in FIG. 13 may be implemented by the communication interface 1403 in FIG. 14.
  • the terminal device may adopt the form shown in FIG. 15.
  • the communication device 1500 shown in FIG. 15 includes at least one processor 1501, a memory 1502, and optionally, a transceiver 1503.
  • the memory 1502 may be a volatile memory, such as a random access memory; the memory may also be a nonvolatile memory, such as a read-only memory, flash memory, hard disk drive (HDD) or solid-state drive (solid-state drive, SSD) or the memory 1502 is any other medium that can be used to carry or store desired program codes in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory 1502 may be a combination of the above-mentioned memories.
  • connection medium between the processor 1501 and the memory 1502 described above is not limited in the embodiment of the present application.
  • the memory 1502 and the processor 1501 are connected by a bus 1504 in the figure, and the bus 1504 is represented by a thick line in the figure.
  • The connection mode between the other components is only a schematic illustration and is not limited thereto.
  • the bus 1504 can be divided into address bus, data bus, control bus and so on. For ease of presentation, only a thick line is used in FIG. 15, but it does not mean that there is only one bus or one type of bus.
  • an independent data transceiver module such as a transceiver 1503, can be set to send and receive data; when the processor 1501 communicates with other devices, data can be transmitted through the transceiver 1503.
  • The processor 1501 in FIG. 15 can call the computer-executable instructions stored in the memory 1502, so that the terminal device can execute the method performed by the terminal device in any of the foregoing method embodiments.
  • the functions/implementation processes of the receiving unit, the sending unit, and the authentication unit in FIG. 10 can all be implemented by the processor 1501 in FIG. 15 calling a computer execution instruction stored in the memory 1502.
  • Alternatively, the function/implementation process of the authentication unit in FIG. 10 may be implemented by the processor 1501 in FIG. 15 calling computer-executable instructions stored in the memory 1502, and the function/implementation process of the sending unit and the receiving unit in FIG. 10 may be implemented by the transceiver 1503 in FIG. 15.
  • The embodiments of the present application can be provided as methods, systems, or computer program products. Therefore, the present application may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
  • These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device.
  • The instruction device implements the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing.
  • The instructions executed on the computer or other programmable equipment thus provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention relates to an authentication method, apparatus and system, for use in solving the problem of low efficiency of bidirectional authentication between a terminal device side and a network side. In the present invention, after a terminal device has initiated a registration procedure, if the first bidirectional authentication between the terminal device and a security anchor function network element fails, bidirectional authentication between the terminal device and the security anchor function network element can be performed again without needing to re-initiate the registration procedure, so that signalling interaction can be further reduced; and when the bidirectional authentication between the terminal device and the security anchor function network element is performed again, a unified data management network element can select a primary authentication algorithm supported by the terminal device, which can also ensure the success rate of bidirectional authentication between the terminal device and the security anchor function network element.
PCT/CN2020/096618 2019-06-17 2020-06-17 Authentication method, apparatus, and system WO2020253736A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910523207.X 2019-06-17
CN201910523207.XA CN112105021B (zh) 2019-06-17 2019-06-17 Authentication method, apparatus, and system

Publications (1)

Publication Number Publication Date
WO2020253736A1 true WO2020253736A1 (fr) 2020-12-24

Family

ID=73749039

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/096618 WO2020253736A1 (fr) 2019-06-17 2020-06-17 Authentication method, apparatus, and system

Country Status (2)

Country Link
CN (1) CN112105021B (fr)
WO (1) WO2020253736A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114697963A (zh) * 2022-03-29 2022-07-01 中国南方电网有限责任公司 Terminal identity authentication method and apparatus, computer device, and storage medium
US12010610B2 (en) 2020-12-29 2024-06-11 Ofinno, Llc Support for tunneling

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115226103A (zh) * 2021-04-21 2022-10-21 华为技术有限公司 Communication method and apparatus
CN114095928A (zh) * 2021-11-08 2022-02-25 光宝科技股份有限公司 Authentication system and method
CN114390525A (zh) * 2021-12-30 2022-04-22 中国电信股份有限公司 Network access method and apparatus, and electronic device
CN117178583A (zh) * 2022-04-02 2023-12-05 北京小米移动软件有限公司 Information processing method and apparatus, communication device, and storage medium
CN118160337A (zh) * 2022-06-13 2024-06-07 中兴通讯股份有限公司 Home-network-triggered primary authentication for interworking networks

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190068625A1 (en) * 2017-08-31 2019-02-28 Blackberry Limited Method and system for user plane traffic characteristics and network security
CN109474927A (zh) * 2017-09-08 2019-03-15 中国电信股份有限公司 Information interaction method, home network, user terminal, and information interaction system
CN109788480A (zh) * 2017-11-14 2019-05-21 华为技术有限公司 Communication method and apparatus

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100764153B1 (ko) * 2006-03-15 2007-10-12 포스데이타 주식회사 Method and apparatus for detecting terminal cloning in a portable Internet system
CN101237443B (zh) * 2007-02-01 2012-08-22 华为技术有限公司 Method and system for authenticating a user in a management protocol
CN107580324B (zh) * 2017-09-22 2020-05-08 中国电子科技集团公司第三十研究所 Method for IMSI privacy protection in a mobile communication system
WO2019086129A1 (fr) * 2017-11-06 2019-05-09 Nokia Technologies Oy Provision of subscriber data from a unified data manager in transparent containers
CN108901018B (zh) * 2018-07-27 2021-02-12 中国电子科技集团公司第三十研究所 Terminal-initiated user identity concealment method for a mobile communication system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
NOKIA; NOKIA SHANGHAI BELL: "Add definition and values for ABBA parameter", 3GPP DRAFT; S3-182653 V4 WAS S3-182209_CR ANNEX A AND 3.1 ABBA PARAMETER DEFINITION V1, vol. SA WG3, 27 August 2018 (2018-08-27), Dalian (China), pages 1 - 12, XP051541720 *
SAMSUNG: "Corrections to multiple authentication vector text references.", 3GPP DRAFT; S3-180815-AVS, vol. SA WG3, 2 March 2018 (2018-03-02), San Diego, US, pages 1 - 10, XP051409226 *

Also Published As

Publication number Publication date
CN112105021B (zh) 2022-05-10
CN112105021A (zh) 2020-12-18

Similar Documents

Publication Publication Date Title
WO2020253736A1 (fr) Authentication method, apparatus, and system
WO2020177768A1 (fr) Network verification method, apparatus, and system
US11825303B2 (en) Method for performing verification by using shared key, method for performing verification by using public key and private key, and apparatus
US11824981B2 (en) Discovery method and apparatus based on service-based architecture
US11496320B2 (en) Registration method and apparatus based on service-based architecture
JP6732095B2 (ja) Unified authentication for heterogeneous networks
US9232398B2 (en) Method and apparatus for link setup
US20110276798A1 (en) Security management method and system for wapi terminal accessing ims network
WO2012174959A1 (fr) Group authentication method, system, and gateway in machine-to-machine communication
WO2009152749A1 (fr) Association authentication method, system, and apparatus
US10462671B2 (en) Methods and arrangements for authenticating a communication device
WO2022068219A1 (fr) Dial-up virtual private network access method, network-side system, system, and storage medium
US9807088B2 (en) Method and network node for obtaining a permanent identity of an authenticating wireless device
WO2021197489A1 (fr) Communication system, method, and apparatus
WO2022147803A1 (fr) Secure communication method and device
WO2021218978A1 (fr) Key management method, device, and system
WO2008011826A1 (fr) Method and device for performing multiple authentications during an epa process
WO2013152740A1 (fr) Authentication method, device, and system for user equipment
WO2021195816A1 (fr) Communication method, apparatus, and system
CN110226319A (zh) Method and device for parameter exchange during emergency access
CN115942305A (zh) Session establishment method and related apparatus
WO2019196794A1 (fr) Authentication device and method, and computer-readable storage medium
WO2018137239A1 (fr) Authentication method, authentication server, and core network equipment
WO2013166909A1 (fr) EAP authentication triggering method and system, access network device, and terminal device
US20240179525A1 (en) Secure communication method and apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20827129; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20827129; Country of ref document: EP; Kind code of ref document: A1)