CN102625306A - Method, system and equipment for authentication - Google Patents


Info

Publication number: CN102625306A
Application number: CN2011100342804A
Authority: CN (China)
Prior art keywords: terminal, equipment, aka, message, ciphering key
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 徐晖, 艾明, 赵瑾波, 秦飞
Original and current assignee: China Academy of Telecommunications Technology CATT

Abstract

The embodiment of the invention relates to the field of wireless communication technology and discloses a method, a system and equipment for authentication, so as to solve the problem of how to carry out authentication between a terminal and an access point (AP) device. According to the invention, the terminal sends its identification information to the AP device; the AP device sends an authentication request carrying the terminal's identification information to a home subscriber server (HSS) through gateway (GW) equipment; the HSS determines the root key configured in advance for the terminal corresponding to that identification; using the root key and the authentication and key agreement (AKA) algorithm it calculates an AKA authentication vector and sends it to the AP device through the GW equipment; the AP device sends the AKA authentication vector to the terminal, and the terminal verifies the AKA authentication vector with the AKA algorithm and decides from the verification result whether the AP device is legitimate. Authentication of the AP device by the terminal is thereby realized.

Description

Authentication method, system and equipment
Technical field
The present invention relates to the field of wireless communication technology, and in particular to an authentication method, system and equipment.
Background technology
In recent years, with the spread of the mobile Internet and smartphones, demand for mobile data traffic has grown rapidly, and indoor data services account for a large share of it. Indoor and hotspot data services are typically consumed by users who are stationary or moving very slowly, so the mobility requirements are low. On the other hand, such data services are mainly Internet Protocol (IP) based Internet services whose quality of service (QoS) requirements are simple and far below those of carrier-grade services. Traditional cellular mobile communication systems are designed mainly for carrier-grade services with high-speed mobility and seamless handover; when they carry high-volume, low-speed IP packet traffic their efficiency is low and their cost is too high.
In summary, cellular mobile operators need a low-cost, high-capacity solution suited to indoor wireless data access. The main solution at present is:
The home base station (Femto, or femtocell base station), as one solution to the data traffic demand of indoor and hotspot areas, exploits the short indoor coverage distance and the small number of users to reduce the capacity requirement and transmit power of a single site. The number of users is usually 8 to 20, and the transmit power is comparable to that of a mobile handset, generally below 23 dBm. Fig. 1 is a sketch of a Long Term Evolution (LTE) Femto network architecture.
Compared with indoor coverage systems and small base stations, the home base station is cheaper and more flexible to deploy, and it has improved the indoor data service experience to some degree. Its shortcoming is that it is not optimized for the characteristics of indoor data services. Taking the LTE system as an example, the LTE Femto system adopts essentially the complete protocol architecture and interface design of the LTE system, so the implementation complexity is unchanged and only the base station capacity and power are reduced; the cost therefore remains high. In addition, Femto is equipment of the International Mobile Telecommunications (IMT) system, so it can operate only in the IMT frequency bands licensed to the operator; the usable bandwidth is small compared with WiFi, and it cannot fully meet the operator's demand for offloading data services.
At present, the methods for mutual authentication between a terminal and the network side are mainly the following two:
First, the Authentication and Key Agreement (AKA) procedure of the Long Term Evolution/System Architecture Evolution (LTE/SAE) system is essentially the same as the AKA procedure in the Universal Mobile Telecommunications System (UMTS): it uses the Milenage algorithm, inherits the advantages of the UMTS quintuple authentication mechanism, and realizes mutual authentication between the terminal (UE) and the network side.
Compared with UMTS, the authentication vector (AV) of the SAE system differs from the UMTS AV: a UMTS AV contains the cipher key (CK) and integrity key (IK), whereas an SAE AV contains only the intermediate key Kasme, which the terminal and the home subscriber server (HSS) derive from CK and IK during the AKA procedure. The LTE/SAE system uses the authentication management field (AMF) in the AV to mark whether the AV is an SAE AV or a UMTS AV; the UE uses this mark to check that the authentication challenge matches its access network type, and the network side can use it to keep SAE AVs and UMTS AVs apart, preventing an attacker who has obtained a UMTS AV from impersonating an SAE network.
Second, for the security architecture and authentication of non-3GPP (3rd Generation Partnership Project) access, the Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) is adopted. EAP-AKA is an RFC drawn up by the IETF specifically for 3GPP AKA; its original purpose was to let a UE use the 3GPP AKA authentication method when a wireless local area network (WLAN) is connected to the 3GPP system. EAP-AKA can be realized in two ways:
For WLAN access, the WLAN system itself supports the Extensible Authentication Protocol (EAP), so it works without support from an upper-layer protocol;
For access systems that are not WLAN access technology, some protocol must carry EAP. In the LTE system, for network security, an Internet Protocol Security (IPsec) tunnel must be established between the access network (AN) and the network for non-3GPP access. Establishing the IPsec tunnel requires the Internet Key Exchange version 2 (IKEv2) protocol to negotiate the security association, so in 3GPP the IKEv2 protocol is used to carry EAP-AKA messages and thereby realize the EAP-AKA authentication procedure.
The cost of the existing LTE Femto is relatively high and lags behind wireless fidelity (WiFi) technology, so a new network access system has been introduced, and access point (AP) equipment has been added to this system.
The newly introduced system cannot adopt the LTE framework itself, because in the LTE security architecture the security procedures require the participation of core network equipment and must be completed by the Non-Access Stratum (NAS) protocol; in the new system architecture there may be no core network equipment, so none of the security procedures that LTE defines to be carried by the NAS protocol can be used.
If the non-3GPP access security architecture is adopted, with IKEv2 carrying EAP-AKA for the security authentication procedure, the AP equipment of the new system would need an IP stack; but the AP equipment of the new system is in many cases a layer-2 device without an IP stack, so the IKEv2 method cannot be used.
At the same time, because the IKEv2 protocol itself exists to negotiate the IPsec tunnel security association, IKEv2 is part of IPsec: an IPsec tunnel must be set up before IKEv2 can be used. There is currently a draft in the IETF to separate IKEv2 from the IPsec protocol as an independent authentication protocol, but it has many shortcomings and has not gained consensus approval. And the AP equipment of the new system will not necessarily use an IPsec tunnel for security.
In summary, there is as yet no scheme for authentication between the UE and the AP equipment.
Summary of the invention
The embodiment of the invention provides an authentication method and equipment to solve the problem of how the UE authenticates the AP equipment.
An authentication method, comprising:
after the terminal receives a request message sent by the access point (AP) equipment requesting the terminal to report its identification information, the terminal sends its identification information to the AP equipment;
after the terminal receives the authentication and key agreement (AKA) authentication vector sent by the AP equipment, the terminal verifies the AKA authentication vector using the AKA algorithm;
the terminal determines from the verification result whether the AP equipment is a legitimate access device.
An authentication device, comprising:
a sending unit, configured to send the terminal's identification information to the AP equipment after receiving a request message sent by the access point (AP) equipment requesting the terminal to report its identification information;
a verification unit, configured to verify the authentication and key agreement (AKA) authentication vector using the AKA algorithm after receiving the AKA authentication vector sent by the AP equipment;
an authentication unit, configured to determine from the verification result whether the AP equipment is a legitimate access device.
With this scheme, authentication of the AP equipment by the UE is realized.
The embodiment of the invention provides an authentication method, system and equipment to solve the problem of how the AP equipment authenticates the UE.
An authentication method, comprising:
the access point (AP) equipment sends a request message to the attached terminal requesting the terminal to report its identification information;
after the AP equipment receives the terminal identification information from the terminal, it sends an authentication request carrying this terminal identification information to the home subscriber server (HSS) through the gateway device (GW);
after the AP equipment receives the authentication and key agreement (AKA) authentication vector from the HSS, forwarded by the GW, it sends this AKA authentication vector to the terminal;
the AP equipment receives the authentication response (RES) from the terminal, verifies the RES against the AKA authentication vector, and determines from the verification result whether the terminal is a legitimate terminal.
An authentication device, comprising:
an identification request unit, configured to send a request message to the attached terminal requesting the terminal to report its identification information;
an authentication request unit, configured to send an authentication request carrying the terminal identification information to the home subscriber server (HSS) through the gateway device (GW) after receiving the terminal identification information from the terminal;
a vector sending unit, configured to send the authentication and key agreement (AKA) authentication vector to the terminal after receiving the AKA authentication vector from the HSS, forwarded by the GW;
an authentication unit, configured to receive the authentication response (RES) from the terminal, verify the RES against the AKA authentication vector, and determine from the verification result whether the terminal is a legitimate terminal.
An authentication system, comprising:
a terminal, configured to send its identification information to the AP equipment after receiving a request message sent by the access point (AP) equipment requesting the terminal to report its identification information; to verify the authentication and key agreement (AKA) authentication vector using the AKA algorithm after receiving it from the AP equipment; and to determine from the verification result whether the AP equipment is a legitimate access device;
AP equipment, configured to send a request message to the attached terminal requesting it to report its identification information; after receiving the terminal identification information from the terminal, to send an authentication request carrying this terminal identification information to the home subscriber server (HSS) through the gateway device (GW); after receiving the AKA authentication vector from the HSS, forwarded by the GW, to send this AKA authentication vector to the terminal; and to receive the authentication response (RES) from the terminal, verify the RES against the AKA authentication vector, and determine from the verification result whether the terminal is a legitimate terminal;
a GW, configured to receive the AKA authentication vector from the HSS and forward it to the AP equipment;
an HSS, configured, after receiving the authentication request carrying the terminal identification information sent by the AP equipment through the GW, to determine the root key configured in advance for the terminal corresponding to that terminal identification, to calculate the AKA authentication vector from the root key and the AKA algorithm, and to send the AKA authentication vector to the AP equipment through the GW.
With this scheme, authentication of the UE by the AP equipment is realized.
The embodiment of the invention provides a data forwarding method and equipment to solve the problem of how the AP equipment obtains the AKA authentication vector.
A data forwarding method, comprising:
the gateway device (GW) receives the AKA authentication vector from the home subscriber server (HSS);
the GW forwards the AKA authentication vector to the access point (AP) equipment.
A data forwarding device, comprising:
a receiving unit, configured to receive the AKA authentication vector from the home subscriber server (HSS);
a forwarding unit, configured to forward the AKA authentication vector to the access point (AP) equipment.
With this scheme, the AP equipment can obtain the AKA authentication vector from the GW.
The embodiment of the invention provides an authentication vector sending method and equipment to solve the problem of how to generate the AKA authentication vector.
An authentication vector sending method, comprising:
after the home subscriber server (HSS) receives the authentication request carrying the terminal identification information sent by the access point (AP) equipment through the gateway device (GW), it determines the root key configured in advance for the terminal corresponding to that terminal identification;
the HSS calculates the AKA authentication vector from the root key and the authentication and key agreement (AKA) algorithm;
the HSS sends the AKA authentication vector to the AP equipment through the GW.
An authentication vector sending device, comprising:
a determining unit, configured, after receiving the authentication request carrying the terminal identification information sent by the access point (AP) equipment through the gateway device (GW), to determine the root key configured in advance for the terminal corresponding to that terminal identification;
a calculating unit, configured to calculate the AKA authentication vector from the root key and the authentication and key agreement (AKA) algorithm;
a sending unit, configured to send the AKA authentication vector to the AP equipment through the GW.
With this scheme, the HSS can generate the AKA authentication vector from the terminal identification.
In summary, in the present invention the AP equipment sends a request message to the attached terminal requesting it to report its identification information; the terminal sends its identification information to the AP equipment; the AP equipment sends an authentication request carrying this terminal identification information to the HSS through the GW; the HSS determines the root key configured in advance for the terminal corresponding to that terminal identification, calculates the AKA authentication vector from the root key and the AKA algorithm, and sends the AKA authentication vector to the AP equipment through the GW; the AP equipment sends this AKA authentication vector to the terminal; and the terminal verifies the AKA authentication vector using the AKA algorithm and determines from the verification result whether the AP equipment is a legitimate access device, thereby realizing authentication of the AP equipment by the terminal.
Further, after determining that the AP equipment is a legitimate access device, the terminal calculates RES from the RAND in the AKA authentication vector and the AKA algorithm and sends this RES to the AP equipment; the AP equipment verifies the RES against the AKA authentication vector and determines from the verification result whether the terminal is a legitimate terminal, thereby realizing authentication of the terminal by the AP equipment.
Description of drawings
Fig. 1 is an architecture diagram of the Femto scheme of the prior art;
Fig. 2A and Fig. 2B are schematic diagrams of the LTE-LAN structure in the present invention;
Fig. 3 is a flow diagram of a method provided by the embodiment of the invention;
Fig. 4 is a flow diagram of another method provided by the embodiment of the invention;
Fig. 5 is a flow diagram of a further method provided by the embodiment of the invention;
Fig. 6 is a flow diagram of yet another method provided by the embodiment of the invention;
Fig. 7 is a diagram of the security architecture in the embodiment of the invention;
Fig. 8 is a flow diagram of the embodiment of the invention;
Fig. 9 is a diagram of the system structure provided by the embodiment of the invention;
Fig. 10 is a diagram of a device structure provided by the embodiment of the invention;
Fig. 11 is a diagram of another device structure provided by the embodiment of the invention;
Fig. 12 is a diagram of a further device structure provided by the embodiment of the invention;
Fig. 13 is a diagram of yet another device structure provided by the embodiment of the invention.
Embodiment
To realize authentication of the AP equipment by the UE and authentication of the UE by the AP equipment, the embodiment of the invention provides an authentication method in which the terminal and the AP equipment authenticate each other using the AKA algorithm.
The embodiment of the invention can be applied in the newly introduced Long Term Evolution local area network (LTE-LAN) system, and also in other systems that contain a UE, AP equipment, a gateway device and an HSS.
As shown in Fig. 2A, in the LTE-LAN system the AP equipment is a new kind of access device that adopts the existing LTE physical-layer technology over the air interface; after synchronization between AP devices is completed, they access the Internet through the gateway device, and the frequency range used by the AP equipment does not overlap with that of the macro base station (eNB). In the LTE-LAN system the UE completes data services with the Internet through the path established between it, the AP equipment and the gateway device. The interface between the AP equipment and the gateway device is the Iu-r interface, a newly defined interface.
As shown in Fig. 2B, the LTE-LAN system comprises:
the access device LTE-LAN-AP, used to realize networking of the local wireless network LTE-LAN and communication with the terminals within the LTE-LAN, and to provide the terminals with a path to the external network through a data connection it establishes with that network;
the terminal, used to become a network member of the LTE-LAN by selecting and accessing an LTE-LAN-AP, and, through the accessed LTE-LAN-AP, to communicate with other network members in the LTE-LAN and access the external network to which the LTE-LAN-AP is connected.
In the LTE-LAN system architecture the terminal accesses the external network directly through the LTE-LAN-AP and can communicate with other terminals in the LTE-LAN through the LTE-LAN-AP. Communication between the terminal and the LTE-LAN-AP is based on the low-layer communication technology of the LTE mobile communication system, and the LTE-LAN-AP builds the local network on that technology. Deploying an LTE-LAN-AP to form a wireless local network in a home, enterprise or hotspot area thus effectively establishes a local access system for terminals, allowing a terminal to exchange information within the same network and to access the external network in a fairly direct way based on the communication between the LTE-LAN and the external network. In addition, because the local network LTE-LAN is built on the LTE low-layer communication technology, the existing LTE layer 1, layer 2 and layer 3 technologies can be used to set up, between the terminal and the wireless network access point, a radio link with security and QoS guarantees, providing efficient data communication services to terminals in indoor and hotspot areas.
Preferably, as shown in Fig. 2B, the LTE-LAN system further comprises an operation and maintenance (OAM) entity connected with the LTE-LAN-AP, used, through interaction with the LTE-LAN-AP, to realize the network parameter configuration of the LTE-LAN, the management of terminals and the setting of the LTE-LAN security mechanism. The administrator configures, manages and maintains the LTE-LAN through the OAM entity.
The wireless access point LTE-LAN-AP in the LTE-LAN system uses the existing LTE low-layer transmission and access technology to provide terminals with a wireless data link, and so provides them with communication services with QoS guarantees. The LTE-LAN-AP of the local wireless network accesses the external network directly through the corresponding interface; such a flattened network structure helps the fast processing and forwarding of terminal data, reduces the cost of network services and improves efficiency. Both the LTE-LAN-AP and the terminal realize their respective functions on the basis of the LTE low-layer communication technology; that is, by modifying the network architecture and upper-layer protocols of the existing LTE system and adding new management, forwarding and scheduling functions, they realize the networking of the local wireless network and the interconnection of terminals within it, and give terminals IP access to the external network without processing by the operator's core network.
In the preferred embodiment of the invention, the functions that the LTE-LAN-AP and the terminal realize on the basis of the LTE low-layer communication technology are not limited to these and can be extended correspondingly. The functions of the LTE-LAN-AP and the terminal based on the LTE low-layer communication technology in the preferred embodiment are described below:
1) LTE-LAN-AP function
Overall, the LTE-LAN-AP is the central control unit of the LTE-LAN network, responsible for the networking and management of the LTE-LAN and for providing the terminal LTE-LAN-UE with local wireless network access service.
On the terminal side, the LTE-LAN-AP establishes a wireless connection with the terminal based on the existing LTE-Uu interface. Because the LTE-Uu interface is used, the operating frequency range and the radio access technology by which the terminal communicates with the LTE-LAN-AP overcome the existing defects of WLAN and provide a reliable transmission channel for higher-layer data. Using the transmission channel to the terminal, the LTE-LAN-AP can realize the following functions: the LTE-LAN-AP and the terminal exchange control information between their upper-layer management entities, realizing management of the terminal within the LTE-LAN; and, besides control information, the LTE-LAN-AP uses this transmission channel to send and receive the terminal's service data.
On the external network side, the LTE-LAN-AP establishes a data connection to the external network through interface II, which connects the LTE-LAN-AP and the external network, providing the terminal with a path to access the external network.
In addition, the LTE-LAN-AP can be connected with the OAM entity through interface I, which connects the LTE-LAN-AP and the OAM entity, to exchange information with the OAM entity.
2) Terminal LTE-LAN-UE function
The LTE-LAN-UE is a terminal with LTE-LAN access capability, that is, one able to establish a wireless connection with an LTE-LAN-AP based on the LTE-Uu interface. The LTE-LAN-UE has the following functions: after power-on, by selecting and accessing an LTE-LAN-AP, the LTE-LAN-UE can become a member of an LTE-LAN network; through the accessed LTE-LAN-AP, the LTE-LAN-UE can communicate with other network members in the LTE-LAN network and access, through interface II, the external network to which the LTE-LAN-AP is connected.
An LTE-LAN-UE terminal realizing the above functions supports the LTE low-layer transmission technology and adds suitable functions to its higher-layer protocol suite; it can be an existing LTE system terminal with improved upper-layer protocols, or a dedicated LTE-LAN terminal newly designed with its lower layers based on LTE system technology.
3) OAM entity function
The OAM entity is the operation, administration and maintenance module, through which the network user can configure the network parameters of the LTE-LAN, manage LTE-LAN terminals and set the LTE-LAN security mechanism. The OAM entity can be co-located with the LTE-LAN-AP in the same physical entity or be a physical entity separate from the LTE-LAN-AP; when deployed separately, the OAM is connected with the LTE-LAN-AP through interface I, which connects the OAM and the LTE-LAN-AP.
The external network in Fig. 2B mainly means networks outside the scope of the local wireless network LTE-LAN, such as the Internet, home networks and enterprise networks. The LTE-LAN-AP is connected with the external network through a backhaul link (such as xDSL, xPON or CABLE) or through Ethernet.
Referring to Fig. 3, the authentication method provided by the embodiment of the invention comprises the following steps:
Step 30: after the terminal receives a request message sent by the access point (AP) equipment requesting the terminal to report its identification information, the terminal sends its identification information to the AP equipment. Here the terminal's identification information can be the International Mobile Subscriber Identity (IMSI), a Network Access Identifier (NAI), or similar.
Step 31: after the terminal receives the authentication and key agreement (AKA) authentication vector sent by the AP equipment, it verifies the AKA authentication vector using the AKA algorithm;
Step 32: the terminal determines from the verification result whether the AP equipment is a legitimate access device.
Before the terminal receives the EAP request message of step 30, the method further comprises:
the terminal initiates an attach procedure to the AP equipment and establishes with the AP equipment a Signaling Radio Bearer (SRB) for carrying authentication messages.
In step 31 the AKA authentication vector contains authentication token (AUTN) information; verifying the AKA authentication vector using the AKA algorithm can then be implemented as follows:
the terminal sends the AUTN information to its telecom smart card, for example the Universal Subscriber Identity Module (USIM), and the smart card verifies with the AKA algorithm whether the AUTN information is correct. Specifically, the USIM reads the root key stored locally, inputs the root key to the AKA algorithm and runs it; it compares the AUTN obtained by running the AKA algorithm with the received AUTN (in 3GPP AKA this amounts to recomputing the message authentication code contained in AUTN with the root key and checking the sequence number it carries); if the two are consistent, the AUTN information is verified as correct, otherwise it is verified as wrong.
In step 32 the terminal's determination from the verification result of whether the AP equipment is a legitimate access device can be implemented as follows:
if the AKA authentication vector is verified as correct, the terminal determines that the AP equipment is a legitimate access device; if the AKA authentication vector is verified as wrong, it determines that the AP equipment is an illegitimate access device.
Preferably, the AKA authentication vector also contains a random number (RAND), and after the terminal determines in step 32 that the AP equipment is a legitimate access device it can further calculate the authentication response (RES) from the RAND and the AKA algorithm and send this RES to the AP equipment. Specifically, the RAND is input to the AKA algorithm, which is then run to obtain RES.
Preferably, after sending this RES to the AP equipment, the terminal establishes the Data Radio Bearer (DRB) used for transmitting data when it receives the EAP success message sent by the AP equipment. Specifically, the SAE in the UE notifies the local BAC through RRC messages to establish the DRB used for transmitting data.
Preferably, when the terminal receives the AKA authentication vector sent by the AP equipment in step 31, it also receives a first message authentication code (MAC) carried in a first message, the first message being the message that carries the AKA authentication vector; the terminal verifies the first message according to the first MAC, and if the verification passes it verifies the AKA authentication vector using the AKA algorithm, otherwise it does not. Here, the specific method by which the terminal verifies the first message according to the first MAC is: the terminal inputs the locally stored integrity protection key for the AP equipment, the count (COUNT) value, the first message and the message transmission direction value (here downlink) to the integrity protection algorithm and runs it; it compares the MAC obtained from the integrity protection algorithm with the first MAC; if the two are consistent, verification of the first message passes, otherwise verification of the first message fails.
Preferably, when sending the RES to the AP equipment, the terminal also carries in a second message a second MAC calculated with the integrity protection algorithm, the second message being the message that carries the RES. Here, the specific method of calculating the second MAC with the integrity protection algorithm is: the terminal inputs the locally stored integrity protection key for the AP equipment, the count (COUNT) value, the second message and the message transmission direction value (here uplink) to the integrity protection algorithm and runs it to obtain the second MAC.
Preferably, after the terminal determines from the verification result that the AP equipment is an illegitimate access device, it can send a user authentication reject message to the AP equipment carrying the cause of the authentication failure.
In this method the Extensible Authentication Protocol (EAP) is used for communication between the terminal and the AP equipment. The executing agent of each step of the method can specifically be the BAE in the terminal.
Referring to Fig. 4, an embodiment of the invention also provides an authentication method, comprising the following steps:
Step 40: the AP device sends, to an attached terminal, a request message requesting the terminal to report its identification information;
Step 41: after receiving the terminal identification information from the terminal, the AP device sends an authentication request carrying this terminal identification information to the home subscriber server (HSS) through the gateway device (GW);
Step 42: after receiving the AKA authentication vector from the HSS forwarded by the GW, the AP device sends this AKA authentication vector to the terminal;
Step 43: the AP device receives the RES from the terminal, verifies the RES according to the AKA authentication vector, and determines according to the verification result whether the terminal is a legal terminal.
Before the AP device sends the EAP request message to the attached terminal in step 40, the AP device may establish an uncontrolled port and a controlled port for the attached terminal; specifically, the BAC on the GW interface of the AP device establishes the uncontrolled port and the controlled port for this terminal. The uncontrolled port is the port used to transmit authentication messages towards the GW; the controlled port is the port used to transmit data towards the GW. If the controlled port is in the open state, data can pass through it; otherwise, data cannot pass through it.
In step 42, the AP device specifically sends the RAND and the AUTN information in the AKA authentication vector to the terminal.
Preferably, when sending the RAND and AUTN information to the terminal, the AP device also carries, in a first message, a first MAC calculated using the integrity protection algorithm, the first message being the message that carries the RAND and AUTN information. Here, the specific method by which the AP device calculates the first MAC using the integrity protection algorithm is: the AP device inputs the locally stored integrity protection key for the terminal, the COUNT value, the first message and the message direction value (downlink here) into the integrity protection algorithm, and runs the integrity protection algorithm to obtain the first MAC.
Preferably, when the AP device receives the AKA authentication vector in step 42, it also receives a third MAC carried in a third message, the third message being the message that carries the AKA authentication vector. The AP device verifies the third message according to the third MAC; if the verification passes, it sends the AKA authentication vector to the terminal, otherwise it does not send the AKA authentication vector to the terminal. Here, the specific method by which the AP device verifies the third message according to the third MAC is: the AP device inputs the locally stored integrity protection key for the GW, the COUNT value, the third message and the message direction value (downlink here) into the integrity protection algorithm, runs the integrity protection algorithm, and compares the MAC it obtains with the third MAC; if the two are consistent, the verification of the third message passes, otherwise the verification of the third message fails.
In step 43, verifying the RES according to the AKA authentication vector may specifically be implemented as follows:
The AP device determines whether the RES is consistent with the expected authentication response (xRES) in the AKA authentication vector; if they are consistent, the RES is verified as correct, otherwise the RES is verified as wrong.
In step 43, determining according to the verification result whether the terminal is a legal terminal may specifically be implemented as follows:
If the RES is verified as correct, the AP device determines that the terminal is a legal terminal; if the RES is verified as wrong, the AP device determines that the terminal is an illegal terminal.
Preferably, after the AP device determines in step 43 that the terminal is a legal terminal, the AP device may open the controlled port and send an EAP success message to the terminal. Specifically, the AP device may notify the BAC on the GW interface to open the controlled port.
In this method, EAP is used for communication between the AP device and the terminal and between the AP device and the GW. The executing entity of each step of this method may specifically be the BAE in the AP device.
Referring to Fig. 5, an embodiment of the invention also provides a data forwarding method, comprising the following steps:
Step 50: the GW receives the AKA authentication vector from the HSS;
Step 51: the GW forwards the AKA authentication vector to the AP device. The AKA authentication vector includes the RAND and the AUTN.
Preferably, when the GW forwards the AKA authentication vector to the AP device in step 51, it carries, in a third message, a third MAC calculated using the integrity protection algorithm, the third message being the message that carries the AKA authentication vector. Here, the specific method by which the GW calculates the third MAC using the integrity protection algorithm is: the GW inputs the locally stored integrity protection key for the AP device, the COUNT value, the third message and the message direction value (downlink here) into the integrity protection algorithm, and runs the integrity protection algorithm to obtain the third MAC.
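The first, second and third MACs described above are all computed the same way: the sender feeds the shared integrity protection key, a COUNT value, the message and a direction value into an integrity protection algorithm, and the receiver recomputes and compares. The following is an added example, not code from the patent; it assumes HMAC-SHA256 truncated to 32 bits as the unnamed integrity protection algorithm, a constructed encoding of the direction value, and a constructed sample key. It shows why the COUNT and direction inputs matter: a replayed frame, an altered frame and a frame presented in the wrong direction all fail verification even though each carries a MAC that was genuinely computed under the right key.

```python
import hashlib
import hmac
import struct

# Message direction values fed into the MAC (constructed encoding for this example).
DOWNLINK = 0   # AP -> terminal, or GW -> AP
UPLINK = 1     # terminal -> AP, or AP -> GW


def compute_mac(integrity_key, count, direction, message):
    """MAC over (COUNT, direction, message) under the per-peer integrity key.

    Assumption: the patent names no algorithm, so HMAC-SHA256 truncated to
    32 bits stands in for its 'integrity protection algorithm'.
    """
    header = struct.pack(">IB", count, direction)
    return hmac.new(integrity_key, header + message, hashlib.sha256).digest()[:4]


class IntegrityContext:
    """Per-peer state held by each side: the integrity key, the next COUNT to
    send, and the highest COUNT accepted so far (used to reject replays)."""

    def __init__(self, integrity_key):
        self.key = integrity_key
        self.tx_count = 0
        self.last_rx_count = -1

    def protect(self, direction, message):
        """Sender side: attach a MAC and advance the send COUNT."""
        mac = compute_mac(self.key, self.tx_count, direction, message)
        frame = (self.tx_count, direction, message, mac)
        self.tx_count += 1
        return frame

    def verify(self, expected_direction, frame):
        """Receiver side: recompute the MAC from the received COUNT, the direction
        and the message, and compare it with the received MAC. Returns True only
        if the direction is the expected one, the COUNT is fresh and the MACs agree."""
        count, direction, message, mac = frame
        if direction != expected_direction:
            return False                      # reflected or misdirected message
        if count <= self.last_rx_count:
            return False                      # replayed or reordered message
        expected = compute_mac(self.key, count, direction, message)
        if not hmac.compare_digest(expected, mac):
            return False                      # altered in transit or wrong key
        self.last_rx_count = count
        return True


def demo():
    """Exercise the AP -> terminal (downlink) direction with constructed data."""
    ik = b"constructed-integrity-key-for-this-AP-UE-pair"   # constructed sample key
    ap, ue = IntegrityContext(ik), IntegrityContext(ik)   # both sides hold the same key

    first = ap.protect(DOWNLINK, b"EAP-Request/AKA-Challenge|RAND|AUTN")
    accepted = ue.verify(DOWNLINK, first)        # genuine first message
    replayed = ue.verify(DOWNLINK, first)        # same frame again: stale COUNT

    count, direction, message, mac = ap.protect(DOWNLINK, b"second downlink message")
    tampered = ue.verify(DOWNLINK, (count, direction, message + b"!", mac))
    wrong_dir = ue.verify(UPLINK, (count, direction, message, mac))
    second = ue.verify(DOWNLINK, (count, direction, message, mac))

    return {"accepted": accepted, "replayed": replayed, "tampered": tampered,
            "wrong_direction": wrong_dir, "second": second}


if __name__ == "__main__":
    print(demo())
```

Each peer keeps a separate context per neighbour (the AP has one for the terminal and one for the GW), mirroring the patent's "locally stored integrity protection key for the AP device / for the GW"; the COUNT is per context and per direction, which is what makes the replay check meaningful.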
Referring to Fig. 6, an embodiment of the invention also provides an authentication vector sending method, comprising the following steps:
Step 60: after receiving the authentication request carrying the terminal identification information sent by the AP device through the GW, the HSS determines the root key that was set in advance for the terminal corresponding to the terminal identification;
Step 61: the HSS calculates the AKA authentication vector according to the root key and the AKA algorithm; specifically, the root key is input to the AKA algorithm and the AKA algorithm is run to obtain the AKA authentication vector;
Step 62: the HSS sends the AKA authentication vector to the AP device through the GW.
The AKA authentication vector includes: the RAND, the AUTN information and the xRES.
The invention is described in detail below:
When a UE accesses an AP, the AP needs to authenticate the UE; only after the authentication passes can the UE access the network and transmit and receive data. At the same time, the UE also needs to authenticate the AP, to ensure that the AP it accesses is a legitimate device rather than a rogue base station. Moreover, in an LTE-LAN system the AP may be a layer-2 device without an IP stack, so the IP-based EAP-AKA transport cannot be used. This patent therefore proposes a link-layer based mutual authentication method between the UE and the AP that is applicable to the LTE-LAN system: link-layer technology is used to carry the authentication protocol and realize the mutual authentication process. The architecture is shown in Fig. 7; this security architecture mainly consists of the following parts:
MAC layer: between the UE and the AP this is the MAC-layer protocol of the LTE-LAN system; between the AP and the GW it is the standard Ethernet MAC layer;
RLC layer: the RLC layer of the LTE-LAN system;
RRC layer: the RRC layer of the LTE-LAN system;
PDCP layer: the PDCP layer of the LTE-LAN system, responsible for the security of signalling and data between the UE and the AP;
LLC (Logical Link Control) layer: the LLC layer of the interconnection technology between the AP and the GW;
BAE: the port access entity module, a logical module responsible for executing algorithms and protocol operations, which realizes the following function: using the EAP protocol to perform mutual authentication and key agreement.
BAC: the access control module; this logical entity controls the behaviour of the access according to the access control and authorization results of the BAE. For the interface between the AP and the UE, the BAC is located at the RRC layer; for the interface between the AP and the GW, the BAC is located at the MAC layer.
Between the AP and the UE, when mutual authentication succeeds, the BAE notifies the BAC, and the BAC establishes a data radio bearer (DRB) through RRC signalling, through which all data packets can pass; if authentication is unsuccessful, the BAE notifies the BAC and the BAC does not establish a DRB;
Between the AP and the GW, when mutual authentication succeeds, the BAE notifies the BAC to open the controlled port, and all data packets can then pass; if mutual authentication is unsuccessful, the BAE notifies the BAC to close the controlled port, and no data packets can pass.
The main functions of layer 2 in Fig. 7 can be divided into three parts: the RLC and MAC of the data transmission part, and the RRC of the connection management part. The optimized layer-2 design is the main innovation of this system. The functions of each part are described below:
MAC mainly comprises data packet scheduling, channel mapping and multiplexing, transport format selection and the HARQ function. The scheduling part keeps an interface for QoS class and requirements, so that QoS guarantees for higher-layer data packet transmission can be realized. The channel mapping and multiplexing function multiplexes and maps the various MAC packets onto the physical channel for transmission. Transport format selection is the embodiment of the link adaptation function at the MAC layer, and selects the block size for data packet transmission. HARQ realizes fast retransmission of errors according to feedback from the physical channel, guaranteeing link quality.
The main function of the RLC part is to convert IP packets into MAC packets suitable for transmission by the MAC layer, and to reassemble MAC packets and pass them up to the IP layer.
The PDCP layer realizes integrity protection, ciphering, segmentation and concatenation, reordering and other functions. Segmentation and concatenation segment IP packets into MAC packets suitable for MAC transmission, or concatenate MAC packets into IP packets; reordering sorts packets that arrive out of order because of error retransmission. The data ciphering function, according to the requirements of the system configuration, encrypts packets over the air interface to improve security; this function can realize different ciphering modes according to the security level configured by the higher layer.
The RRC part realizes system information broadcast, access authentication and security management between the AP and the user, authentication between the AP and the gateway, and radio link management; the RRC is also responsible for receiving management and configuration information from the gateway, realizing the parameter configuration and synchronization of each layer.
As shown in Fig. 8, the specific authentication procedure is as follows:
Step 1: the UE initiates an attach procedure, connects to the AP, and establishes a signalling radio bearer (SRB) with the AP, which is used to transmit the subsequent authentication messages; authentication messages are the messages transmitted throughout the authentication procedure;
The attach procedure mainly means that the UE and the AP have established the lower-layer connections (such as the physical layer, MAC and RLC layers).
Steps 2-3: the AP detects that the UE has attached; the BAC on the GW interface of the AP establishes a controlled port and an uncontrolled port for this UE, and at the same time the BAE of the AP sends an EAP-Request message to the UE requesting the UE to send its identity. The uncontrolled port is used to transmit the subsequent authentication messages;
The AP and the GW are connected by wired technology; there are no wireless signalling bearers or data bearers, only an LLC connection. Therefore, before authentication succeeds, a mechanism is needed that blocks data and lets only authentication messages pass. These two ports are logical concepts: the uncontrolled port is the port through which authentication messages can pass, and the controlled port is the data port, which can be opened only after authentication succeeds. Both ports are generated under the control of the BAC at the MAC layer.
Step 4: the BAE of the UE sends the identity of the UE to the AP in an EAP-Response message;
The identity of the UE may be an IMSI or an NAI.
Steps 5-7: the BAE on the GW interface of the AP sends an authentication request (EAP-Response message) carrying the terminal identity to the BAE of the GW; the GW sends the authentication request to the HSS; the HSS calculates the AKA authentication vector and sends the resulting RAND, AUTN, KASME and xRES to the BAE of the AP through the GW;
The HSS uses the identity sent by the AP (such as the IMSI) to find the corresponding root key K; the AuC of the HSS derives CK and IK, derives KASME from CK and IK, generates the random number RAND and the authentication token AUTN, and sends them to the GW through the AAA server. CK and IK are kept only in the UE and the HSS. KASME is kept in the security context and is used to derive the other ciphering and integrity protection keys; it is not closely related to the authentication process itself, but it needs to be passed to the GW during this process.
Step 8: the BAE of the AP carries the RAND, AUTN and MAC (message authentication code) to the UE in an EAP-Request/AKA-Challenge message;
Message authentication in fact produces a redundant piece of information, the MAC (message authentication code), for the message itself; the message authentication code is generated by using a key to produce a new data block from the message to be authenticated and encrypting that data block. It is unique and one-to-one for the information to be protected, so it can effectively protect the integrity of the message and realize non-repudiation and unforgeability of the sender's message.
Step 9: the UE also runs the AKA algorithm and verifies the AUTN; after successful verification it calculates the RES (response) and the session key;
The RES is the authentication response; the session key is the key for the link layer, which at present may be Kupenc, mainly used for user-plane security. Verifying the AUTN means that the UE authenticates that the AP is legitimate. After the UE receives the AUTN sent by the AP, the UE passes it to the USIM; the USIM checks whether the AUTN is correct; if it is correct, it calculates the corresponding RES and session key, and the UE sends the RES, together with a MAC, to the AP; the AP checks whether the RES is correct, and if so, the AP considers the UE legitimate. If the UE finds that the AUTN is wrong, the authentication is unsuccessful and the UE should send a user authentication reject message in which the CAUSE value indicates the reason for the failure.
Step 10: the BAE of the UE carries the RES and a MAC to the AP in an EAP-Response/AKA-Challenge message;
Step 11: the AP checks whether the RES is valid; if it is valid, the UE is a legitimate user and step 14 is executed;
After the AP receives the RES sent by the UE, it compares it with the xRES; if they are identical, the RES is valid.
Steps 12-13: the AP device sends an EAP success message to the UE; after the UE receives this message, the BAE notifies the BAC, which establishes a DRB through RRC messages for transmitting data;
Step 14: the BAE notifies the BAC on the GW interface of the AP to open the controlled port.
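The procedure of steps 1-14 above, together with the HSS-side vector generation of steps 60-62 and the controlled-port rule of steps 2-3, as an added example that is not code from the patent. It assumes HMAC-SHA256 in place of the unnamed AKA functions f1..f5 (3GPP specifies MILENAGE), a constructed sample root key K and IMSI, and it leaves out the GW (which only forwards between AP and HSS) and the per-message MACs of steps 8 and 10. It runs the flow four times: a legitimate AP, a rogue AP that does not hold K (the UE's AUTN check fails, so the UE answers with a reject cause instead of a RES), an impostor UE that claims a real identity but cannot compute RES (the AP's RES/xRES comparison fails and the controlled port stays closed), and a replayed vector (the USIM's sequence-number check rejects it).

```python
import hashlib
import hmac
import os


def _prf(key, tag, *parts):
    """Keyed PRF standing in for the AKA functions f1..f5 (assumption: the patent
    does not name them; 3GPP specifies MILENAGE, HMAC-SHA256 is used here)."""
    h = hmac.new(key, tag, hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def generate_vector(k, sqn, amf, rand):
    """HSS/AuC side (steps 60-62): derive (RAND, AUTN, xRES, KASME) from root key K."""
    ak = _prf(k, b"f5", rand)[:6]                  # anonymity key that masks SQN
    mac_a = _prf(k, b"f1", rand, sqn, amf)[:8]     # lets the UE authenticate the network side
    xres = _prf(k, b"f2", rand)[:8]                # expected response the AP compares against
    ck, ik = _prf(k, b"f3", rand)[:16], _prf(k, b"f4", rand)[:16]
    kasme = _prf(ck + ik, b"KASME", b"constructed-serving-network-id")
    autn = _xor(sqn, ak) + amf + mac_a             # CK and IK never leave HSS and UE
    return {"RAND": rand, "AUTN": autn, "XRES": xres, "KASME": kasme}


class Hss:
    """Holds each subscriber's root key K and the last sequence number issued."""

    def __init__(self):
        self.subscribers = {}          # identity -> [K, SQN]

    def provision(self, identity, k):
        self.subscribers[identity] = [k, 0]

    def authenticate(self, identity):
        entry = self.subscribers.get(identity)
        if entry is None:
            return None                # unknown identity: no vector
        entry[1] += 1                  # fresh SQN for every vector
        return generate_vector(entry[0], entry[1].to_bytes(6, "big"),
                               b"\x80\x00", os.urandom(16))


class Terminal:
    """UE whose USIM holds K and the highest SQN it has accepted so far."""

    def __init__(self, identity, k):
        self.identity, self.k, self.sqn = identity, k, 0

    def challenge(self, rand, autn):
        """Step 9: verify AUTN (authenticates the AP side); return (RES, cause)."""
        sqn_ak, amf, mac_a = autn[:6], autn[6:8], autn[8:16]
        sqn = _xor(sqn_ak, _prf(self.k, b"f5", rand)[:6])
        expected = _prf(self.k, b"f1", rand, sqn, amf)[:8]
        if not hmac.compare_digest(expected, mac_a):
            return None, "MAC failure"                # AP is not a legal access device
        if int.from_bytes(sqn, "big") <= self.sqn:
            return None, "synchronisation failure"    # stale or replayed vector
        self.sqn = int.from_bytes(sqn, "big")
        return _prf(self.k, b"f2", rand)[:8], None


class ImpostorTerminal(Terminal):
    """Claims a real identity but has no K, so it can only guess the RES."""

    def challenge(self, rand, autn):
        return os.urandom(8), None


class AccessPoint:
    """AP side; the GW only forwards between AP and HSS, so it is elided here."""

    def __init__(self, hss):
        self.hss = hss
        self.controlled_port = {}      # per terminal; opened only after EAP-Success

    def authenticate(self, ue):
        self.controlled_port[ue.identity] = False   # steps 2-4: ports created, data blocked
        av = self.hss.authenticate(ue.identity)     # steps 5-7 (via the GW)
        if av is None:
            return "EAP-Failure", "unknown identity"
        res, cause = ue.challenge(av["RAND"], av["AUTN"])   # steps 8-10
        if cause is not None:
            return "EAP-Failure", cause                 # user authentication reject + cause
        if not hmac.compare_digest(res, av["XRES"]):    # step 11: RES against xRES
            return "EAP-Failure", "RES mismatch"
        self.controlled_port[ue.identity] = True        # steps 12-14: open controlled port
        return "EAP-Success", None


def demo():
    """Run the flow for a legitimate AP, a rogue AP, an impostor UE and a replayed vector."""
    k = b"constructed-root-key-K-0123456789"          # constructed sample K
    identity = "001010123456789"                       # constructed sample IMSI
    hss = Hss()
    hss.provision(identity, k)
    ue, legit_ap = Terminal(identity, k), AccessPoint(hss)
    rogue_hss = Hss()                                  # rogue base station: no real K
    rogue_hss.provision(identity, b"guessed-key-that-is-not-the-real-K")
    results = {"legit": legit_ap.authenticate(ue)}
    results["legit_port_open"] = legit_ap.controlled_port[identity]
    results["rogue_ap"] = AccessPoint(rogue_hss).authenticate(ue)
    results["impostor"] = legit_ap.authenticate(ImpostorTerminal(identity, None))
    results["impostor_port_open"] = legit_ap.controlled_port[identity]
    av = generate_vector(k, (100).to_bytes(6, "big"), b"\x80\x00", os.urandom(16))
    ue.challenge(av["RAND"], av["AUTN"])               # first use is accepted
    results["replay_cause"] = ue.challenge(av["RAND"], av["AUTN"])[1]
    return results
```

The two checks that give the scheme its mutual property are visible in `Terminal.challenge` (the UE authenticates the AP side through MAC-A in AUTN before it discloses any RES) and in `AccessPoint.authenticate` (the AP authenticates the UE through RES against xRES before the BAC opens the controlled port).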
Referring to Fig. 9, an embodiment of the invention also provides an authentication system, comprising:
a terminal 90, configured to: after receiving a request message sent by the access point (AP) device requesting the terminal to report its identification information, send the identification information of the terminal to the AP device; after receiving the authentication and key agreement (AKA) authentication vector sent by the AP device, verify the AKA authentication vector using the AKA algorithm; and determine according to the verification result whether the AP device is a legal access device;
an AP device 91, configured to: send, to an attached terminal, a request message requesting the terminal to report its identification information; after receiving the terminal identification information from the terminal, send an authentication request carrying this terminal identification information to the home subscriber server (HSS) through the gateway device (GW); after receiving the AKA authentication vector from the HSS forwarded by the GW, send this AKA authentication vector to the terminal; receive the authentication response (RES) from the terminal, verify the RES according to the AKA authentication vector, and determine according to the verification result whether the terminal is a legal terminal;
a GW 92, configured to receive the AKA authentication vector from the HSS and forward the AKA authentication vector to the AP device;
an HSS 93, configured to: after receiving the authentication request carrying the terminal identification information sent by the AP device through the GW, determine the root key set in advance for the terminal corresponding to the terminal identification; calculate the AKA authentication vector according to the root key and the AKA algorithm; and send the AKA authentication vector to the AP device through the GW.
Referring to Fig. 10, an embodiment of the invention also provides an authentication device, comprising:
a sending unit 101, configured to, after receiving a request message sent by the access point (AP) device requesting the terminal to report its identification information, send the identification information of this terminal to the AP device;
a verification unit 102, configured to, after receiving the authentication and key agreement (AKA) authentication vector sent by the AP device, verify the AKA authentication vector using the AKA algorithm;
an authentication unit 103, configured to determine according to the verification result whether the AP device is a legal access device.
This device comprises:
an attach unit 104, configured to, before the EAP request message is received, initiate an attach procedure to the AP device and establish, with the AP device, a signalling radio bearer (SRB) used to transmit authentication messages.
The verification unit 102 is configured to:
when the AKA authentication vector includes authentication token (AUTN) information, send the AUTN information to the telecom smart card of this terminal, and the telecom smart card verifies whether the AUTN information is correct using the AKA algorithm.
The authentication unit 103 is configured to:
if the AKA authentication vector is verified as correct, determine that the AP device is a legal access device; if the AKA authentication vector fails verification, determine that the AP device is an illegal access device.
This device also comprises:
a first response unit 105, configured to, when the AKA authentication vector also includes a random number (RAND) and after it is determined according to the verification result that the AP device is a legal access device, calculate an authentication response (RES) according to the RAND and the AKA algorithm, and send this RES to the AP device.
This device also comprises:
a bearer establishing unit 106, configured to, after the RES is sent to the AP device, establish a data radio bearer (DRB) used to transmit data when the EAP success message sent by the AP device is received.
The verification unit 102 is also configured to:
when receiving the AKA authentication vector sent by the AP device, also receive a first message authentication code (MAC) carried in a first message, the first message being the message that carries the AKA authentication vector;
verify the first message according to the first MAC; if the verification passes, verify the AKA authentication vector using the AKA algorithm, otherwise do not verify the AKA authentication vector using the AKA algorithm.
The first response unit 104 is also configured to:
when sending the RES to the AP device, also carry, in a second message, a second MAC calculated using the integrity protection algorithm, the second message being the message that carries the RES.
This device also comprises:
a second response unit 107, configured to, after it is determined according to the verification result that the AP device is an illegal access device, send a user authentication reject message to the AP device, the user authentication reject message carrying cause information for the authentication failure.
Referring to Fig. 11, an embodiment of the invention also provides an authentication device, comprising:
an identity request unit 111, configured to send, to an attached terminal, a request message requesting the terminal to report its identification information;
an authentication request unit 112, configured to, after receiving the terminal identification information from the terminal, send an authentication request carrying this terminal identification information to the home subscriber server (HSS) through the gateway device (GW);
a vector sending unit 113, configured to, after receiving the authentication and key agreement (AKA) authentication vector from the HSS forwarded by the GW, send this AKA authentication vector to the terminal;
an authentication unit 114, configured to receive the authentication response (RES) from the terminal, verify the RES according to the AKA authentication vector, and determine according to the verification result whether the terminal is a legal terminal.
This device also comprises:
a port establishing unit 115, configured to, before the EAP request message is sent to the attached terminal, establish an uncontrolled port and a controlled port for the attached terminal;
the uncontrolled port is the port used to transmit authentication messages towards the GW; the controlled port is the port used to transmit data towards the GW; if the controlled port is in the open state, data can pass through it, otherwise data cannot pass through it.
The vector sending unit 113 is configured to:
send the random number (RAND) and the authentication token (AUTN) information in the AKA authentication vector to the terminal.
The vector sending unit 113 is also configured to:
when sending the RAND and AUTN information to the terminal, also carry, in a first message, a first message authentication code (MAC) calculated using the integrity protection algorithm, the first message being the message that carries the RAND and AUTN information.
The vector sending unit 113 is also configured to:
when receiving the AKA authentication vector, also receive a third message authentication code (MAC) carried in a third message, the third message being the message that carries the AKA authentication vector;
verify the third message according to the third MAC; if the verification passes, send this AKA authentication vector to the terminal, otherwise do not send this AKA authentication vector to the terminal.
The authentication unit 114 is configured to:
determine whether the RES is consistent with the expected authentication response (xRES) in the AKA authentication vector; if they are consistent, verify the RES as correct, otherwise verify the RES as wrong.
The authentication unit 114 is configured to:
if the RES is verified as correct, determine that the terminal is a legal terminal; if the RES is verified as wrong, determine that the terminal is an illegal terminal.
This device also comprises:
a port opening unit 116, which is also configured to:
after it is determined that the terminal is a legal terminal, open the controlled port and send an EAP success message to the terminal.
Referring to Fig. 12, an embodiment of the invention also provides a data forwarding device, comprising:
a receiving unit 121, configured to receive the AKA authentication vector from the home subscriber server (HSS);
a forwarding unit 122, configured to forward the AKA authentication vector to the access point (AP) device.
The forwarding unit 122 is also configured to:
when forwarding the AKA authentication vector to the AP device, carry, in a third message, a third message authentication code (MAC) calculated using the integrity protection algorithm, the third message being the message that carries the AKA authentication vector.
Referring to Fig. 13, an embodiment of the invention also provides an authentication vector sending device, comprising:
a determining unit 131, configured to, after receiving the authentication request carrying the terminal identification information sent by the access point (AP) device through the gateway device (GW), determine the root key set in advance for the terminal corresponding to the terminal identification;
a calculating unit 132, configured to calculate the AKA authentication vector according to the root key and the authentication and key agreement (AKA) algorithm;
a sending unit 133, configured to send the AKA authentication vector to the AP device through the GW.
The AKA authentication vector includes: the random number (RAND), the authentication token (AUTN) information and the expected authentication response (xRES).
In summary, the beneficial effects of the invention include:
In the scheme provided by the embodiments of the invention, the AP device sends, to an attached terminal, a request message requesting the terminal to report its identification information; the terminal sends its identification information to the AP device; the AP device sends an authentication request carrying this terminal identification information to the HSS through the GW; the HSS determines the root key set in advance for the terminal corresponding to the terminal identification, calculates the AKA authentication vector according to the root key and the AKA algorithm, and sends the AKA authentication vector to the AP device through the GW; the AP device sends this AKA authentication vector to the terminal; and the terminal verifies the AKA authentication vector using the AKA algorithm and determines according to the verification result whether the AP device is a legal access device. Authentication of the AP device by the terminal is thereby realized.
Further, after determining that the AP device is a legal access device, the terminal calculates the RES according to the RAND in the AKA authentication vector and the AKA algorithm and sends this RES to the AP device; the AP device verifies the RES according to the AKA authentication vector and determines according to the verification result whether the terminal is a legal terminal. Authentication of the terminal by the AP device is thereby realized.
The invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from the spirit and scope of the invention. Thus, if these changes and modifications of the invention fall within the scope of the claims of the invention and their equivalent technologies, the invention is also intended to include these changes and modifications.

Claims (45)

1. An authentication method, characterized in that the method comprises:
after a terminal receives a request message sent by access point (AP) equipment requesting the terminal to report identification information, the terminal sends the identification information of the terminal to the AP equipment;
after the terminal receives an authentication and key agreement (AKA) authentication vector sent by the AP equipment, the terminal verifies said AKA authentication vector using the AKA algorithm;
the terminal determines, according to the verification result, whether the AP equipment is a legal access device.
2. The method of claim 1, characterized in that, before the terminal receives said EAP request message, the method further comprises:
the terminal initiating an attach procedure to the AP equipment and establishing with the AP equipment a signaling radio bearer (SRB) used for transmitting authentication messages.
3. The method of claim 1, characterized in that said AKA authentication vector comprises authentication token (AUTN) information, and verifying said AKA authentication vector using the AKA algorithm comprises:
the terminal sending said AUTN information to the telecom smart card of the terminal, and the telecom smart card verifying with the AKA algorithm whether said AUTN information is correct.
4. The method of claim 1, characterized in that the terminal determining according to the verification result whether the AP equipment is a legal access device comprises:
if said AKA authentication vector is verified to be correct, the terminal determines that the AP equipment is a legal access device; if said AKA authentication vector is verified to be wrong, the terminal determines that the AP equipment is an illegal access device.
5. The method of claim 3, characterized in that said AKA authentication vector further comprises a random number (RAND), and after the terminal determines according to the verification result that the AP equipment is a legal access device, the method further comprises:
the terminal calculating an authentication response (RES) according to said RAND and the AKA algorithm, and sending the RES to the AP equipment.
6. The method of claim 5, characterized in that, after the RES is sent to the AP equipment, the method further comprises:
the terminal establishing a data radio bearer (DRB) used for transmitting data after receiving an EAP success message sent by the AP equipment.
7. The method of claim 1, characterized in that the method further comprises:
when receiving the AKA authentication vector sent by the AP equipment, the terminal also receives a first message authentication code (MAC) carried in a first message, the first message being the message carrying said AKA authentication vector;
the terminal verifies said first message according to said first MAC; if the verification passes, the terminal verifies said AKA authentication vector using the AKA algorithm, otherwise it does not verify said AKA authentication vector using the AKA algorithm.
8. The method of claim 5, characterized in that the method further comprises:
when sending said RES to the AP equipment, the terminal also carries, in a second message sent to the AP equipment, a second MAC computed using an integrity protection algorithm, the second message being the message carrying said RES.
9. The method of claim 1, characterized in that, after the terminal determines according to the verification result that the AP equipment is an illegal access device, the method further comprises:
the terminal sending a user authentication reject message to the AP equipment, the user authentication reject message carrying cause information for the authentication failure.
10. The method of any one of claims 1-9, characterized in that the Extensible Authentication Protocol (EAP) is used for communication between the terminal and the AP equipment.
11. An authentication method, characterized in that the method comprises:
access point (AP) equipment sending, to an attached terminal, a request message requesting the terminal to report identification information;
after receiving the terminal identification information from the terminal, the AP equipment sending an authentication request carrying the terminal identification information to a home subscriber server (HSS) through gateway equipment (GW);
after receiving the authentication and key agreement (AKA) authentication vector from the HSS forwarded by the GW, the AP equipment sending the AKA authentication vector to the terminal;
the AP equipment receiving an authentication response (RES) from the terminal, verifying said RES according to said AKA authentication vector, and determining according to the verification result whether the terminal is a legal terminal.
12. The method of claim 11, characterized in that, before the AP equipment sends said EAP request message to the attached terminal, the method further comprises:
the AP equipment establishing an uncontrolled port and a controlled port for the attached terminal;
said uncontrolled port being the port used to transmit authentication messages towards the GW; said controlled port being the port used to transmit data towards the GW, where data can pass through the controlled port if it is in the open state and cannot pass through it otherwise.
13. The method of claim 11, characterized in that sending the AKA authentication vector to the terminal comprises:
the AP equipment sending the random number (RAND) and the authentication token (AUTN) information in said AKA authentication vector to the terminal.
14. The method of claim 13, characterized in that the method further comprises:
when sending said RAND and AUTN information to the terminal, the AP equipment also carries, in a first message sent to the terminal, a first message authentication code (MAC) computed using an integrity protection algorithm, the first message being the message carrying said RAND and AUTN information.
15. The method of claim 11, characterized in that the method further comprises:
when receiving said AKA authentication vector, the AP equipment also receives a third message authentication code (MAC) carried in a third message, the third message being the message carrying said AKA authentication vector;
the AP equipment verifies said third message according to said third MAC; if the verification passes, it sends the AKA authentication vector to the terminal, otherwise it does not send the AKA authentication vector to the terminal.
16. The method of claim 11, characterized in that verifying said RES according to said AKA authentication vector comprises:
the AP equipment determining whether said RES is consistent with the expected authentication response (XRES) in said AKA authentication vector; if they are consistent, said RES is verified to be correct, otherwise said RES is verified to be wrong.
17. The method of claim 11, characterized in that determining according to the verification result whether the terminal is a legal terminal comprises:
if said RES is verified to be correct, the AP equipment determines that the terminal is a legal terminal; if said RES is verified to be wrong, the AP equipment determines that the terminal is an illegal terminal.
18. The method of claim 12, characterized in that, after the AP equipment determines that the terminal is a legal terminal, the method further comprises:
the AP equipment opening said controlled port and sending an EAP success message to the terminal.
19. The method of any one of claims 11-18, characterized in that the Extensible Authentication Protocol (EAP) is used for communication between the AP equipment and the terminal and the GW.
20. A data forwarding method, characterized in that the method comprises:
gateway equipment (GW) receiving an AKA authentication vector from a home subscriber server (HSS);
the GW forwarding said AKA authentication vector to access point (AP) equipment.
21. The method of claim 20, characterized in that the method further comprises:
when forwarding said AKA authentication vector to the AP equipment, the GW carries, in a third message sent to the AP equipment, a third message authentication code (MAC) computed using an integrity protection algorithm, the third message being the message carrying said AKA authentication vector.
22. An authentication vector sending method, characterized in that the method comprises:
after receiving, through gateway equipment (GW), an authentication request carrying terminal identification information sent by access point (AP) equipment, a home subscriber server (HSS) determining the root key set in advance for the terminal corresponding to said terminal identification;
the HSS calculating an AKA authentication vector according to said root key and the authentication and key agreement (AKA) algorithm;
the HSS sending said AKA authentication vector to the AP equipment through the GW.
23. The method of claim 22, characterized in that said AKA authentication vector comprises:
a random number (RAND), authentication token (AUTN) information, and an expected authentication response (XRES).
24. Authentication equipment, characterized in that the equipment comprises:
a sending unit, used to send the identification information of the terminal to access point (AP) equipment after receiving a request message sent by the AP equipment requesting the terminal to report identification information;
a verification unit, used to verify, using the AKA algorithm, the authentication and key agreement (AKA) authentication vector sent by the AP equipment after it is received;
an authentication unit, used to determine according to the verification result whether the AP equipment is a legal access device.
25. The equipment of claim 24, characterized in that the equipment further comprises:
an attach unit, used to initiate an attach procedure to the AP equipment before said EAP request message is received, and to establish with the AP equipment a signaling radio bearer (SRB) used for transmitting authentication messages.
26. The equipment of claim 24, characterized in that said verification unit is used to:
when said AKA authentication vector comprises authentication token (AUTN) information, send said AUTN information to the telecom smart card of the terminal, the telecom smart card verifying with the AKA algorithm whether said AUTN information is correct.
27. The equipment of claim 24, characterized in that said authentication unit is used to:
if said AKA authentication vector is verified to be correct, determine that the AP equipment is a legal access device; if said AKA authentication vector is verified to be wrong, determine that the AP equipment is an illegal access device.
28. The equipment of claim 26, characterized in that the equipment further comprises:
a first response unit, used, when said AKA authentication vector further comprises a random number (RAND) and after it has been determined according to the verification result that the AP equipment is a legal access device, to calculate an authentication response (RES) according to said RAND and the AKA algorithm and to send the RES to the AP equipment.
29. The equipment of claim 28, characterized in that the equipment further comprises:
a bearer setup unit, used, after the RES is sent to the AP equipment, to establish a data radio bearer (DRB) used for transmitting data when an EAP success message sent by the AP equipment is received.
30. The equipment of claim 24, characterized in that said verification unit is further used to:
when receiving the AKA authentication vector sent by the AP equipment, also receive a first message authentication code (MAC) carried in a first message, the first message being the message carrying said AKA authentication vector;
verify said first message according to said first MAC; if the verification passes, verify said AKA authentication vector using the AKA algorithm, otherwise do not verify said AKA authentication vector using the AKA algorithm.
31. The equipment of claim 28, characterized in that said first response unit is further used to:
when sending said RES to the AP equipment, also carry, in a second message sent to the AP equipment, a second MAC computed using an integrity protection algorithm, the second message being the message carrying said RES.
32. The equipment of claim 24, characterized in that the equipment further comprises:
a second response unit, used, after it has been determined according to the verification result that the AP equipment is an illegal access device, to send a user authentication reject message to the AP equipment, the user authentication reject message carrying cause information for the authentication failure.
33. Authentication equipment, characterized in that the equipment comprises:
an identification request unit, used to send to an attached terminal a request message requesting the terminal to report identification information;
an authentication request unit, used, after receiving the terminal identification information from the terminal, to send an authentication request carrying the terminal identification information to a home subscriber server (HSS) through gateway equipment (GW);
a vector sending unit, used, after receiving the authentication and key agreement (AKA) authentication vector from the HSS forwarded by the GW, to send the AKA authentication vector to the terminal;
an authentication unit, used to receive an authentication response (RES) from the terminal, verify said RES according to said AKA authentication vector, and determine according to the verification result whether the terminal is a legal terminal.
34. The equipment of claim 33, characterized in that the equipment further comprises:
a port setup unit, used to establish an uncontrolled port and a controlled port for the attached terminal before said EAP request message is sent to it;
said uncontrolled port being the port used to transmit authentication messages towards the GW; said controlled port being the port used to transmit data towards the GW, where data can pass through the controlled port if it is in the open state and cannot pass through it otherwise.
35. The equipment of claim 33, characterized in that said vector sending unit is used to:
send the random number (RAND) and the authentication token (AUTN) information in said AKA authentication vector to the terminal.
36. The equipment of claim 35, characterized in that said vector sending unit is further used to:
when sending said RAND and AUTN information to the terminal, also carry, in a first message sent to the terminal, a first message authentication code (MAC) computed using an integrity protection algorithm, the first message being the message carrying said RAND and AUTN information.
37. The equipment of claim 33, characterized in that said vector sending unit is further used to:
when receiving said AKA authentication vector, also receive a third message authentication code (MAC) carried in a third message, the third message being the message carrying said AKA authentication vector;
verify said third message according to said third MAC; if the verification passes, send the AKA authentication vector to the terminal, otherwise do not send the AKA authentication vector to the terminal.
38. The equipment of claim 33, characterized in that said authentication unit is used to:
determine whether said RES is consistent with the expected authentication response (XRES) in said AKA authentication vector; if they are consistent, verify that said RES is correct, otherwise verify that said RES is wrong.
39. The equipment of claim 33, characterized in that said authentication unit is used to:
if said RES is verified to be correct, determine that the terminal is a legal terminal; if said RES is verified to be wrong, determine that the terminal is an illegal terminal.
40. The equipment of claim 34, characterized in that the equipment further comprises:
a port opening unit, used to open said controlled port after the terminal has been determined to be a legal terminal, and to send an EAP success message to the terminal.
41. Data forwarding equipment, characterized in that the equipment comprises:
a receiving unit, used to receive an AKA authentication vector from a home subscriber server (HSS);
a forwarding unit, used to forward said AKA authentication vector to access point (AP) equipment.
42. The equipment of claim 41, characterized in that said forwarding unit is further used to:
when forwarding said AKA authentication vector to the AP equipment, carry, in a third message sent to the AP equipment, a third message authentication code (MAC) computed using an integrity protection algorithm, the third message being the message carrying said AKA authentication vector.
43. Authentication vector sending equipment, characterized in that the equipment comprises:
a determining unit, used, after receiving through gateway equipment (GW) an authentication request carrying terminal identification information sent by access point (AP) equipment, to determine the root key set in advance for the terminal corresponding to said terminal identification;
a calculating unit, used to calculate an AKA authentication vector according to said root key and the authentication and key agreement (AKA) algorithm;
a sending unit, used to send said AKA authentication vector to the AP equipment through the GW.
44. The equipment of claim 43, characterized in that said AKA authentication vector comprises:
a random number (RAND), authentication token (AUTN) information, and an expected authentication response (XRES).
45. An authentication system, characterized in that the system comprises:
a terminal, used to send the identification information of the terminal to access point (AP) equipment after receiving a request message sent by the AP equipment requesting the terminal to report identification information; to verify, using the AKA algorithm, the authentication and key agreement (AKA) authentication vector sent by the AP equipment after it is received; and to determine according to the verification result whether the AP equipment is a legal access device;
the AP equipment, used to send to the attached terminal a request message requesting the terminal to report identification information; after receiving the terminal identification information from the terminal, to send an authentication request carrying the terminal identification information to a home subscriber server (HSS) through gateway equipment (GW); after receiving the AKA authentication vector from the HSS forwarded by the GW, to send the AKA authentication vector to the terminal; and to receive an authentication response (RES) from the terminal, verify said RES according to said AKA authentication vector, and determine according to the verification result whether the terminal is a legal terminal;
the GW, used to receive the AKA authentication vector from the HSS and to forward said AKA authentication vector to the AP equipment;
the HSS, used, after receiving through the GW the authentication request carrying terminal identification information sent by the AP equipment, to determine the root key set in advance for the terminal corresponding to said terminal identification; to calculate the AKA authentication vector according to said root key and the AKA algorithm; and to send said AKA authentication vector to the AP equipment through the GW.
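The exchange the claims describe, written out as an added example that is not part of the patent and not code from the applicant: an HSS derives a vector (RAND, AUTN, XRES) from the terminal's root key, the GW relays it under a third MAC, the AP forwards RAND and AUTN under a first MAC, the terminal checks AUTN and only then answers with RES under a second MAC, and the AP opens its controlled port only when RES matches XRES. The AKA functions are a simplified HMAC-SHA256 stand-in rather than 3GPP Milenage, the AMF value and the two integrity keys are assumed (the claims do not say where the integrity keys come from), and the terminal identifiers and keys in the usage are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Simplified AKA stand-in, NOT 3GPP Milenage. ik_gw_ap and ik_ap_term are
# assumed pre-established integrity keys for the GW<->AP and AP<->terminal legs.
AMF = b"\x80\x00"  # assumed authentication management field value


def f1_mac_a(k: bytes, sqn: bytes, rand: bytes) -> bytes:
    # Network authentication code carried inside AUTN (stand-in for AKA f1).
    return hmac.new(k, b"f1" + sqn + AMF + rand, hashlib.sha256).digest()[:8]


def f2_res(k: bytes, rand: bytes) -> bytes:
    # Terminal response RES / expected response XRES (stand-in for AKA f2).
    return hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:8]


def integrity_tag(ik: bytes, payload: bytes) -> bytes:
    # Message authentication code over a whole message (first/second/third MAC).
    return hmac.new(ik, payload, hashlib.sha256).digest()


class HSS:
    # Holds each terminal's root key and derives the AKA vector (claims 22-23).
    def __init__(self):
        self.root_keys = {}
        self.sqn = {}

    def provision(self, terminal_id: str, root_key: bytes) -> None:
        self.root_keys[terminal_id] = root_key
        self.sqn[terminal_id] = 0

    def authentication_vector(self, terminal_id: str) -> dict:
        k = self.root_keys[terminal_id]  # KeyError for an unknown terminal
        self.sqn[terminal_id] += 1       # fresh sequence number per vector
        sqn = self.sqn[terminal_id].to_bytes(6, "big")
        rand = secrets.token_bytes(16)
        autn = sqn + AMF + f1_mac_a(k, sqn, rand)   # 6 + 2 + 8 = 16 bytes
        return {"RAND": rand, "AUTN": autn, "XRES": f2_res(k, rand)}


class Terminal:
    # Terminal whose smart card holds the root key; checks AUTN, answers RES.
    def __init__(self, terminal_id: str, root_key: bytes):
        self.terminal_id = terminal_id
        self._k = root_key
        self._highest_sqn = 0

    def verify_autn(self, rand: bytes, autn: bytes) -> bool:
        sqn, amf, mac_a = autn[:6], autn[6:8], autn[8:]
        expected = f1_mac_a(self._k, sqn, rand)
        if amf != AMF or not hmac.compare_digest(mac_a, expected):
            return False  # vector was not derived from this terminal's root key
        if int.from_bytes(sqn, "big") <= self._highest_sqn:
            return False  # replayed vector
        self._highest_sqn = int.from_bytes(sqn, "big")
        return True

    def response(self, rand: bytes) -> bytes:
        return f2_res(self._k, rand)


class AccessPoint:
    # AP whose controlled (data) port opens only after a correct RES.
    def __init__(self):
        self.controlled_port_open = False


def run_authentication(terminal, ap, hss, ik_gw_ap, ik_ap_term, tamper_in_transit=False):
    # Returns a status string saying where the exchange stopped.
    # Steps 1-3: identity request/report on the uncontrolled port, then the
    # authentication request carrying the identity travels AP -> GW -> HSS.
    try:
        vector = hss.authentication_vector(terminal.terminal_id)
    except KeyError:
        return "hss-unknown-terminal"
    # Step 4: GW -> AP, third message under the third MAC (claims 15, 21).
    msg3 = vector["RAND"] + vector["AUTN"] + vector["XRES"]
    mac3 = integrity_tag(ik_gw_ap, msg3)
    if tamper_in_transit:  # simulate modification between GW and AP
        msg3 = msg3[:-1] + bytes([msg3[-1] ^ 0x01])
    if not hmac.compare_digest(mac3, integrity_tag(ik_gw_ap, msg3)):
        return "ap-dropped-tampered-vector"
    rand, autn, xres = msg3[:16], msg3[16:32], msg3[32:]
    # Step 5: AP -> terminal, RAND||AUTN under the first MAC (claims 7, 14).
    msg1 = rand + autn
    mac1 = integrity_tag(ik_ap_term, msg1)
    if not hmac.compare_digest(mac1, integrity_tag(ik_ap_term, msg1)):
        return "terminal-dropped-tampered-challenge"
    if not terminal.verify_autn(rand, autn):
        return "terminal-rejected-ap"  # terminal sends a reject with a cause (claim 9)
    # Step 6: terminal -> AP, RES under the second MAC (claims 5, 8).
    res = terminal.response(rand)
    mac2 = integrity_tag(ik_ap_term, res)
    if not hmac.compare_digest(mac2, integrity_tag(ik_ap_term, res)):
        return "ap-dropped-tampered-response"
    if not hmac.compare_digest(res, xres):
        return "ap-rejected-terminal"  # claims 16-17
    # Step 7: AP opens the controlled port and sends EAP success (claim 18).
    ap.controlled_port_open = True
    return "ok"
```

The point worth noting from the terminal's side is the ordering: AUTN is checked before any RES is produced, so an access point that cannot obtain a vector from the real HSS (and therefore cannot produce a MAC under the terminal's root key) is rejected without the terminal disclosing anything derived from that key, and the sequence-number check stops a previously observed vector from being accepted twice.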
CN2011100342804A 2011-01-31 2011-01-31 Method, system and equipment for authentication Pending CN102625306A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011100342804A CN102625306A (en) 2011-01-31 2011-01-31 Method, system and equipment for authentication

Publications (1)

Publication Number Publication Date
CN102625306A true CN102625306A (en) 2012-08-01

Family

ID=46564951

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011100342804A Pending CN102625306A (en) 2011-01-31 2011-01-31 Method, system and equipment for authentication

Country Status (1)

Country Link
CN (1) CN102625306A (en)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103745353A (en) * 2014-01-23 2014-04-23 福建联迪商用设备有限公司 Electronic payment terminal verification method and system
CN103874068A (en) * 2014-03-20 2014-06-18 工业和信息化部电信研究院 Method and device for identifying false base stations
WO2014113922A1 (en) * 2013-01-22 2014-07-31 华为技术有限公司 Method and network device for security authentication of mobile communication system
CN103973658A (en) * 2013-02-04 2014-08-06 中兴通讯股份有限公司 Static user terminal authentication processing method and device
CN104066087A (en) * 2014-07-08 2014-09-24 天津理工大学 Method for dynamically selecting length of authentication vector set
WO2015097223A1 (en) * 2013-12-23 2015-07-02 Koninklijke Kpn N.V. Method and system for providing security from a radio access network
CN106559783A (en) * 2015-09-29 2017-04-05 华为技术有限公司 A kind of authentication method to WIFI network, device and system
WO2018077232A1 (en) * 2016-10-31 2018-05-03 华为技术有限公司 Network authentication method, and related device and system
WO2018090986A1 (en) * 2016-11-18 2018-05-24 华为技术有限公司 Authentication method, base station, user equipment, and core network element
WO2018153173A1 (en) * 2017-02-27 2018-08-30 中兴通讯股份有限公司 Terminal identification processing method, apparatus, and related device
CN108712252A (en) * 2018-05-29 2018-10-26 如般量子科技有限公司 It is a kind of based on pool of symmetric keys and span centre after AKA identity authorization systems and method
CN109565904A (en) * 2016-08-05 2019-04-02 高通股份有限公司 Technology for the secure connection via access node established between wireless device and local area network
CN109756451A (en) * 2017-11-03 2019-05-14 华为技术有限公司 A kind of information interacting method and device
CN110381486A (en) * 2019-07-09 2019-10-25 广东以诺通讯有限公司 A kind of method, Tag label and terminal for sharing VoWiFi business by NFC
CN110583036A (en) * 2017-05-29 2019-12-17 华为国际有限公司 Network authentication method, network equipment and core network equipment
US10659960B2 (en) 2013-12-23 2020-05-19 Koninklijke Kpn N.V. Method and system for providing security from a radio access network
CN112019489A (en) * 2019-05-31 2020-12-01 华为技术有限公司 Verification method and device
CN112637846A (en) * 2020-12-24 2021-04-09 青岛海尔科技有限公司 Hotspot connection method and device
CN112702776A (en) * 2020-12-15 2021-04-23 锐捷网络股份有限公司 Method for realizing wireless terminal access to wireless local area network and wireless access point
CN113691974A (en) * 2021-08-19 2021-11-23 支付宝(杭州)信息技术有限公司 Method and apparatus for authenticating a wireless access point
CN114143016A (en) * 2020-08-14 2022-03-04 中兴通讯股份有限公司 Authentication method based on general guide architecture GBA and corresponding device
WO2023143418A1 (en) * 2022-01-27 2023-08-03 维沃移动通信有限公司 Device authentication method and apparatus, and terminal and network function

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060052085A1 (en) * 2002-05-01 2006-03-09 Gregrio Rodriguez Jesus A System, apparatus and method for sim-based authentication and encryption in wireless local area network access
CN101160924A (en) * 2005-05-09 2008-04-09 诺基亚公司 Method for distributing certificates in a communication system
CN101420695A (en) * 2008-12-16 2009-04-29 天津工业大学 A kind of 3G subscription fast roaming authentication method based on WLAN (wireless local area network)
CN101854629A (en) * 2010-05-21 2010-10-06 西安电子科技大学 Method of access authentication and recertification in home NodeB system of user terminal

Cited By (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104937965A (en) * 2013-01-22 2015-09-23 华为技术有限公司 Method and network device for security authentication of mobile communication system
WO2014113922A1 (en) * 2013-01-22 2014-07-31 华为技术有限公司 Method and network device for security authentication of mobile communication system
CN104937965B (en) * 2013-01-22 2019-09-03 华为技术有限公司 The method and the network equipment of the safety certification of mobile communication system
US9948647B2 (en) 2013-02-04 2018-04-17 Zte Corporation Method and device for authenticating static user terminal
CN103973658A (en) * 2013-02-04 2014-08-06 中兴通讯股份有限公司 Static user terminal authentication processing method and device
WO2014117525A1 (en) * 2013-02-04 2014-08-07 中兴通讯股份有限公司 Method and device for handling authentication of static user terminal
CN105830476A (en) * 2013-12-23 2016-08-03 皇家Kpn公司 Method and system for providing security from a radio access network
WO2015097223A1 (en) * 2013-12-23 2015-07-02 Koninklijke Kpn N.V. Method and system for providing security from a radio access network
EP4247034A3 (en) * 2013-12-23 2023-11-08 Koninklijke KPN N.V. Method and system for providing security from a radio access network
EP3735012A1 (en) * 2013-12-23 2020-11-04 Koninklijke KPN N.V. Method and system for providing security from a radio access network
CN105830476B (en) * 2013-12-23 2020-05-19 皇家Kpn公司 Method and system for providing security from a radio access network
US10659960B2 (en) 2013-12-23 2020-05-19 Koninklijke Kpn N.V. Method and system for providing security from a radio access network
US9986432B2 (en) 2013-12-23 2018-05-29 Koninklijke Kpn N.V. Method and system for providing security from a radio access network
CN103745353A (en) * 2014-01-23 2014-04-23 福建联迪商用设备有限公司 Electronic payment terminal verification method and system
CN103874068A (en) * 2014-03-20 2014-06-18 工业和信息化部电信研究院 Method and device for identifying false base stations
CN103874068B (en) * 2014-03-20 2018-04-20 工业和信息化部电信研究院 A kind of method and apparatus for identifying pseudo-base station
CN104066087A (en) * 2014-07-08 2014-09-24 天津理工大学 Method for dynamically selecting length of authentication vector set
US10743180B2 (en) 2015-09-29 2020-08-11 Huawei Technologies Co., Ltd. Method, apparatus, and system for authenticating WIFI network
CN106559783B (en) * 2015-09-29 2020-04-14 华为技术有限公司 Authentication method, device and system for WIFI network
CN106559783A (en) * 2015-09-29 2017-04-05 华为技术有限公司 A kind of authentication method to WIFI network, device and system
CN109565904A (en) * 2016-08-05 2019-04-02 高通股份有限公司 Technology for the secure connection via access node established between wireless device and local area network
CN109565904B (en) * 2016-08-05 2022-04-08 高通股份有限公司 Techniques for establishing a secure connection between a wireless device and a local area network via an access node
WO2018077232A1 (en) * 2016-10-31 2018-05-03 华为技术有限公司 Network authentication method, and related device and system
CN108012267A (en) * 2016-10-31 2018-05-08 华为技术有限公司 A kind of method for network authorization, relevant device and system
US11272365B2 (en) 2016-10-31 2022-03-08 Huawei Technologies Co., Ltd. Network authentication method, and related device and system
CN108012267B (en) * 2016-10-31 2022-05-24 华为技术有限公司 Network authentication method, related equipment and system
US10848970B2 (en) 2016-10-31 2020-11-24 Huawei Technologies Co., Ltd. Network authentication method, and related device and system
US10869197B2 (en) 2016-11-18 2020-12-15 Huawei Technologies Co., Ltd. Authentication method, base station, user equipment, and core network element
CN108076461A (en) * 2016-11-18 2018-05-25 华为技术有限公司 A kind of method for authenticating, base station, user equipment and core network element
WO2018090986A1 (en) * 2016-11-18 2018-05-24 华为技术有限公司 Authentication method, base station, user equipment, and core network element
WO2018153173A1 (en) * 2017-02-27 2018-08-30 中兴通讯股份有限公司 Terminal identification processing method, apparatus, and related device
US11432157B2 (en) 2017-05-29 2022-08-30 Huawei International Pte. Ltd. Network authentication method, network device, and core network device
CN110583036A (en) * 2017-05-29 2019-12-17 华为国际有限公司 Network authentication method, network equipment and core network equipment
US11647390B2 (en) 2017-11-03 2023-05-09 Huawei Technologies Co., Ltd. Information exchange method and apparatus
CN109756451B (en) * 2017-11-03 2022-04-22 华为技术有限公司 Information interaction method and device
CN109756451A (en) * 2017-11-03 2019-05-14 华为技术有限公司 A kind of information interacting method and device
CN108712252B (en) * 2018-05-29 2021-01-05 如般量子科技有限公司 Symmetric key pool and relay-crossing based AKA identity authentication system and method
CN108712252A (en) * 2018-05-29 2018-10-26 如般量子科技有限公司 It is a kind of based on pool of symmetric keys and span centre after AKA identity authorization systems and method
CN112019489A (en) * 2019-05-31 2020-12-01 华为技术有限公司 Verification method and device
CN110381486A (en) * 2019-07-09 2019-10-25 广东以诺通讯有限公司 A kind of method, Tag label and terminal for sharing VoWiFi business by NFC
CN114143016A (en) * 2020-08-14 2022-03-04 中兴通讯股份有限公司 Authentication method based on general guide architecture GBA and corresponding device
CN112702776A (en) * 2020-12-15 2021-04-23 锐捷网络股份有限公司 Method for realizing wireless terminal access to wireless local area network and wireless access point
CN112637846B (en) * 2020-12-24 2022-12-30 青岛海尔科技有限公司 Hotspot connection method and device
CN112637846A (en) * 2020-12-24 2021-04-09 青岛海尔科技有限公司 Hotspot connection method and device
CN113691974A (en) * 2021-08-19 2021-11-23 支付宝(杭州)信息技术有限公司 Method and apparatus for authenticating a wireless access point
WO2023143418A1 (en) * 2022-01-27 2023-08-03 维沃移动通信有限公司 Device authentication method and apparatus, and terminal and network function

Similar Documents

Publication Publication Date Title
CN102625306A (en) Method, system and equipment for authentication
CN109417709B (en) Method and system for authenticating access in a mobile wireless network system
US11895498B2 (en) Method and device for negotiating security and integrity algorithms
CN1859614B (en) Method, device and system for radio transmission
JP5806394B2 (en) Data stream transmission method and related equipment and system
US9510387B2 (en) Recovering connection in LTE local area network for EPS and local services
US7890745B2 (en) Apparatus and method for protection of management frames
Lai et al. Secure group communications in vehicular networks: A software-defined network-enabled architecture and solution
EP2529566B1 (en) Efficient terminal authentication in telecommunication networks
WO2013185735A2 (en) Encryption realization method and system
MX2009002507A (en) Security authentication and key management within an infrastructure-based wireless multi-hop network.
WO2019096075A1 (en) Method and apparatus for message protection
CN102461062A (en) Proactive authentication
CN101931953A (en) Method and system for generating safety key bound with device
CN106375989A (en) Method for realizing access layer security, user equipment, and small radio access network node
CN104349315B (en) It is a kind of to ensure base station and the method and system of user equipment information safety
CN102625307B (en) Wireless network access system
CN102223634A (en) Method and device for controlling mode of accessing user terminal into Internet
CN104602229B (en) A kind of efficient initial access authentication method for WLAN and 5G combination network application scenarios
US11582214B2 (en) Updating security key
CN106375992A (en) Method for realizing access layer security, user equipment, and node
CN101977378A (en) Information transmission method, network side and relay node
CN101860862B (en) Method and system for establishing enhanced key in moving process from terminal to enhanced universal terrestrial radio access network (UTRAN)
CN105764052A (en) TD-LTE authentication and protective encryption method
CN103167493A (en) Method and system for wireless access controller concentrating identification under local transmitting mode

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20120801