
CN110366178A - An authentication method and network element - Google Patents


Info

Publication number
CN110366178A
Authority
CN
China
Prior art keywords
network element
authentication
indication information
seaf
ausf
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810301013.0A
Other languages
Chinese (zh)
Inventor
谢振华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN201810301013.0A
Priority to PCT/CN2019/076823 (WO2019192275A1)
Publication of CN110366178A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present application discloses an authentication method and a network element. The method includes: a first network element receives, from a SEAF network element, a request carrying first indication information, where the first indication information indicates that a second network element is capable of performing fast authentication; and the first network element performs fast authentication with the second network element according to the first indication information. As the embodiments of the present invention show, when the first network element needs to perform fast authentication on the second network element, it performs fast authentication with the second network element directly according to the first indication information, which ensures the flexibility of fast authentication.

Description

An authentication method and network element

Technical field

The embodiments of the present invention relate to the field of communication technology, and in particular to an authentication method and a network element.

Background

The 3rd Generation Partnership Project (3GPP) has proposed an authentication framework for the 5th-generation mobile communication technology (5G) architecture. As shown in FIG. 1, the framework includes the user equipment (UE) that needs to access the network, a Security Anchor Function (SEAF) network element, an Authentication Service Function (AUSF) network element, and an Authentication Repository Function (ARPF) network element. The SEAF network element is responsible for visited-network authentication of the UE and holds the access key produced during authentication. The UE also generates an access key during authentication, and with the same access key the UE can access the services provided by the visited network. The AUSF network element is responsible for home-network authentication of the UE, to confirm whether the visited-network authentication succeeded; the home key produced during authentication is stored locally by the UE and by the AUSF network element. The ARPF network element is responsible for storing subscription information and for generating an authentication vector from that subscription information. The authentication vector is used during authentication for the UE to confirm the legitimacy of the network and for the network to confirm the legitimacy of the UE.

In the related art, when a fast authentication instruction is received, the network side assigns a fast authentication identifier to the UE during the current authentication, to instruct the UE to initiate a fast authentication request at its next authentication.

However, with this method only the network side can send a fast authentication identifier to the UE to make the UE initiate a fast authentication request, and when fast authentication is performed, the network side and the UE can only use the authentication method determined by the method specified in the fast authentication identifier. The flexibility is therefore poor.

Summary of the invention

To solve the above technical problem, the embodiments of the present invention provide an authentication method and a network element that can perform fast authentication flexibly.

To achieve the purpose of the present invention, an embodiment of the present invention provides an authentication method, including:

A first network element receives, from a Security Anchor Function (SEAF) network element, a request carrying first indication information, where the first indication information indicates that a second network element is capable of performing fast authentication;

The first network element performs fast authentication with the second network element according to the first indication information.

An embodiment of the present invention also provides an authentication method, including:

A UE sends a registration request carrying first indication information to a SEAF network element; or, the UE receives a message carrying first indication information sent by the SEAF network element; where the first indication information indicates that the sender is capable of performing fast authentication;

The UE receives a derived parameter from the SEAF network element and sends an authentication response to the SEAF network element, where the authentication response is generated based at least on the derived parameter and the stored home key.

An embodiment of the present invention also provides an AUSF network element, including:

A first receiving module, configured to receive, from a SEAF network element, an authentication request carrying first indication information and a permanent user identity, where the first indication information identifies that the UE corresponding to the permanent user identity is capable of performing fast authentication;

A first processing module, configured to perform fast authentication with the second network element according to the first indication information.

An embodiment of the present invention also provides a UE, including:

A second processing module, configured to send a registration request carrying first indication information to a SEAF network element, or to receive a message carrying first indication information sent by the SEAF network element, where the first indication information indicates that the UE is capable of performing fast authentication;

A second receiving module, configured to receive a derived parameter from the SEAF network element and to send an authentication response to the SEAF network element, where the authentication response is generated based at least on the derived parameter and the stored home key.

Compared with the prior art, the first network element determines from the obtained first indication information that the second network element is capable of performing fast authentication. When the first network element needs to perform fast authentication on the second network element, it performs fast authentication with the second network element directly according to the first indication information, which ensures the flexibility of fast authentication.

Other features and advantages of the present invention will be set forth in the description that follows, and in part will become apparent from the description or be learned by practicing the invention. The objectives and other advantages of the invention can be realized and obtained by the structures particularly pointed out in the description, the claims and the accompanying drawings.

Description of the drawings

The accompanying drawings provide a further understanding of the technical solution of the present invention and form part of the description. Together with the embodiments of the present application they serve to explain the technical solution of the present invention and do not limit it.

FIG. 1 is a schematic flowchart of an authentication method provided by an embodiment of the present invention;

FIG. 2 is a schematic flowchart of another authentication method provided by an embodiment of the present invention;

FIG. 3 is a schematic flowchart of yet another authentication method provided by an embodiment of the present invention;

FIG. 4 is a schematic flowchart of yet another authentication method provided by an embodiment of the present invention;

FIG. 5 is a schematic flowchart of yet another authentication method provided by an embodiment of the present invention;

FIG. 6 is a schematic structural diagram of a first network element provided by an embodiment of the present invention;

FIG. 7 is a schematic structural diagram of a UE provided by an embodiment of the present invention.

Detailed description

To make the purpose, technical solution and advantages of the present invention clearer, the embodiments of the present invention are described in detail below with reference to the accompanying drawings. Where no conflict arises, the embodiments in the present application and the features in the embodiments can be combined with each other arbitrarily.

The steps shown in the flowcharts of the drawings can be performed in a computer system, for example as a set of computer-executable instructions. Although a logical order is shown in the flowcharts, in some cases the steps shown or described can be performed in a different order.

An embodiment of the present invention provides an authentication method. As shown in FIG. 1, the method includes:

Step 101: The first network element receives, from the SEAF network element, a request carrying first indication information.

The first indication information indicates that the second network element is capable of performing fast authentication.

Step 102: The first network element performs fast authentication with the second network element according to the first indication information.

It should be noted that in mobile communication technologies before 5G, when fast authentication of a UE is needed, the authentication server assigns the UE a fast authentication identifier so that the UE performs fast authentication at its next authentication. However, the architecture of mobile communication technologies before 5G differs from that of 5G. Before 5G, the network elements between the authentication server and the authenticated party acted only as a pipe that passed the information exchanged between the two. In 5G, the SEAF network element between the AUSF network element and the UE is not a pure pipe, so an identifier is needed to route information between the AUSF network element and the UE, and the fast authentication identifier assigned by the authentication server in the prior art cannot be used by the SEAF network element to route messages between the AUSF network element and the UE. The prior-art fast authentication methods therefore cannot be used in 5G, and 5G lacks a feasible authentication method that achieves fast authentication.

In the authentication method provided by the embodiment of the present invention, the first network element determines from the obtained first indication information that the second network element is capable of performing fast authentication. When the first network element needs to perform fast authentication on the second network element, it performs fast authentication with the second network element directly according to the first indication information, which ensures the flexibility of fast authentication.

Optionally, the first network element is an Authentication Service Function (AUSF) network element and the second network element is a user equipment (UE);

or,

the first network element is a UE and the second network element is an AUSF network element.

Optionally, when the first network element is a UE and the second network element is an AUSF network element, the first network element performing fast authentication with the second network element according to the first indication information includes:

The UE sends a registration request carrying second indication information to the SEAF network element, where the second indication information instructs the AUSF network element to perform fast authentication.

The UE receives the derived parameter sent by the AUSF network element through the SEAF network element, where the derived parameter is generated by the AUSF network element.

It should be noted that the AUSF network element determines from the obtained first indication information that the UE is capable of performing fast authentication. When the AUSF network element needs to perform fast authentication on the UE, it sends the derived parameter to the UE directly through the SEAF unit to perform fast authentication, which ensures the timeliness and flexibility of fast authentication.

Optionally, when the first network element is an AUSF network element and the second network element is a UE, the first network element performing fast authentication with the second network element according to the first indication information includes:

The AUSF network element sends the derived parameter to the UE through the SEAF network element, where the derived parameter is generated by the AUSF network element.

Optionally, the first indication information further includes information about the fast authentication methods that the first network element can use.

Optionally, the method further includes:

The AUSF network element determines, according to the first indication information, the message used to send the derived parameter.

Optionally, the method further includes:

The AUSF network element sends a network hash and an expected hash to the SEAF network element, where the network hash is generated based at least on the derived parameter and the home key stored in the AUSF network element; the expected hash is generated based at least on the derived parameter and an expected response; and the expected response is generated based at least on the derived parameter and the home key.

Specifically, suppose the derived parameter is parameter A. If the network hash is generated from parameter A and the home key, the expected hash may be generated from parameter A, parameter B and the home key. If the network hash is generated from parameter A, parameter C and the home key, the expected hash may be generated from parameter A and the home key, or from parameter A, parameter D and the home key.

Optionally, the method further includes:

The AUSF network element sends second indication information to the UE through the SEAF network element, where the second indication information instructs the UE to perform fast authentication.

An embodiment of the present invention also provides an authentication method. As shown in FIG. 2, the method includes:

Step 201: The UE sends a registration request carrying first indication information to the SEAF network element; or, the UE receives a message carrying first indication information sent by the SEAF network element.

The first indication information indicates that the sender is capable of performing fast authentication.

Step 202: The UE receives the derived parameter from the SEAF network element and sends an authentication response to the SEAF network element.

The authentication response is generated based at least on the derived parameter and the stored home key.

In the authentication method provided by the embodiment of the present invention, the UE sends the SEAF unit a registration request carrying first indication information that indicates the UE is capable of performing fast authentication, so the SEAF network element can send the first indication information to the AUSF network element. When the AUSF network element needs to perform fast authentication on the UE, it sends the derived parameter to the UE directly through the SEAF unit to perform fast authentication, which ensures the timeliness and flexibility of fast authentication.

Optionally, the first indication information further includes information about the fast authentication methods that the sender can use.

Optionally, before sending the authentication response to the SEAF network element, the method further includes:

The UE receives second indication information from the SEAF network element, where the second indication information instructs the UE to perform fast authentication.

Optionally, the method further includes:

The UE receives the network hash from the SEAF network element.

The UE generates an expected network hash based at least on the derived parameter and the stored home key.

When the expected network hash is the same as the network hash, the UE sends the authentication response.

An embodiment of the present invention also provides an authentication method in which fast authentication is performed according to the Enhanced Authentication Protocol-Authentication and Key Agreement (EAP-AKA') protocol. As shown in FIG. 3, the method includes:

Step 301: The UE registers with the network. During registration, the SEAF network element notifies the AUSF network element to perform the authentication process; the AUSF network element requests an authentication vector from the ARPF network element; the ARPF network element selects an authentication method and notifies the AUSF network element of the authentication vector and the authentication method; and the AUSF network element uses the authentication method and the authentication vector to authenticate the UE through the SEAF network element.

If the SEAF network element has previously taken part in authenticating the UE, the SEAF network element holds the UE's permanent identity. If the SEAF network element has not authenticated the UE before, the ARPF network element also notifies the AUSF network element of the UE's permanent identity, and the AUSF network element sends the UE's permanent identity to the SEAF network element. After authentication is complete, the SEAF network element assigns a temporary identity to the UE and sends it to the UE. During authentication, the AUSF network element and the UE each derive and store the home key using the same method. The AUSF network element generates an access key and sends it to the SEAF network element, where it is used to protect communication between the UE and the network; the UE generates the access key using the same method.

Step 302: After some time, the UE initiates a registration request to the network again, for example by sending a Register Request message that carries the temporary user identity assigned by the network and indication information. The indication information indicates that the UE is capable of performing fast authentication, and it can contain the authentication methods the UE can use, such as EAP-AKA' and/or 5G AKA.

Step 303: The SEAF network element receives the registration request and sends an authentication request message, for example a 5G-AIR message, to the AUSF network element. The SEAF network element uses the temporary user identity to find the matching permanent user identity, and carries the permanent user identity and the indication information in the authentication request.

Step 304: The AUSF network element determines that the authentication request contains the indication information. It can select the authentication method according to the method used when it previously authenticated the UE, or according to the authentication method information contained in the indication information. For example, if the AUSF network element previously authenticated the UE with EAP-AKA', it can select EAP-AKA' or 5G AKA; if it previously authenticated the UE with 5G AKA, it can select 5G AKA. The AUSF network element selects EAP-AKA' and therefore sends an AKA re-authentication request to the SEAF, for example an EAP-Request/AKA-Reauthentication message. The message carries derived parameters, such as NONCE and COUNTER, which are generated by the AUSF. The message also carries message authentication code 1 (MAC1), which is generated from the integrity protection key produced in the previous authentication and the content of the message, for example using the Hash-based Message Authentication Code-Secure Hash Algorithm-256 (HMAC-SHA-256) algorithm.

Step 305: The SEAF network element forwards the AKA re-authentication request to the UE.

Step 306: The UE derives a new home key from the key derivation parameters and the stored home key, then sends an AKA re-authentication response to the SEAF network element. The response carries message authentication code 2 (MAC2), which is generated from the integrity protection key produced in the previous authentication and the content of the message, for example using the HMAC-SHA-256 algorithm.

Step 307: The SEAF network element forwards the AKA (Authentication and Key Agreement) re-authentication response to the AUSF network element, and the AUSF network element verifies MAC2.

Step 308: If the AUSF network element verifies MAC2 successfully, authentication succeeds. The AUSF network element generates a new home key from the stored home key and the derived parameters, for example using the HMAC-SHA-256 algorithm, and derives a new access key from the new home key.

Step 309: The AUSF network element sends an authentication success message, for example an EAP-Success message, to the SEAF network element. The message carries the new access key.

Step 310: The SEAF network element stores the new access key and sends a registration success message, for example a Register Accept message, to the UE.
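The MAC-protected exchange of steps 304 to 308, as an added Python example that is not part of the patent text. The field encoding, the labels, the class and function names, the UE-side MAC1 check and the counter freshness check are assumptions made for illustration; the patent only fixes that MAC1 and MAC2 are computed from the previous integrity protection key and the message content, and that both sides derive the new home key from the stored home key and the derived parameters.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over length-prefixed fields (the encoding is an assumption)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


@dataclass
class Context:
    """What the UE and the AUSF each keep from the last full authentication."""
    home_key: bytes
    integrity_key: bytes
    counter: int = 0  # highest re-authentication counter issued or accepted


@dataclass
class ReauthRequest:  # step 304: derived parameters plus MAC1
    nonce: bytes
    counter: int
    mac1: bytes


@dataclass
class ReauthResponse:  # step 306: MAC2
    counter: int
    mac2: bytes


def ausf_build_request(ctx: Context) -> ReauthRequest:
    """AUSF side of step 304: fresh NONCE, incremented COUNTER, MAC1."""
    ctx.counter += 1
    nonce = secrets.token_bytes(16)
    ctr = ctx.counter.to_bytes(2, "big")
    return ReauthRequest(nonce, ctx.counter,
                         prf(ctx.integrity_key, b"reauth-req", ctr, nonce))


def ue_handle_request(ctx: Context, req: ReauthRequest):
    """UE side of step 306. Returns None when the request is rejected."""
    ctr = req.counter.to_bytes(2, "big")
    expected = prf(ctx.integrity_key, b"reauth-req", ctr, req.nonce)
    if not hmac.compare_digest(expected, req.mac1):
        return None  # MAC1 mismatch: request not from the AUSF (assumed check)
    if req.counter <= ctx.counter:
        return None  # stale counter: replayed request (assumed check)
    ctx.counter = req.counter
    ctx.home_key = prf(ctx.home_key, b"home", ctr, req.nonce)
    return ReauthResponse(req.counter,
                          prf(ctx.integrity_key, b"reauth-resp", ctr, req.nonce))


def ausf_verify_response(ctx: Context, req: ReauthRequest, resp: ReauthResponse):
    """AUSF side of steps 307-308. Returns the new access key, or None."""
    ctr = req.counter.to_bytes(2, "big")
    expected = prf(ctx.integrity_key, b"reauth-resp", ctr, req.nonce)
    if resp.counter != req.counter or not hmac.compare_digest(expected, resp.mac2):
        return None  # MAC2 check failed: keys stay unchanged
    ctx.home_key = prf(ctx.home_key, b"home", ctr, req.nonce)
    return prf(ctx.home_key, b"access")  # handed to the SEAF in step 309


if __name__ == "__main__":
    # Constructed keys standing in for the output of a prior full authentication.
    k_home, k_int = secrets.token_bytes(32), secrets.token_bytes(32)
    ue, ausf = Context(k_home, k_int), Context(k_home, k_int)
    request = ausf_build_request(ausf)
    response = ue_handle_request(ue, request)
    access_key = ausf_verify_response(ausf, request, response)
    print("authenticated:", access_key is not None)
    print("home keys in sync:", ue.home_key == ausf.home_key)
    print("replayed request accepted:", ue_handle_request(ue, request) is not None)
```
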

An embodiment of the present invention also provides an authentication method in which fast authentication is performed according to the 5th-generation mobile communication technology Authentication and Key Agreement (5G AKA) protocol. As shown in FIG. 4, the method includes:

Step 401: The UE registers with the network. During registration, the SEAF network element notifies the AUSF network element to perform the authentication process; the AUSF network element requests an authentication vector from the ARPF network element; the ARPF network element selects an authentication method and notifies the AUSF network element of the authentication vector and the authentication method; and the AUSF network element uses the authentication method and the authentication vector to authenticate the UE through the SEAF network element.

If the SEAF network element has authenticated the UE before, the SEAF network element holds the UE's permanent identity. If the SEAF network element has not authenticated the UE before, the ARPF network element also notifies the AUSF network element of the UE's permanent identity, and the AUSF network element sends the UE's permanent identity to the SEAF network element. After authentication is complete, the SEAF network element assigns a temporary identity to the UE and sends it to the UE. During authentication, the AUSF network element and the UE each derive and store the home key using the same method. The AUSF network element generates an access key and sends it to the SEAF network element, where it is used to protect communication between the UE and the network; the UE generates the access key using the same method.

Step 402: After some time, the UE again initiates a registration request to the network, for example by sending a RegisterRequest message, carrying the temporary user identifier allocated by the network and indication information 1. Indication information 1 indicates that the UE is capable of performing fast authentication, and may include the authentication methods the UE can use, such as EAP-AKA' and/or 5G AKA.

Step 403: The SEAF network element receives the registration request and sends an authentication request message to the AUSF network element, for example a 5-AIR message. The SEAF network element finds the matching permanent user identifier from the temporary user identifier and carries the permanent user identifier and the indication information in the authentication request.

Step 404: The AUSF network element determines that the authentication request contains indication information, and may select the authentication method according to the method used when it previously authenticated the UE, or according to the authentication method information contained in the indication information. For example, if the AUSF network element previously authenticated the UE with EAP-AKA', it may select EAP-AKA' or 5G AKA; if it previously authenticated the UE with 5G AKA, it may select 5G AKA. Here the AUSF network element selects 5G AKA, and therefore generates a derived parameter, such as a NONCE; generates the network hash (Hash) based on the derived parameter and the stored home key, for example using the HMAC-SHA-256 algorithm; generates the expected response Hash based on the derived parameter and the stored home key, for example using the HMAC-SHA-256 algorithm; generates the expected Hash based on the derived parameter and the expected response, for example using the Secure Hash Algorithm-256 (SHA-256); generates a new home key based on the derived parameter and the stored home key, for example using the HMAC-SHA-256 algorithm; and generates a new access key based on the new home key.

Step 405: The AUSF network element sends an authentication response to the SEAF network element, for example a 5G-AIA message. The message carries an authentication vector containing the derived parameter, the network Hash, the expected Hash and the new access key. The message also carries indication information 2, which instructs the UE to use fast authentication.

Step 406: The SEAF network element sends a user authentication request to the UE, for example a User AuthenticationRequest message. The message carries the derived parameter and the network Hash from the authentication vector, and also carries indication information 2.

Step 407: The UE receives the user authentication request carrying indication information 2 and uses fast authentication. The UE verifies the network Hash, for example by generating an expected network Hash based on the derived parameter and the stored home key and comparing it with the network Hash: if they are the same, verification succeeds; otherwise it fails. After successful verification, the UE generates the authentication response RES based on the derived parameter and the stored home key, for example using the HMAC-SHA-256 algorithm; generates a new home key based on the derived parameter and the stored home key, for example using the HMAC-SHA-256 algorithm; and generates a new access key based on the new home key. It then sends a user authentication response to the SEAF network element, for example a User AuthenticationResponse message, carrying the authentication response RES.

Step 408: The SEAF network element verifies the expected Hash against the authentication response RES, for example by generating a verification Hash based on the derived parameter and the authentication response RES, for example using the SHA-256 algorithm, and comparing the verification Hash with the expected Hash: if they are the same, verification succeeds; otherwise it fails.

Step 409: After successfully verifying the expected Hash, the SEAF network element sends an authentication confirmation to the AUSF network element, for example a 5G-AC message, carrying the authentication response RES.

Step 410: The AUSF network element verifies the authentication response, for example by comparing the expected response with the authentication response: if they are the same, verification succeeds; otherwise it fails. After successful verification, the AUSF network element sends an authentication success message to the SEAF network element, for example a 5G-ACA message.

Step 411: The SEAF network element stores the new access key and sends a registration success message to the UE, for example a Register Accept message.

An embodiment of the present invention further provides an authentication method, which is fast authentication based on 5G AKA. As shown in Figure 5, the method includes:

Step 501: The UE registers with the network. During registration, the SEAF network element notifies the AUSF network element to perform the authentication procedure; the AUSF network element requests an authentication vector from the ARPF network element; the ARPF network element selects an authentication method and notifies the AUSF network element of the authentication vector and the authentication method; and the AUSF network element uses the authentication method and the authentication vector to authenticate the UE through the SEAF network element.

If the SEAF network element has authenticated the UE before, it already stores the UE's permanent identifier. If it has not, the ARPF network element also notifies the AUSF network element of the UE's permanent identifier, and the AUSF network element sends the permanent identifier to the SEAF network element. After authentication completes, the SEAF network element allocates a temporary identifier for the UE and sends it to the UE. During authentication, the AUSF network element and the UE each derive and store a home key using the same method. The AUSF network element generates an access key and sends it to the SEAF network element, where it is used to protect communication between the UE and the network; the UE generates the access key using the same method.

Step 502: The AUSF may select the authentication methods that can be used for fast authentication according to the method it used when it previously authenticated the UE. For example, if the AUSF network element previously authenticated the UE with EAP-AKA', it may select EAP-AKA' or 5G AKA; if it previously authenticated the UE with 5G AKA, it may select 5G AKA. The AUSF sends a message to the SEAF, for example an Insert Subscribe Data message, carrying indication information 1. Indication information 1 indicates that the AUSF is capable of performing fast authentication, and may include the authentication methods the AUSF can use, such as EAP-AKA' and/or 5G AKA.

Step 503: The SEAF forwards indication information 1 to the UE.

Steps 502 to 503 above may be initiated by the AUSF after step 501 completes, or may be a message delivered by the AUSF that is triggered during step 501.

Step 504: After some time, the UE again initiates a registration request to the network, for example by sending a RegisterRequest message, carrying the temporary user identifier allocated by the network and indication information 2, which instructs the AUSF to use fast authentication.

Step 505: The SEAF network element receives the registration request and sends an authentication request message to the AUSF network element, for example a 5-AIR message. The SEAF network element finds the matching permanent user identifier from the temporary user identifier and carries the permanent user identifier and indication information 2 in the authentication request.

Step 506: The AUSF network element determines that the authentication request contains indication information 2, and may select the authentication method according to indication information 1 previously sent to the UE. In this embodiment the AUSF network element selects 5G AKA, and therefore generates a derived parameter, such as a NONCE; generates the network hash (Hash) based on the derived parameter and the stored home key, for example using the HMAC-SHA-256 algorithm; generates the expected response Hash based on the derived parameter and the stored home key, for example using the HMAC-SHA-256 algorithm; generates the expected Hash based on the derived parameter and the expected response, for example using the Secure Hash Algorithm-256 (SHA-256); generates a new home key based on the derived parameter and the stored home key, for example using the HMAC-SHA-256 algorithm; and generates a new access key based on the new home key.

Step 507: The AUSF network element sends an authentication response to the SEAF network element, for example a 5G-AIA message. The message carries an authentication vector containing the derived parameter, the network Hash, the expected Hash and the new access key.

Step 508: The SEAF network element sends a user authentication request to the UE, for example a User AuthenticationRequest message. The message carries the derived parameter and the network Hash from the authentication vector.

Step 509: The UE uses fast authentication. The UE verifies the network Hash, for example by generating an expected network Hash based on the derived parameter and the stored home key and comparing it with the network Hash: if they are the same, verification succeeds; otherwise it fails. After successful verification, the UE generates the authentication response RES based on the derived parameter and the stored home key, for example using the HMAC-SHA-256 algorithm; generates a new home key based on the derived parameter and the stored home key, for example using the HMAC-SHA-256 algorithm; and generates a new access key based on the new home key. It then sends a user authentication response to the SEAF network element, for example a User Authentication Response message, carrying the authentication response RES.

Step 510: The SEAF network element verifies the expected Hash against the authentication response RES, for example by generating a verification Hash based on the derived parameter and the authentication response RES, for example using the SHA-256 algorithm, and comparing the verification Hash with the expected Hash: if they are the same, verification succeeds; otherwise it fails.

Step 511: After successfully verifying the expected Hash, the SEAF network element sends an authentication confirmation to the AUSF network element, for example a 5G-AC message, carrying the authentication response RES.

Step 512: The AUSF network element verifies the authentication response, for example by comparing the expected response with the authentication response: if they are the same, verification succeeds; otherwise it fails. After successful verification, the AUSF network element sends an authentication success message to the SEAF network element, for example a 5G-ACA message.

Step 513: The SEAF network element stores the new access key and sends a registration success message to the UE, for example a Register Accept message.

It should be noted that the above procedure can also be used for the fast authentication procedure of EAP-AKA'.
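The fast-authentication computation of steps 404 to 411 (and, identically, steps 506 to 513), as an added example that is not part of the patent text. The patent names HMAC-SHA-256 and SHA-256 but does not say how the separate outputs are distinguished or when the new keys are committed, so the labels, the concatenation order, the 16-byte derived parameter and the commit points below are assumptions.

```python
import hashlib
import hmac
import secrets

# ASSUMPTION: the patent derives several values from the same inputs
# (derived parameter + stored home key) without saying how they differ.
# These labels provide the separation; they are not from the patent.
LBL_NET, LBL_RES = b"network-hash", b"response"
LBL_HOME, LBL_ACCESS = b"new-home-key", b"new-access-key"


def prf(key: bytes, label: bytes, nonce: bytes) -> bytes:
    """HMAC-SHA-256 over label || '|' || nonce (input layout is assumed)."""
    return hmac.new(key, label + b"|" + nonce, hashlib.sha256).digest()


def expected_hash(nonce: bytes, res: bytes) -> bytes:
    """SHA-256 over derived parameter || response (order is assumed)."""
    return hashlib.sha256(nonce + res).digest()


class AUSF:
    def __init__(self, home_key: bytes):
        self.home_key = home_key
        self._pending = None

    def build_vector(self) -> dict:
        """Steps 404-405: fresh derived parameter and authentication vector."""
        nonce = secrets.token_bytes(16)
        xres = prf(self.home_key, LBL_RES, nonce)
        new_home = prf(self.home_key, LBL_HOME, nonce)
        self._pending = (xres, new_home)  # the expected response stays in the AUSF
        return {
            "nonce": nonce,
            "network_hash": prf(self.home_key, LBL_NET, nonce),
            "expected_hash": expected_hash(nonce, xres),
            "access_key": prf(new_home, LBL_ACCESS, b""),
        }

    def confirm(self, res: bytes) -> bool:
        """Step 410: compare RES with the expected response."""
        if self._pending is None:
            return False
        xres, new_home = self._pending
        self._pending = None  # one attempt per derived parameter
        if not hmac.compare_digest(xres, res):
            return False
        self.home_key = new_home  # ASSUMPTION: rotate only on success
        return True


class UE:
    def __init__(self, home_key: bytes):
        self.home_key = home_key
        self.access_key = None
        self._pending = None

    def respond(self, nonce: bytes, network_hash: bytes):
        """Step 407: authenticate the network, then compute RES and new keys."""
        expected = prf(self.home_key, LBL_NET, nonce)
        if not hmac.compare_digest(expected, network_hash):
            return None  # network hash check failed: no RES is produced
        new_home = prf(self.home_key, LBL_HOME, nonce)
        self._pending = (new_home, prf(new_home, LBL_ACCESS, b""))
        return prf(self.home_key, LBL_RES, nonce)

    def accept(self) -> None:
        """Step 411 (Register Accept). ASSUMPTION: keys are committed here."""
        self.home_key, self.access_key = self._pending
        self._pending = None


def seaf_check(vector: dict, res: bytes) -> bool:
    """Step 408: the SEAF checks RES against the expected hash, without the home key."""
    check = expected_hash(vector["nonce"], res)
    return hmac.compare_digest(check, vector["expected_hash"])


def fast_auth(ausf: AUSF, ue: UE, tamper_network_hash: bool = False):
    """Run steps 404-411; returns (status, access key stored by the SEAF)."""
    vector = ausf.build_vector()
    net_hash = bytes(32) if tamper_network_hash else vector["network_hash"]
    res = ue.respond(vector["nonce"], net_hash)   # steps 406-407
    if res is None:
        return "ue-rejected-network", None
    if not seaf_check(vector, res):               # step 408
        return "seaf-rejected-response", None
    if not ausf.confirm(res):                     # steps 409-410
        return "ausf-rejected-response", None
    ue.accept()                                   # step 411
    return "ok", vector["access_key"]


if __name__ == "__main__":
    k = bytes.fromhex("11" * 32)  # constructed home key left by the full authentication
    ausf, ue = AUSF(k), UE(k)
    status, seaf_key = fast_auth(ausf, ue)
    print(status, seaf_key == ue.access_key, ausf.home_key == ue.home_key)
```

The SEAF only ever holds the expected Hash, so it can check RES but cannot produce it; the AUSF comparison in step 410 is what ties the response to the home key.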

An embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being used to perform any one of the above authentication methods.

An embodiment of the present invention provides a first network element. As shown in FIG. 6, the first network element 6 includes:

A first receiving module 601, configured to receive, from a SEAF network element, an authentication request carrying first indication information and a permanent user identifier, wherein the first indication information identifies that the UE corresponding to the permanent user identifier is capable of performing fast authentication.

A first processing module 602, configured to perform fast authentication with a second network element according to the first indication information.

Optionally, the first network element is an AUSF network element and the second network element is a UE;

or

the first network element is a UE and the second network element is an AUSF network element.

Optionally, when the first network element is a UE and the second network element is an AUSF network element, the first processing module 602 is specifically configured to:

Receive the derived parameter sent by the AUSF network element through the SEAF network element, wherein the derived parameter is generated by the AUSF network element.

Send the derived parameter to the UE through the SEAF network element, wherein the derived parameter is generated by the AUSF network element.

Optionally, when the first network element is an AUSF network element and the second network element is a UE, the first processing module 602 is specifically configured to:

Send the derived parameter to the UE through the SEAF network element, wherein the derived parameter is generated by the AUSF network element.

Optionally, the first indication information further includes information about the fast authentication methods that the first network element can use.

Optionally, the first processing module 602 is further configured to determine, according to the first indication information, the message for sending the derived parameter.

Optionally, the first processing module 602 is further configured to send a network hash and an expected hash to the SEAF network element, wherein the network hash is generated based at least on the derived parameter and the home key stored in the AUSF network element; the expected hash is generated based at least on the derived parameter and the expected response; and the expected response is generated based at least on the derived parameter and the home key.

Optionally, the first processing module 602 is further configured to send second indication information to the UE through the SEAF network element, wherein the second indication information instructs the UE to perform fast authentication.

With the first network element provided by this embodiment of the present invention, the obtained first indication information establishes that the second network element is capable of performing fast authentication. When the first network element needs to perform fast authentication on the second network element, it performs fast authentication with the second network element directly according to the first indication information, which ensures the flexibility of fast authentication.

In practical applications, both the first receiving module 601 and the first processing module 602 may be implemented by a Central Processing Unit (CPU), a Micro Processor Unit (MPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA) or the like located in the first network element.

An embodiment of the present invention further provides a UE. As shown in FIG. 7, the UE 7 includes:

A second processing module 701, configured to send a registration request carrying first indication information to a SEAF network element, or to receive a message carrying first indication information sent by the SEAF network element, wherein the first indication information indicates that the UE is capable of performing fast authentication.

A second receiving module 702, configured to receive a derived parameter from the SEAF network element and send an authentication response to the SEAF network element, wherein the authentication response is generated based at least on the derived parameter and the stored home key.

Optionally, the first indication information further includes information about the fast authentication methods that the sender can use.

Optionally, the second receiving module 702 is further configured to receive second indication information from the SEAF network element, wherein the second indication information instructs the UE to perform fast authentication.

Optionally, the second receiving module 702 is further configured to receive a network hash from the SEAF network element.

The second processing module 701 is configured to generate an expected network hash based at least on the derived parameter and the stored home key.

The UE further includes a sending module 703, configured to send the authentication response when the expected network hash is the same as the network hash.

With the UE provided by this embodiment of the present invention, the UE sends the SEAF unit a registration request carrying first indication information indicating that the UE is capable of performing fast authentication, so that the SEAF network element can send the first indication information to the AUSF network element. When the AUSF network element needs to perform fast authentication on the UE, it sends the derived parameter directly to the UE through the SEAF unit to perform fast authentication, which ensures the timeliness and flexibility of fast authentication.

In practical applications, the second processing module 701, the second receiving module 702 and the sending module 703 may all be implemented by a CPU, MPU, DSP, FPGA or the like located in the UE.

An embodiment of the present invention further provides a first network element, including a first memory and a first processor, wherein the first memory stores the following instructions executable by the first processor:

Receive a request carrying first indication information from a SEAF network element, wherein the first indication information indicates that a second network element is capable of performing fast authentication.

Perform fast authentication with the second network element according to the first indication information.

Optionally, the first network element is an authentication service function (AUSF) network element and the second network element is a user terminal (UE);

or

the first network element is a UE and the second network element is an AUSF network element.

Optionally, when the first network element is a UE and the second network element is an AUSF network element, the first memory specifically stores the following instructions executable by the first processor:

Send a registration request carrying second indication information to the SEAF network element, wherein the second indication information instructs the AUSF network element to perform fast authentication.

Receive the derived parameter sent by the AUSF network element through the SEAF network element, wherein the derived parameter is generated by the AUSF network element.

Optionally, when the first network element is an AUSF network element and the second network element is a UE, the first memory specifically stores the following instructions executable by the first processor:

Send the derived parameter to the UE through the SEAF network element, wherein the derived parameter is generated by the AUSF network element.

Optionally, the first indication information further includes information about the fast authentication methods that the first network element can use.

Optionally, the first memory further stores the following instructions executable by the first processor:

Determine, according to the first indication information, the message for sending the derived parameter.

Optionally, the first memory further stores the following instructions executable by the first processor:

Send a network hash and an expected hash to the SEAF network element, wherein the network hash is generated based at least on the derived parameter and the home key stored in the AUSF network element; the expected hash is generated based at least on the derived parameter and the expected response; and the expected response is generated based at least on the derived parameter and the home key.

Optionally, the first memory further stores the following instructions executable by the first processor:

Send second indication information to the UE through the SEAF network element, wherein the second indication information instructs the UE to perform fast authentication.

An embodiment of the present invention further provides a UE, including a second memory and a second processor, wherein the second memory stores the following instructions executable by the second processor:

Send a registration request carrying first indication information to a SEAF network element; or, the UE receives a message carrying first indication information sent by the SEAF network element; wherein the first indication information indicates that the sender is capable of performing fast authentication.

Receive a derived parameter from the SEAF network element and send an authentication response to the SEAF network element, wherein the authentication response is generated based at least on the derived parameter and the stored home key.

Optionally, the first indication information further includes information about the fast authentication methods that the sender can use.

Optionally, the second memory further stores the following instructions executable by the second processor:

Receive second indication information from the SEAF network element, wherein the second indication information instructs the UE to perform fast authentication.

Optionally, the second memory further stores the following instructions executable by the second processor:

Receive a network hash from the SEAF network element.

Generate an expected network hash based at least on the derived parameter and the stored home key.

Send the authentication response when the expected network hash is the same as the network hash.

Although the embodiments disclosed by the present invention are as described above, the described content is only an implementation adopted to facilitate understanding of the present invention and is not intended to limit it. Any person skilled in the art to which the present invention belongs may make any modification or change in the form and details of implementation without departing from the spirit and scope disclosed by the present invention, but the scope of patent protection of the present invention shall still be as defined by the appended claims.

Claims (24)

1. An authentication method, comprising:

a first network element receiving a request carrying first indication information from a security anchor function (SEAF) network element, wherein the first indication information indicates that a second network element is capable of performing fast authentication;

the first network element performing fast authentication with the second network element according to the first indication information.

2. The authentication method according to claim 1, wherein the first network element is an authentication service function (AUSF) network element and the second network element is a user terminal (UE);

or

the first network element is the UE and the second network element is the AUSF network element.

3. The authentication method according to claim 2, wherein, when the first network element is the UE and the second network element is the AUSF network element, the first network element performing fast authentication with the second network element according to the first indication information comprises:

the UE sending a registration request carrying second indication information to the SEAF network element, wherein the second indication information instructs the AUSF network element to perform fast authentication;

the UE receiving the derived parameter sent by the AUSF network element through the SEAF network element, wherein the derived parameter is generated by the AUSF network element.

4. The authentication method according to claim 2, wherein, when the first network element is the AUSF network element and the second network element is the UE, the first network element performing fast authentication with the second network element according to the first indication information comprises:

the AUSF network element sending the derived parameter to the UE through the SEAF network element, wherein the derived parameter is generated by the AUSF network element.

5. The authentication method according to claim 1, wherein the first indication information further includes information about the fast authentication methods that the first network element can use.

6. The authentication method according to claim 3 or 4, further comprising:

the AUSF network element determining, according to the first indication information, the message for sending the derived parameter.

7. The authentication method according to claim 3 or 4, further comprising:

the AUSF network element sending a network hash and an expected hash to the SEAF network element, wherein the network hash is generated based at least on the derived parameter and the home key stored in the AUSF network element; the expected hash is generated based at least on the derived parameter and an expected response; and the expected response is generated based at least on the derived parameter and the home key.

8. The authentication method according to claim 4, further comprising:

the AUSF network element sending second indication information to the UE through the SEAF network element, wherein the second indication information instructs the UE to perform fast authentication.

9. An authentication method, comprising:

a UE sending a registration request carrying first indication information to a SEAF network element; or, the UE receiving a message carrying first indication information sent by the SEAF network element; wherein the first indication information indicates that the sender is capable of performing fast authentication;

the UE receiving a derived parameter from the SEAF network element and sending an authentication response to the SEAF network element, wherein the authentication response is generated based at least on the derived parameter and the stored home key.

10. The authentication method according to claim 9, wherein the first indication information further includes information about the fast authentication methods that the sender can use.

11. The authentication method according to claim 9, wherein, before sending the authentication response to the SEAF network element, the method further comprises:

the UE receiving second indication information from the SEAF network element, wherein the second indication information instructs the UE to perform fast authentication.

12. The authentication method according to claim 11, further comprising:

the UE receiving a network hash from the SEAF network element;

the UE generating an expected network hash based at least on the derived parameter and the stored home key;

the UE sending the authentication response when the expected network hash is the same as the network hash.

13. A first network element, comprising:

a first receiving module, configured to receive, from a SEAF network element, an authentication request carrying first indication information and a permanent user identifier, wherein the first indication information identifies that the UE corresponding to the permanent user identifier is capable of performing fast authentication;

a first processing module, configured to perform fast authentication with the second network element according to the first indication information.

14. The first network element according to claim 13, wherein the first network element is an AUSF network element and the second network element is a UE;

or

the first network element is the UE and the second network element is the AUSF network element.

15. The first network element according to claim 14, wherein, when the first network element is the UE and the second network element is the AUSF network element, the first processing module is specifically configured to:
The first network element according to claim 14, wherein when the first network element is the UE and the second network element is the AUSF network element, the first processing Modules are used specifically for: 向所述SEAF网元发送携带有第二指示信息的注册请求;其中,所述第二指示信息用于指示所述AUSF网元进行快速认证;Sending a registration request carrying second indication information to the SEAF network element; wherein the second indication information is used to instruct the AUSF network element to perform fast authentication; 所述UE接收所述AUSF网元通过所述SEAF网元发送的派生参数;其中,所述派生参数由所述AUSF网元生成。The UE receives the derived parameter sent by the AUSF network element through the SEAF network element; wherein, the derived parameter is generated by the AUSF network element. 16.根据权利要求14所述的第一网元,其特征在于,当所述第一网元为所述AUSF网元,且所述第二网元为所述UE时,所述第一处理模块具体用于:16. The first network element according to claim 14, wherein when the first network element is the AUSF network element and the second network element is the UE, the first processing Modules are used specifically for: 通过所述SEAF网元向所述UE发送派生参数;其中,所述派生参数由所述AUSF网元生成。sending the derived parameter to the UE through the SEAF network element; wherein the derived parameter is generated by the AUSF network element. 17.根据权利要求13所述的第一网元,其特征在于,所述第一指示信息还包括:所述第一网元能够使用的快速认证方法的信息。17. The first network element according to claim 13, wherein the first indication information further includes: information about a fast authentication method that the first network element can use. 18.根据权利要求15或16所述的第一网元,其特征在于,18. The first network element according to claim 15 or 16, characterized in that, 所述第一处理模块,还用于根据所述第一指示信息确定发送所述派生参数的消息。The first processing module is further configured to determine to send the derived parameter message according to the first indication information. 19.根据权利要求15或16所述的第一网元,其特征在于,19. 
The first network element according to claim 15 or 16, characterized in that, 所述第一处理模块,还用于向所述SEAF网元发送网络哈希和期望哈希;其中,所述网络哈希至少基于所述派生参数和所述AUSF网元中存储的归属密钥生成;所述期望哈希至少基于所述派生参数和期望响应生成;所述期望响应至少基于所述派生参数和所述归属密钥生成。The first processing module is further configured to send a network hash and an expected hash to the SEAF network element; wherein the network hash is at least based on the derived parameter and the home key stored in the AUSF network element generating; the expected hash is generated based on at least the derived parameters and an expected response; the expected response is generated based on at least the derived parameters and the home key. 20.根据权利要求16所述的第一网元,其特征在于,20. The first network element according to claim 16, characterized in that, 所述第一处理模块,还用于通过所述SEAF网元向所述UE发送第二指示信息;其中,所述第二指示信息用于指示所述UE进行快速认证。The first processing module is further configured to send second indication information to the UE through the SEAF network element; wherein the second indication information is used to instruct the UE to perform fast authentication. 21.一种UE,其特征在于,包括:21. A UE, characterized by comprising: 第二处理模块,用于向SEAF网元发送携带有第一指示信息的注册请求,或者,接收所述SEAF网元发送的携带有第一指示信息的消息;其中,所述第一指示信息用于指示所述UE具备执行快速认证的能力;The second processing module is configured to send a registration request carrying the first indication information to the SEAF network element, or receive a message carrying the first indication information sent by the SEAF network element; wherein the first indication information is used To indicate that the UE is capable of performing fast authentication; 第二接收模块,用于接收来自所述SEAF网元的派生参数,向所述SEAF网元发送认证响应;其中,所述认证响应至少基于所述派生参数和存储的归属密钥生成。The second receiving module is configured to receive derived parameters from the SEAF network element, and send an authentication response to the SEAF network element; wherein the authentication response is at least generated based on the derived parameters and a stored home key. 22.根据权利要求21所述的UE,其特征在于,所述第一指示信息还包括:所述发送方能够使用的快速认证方法的信息。22. 
The UE according to claim 21, wherein the first indication information further includes: information of a fast authentication method that the sender can use. 23.根据权利要求21所述的UE,其特征在于,23. The UE according to claim 21, characterized in that, 所述第二接收模块,还用于接收来自所述SEAF网元的第二指示信息;其中,所述第二指示信息用于指示所述UE进行快速认证。The second receiving module is further configured to receive second indication information from the SEAF network element; wherein the second indication information is used to instruct the UE to perform fast authentication. 24.根据权利要求23所述的UE,其特征在于,24. The UE according to claim 23, characterized in that, 所述第二接收模块,还用于接收来自所述SEAF网元的网络哈希;The second receiving module is further configured to receive the network hash from the SEAF network element; 所述第二处理模块,还用于至少基于所述派生参数和存储的归属密钥生成期望网络哈希;The second processing module is further configured to generate a desired network hash based at least on the derived parameters and the stored attribution key; 还包括:发送模块,用于当所述期望网络哈希与所述网络哈希相同时,发送所述所述认证响应。It also includes: a sending module, configured to send the authentication response when the expected network hash is the same as the network hash.
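The hash exchange of claims 7, 9 and 12, as an added sketch that is not part of the patent text. HMAC-SHA-256, the labels, the field encoding and the SEAF-side comparison are assumptions; the claims only state which inputs each value is based on.

```python
import hashlib
import hmac
import os

# Assumption: the claims only say each value is "generated based at least on"
# its inputs. HMAC-SHA-256 with distinct labels stands in for those functions.

def _encode(*parts: bytes) -> bytes:
    # Length-prefix every field so different inputs never concatenate alike.
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def _keyed(home_key: bytes, label: bytes, derived_param: bytes) -> bytes:
    return hmac.new(home_key, _encode(label, derived_param), hashlib.sha256).digest()

def ausf_challenge(home_key: bytes, derived_param: bytes) -> dict:
    """AUSF (claim 7): values handed to the SEAF; the home key never leaves."""
    expected_response = _keyed(home_key, b"response", derived_param)
    return {
        "derived_param": derived_param,
        "network_hash": _keyed(home_key, b"network", derived_param),
        "expected_hash": hashlib.sha256(_encode(derived_param, expected_response)).digest(),
    }

def ue_respond(home_key: bytes, derived_param: bytes, network_hash: bytes):
    """UE (claims 9 and 12): authenticate the network first, then answer."""
    expected_network_hash = _keyed(home_key, b"network", derived_param)
    if not hmac.compare_digest(expected_network_hash, network_hash):
        return None  # network hash mismatch: no authentication response is sent
    return _keyed(home_key, b"response", derived_param)

def seaf_verify(derived_param: bytes, expected_hash: bytes, auth_response: bytes) -> bool:
    """SEAF (assumed use of the expected hash): check the UE without the home key."""
    candidate = hashlib.sha256(_encode(derived_param, auth_response)).digest()
    return hmac.compare_digest(candidate, expected_hash)

if __name__ == "__main__":
    home_key = os.urandom(32)       # constructed sample key shared by UE and AUSF
    derived_param = os.urandom(16)  # fresh value generated by the AUSF
    challenge = ausf_challenge(home_key, derived_param)
    response = ue_respond(home_key, derived_param, challenge["network_hash"])
    print("UE accepted network:", response is not None)
    print("SEAF accepted UE:", seaf_verify(derived_param, challenge["expected_hash"], response))
```

The SEAF holds only hashes, so it can confirm the UE's response and relay the network hash without ever seeing the home key.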
CN201810301013.0A 2018-04-04 2018-04-04 An authentication method and network element Pending CN110366178A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810301013.0A CN110366178A (en) 2018-04-04 2018-04-04 An authentication method and network element
PCT/CN2019/076823 WO2019192275A1 (en) 2018-04-04 2019-03-04 Authentication method and network element

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810301013.0A CN110366178A (en) 2018-04-04 2018-04-04 An authentication method and network element

Publications (1)

Publication Number Publication Date
CN110366178A true CN110366178A (en) 2019-10-22

Family

ID=68099771

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810301013.0A Pending CN110366178A (en) 2018-04-04 2018-04-04 An authentication method and network element

Country Status (2)

Country Link
CN (1) CN110366178A (en)
WO (1) WO2019192275A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110830985A (en) * 2019-11-11 2020-02-21 重庆邮电大学 A 5G lightweight terminal access authentication method based on trust mechanism

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112788598B (en) * 2019-11-01 2022-11-11 华为技术有限公司 Method and device for protecting parameters in authentication process

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107566115B (en) * 2016-07-01 2022-01-14 华为技术有限公司 Secret key configuration and security policy determination method and device
US20180084427A1 (en) * 2016-09-16 2018-03-22 Zte Corporation Security features in next generation networks
WO2018053271A1 (en) * 2016-09-16 2018-03-22 Idac Holdings, Inc. Unified authentication framework

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110830985A (en) * 2019-11-11 2020-02-21 重庆邮电大学 A 5G lightweight terminal access authentication method based on trust mechanism
CN110830985B (en) * 2019-11-11 2022-04-29 重庆邮电大学 A 5G lightweight terminal access authentication method based on trust mechanism

Also Published As

Publication number Publication date
WO2019192275A1 (en) 2019-10-10

Similar Documents

Publication Publication Date Title
US11825303B2 (en) Method for performing verification by using shared key, method for performing verification by using public key and private key, and apparatus
US11405780B2 (en) Method for performing verification by using shared key, method for performing verification by using public key and private key, and apparatus
US11496320B2 (en) Registration method and apparatus based on service-based architecture
US11431695B2 (en) Authorization method and network element
JP6732095B2 (en) Unified authentication for heterogeneous networks
WO2020177768A1 (en) Network verification method, apparatus, and system
ES2617067T7 (en) Generation of cryptographic keys
US9668139B2 (en) Secure negotiation of authentication capabilities
CN101511084B (en) Authentication and cipher key negotiation method of mobile communication system
RU2580399C2 (en) METHOD AND SYSTEM FOR SECURE ACCESS TO HNB OR HeNB AND CORE NETWORK ELEMENT
CN111641498B (en) Key Determination Method and Device
JP7237200B2 (en) Parameter transmission method and device
JP2007522695A (en) System, method, and device for authentication in a wireless local area network (WLAN)
WO2012097723A1 (en) Method, network side entity and communication terminal for protecting data security
JP2016111660A (en) Authentication server, terminal and authentication method
CN107820242A (en) A kind of machinery of consultation of authentication mechanism and device
WO2018126791A1 (en) Authentication method and device, and computer storage medium
CN110366178A (en) An authentication method and network element
CN106856605B (en) An Anonymous Handover Authentication Method Based on Fake Identity Wireless Network
CN101160784B (en) A key update negotiation method and device
US11972032B2 (en) Authentication of an original equipment manufacturer entity
WO2019010701A1 (en) Methods and computing device for transmitting encoded information during authentication
CN113449286B (en) Method, system and equipment for safety check of S-NSSAI (S-NSSAI) sent by UE (user equipment)
CN101848464A (en) Method, device and system for implementing network security
CN111212424B (en) Method and system for authenticating UE during interoperation from EPS to 5GS

Legal Events

Date Code Title Description
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20191022