CN103458410A - Certification processing method and device - Google Patents

Publication number: CN103458410A (granted version: CN103458410B)
Authority: CN (China)
Application number: CN201310423021XA
Language: Chinese (zh)
Prior art keywords: service, authentication, current service, procedure, user equipment
Legal status: granted; active
Inventors: 毕晓宇, 张爱琴, 张冬梅
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority date:
Filing date:
Publication date:
Events: application filed by Huawei Technologies Co Ltd; priority to CN201310423021.XA (CN103458410B); priority claimed from CN2009100938285A (CN102025685B); publication of CN103458410A; application granted; publication of CN103458410B; legal status active
Classification (landscape): Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the invention relate to an authentication processing method and device. The method comprises: when execution of the authentication and key agreement (AKA) procedure fails, determining, according to local information and network policy, whether to release the connection or to continue executing the current service. With this method and device, a failed EPS AKA procedure does not cause the connection to be released immediately; the decision to release the connection or to continue the current service is made from local information and network policy, so that connections which do not need to be released are kept, and resources are saved.

Description

Authentication method and device
Technical field
The embodiments of the present invention relate to the communications field, and in particular to an authentication method and device.
Background
The Non-Access Stratum (NAS) COUNT is part of the security context in the Long Term Evolution (LTE) system. In LTE, the NAS COUNT serves as the lifetime of a key, giving the key freshness; it also keeps the user equipment (UE) and the network side synchronised on the key, which prevents replay attacks. Each Evolved Packet System (EPS) security context contains two independent NAS COUNT values, an uplink NAS COUNT and a downlink NAS COUNT, whose counters are maintained independently by the UE and by the Mobility Management Entity (MME).
The NAS COUNT is 32 bits long and is made up of two parts: an 8-bit NAS sequence number (SQN) and a 16-bit NAS overflow counter (OVERFLOW); the count itself therefore occupies 24 bits, which is why its maximum is 2^24. The NAS sequence number is carried in every NAS message; after each new or retransmitted integrity-protected NAS message is sent, the sender increments the NAS sequence number by 1, and each time the sequence number wraps around from its maximum, the NAS overflow counter is incremented by 1.
In the prior art, when the MME detects that the downlink NAS COUNT is about to wrap, that is, that the NAS COUNT is close to its maximum of 2^24, the MME triggers a new EPS Authentication and Key Agreement (AKA) procedure, establishes a new security context and, when that security context is activated, initialises the NAS COUNT to 0. Likewise, when the MME detects that the UE's uplink NAS COUNT is close to its maximum and about to wrap, the MME triggers the EPS AKA procedure.
In the prior art, as soon as the MME detects that a NAS COUNT is about to wrap it immediately triggers the EPS AKA procedure, and if the EPS AKA procedure fails it immediately releases the connection. This security handling wastes resources.
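The counter arithmetic described in the background, as an added example that is not part of the patent text. The layout (8-bit NAS sequence number carried in every NAS message, 16-bit NAS overflow counter kept locally, a 24-bit count padded to 32 bits) and the threshold 2^24 − 100 used in embodiments three and four are taken from the page. The receiver-side reconstruction of the full count from a received 8-bit sequence number (accept_received) is an assumption about how a receiver uses the counter and is not spelled out on the page; the page tests the threshold with equality, the check below uses "at or past" so that a missed check cannot skip the wrap.

```python
"""NAS COUNT arithmetic as described in the background section above.

Added example, not the patent's code. The 8/16-bit layout, the 2**24 wrap
point and the 2**24 - 100 threshold are from the page; accept_received is
an assumed receiver-side use of the counter.
"""
from dataclasses import dataclass
from typing import Optional

SQN_BITS = 8
OVERFLOW_BITS = 16
SQN_MOD = 1 << SQN_BITS                      # 256
OVERFLOW_MOD = 1 << OVERFLOW_BITS            # 65536
COUNT_MAX = 1 << (SQN_BITS + OVERFLOW_BITS)  # 2**24, the wrap point
NEAR_WRAP_THRESHOLD = COUNT_MAX - 100        # value used in embodiments three and four


@dataclass
class NasCount:
    """One direction's NAS COUNT (uplink or downlink), kept by UE and MME."""
    sqn: int = 0       # 8-bit NAS sequence number, sent in each NAS message
    overflow: int = 0  # 16-bit NAS overflow counter, never transmitted

    def value(self) -> int:
        """Full NAS COUNT: 8 padding bits | 16-bit overflow | 8-bit SQN."""
        return (self.overflow << SQN_BITS) | self.sqn

    def increment(self) -> int:
        """Advance after a protected NAS message; the SQN wraps modulo 256
        and carries into the overflow counter, which itself wraps at 2**16."""
        self.sqn = (self.sqn + 1) % SQN_MOD
        if self.sqn == 0:
            self.overflow = (self.overflow + 1) % OVERFLOW_MOD
        return self.value()

    def near_wrap(self, threshold: int = NEAR_WRAP_THRESHOLD) -> bool:
        """The check of steps 202/302/402: is the count at or past the preset
        near-maximum threshold? (The page tests equality; >= is safer.)"""
        return self.value() >= threshold

    def reset(self) -> None:
        """A newly activated security context starts the count at 0."""
        self.sqn = 0
        self.overflow = 0


def messages_until_wrap(count: NasCount) -> int:
    """How many more protected messages can be sent before the count wraps."""
    return COUNT_MAX - count.value()


def accept_received(last: NasCount, received_sqn: int) -> Optional[int]:
    """Receiver-side reconstruction (assumed behaviour): the peer only sends
    the 8-bit SQN, so combine it with the locally kept overflow counter,
    adding one overflow if the SQN has wrapped relative to the last accepted
    value. A repeat of the last accepted SQN is treated as a replay and
    rejected (None), which is the replay-protection role the page ascribes
    to the NAS COUNT."""
    if received_sqn == last.sqn:
        return None
    overflow = last.overflow + (1 if received_sqn < last.sqn else 0)
    return ((overflow % OVERFLOW_MOD) << SQN_BITS) | received_sqn


if __name__ == "__main__":
    c = NasCount(sqn=0xFF, overflow=0xFFFE)
    c.increment()
    print(hex(c.value()), c.near_wrap(), messages_until_wrap(c))
```

With overflow 0xFFFF and SQN 0x9C the value is exactly 2^24 − 100, the threshold the later embodiments use; one more increment from 0xFFFF/0xFF wraps the whole count back to 0, which is the event the EPS AKA or NAS SMC procedures described below are meant to pre-empt.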
Summary of the invention
The embodiments of the present invention provide an authentication method and device, in order to save resources.
An embodiment of the present invention provides an authentication method, comprising:
when execution of the authentication and key agreement procedure fails, determining, by the wireless communication network side device, whether the network policy supports executing the current service without authentication; and
if the network policy supports executing the current service without authentication and the current service is a service that does not need to be authenticated, continuing to execute the current service; or
if the network policy supports executing the current service without authentication and the user equipment does not have the capability of executing the authentication and key agreement procedure, continuing to execute the current service; or
if the network policy supports executing the current service without authentication and the user equipment has no card inserted, continuing to execute the current service.
An embodiment of the present invention provides an authentication device, comprising:
an execution module, for executing the authentication and key agreement procedure; and
a processing module, located in the wireless communication network side device, comprising:
a first judging unit, for determining, when execution of the authentication and key agreement procedure with the user equipment fails, whether the network policy supports executing the current service without authentication;
a second judging unit, for determining, when the network policy supports executing the current service without authentication, whether the current service is a service that needs to be authenticated, or whether the user equipment has the capability of executing the authentication and key agreement procedure, or whether the user equipment has a card inserted; and
an execution unit, for continuing to execute the current service when the second judging unit determines that the current service does not need to be authenticated, or that the user equipment lacks the capability of executing the authentication and key agreement procedure, or that the user equipment has no card inserted.
In the embodiments of the present invention, if the EPS AKA procedure fails, the connection is not released immediately; instead, the connection is released or the current service is continued according to local information and network policy, so that connections which do not need to be released are kept, and resources are saved.
The accompanying drawing explanation
Fig. 1 is a flow chart of the authentication method of embodiment one;
Fig. 2 is a flow chart of the authentication method of embodiment two;
Fig. 3 is a flow chart of the authentication method of embodiment three;
Fig. 4 is a flow chart of the authentication method of embodiment four;
Fig. 5 is a flow chart of the authentication method of embodiment five;
Fig. 6 is a flow chart of the authentication method of embodiment six;
Fig. 7 is a flow chart of the authentication method of embodiment seven;
Fig. 8 is a structural diagram of the authentication device of embodiment eight;
Fig. 9 is a structural diagram of the authentication device of embodiment nine;
Fig. 10 is a structural diagram of the authentication device of embodiment ten;
Fig. 11 is a structural diagram of the authentication device of embodiment eleven;
Fig. 12 is a structural diagram of the authentication device of embodiment twelve;
Fig. 13 is a structural diagram of the authentication device of embodiment thirteen.
Embodiments
The technical solutions of the embodiments of the present invention are described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a flow chart of the authentication method of embodiment one. As shown in Fig. 1, this embodiment comprises the following steps:
Step 101: when the Non-Access Stratum count value approaches its maximum, detect local information;
Step 102: determine, according to the local information, whether to trigger an authentication and key agreement procedure with the user equipment.
Here the NAS count value approaching its maximum means that the NAS count value is about to wrap, and the authentication and key agreement procedure may be the EPS AKA procedure.
The entity executing these two steps may be the MME: when the downlink or uplink NAS count value is about to wrap, the MME detects local information and, according to the detection result, determines whether to trigger the EPS AKA procedure.
Taking detection of the uplink NAS count value as an example: the MME receives a NAS message and increments the NAS count value by 1; the MME then checks whether the NAS count value approaches its maximum, specifically whether it equals a threshold, the threshold being a preset value close to the maximum. If it does, the MME detects local information and determines from the detection result whether to trigger the authentication and key agreement procedure; otherwise it continues receiving NAS messages.
In this embodiment the MME does not trigger the EPS AKA procedure immediately on detecting that the NAS count value is about to wrap. This reduces the number of times the EPS AKA procedure is triggered, avoids the resource cost of unnecessary EPS AKA procedures, and saves resources.
Before embodiment two is described, the technology relevant to it is introduced.
In the LTE system the EPS security context can be classified in two ways. By usage state, an EPS security context is either the current EPS security context or a non-current EPS security context. The current EPS security context is the most recently activated security context, that is, the one currently in use. The security context currently in use may coexist with one non-current native EPS security context. By origin, an EPS security context is either a mapped EPS security context or a native EPS security context. A mapped EPS security context is one mapped from another system, for example from the Universal Mobile Telecommunications System (UMTS) into the LTE system. A native EPS security context is one generated in the LTE system by EPS AKA. Native EPS security contexts are further divided into partial native EPS security contexts and full native EPS security contexts. The main difference is that a partial native EPS security context has not yet gone through a successful NAS security mode procedure, and therefore contains only the root key K_ASME used for authentication when the UE accesses the LTE network, the key set identifier (KSI), the UE security capabilities, and a NAS count value set to 0. A full native EPS security context is one that, after the EPS AKA procedure, has been activated by a successful NAS Security Mode Command (SMC) procedure and contains a complete set of EPS NAS security context; it therefore additionally holds the NAS integrity key K_NASint, the NAS encryption key K_NASenc, and the identifiers of the selected NAS encryption and integrity algorithms.
Fig. 2 is a flow chart of the authentication method of embodiment two. In this embodiment the local information is the locally stored security context, and the security contexts referred to below are native EPS security contexts.
As shown in Fig. 2, this embodiment comprises the following steps:
Step 201: the MME receives a NAS message and increments the NAS count value by 1.
Step 202: the MME checks whether the NAS count value approaches its maximum; if so, step 203 is executed, otherwise step 201.
Specifically, a value close to the maximum may be preset as a threshold; the MME checks whether the NAS count value equals the threshold, and if so executes step 203, otherwise step 201.
Step 203: the MME checks whether the locally stored security contexts include, besides the current security context, a non-current security context; if so, step 204 is executed, otherwise the EPS AKA procedure is triggered.
Step 204: activate the non-current security context.
The non-current security context can be activated by successfully running the NAS SMC procedure. A successful NAS SMC procedure comprises: the MME integrity-protects the NAS SMC message with the security context; when the UE verifies the integrity of the NAS SMC message successfully, it sends a NAS Security Mode Complete message to the MME; the MME decrypts the NAS Security Mode Complete message and verifies its integrity. The MME thereby learns that it shares this security context with the UE, and the security context is activated. Step 204 therefore activates the non-current security context by executing the NAS SMC procedure successfully.
Further, if the NAS SMC procedure fails, the MME triggers the EPS AKA procedure.
The non-current native security context may be a non-current partial native security context or a non-current full native security context, so step 204 may be: the MME activates the non-current partial native security context or the non-current full native security context.
In this embodiment the MME activates the non-current native security context shared by the MME and the UE by successfully running the NAS SMC procedure it triggered. If the MME does not receive the NAS Security Mode Complete message returned by the UE, the MME triggers the EPS AKA procedure.
Two concrete examples illustrate the application scenarios of this embodiment.
(1) When the MME detects that the NAS count value approaches its maximum, it learns by inspecting the security contexts that the MME and the UMTS Subscriber Identity Module Integrated Circuit Card (UICC) have stored a non-current partial security context. The MME activates this non-current partial security context, the NAS count value is initialised to 0, and an EPS AKA procedure is saved.
Compared with the prior art, in this scenario the MME does not immediately trigger the EPS AKA procedure, so the resources invested in the non-current partial security context are not wasted, and the resource cost of an unnecessary EPS AKA procedure is avoided.
(2) The UE establishes a current security context while accessing the EPS, and is then handed over from the Evolved Universal Terrestrial Radio Access Network (E-UTRAN) to the Universal Terrestrial Radio Access Network (UTRAN) or the GSM/EDGE Radio Access Network (GERAN), keeping the native security context generated in E-UTRAN. When the UE is later handed back to E-UTRAN it uses a mapped security context, which becomes the current security context, while the security context generated earlier in E-UTRAN and kept by the UE and the MME becomes a non-current full security context. In this scenario, when the MME detects that the NAS count value approaches its maximum, it learns by inspecting the security contexts that this non-current full security context is stored locally, activates it, and saves an EPS AKA procedure.
Compared with the prior art, in this scenario the MME does not immediately trigger the EPS AKA procedure, so the non-current full security context stored earlier is not wasted, and the resource cost of an unnecessary EPS AKA procedure is avoided.
In this embodiment the MME does not trigger the EPS AKA procedure immediately on detecting that the NAS count value is about to wrap. This reduces the number of times the EPS AKA procedure is triggered, avoids the resource cost of unnecessary EPS AKA procedures, and saves resources.
Fig. 3 is a flow chart of the authentication method of embodiment three. In this embodiment the local information is the state of a timer. A timer is set up in advance on the MME; its state is either running or stopped. When the NAS counter reaches the threshold and the EPS AKA procedure completes successfully, the timer enters the running state; when the timer reaches the set time limit, it enters the stopped state.
As shown in Fig. 3, this embodiment comprises the following steps:
Step 301: the MME receives a NAS message and increments the NAS count value by 1.
Step 302: the MME checks whether the NAS count value approaches its maximum; if so, step 303 is executed, otherwise step 301.
Specifically, this embodiment presets a value close to the maximum as the threshold, for example 2^24 − 100; the MME checks whether the NAS count value equals 2^24 − 100, and if so executes step 303, otherwise step 301.
Step 303: the MME checks whether the timer state is running; if so, step 304 is executed, otherwise the EPS AKA procedure is triggered.
Step 304: activate the non-current security context.
The non-current security context is activated by successfully running the NAS SMC procedure. A successful NAS SMC procedure comprises: the MME integrity-protects the NAS SMC message with the security context; when the UE verifies the integrity of the NAS SMC message successfully, it sends a NAS Security Mode Complete message to the MME; the MME decrypts the NAS Security Mode Complete message and verifies its integrity. The MME thereby learns that it shares this security context with the UE, and the security context is activated. Step 304 therefore activates the non-current native security context by executing the NAS SMC procedure successfully.
Further, if the NAS SMC procedure fails, the MME triggers the EPS AKA procedure.
In practice the downlink and uplink NAS count values are usually close to each other, so shortly after the MME detects that the downlink NAS COUNT is about to wrap it will detect that the uplink NAS COUNT is about to wrap. Moreover, some time after the MME triggers the EPS AKA procedure it triggers the NAS SMC procedure, and executing the NAS SMC procedure initialises the NAS count value to 0. If the MME triggers the EPS AKA procedure as soon as it detects that the downlink NAS COUNT is about to wrap, but has not yet triggered the NAS SMC procedure to activate the newly produced security context by the time it detects that the uplink NAS COUNT is about to wrap, the NAS count value has not been initialised, and the prior art then triggers the EPS AKA procedure a second time. In this embodiment the timer state tells the MME whether the time elapsed since the last successful EPS AKA procedure has reached the set time limit, the time limit being determined from the interval between a successful EPS AKA procedure and the triggering of the NAS SMC. When the NAS count value approaches its maximum and the time since the last successful EPS AKA procedure is less than the set limit, the MME triggers the NAS SMC procedure; when that time is greater than or equal to the set limit, the MME triggers the EPS AKA procedure. For the practical scenario above, this embodiment therefore avoids triggering the EPS AKA procedure a second time when the uplink NAS COUNT is found to be about to wrap before the NAS SMC procedure has been triggered, reduces the number of EPS AKA procedures, avoids the resource cost of unnecessary EPS AKA procedures, and saves resources.
Fig. 4 is a flow chart of the authentication method of embodiment four. In this embodiment the local information is the state of a state flag. A state flag is set up in advance on the MME; its state is either running or stopped, and specifically 0 may denote running and 1 stopped. Running means that the time elapsed since the last successful EPS AKA procedure is less than the set time limit; stopped means that this time is greater than or equal to the set time limit. The state flag can be driven by a timer.
As shown in Fig. 4, this embodiment comprises the following steps:
Step 401: the MME receives a NAS message and increments the NAS count value by 1.
Step 402: the MME checks whether the NAS count value approaches its maximum; if so, step 403 is executed, otherwise step 401.
Specifically, this embodiment presets a value close to the maximum as the threshold, for example 2^24 − 100; the MME checks whether the NAS count value equals 2^24 − 100, and if so executes step 403, otherwise step 401.
Step 403: the MME checks whether the state flag is 0; if so, step 404 is executed, otherwise the EPS AKA procedure is triggered.
Step 404: activate the non-current security context.
The non-current security context is activated by successfully running the NAS SMC procedure. A successful NAS SMC procedure comprises: the MME integrity-protects the NAS SMC message with the security context; when the UE verifies the integrity of the NAS SMC message successfully, it sends a NAS Security Mode Complete message to the MME; the MME decrypts the NAS Security Mode Complete message and verifies its integrity. The MME thereby learns that it shares this security context with the UE, and the security context is activated. Step 404 therefore activates the non-current native security context by executing the NAS SMC procedure successfully.
Further, if the NAS SMC procedure fails, the MME triggers the EPS AKA procedure.
In practice the downlink and uplink NAS count values are usually close to each other, so shortly after the MME detects that the downlink NAS COUNT is about to wrap it will detect that the uplink NAS COUNT is about to wrap. Moreover, some time after the MME triggers the EPS AKA procedure it triggers the NAS SMC, and executing the NAS SMC initialises the NAS count value to 0. If the MME triggers the EPS AKA procedure as soon as it detects that the downlink NAS COUNT is about to wrap, but has not yet triggered the NAS SMC by the time it detects that the uplink NAS COUNT is about to wrap, the NAS count value has not been initialised, and the prior art then triggers the EPS AKA procedure a second time. In this embodiment the state flag tells the MME whether the time elapsed since the last successful EPS AKA procedure has reached the set time limit, the time limit being determined from the interval between a successful EPS AKA procedure and the triggering of the NAS SMC. When the NAS count value approaches its maximum and the time since the last successful EPS AKA procedure is less than the set limit, the MME triggers the NAS SMC; when that time is greater than or equal to the set limit, the MME triggers the EPS AKA procedure. For the practical scenario above, this embodiment therefore avoids triggering the EPS AKA procedure a second time when the uplink NAS COUNT is found to be about to wrap before the NAS SMC has been triggered, reduces the number of EPS AKA procedures, avoids the resource cost of unnecessary EPS AKA procedures, and saves resources.
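The near-wrap handling of embodiments two, three and four side by side with the prior-art behaviour, as an added example that is not the patent's own code. The context classes (mapped, partial native, full native), the preference for activating a stored non-current native context with NAS SMC over running a fresh EPS AKA, the timer limit measured from the last successful EPS AKA, and the 0/1 state flag (0 = running, 1 = stopped) are from the page. The Mme class, the simulated NAS SMC outcome (ue_accepts_smc), the 30-second limit and the KSI bookkeeping are assumptions made here; a real MME exchanges messages with the UE.

```python
"""MME decision at NAS COUNT near-wrap: prior art vs. embodiments two,
three and four. Added example, not the patent's code; the Mme class,
the simulated SMC result and the time limit value are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class CtxKind(Enum):
    MAPPED = "mapped"                  # mapped from UMTS/GERAN after handover
    PARTIAL_NATIVE = "partial native"  # produced by EPS AKA, no NAS SMC yet
    FULL_NATIVE = "full native"        # activated by a successful NAS SMC


@dataclass
class SecurityContext:
    ksi: int            # key set identifier, 0..7 (assumed range)
    kind: CtxKind
    nas_count: int = 0  # per the page a partial native context has NAS COUNT 0


@dataclass
class Mme:
    current: SecurityContext
    non_current: Optional[SecurityContext] = None
    aka_time_limit: float = 30.0   # assumed seconds allowed between AKA success and NAS SMC
    last_aka_success: Optional[float] = None
    events: List[str] = field(default_factory=list)

    def state_flag(self, now: float) -> int:
        """Embodiment four: 0 = running (last EPS AKA succeeded less than the
        limit ago), 1 = stopped. Embodiment three's timer has the same meaning."""
        if self.last_aka_success is None:
            return 1
        return 0 if now - self.last_aka_success < self.aka_time_limit else 1

    def run_eps_aka(self, now: float) -> None:
        """Simulated, always successful EPS AKA: yields a new partial native
        context with a fresh KSI and starts the timer."""
        self.events.append("EPS AKA")
        self.non_current = SecurityContext(ksi=(self.current.ksi + 1) % 8,
                                           kind=CtxKind.PARTIAL_NATIVE)
        self.last_aka_success = now

    def run_nas_smc(self, ue_accepts: bool) -> bool:
        """Activate the non-current native context. On Security Mode Complete
        it becomes the current (full native) context with NAS COUNT 0."""
        self.events.append("NAS SMC")
        if self.non_current is None or not ue_accepts:
            return False
        self.non_current.kind = CtxKind.FULL_NATIVE
        self.non_current.nas_count = 0
        self.current, self.non_current = self.non_current, None
        return True

    def prior_art_on_near_wrap(self, now: float) -> str:
        """Prior art as described on the page: always run EPS AKA."""
        self.run_eps_aka(now)
        return "EPS AKA"

    def on_near_wrap_by_context(self, now: float, ue_accepts_smc: bool = True) -> str:
        """Embodiment two (steps 203/204): activate a stored non-current native
        context with NAS SMC; otherwise, or if the SMC fails, run EPS AKA."""
        if self.non_current is not None and self.non_current.kind != CtxKind.MAPPED:
            if self.run_nas_smc(ue_accepts_smc):
                return "NAS SMC"
        self.run_eps_aka(now)
        return "EPS AKA"

    def on_near_wrap_by_timer(self, now: float, ue_accepts_smc: bool = True) -> str:
        """Embodiments three/four (steps 303/403): while the timer runs (flag 0)
        activate the context from the recent EPS AKA with NAS SMC instead of
        running EPS AKA again; otherwise run EPS AKA."""
        if self.state_flag(now) == 0 and self.run_nas_smc(ue_accepts_smc):
            return "NAS SMC"
        self.run_eps_aka(now)
        return "EPS AKA"


def uplink_after_downlink(handler: str, gap_seconds: float) -> List[str]:
    """The practical scenario of embodiments three/four: the downlink count
    nears its maximum, then the uplink count does a little later. Returns
    the procedures the chosen handler ran."""
    mme = Mme(current=SecurityContext(ksi=0, kind=CtxKind.FULL_NATIVE))
    act = getattr(mme, handler)
    act(0.0)            # downlink NAS COUNT near wrap
    act(gap_seconds)    # uplink NAS COUNT near wrap
    return mme.events


if __name__ == "__main__":
    for h in ("prior_art_on_near_wrap", "on_near_wrap_by_timer", "on_near_wrap_by_context"):
        print(h, uplink_after_downlink(h, 5.0))
```

With a 5-second gap the prior-art handler runs EPS AKA twice, whereas the timer and context handlers run EPS AKA once and then NAS SMC, which is the saving the three embodiments claim. The two handlers differ once the timer has expired: the timer variant falls back to EPS AKA, while the context variant still activates the stored partial native context, because embodiment two does not consult a timer at all.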
Fig. 5 is a flow chart of the authentication method of embodiment five. In this embodiment the local information is the current service type, the Quality of Service (QoS), or the capability of the user equipment to execute authentication.
As shown in Fig. 5, this embodiment comprises the following steps:
Step 501: the MME receives a NAS message and increments the NAS count value by 1.
Step 502: the MME checks whether the NAS count value approaches its maximum; if so, step 503 is executed, otherwise step 501.
Specifically, a value close to the maximum may be preset as a threshold; the MME checks whether the NAS count value equals the threshold, and if so executes step 503, otherwise step 501.
Step 503: the MME detects the current service type and determines whether the current service requested by the UE, corresponding to that service type, is a service that needs to be authenticated; or the MME detects the QoS and determines whether the current service requested by the UE, corresponding to that QoS, is a service that needs to be authenticated; or the MME detects the UE's authentication capability and determines whether the UE has the capability of executing the EPS AKA procedure.
If so, the EPS AKA procedure is triggered; otherwise step 504 is executed.
Step 504: continue using the current security context, or do not apply security protection to the current service, or interrupt the connection of the current service.
For example, the MME learns from the current service type that the service requested by the UE is an Emergency Call (EMC) service, and so that the requested service does not need to be authenticated; it then no longer triggers the EPS AKA procedure, ignores the detection result that the NAS count value approaches its maximum, and may continue using the current security context, or leave the current service without security protection, or interrupt the connection of the current service.
When a UE with a Subscriber Identity Module (SIM) card inserted is handed over from an emergency call in the UMTS network to the LTE network, the MME obtains the security parameter Kc from the Serving GPRS Support Node (SGSN) of the General Packet Radio Service (GPRS) and further derives K_ASME from the cipher key (CK) and integrity key (IK). The NAS count value starts from 0, and the UE's security protection in the LTE network is provided by sub-keys derived from K_ASME. When the NAS count value is about to wrap, the MME can determine from Kc that the UE is a SIM card user without the capability of executing the EPS AKA procedure; the MME then no longer triggers the EPS AKA procedure, ignores the detection result that the NAS count value approaches its maximum, and may continue using the current security context, leave the current service without security protection, or interrupt the connection of the current service.
In this embodiment, when the service requested by the UE does not need to be authenticated or the UE lacks the capability of executing the authentication and key agreement procedure, the EPS AKA procedure is not triggered. This reduces the number of EPS AKA procedures, avoids the resource cost of unnecessary EPS AKA procedures, and saves resources.
Fig. 6 is a flow chart of the authentication method of embodiment six. As shown in Fig. 6, this embodiment comprises the following steps:
Step 601: the MME receives a NAS message and increments the NAS count value by 1.
Step 602: the MME checks whether the NAS count value approaches its maximum; if so, step 603 is executed, otherwise step 601. The NAS count value may be the uplink NAS count value or the downlink NAS count value.
Specifically, a value close to the maximum may be preset as a threshold; the MME checks whether the NAS count value equals the threshold, and if so executes step 603, otherwise step 601.
Step 603: the MME triggers the EPS AKA procedure and at the same time triggers the NAS SMC, which activates the security context produced by the AKA procedure and initialises the NAS count value to 0.
This embodiment binds the execution of the EPS AKA procedure and the NAS SMC together, so that detecting that the NAS count values of the two directions (uplink and downlink) are about to wrap does not trigger the EPS AKA procedure repeatedly. This reduces the number of EPS AKA procedures, avoids the resource cost of unnecessary EPS AKA procedures, and saves resources.
Fig. 7 is a flow chart of the authentication method of embodiment seven of the present invention. As shown in Fig. 7, the embodiment comprises the following steps:
Step 801: the MME initiates the EPS AKA procedure;
Step 802: if execution of the EPS AKA procedure fails, the MME determines, according to local information and network policy, whether to release the connection or to continue executing the current service.
Further, in step 801 the MME may initiate the EPS AKA procedure under several conditions. For example: when the NAS COUNT value approaches its maximum, the MME initiates the EPS AKA procedure; the EPS AKA procedure may also be triggered by operator policy, where the operator configures a policy under which the MME triggers EPS AKA towards the UEs under it (this may be a policy the operator formulates from a security requirement or other need); or the EPS AKA procedure may be triggered when the UE performs an inter-network handover, specifically when the UE moves (including handover in connected state and mobility in idle state) from a network with a lower security level (such as a GSM or UMTS network) to a network with a higher security level (such as an LTE network), in which case the network side triggers the EPS AKA procedure.
The local information may include at least one of: the current service type, the quality of service (QoS), the UE's authentication capability, network policy, the subscriber identity module (SIM) type, or whether the UE has a card inserted. The current service type indicates the type of the current service, and the MME can determine from it whether the current service needs to be authenticated. QoS can also identify a service that needs no authentication, so the MME can likewise determine from QoS whether the current service needs to be authenticated. The UE's authentication capability indicates whether the UE is able to perform EPS AKA, and the MME determines from it whether the UE can perform EPS AKA. The SIM card type likewise indicates whether the UE is able to perform EPS AKA, and the MME can determine this from the SIM card type. Since authentication must be performed with a card inserted in the UE, if the UE has a card inserted and the EPS AKA procedure then fails, the NAS signalling connection should be released; if the UE has no card inserted, whether to release the connection is determined according to network policy. Network policy is a policy configured on the network device; it may or may not support the current service proceeding without authentication.
Based on the above local information and network policy, step 802 may specifically comprise:
If the MME determines that network policy does not support the current service proceeding unauthenticated, the connection of the current service is released;
If the MME determines that network policy supports the current service proceeding unauthenticated, and the MME determines from the current service type or QoS in the local information that the current service does not need to be authenticated, or determines from the UE's authentication capability or the SIM type in the local information that the UE lacks the capability to perform the Authentication and Key Agreement procedure, or the UE has no card inserted, the current service continues to be executed;
If the MME determines that network policy supports the current service proceeding unauthenticated, and the MME determines from the current service type or QoS in the local information that the current service needs to be authenticated, or determines from the UE's authentication capability or the SIM type in the local information that the UE has the capability to perform the Authentication and Key Agreement procedure, or the UE has a card inserted, the connection of the current service is released.
For example, in a scenario where the MME determines that network policy supports the current service proceeding unauthenticated, the MME detects from the current service type that the service requested by the UE is an emergency call (EMC) service or a public warning service. Since EMC and public warning services do not need to be authenticated, and network policy supports unauthenticated EMC or public warning service, the MME and the UE continue to execute the current service.
If the current service is the only service on the NAS signalling connection, the connection of the current service can be released by releasing the NAS signalling connection. If the NAS signalling connection carries multiple services, and it is determined from the current service type that all of them need to be authenticated, the NAS signalling connection is released. If the current services include both services that need authentication and services that do not (such as EMC), the EPS bearers corresponding to the services that need authentication are released, while the EPS bearers of the services that do not need authentication (such as the EMC bearer) are kept. These EPS bearers are established on top of the NAS signalling connection.
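The following is an added worked example of the step 802 decision, including the bearer handling for a NAS signalling connection that carries several services; it is not code from the patent or from any vendor's MME. It takes one reading of the conditions above: once network policy permits unauthenticated service, any one of the three "continue" conditions (service needs no authentication, UE cannot perform AKA, no card inserted) suffices, and release happens only when none of them holds. The names ServiceType, Service, LocalInfo, NetworkPolicy, Action and decide_after_aka_failure, the bearer ids and the sample services are all constructed for the example.

```python
"""Added example (not the patent's code): the post-AKA-failure decision of step 802."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class ServiceType(Enum):
    NORMAL = "normal"
    EMERGENCY_CALL = "emc"             # the EMC service of the text
    PUBLIC_WARNING = "public_warning"  # the public warning service of the text


# Service types the text names as not needing authentication.
NO_AUTH_SERVICE_TYPES = {ServiceType.EMERGENCY_CALL, ServiceType.PUBLIC_WARNING}


@dataclass
class Service:
    service_type: ServiceType
    eps_bearer_id: int                 # constructed bearer identifier
    qos_marks_no_auth: bool = False    # QoS may also identify a service as needing no authentication


@dataclass
class LocalInfo:
    services: List[Service]            # all services carried on one NAS signalling connection
    ue_can_do_aka: bool = True         # from the UE's authentication capability
    sim_can_do_aka: bool = True        # from the subscriber identity module type
    card_inserted: bool = True


@dataclass
class NetworkPolicy:
    allows_unauthenticated: bool       # may the current service proceed without authentication?


class Action(Enum):
    RELEASE_NAS_CONNECTION = "release NAS signalling connection"
    RELEASE_BEARERS = "release EPS bearers of services needing authentication"
    CONTINUE = "continue current service"


def service_needs_auth(service: Service) -> bool:
    """Current service type or QoS decides whether the service must be authenticated."""
    return service.service_type not in NO_AUTH_SERVICE_TYPES and not service.qos_marks_no_auth


def decide_after_aka_failure(info: LocalInfo, policy: NetworkPolicy) -> Tuple[Action, List[int]]:
    """Return the action and the EPS bearer ids to release (empty when continuing)."""
    all_bearers = [s.eps_bearer_id for s in info.services]
    # Policy forbids unauthenticated service: release the connection outright.
    if not policy.allows_unauthenticated:
        return Action.RELEASE_NAS_CONNECTION, all_bearers
    # UE cannot run EPS AKA (capability or SIM type) or has no card: nothing is gained by
    # insisting on authentication, so the service continues under the permissive policy.
    if not (info.ue_can_do_aka and info.sim_can_do_aka) or not info.card_inserted:
        return Action.CONTINUE, []
    needing_auth = [s for s in info.services if service_needs_auth(s)]
    if not needing_auth:
        return Action.CONTINUE, []
    if len(needing_auth) == len(info.services):
        # Every service on the connection needs authentication: drop the whole connection.
        return Action.RELEASE_NAS_CONNECTION, all_bearers
    # Mixed case: release only the bearers of services needing authentication and keep the
    # others (for example the EMC bearer) on the still-open NAS signalling connection.
    return Action.RELEASE_BEARERS, [s.eps_bearer_id for s in needing_auth]


if __name__ == "__main__":
    permissive = NetworkPolicy(allows_unauthenticated=True)
    mixed = LocalInfo(services=[Service(ServiceType.NORMAL, 5),
                                Service(ServiceType.EMERGENCY_CALL, 6)])
    print(decide_after_aka_failure(mixed, permissive))  # (Action.RELEASE_BEARERS, [5])
```

The policy check comes first because it is the only condition that can force a release regardless of the local information; the capability and card checks come before the per-service check because they apply to the UE as a whole, not to an individual service.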
In this embodiment, when authentication fails and the service requested by the UE does not need to be authenticated, or the UE lacks the capability to perform the EPS AKA procedure, or the UE has no card inserted, the current service can still continue as long as network policy supports the current service proceeding unauthenticated. This avoids interrupting the current service and saves system resources.
Fig. 8 is a schematic structural diagram of the authentication apparatus of embodiment eight of the present invention. As shown in Fig. 8, the embodiment comprises a detection module 11 and a processing module 12. The detection module 11 detects local information when the Non-Access Stratum (NAS) COUNT value approaches its maximum; the processing module 12 determines, according to the detection result, whether to trigger the Authentication and Key Agreement procedure with the UE.
The authentication apparatus provided by this embodiment can operate according to the method provided in embodiment one above.
Fig. 9 is a schematic structural diagram of the authentication apparatus of embodiment nine of the present invention. As shown in Fig. 9, this embodiment builds on embodiment eight: the local information is the security context, and the processing module 12 comprises a first activation unit 21 and a first trigger unit 22. The first activation unit 21 activates a non-current security context when the detection module 11 determines that the security context includes a non-current security context; the first trigger unit 22 triggers the Authentication and Key Agreement procedure when the detection module 11 determines that the security context does not include a non-current security context.
The processing module 12 of this embodiment may further comprise a transceiver unit 23, which sends a NAS SMC to the UE, receives the NAS Security Mode Complete message, and sends the first activation unit 21 in the processing module 12 the trigger information for its action. The first activation unit 21 activates the non-current security context according to the trigger information. When the transceiver unit 23 does not receive the NAS Security Mode Complete message returned by the UE, the first trigger unit 22 triggers the Authentication and Key Agreement procedure.
The authentication apparatus provided by this embodiment can operate according to the method provided in embodiment two above.
Fig. 10 is a schematic structural diagram of the authentication apparatus of embodiment ten of the present invention. As shown in Fig. 10, this embodiment builds on embodiment eight: the local information is the timer state, and the processing module 12 comprises a second activation unit 31 and a second trigger unit 32. The second activation unit 31 activates a non-current security context when the detection module 11 detects that the timer is running; the second trigger unit 32 triggers the Authentication and Key Agreement procedure when the detection module 11 detects that the timer has stopped.
Further, the processing module 12 of this embodiment may also comprise a transceiver unit 33, which sends a NAS SMC to the UE, receives the NAS Security Mode Complete message, and sends the second activation unit 31 in the processing module 12 the trigger information for its action. The second activation unit 31 activates the non-current security context according to the trigger information. When the transceiver unit 33 does not receive the NAS Security Mode Complete message returned by the UE, the second trigger unit 32 triggers the Authentication and Key Agreement procedure.
The authentication apparatus provided by this embodiment can operate according to the method provided in embodiment three above.
Fig. 11 is a schematic structural diagram of the authentication apparatus of embodiment eleven of the present invention. As shown in Fig. 11, this embodiment builds on embodiment eight: the local information is the stater state, and the processing module 12 comprises a third activation unit 41 and a third trigger unit 42. The third activation unit 41 activates a non-current security context when the detection module 11 detects that the stater is running; the third trigger unit 42 triggers the Authentication and Key Agreement procedure when the detection module 11 detects that the stater has stopped.
Further, the processing module 12 of this embodiment may also comprise a transceiver unit 43, which sends a NAS SMC to the UE, receives the NAS Security Mode Complete message, and sends the third activation unit 41 in the processing module 12 the trigger information for its action. The third activation unit 41 activates the non-current security context according to the trigger information. When the transceiver unit 43 does not receive the NAS Security Mode Complete message returned by the UE, the third trigger unit 42 triggers the Authentication and Key Agreement procedure.
The authentication apparatus provided by this embodiment can operate according to the method provided in embodiment four above.
Fig. 12 is a schematic structural diagram of the authentication apparatus of embodiment twelve of the present invention. As shown in Fig. 12, this embodiment builds on embodiment eight: the local information is the current service type, or the quality of service, or the UE's authentication capability, and the processing module 12 comprises a fourth trigger unit 51 and a processing unit 52. The fourth trigger unit 51 triggers the Authentication and Key Agreement procedure if the detection module 11 determines that the service corresponding to the current service type needs to be authenticated, or that the service corresponding to the quality of service needs to be authenticated, or that the UE's authentication capability shows it is able to perform the Authentication and Key Agreement procedure. The processing unit 52, if the detection module 11 determines that the service corresponding to the current service type does not need to be authenticated, or that the service corresponding to the quality of service does not need to be authenticated, or that the UE's authentication capability shows it is unable to perform the Authentication and Key Agreement procedure, continues to use the current security context, or applies no security protection to the current service, or interrupts the connection of the current service.
The authentication apparatus provided by this embodiment can operate according to the method provided in embodiment five above.
In the apparatus embodiments above, the EPS AKA procedure is no longer triggered immediately whenever the NAS COUNT value is detected to be about to wrap around. This reduces the number of EPS AKA triggers, avoids the resource cost of unnecessarily triggered EPS AKA procedures, and saves resources.
Fig. 13 is a schematic structural diagram of the authentication apparatus of embodiment thirteen of the present invention. As shown in Fig. 13, the embodiment comprises an execution module 61 and a processing module 62. The execution module 61 executes the Authentication and Key Agreement procedure; the processing module 62, when the execution module 61 fails to execute the Authentication and Key Agreement procedure, determines according to local information and network policy whether to release the connection or to continue executing the current service.
Further, this embodiment may also comprise a trigger module 63, which triggers the execution module 61 to execute the Authentication and Key Agreement procedure under the trigger condition that the Non-Access Stratum COUNT value approaches its maximum, that operator policy requires it, or that the UE performs an inter-network handover.
The processing module 62 may further comprise a first judging unit 64, a first releasing unit 65, a second judging unit 66, a second releasing unit 67 and an execution unit 68. The first judging unit 64, when the execution module 61 fails to execute the Authentication and Key Agreement procedure, judges whether network policy supports the current service proceeding unauthenticated; the first releasing unit 65 releases the connection of the current service when the first judging unit 64 judges NO; the second judging unit 66, when the first judging unit 64 judges YES, judges from the current service type or quality of service in the local information whether the current service needs to be authenticated, or judges from the UE's authentication capability or the subscriber identity module type in the local information whether the UE is able to perform the Authentication and Key Agreement procedure, or judges whether the UE has a card inserted; the second releasing unit 67 releases the connection of the current service when the second judging unit 66 judges YES; the execution unit 68 continues to execute the current service when the second judging unit 66 judges NO.
The authentication apparatus provided by this embodiment can operate according to the method provided in embodiment seven above.
In this embodiment, when authentication fails and the service requested by the UE does not need to be authenticated, or the UE lacks the capability to perform the EPS AKA procedure, or the UE has no card inserted, the current service can still continue as long as network policy supports the current service proceeding unauthenticated. This avoids interrupting the current service and saves system resources.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be performed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solutions of the embodiments of the present invention and are not intended to limit them. Although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (22)

1. An authentication method, characterised in that it comprises:
in the case that execution of the Authentication and Key Agreement procedure fails, a wireless communication network side device determines whether network policy supports the current service proceeding unauthenticated;
if the network policy supports the current service proceeding unauthenticated, and the current service is a service that does not need to be authenticated, continuing to execute the current service; or
if the network policy supports the current service proceeding unauthenticated, and the user equipment lacks the capability to perform the Authentication and Key Agreement procedure, continuing to execute the current service; or
if the network policy supports the current service proceeding unauthenticated, and the user equipment has no card inserted, continuing to execute the current service.
2. The method according to claim 1, characterised in that it further comprises:
if the network policy does not support the current service proceeding unauthenticated, releasing the connection of the current service.
3. The method according to claim 1 or 2, characterised in that it further comprises:
if the network policy supports the current service proceeding unauthenticated, and the current service is a service that needs to be authenticated, releasing the connection of the current service; or
if the network policy supports the current service proceeding unauthenticated, and the user equipment has the capability to perform the Authentication and Key Agreement procedure, releasing the connection of the current service; or
if the network policy supports the current service proceeding unauthenticated, and the user equipment has a card inserted, releasing the connection of the current service.
4. The method according to any one of claims 1 to 3, characterised in that it further comprises determining, according to the current service type or the quality of service, whether the current service is a service that needs to be authenticated.
5. The method according to any one of claims 1 to 3, characterised in that it further comprises determining, according to the user equipment's authentication capability or the subscriber identity module type, whether the user equipment has the capability to perform the Authentication and Key Agreement procedure.
6. The method according to any one of claims 2 to 5, characterised in that releasing the connection of the current service comprises:
if the current service is the only service on the Non-Access Stratum signalling connection, releasing the Non-Access Stratum signalling connection; or
if the Non-Access Stratum signalling connection carries more than one service, and it is determined according to the current service type that all of the current services need to be authenticated, releasing the Non-Access Stratum signalling connection.
7. The method according to any one of claims 2 to 5, characterised in that releasing the connection of the current service comprises:
if the Non-Access Stratum signalling connection carries more than one service, and it is determined according to the current service type that the current services include both services that need authentication and services that do not need authentication, releasing the Evolved Packet System bearer of the services that need authentication and keeping the Evolved Packet System bearer of the services that do not need authentication.
8. The method according to any one of claims 1 to 7, characterised in that execution of the Authentication and Key Agreement procedure is triggered by one of the following conditions: the Non-Access Stratum COUNT value reaches a counting threshold, or operator policy, or the user equipment performs an inter-network handover.
9. The method according to any one of claims 1 to 7, characterised in that the current service comprises an emergency call service and/or a public warning service.
10. The method as claimed in claim 9, characterised in that
the emergency call service is an emergency call service that does not need to be authenticated or an emergency call service that needs to be authenticated;
the public warning service is a public warning service that does not need to be authenticated or a public warning service that needs to be authenticated.
11. The method as claimed in any one of claims 1 to 10, characterised in that the wireless communication network side device comprises a mobility management entity.
12. An authentication apparatus, characterised in that it comprises:
an execution module, for executing the Authentication and Key Agreement procedure;
a processing module, located in a wireless communication network side device, comprising:
a first judging unit, for determining, in the case that the Authentication and Key Agreement procedure executed towards the user equipment fails, whether network policy supports the current service proceeding unauthenticated;
a second judging unit, for determining, in the case that the network policy supports the current service proceeding unauthenticated, whether the current service is a service that needs to be authenticated, or whether the user equipment has the capability to perform the Authentication and Key Agreement procedure, or whether the user equipment has a card inserted;
an execution unit, for continuing to execute the current service in the case that the second judging unit judges that the current service is a service that does not need to be authenticated, or that the user equipment lacks the capability to perform the Authentication and Key Agreement procedure, or that the user equipment has no card inserted.
13. The apparatus according to claim 12, characterised in that the processing module further comprises:
a first releasing unit, for releasing the connection of the current service in the case that the first judging unit judges that the network policy does not support the current service proceeding unauthenticated.
14. The apparatus according to claim 12 or 13, characterised in that the processing module further comprises:
a second releasing unit, for releasing the connection of the current service in the case that the second judging unit judges that the current service is a service that needs to be authenticated, or that the user equipment has the capability to perform the Authentication and Key Agreement procedure, or that the user equipment has a card inserted.
15. The apparatus according to any one of claims 12 to 14, characterised in that the second judging unit is for determining, in the case that the network policy supports the current service proceeding unauthenticated, according to the current service type or the quality of service whether the current service is a service that needs to be authenticated, or whether the user equipment has the capability to perform the Authentication and Key Agreement procedure, or whether the user equipment has a card inserted.
16. The apparatus according to any one of claims 12 to 14, characterised in that the second judging unit is for determining, in the case that the network policy supports the current service proceeding unauthenticated, whether the current service is a service that needs to be authenticated, or, according to the user equipment's authentication capability or the subscriber identity module type, whether the user equipment has the capability to perform the Authentication and Key Agreement procedure, or whether the user equipment has a card inserted.
17. The apparatus according to any one of claims 13 to 16, characterised in that the first releasing unit or the second releasing unit is for:
if the current service is the only service on the Non-Access Stratum signalling connection, releasing the Non-Access Stratum signalling connection; or
if the Non-Access Stratum signalling connection carries more than one service, and it is determined according to the current service type that all of the current services need to be authenticated, releasing the Non-Access Stratum signalling connection.
18. The apparatus according to any one of claims 13 to 16, characterised in that the first releasing unit or the second releasing unit is for:
if the Non-Access Stratum signalling connection carries more than one service, and it is determined according to the current service type that the current services include both services that need authentication and services that do not need authentication, releasing the Evolved Packet System bearer of the services that need authentication and keeping the Evolved Packet System bearer of the services that do not need authentication.
19. The apparatus according to any one of claims 12 to 18, characterised in that it further comprises:
a trigger module, for triggering the execution module to execute the Authentication and Key Agreement procedure under the trigger condition that the Non-Access Stratum COUNT value reaches the counting threshold, or operator policy, or the user equipment performs an inter-network handover.
20. The apparatus according to any one of claims 12 to 18, characterised in that the current service comprises an emergency call service and/or a public warning service.
21. The apparatus as claimed in claim 20, characterised in that
the emergency call service is an emergency call service that does not need to be authenticated or an emergency call service that needs to be authenticated;
the public warning service is a public warning service that does not need to be authenticated or a public warning service that needs to be authenticated.
22. The apparatus as claimed in any one of claims 12 to 21, characterised in that the wireless communication network side device comprises a mobility management entity.
Application CN201310423021.XA | Priority date 2009-09-21 | Filing date 2009-09-21 | Title: Authentication method and device | Status: Active | Granted publication: CN103458410B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201310423021.XA | 2009-09-21 | 2009-09-21 | Authentication method and device

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN2009100938285A (CN102025685B, en) | 2009-09-21 | 2009-09-21 | Authentication processing method and device
CN201310423021.XA (CN103458410B, en) | 2009-09-21 | 2009-09-21 | Authentication method and device

Related Parent Applications (1)

Application Number | Relation | Priority Date | Filing Date | Title
CN2009100938285A (CN102025685B, en) | Division | 2009-09-21 | 2009-09-21 | Authentication processing method and device

Publications (2)

Publication Number | Publication Date
CN103458410A | 2013-12-18
CN103458410B | 2017-07-14

Family

ID=49740281

Family Applications (1)

Application Number | Status | Priority Date | Filing Date | Title
CN201310423021.XA (CN103458410B, en) | Active | 2009-09-21 | 2009-09-21 | Authentication method and device

Country Status (1)

Country | Link
CN (1) | CN103458410B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104066087A (en) * 2014-07-08 2014-09-24 天津理工大学 Method for dynamically selecting length of authentication vector set

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101237334A (en) * 2007-01-31 2008-08-06 华为技术有限公司 Microwave access global intercommunication system and method and device for providing emergent service
US20090103728A1 (en) * 2007-10-09 2009-04-23 Sarvar Patel Secure wireless communication

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
3GPP: "3GPP System Architecture Evolution(SAE);Security Architecture", 《3GPP TS 33.401 V9.0.0》 *
3GPP: "AKA when NAS COUNT about to wrap around", 《3GPP TSG-SA WG3 MEETING #54,S3-090100》 *

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant