CN110881020B - Authentication method for user subscription data and data management network element - Google Patents


Info

Publication number: CN110881020B
Authority: CN (China)
Prior art keywords: network element; user; data management; interface; management network
Legal status: Active
Application number: CN201811039073.6A
Other languages: Chinese (zh)
Other versions: CN110881020A (en)
Inventor: 吴鹏程
Current Assignee: Datang Mobile Communications Equipment Co Ltd
Original Assignee: Datang Mobile Communications Equipment Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/60 Network streaming of media packets
    • H04L 65/65 Network streaming protocols, e.g. real-time transport protocol [RTP] or real-time control protocol [RTCP]

Abstract

The invention provides an authentication method for user subscription data and a data management network element, which are used to solve the problem that, in the prior art, multiple sets of user subscription data are maintained simultaneously in multiple networks (for example a 4G network and a 5G network), so that differences between the sets can prevent smooth access when switching between networks. The method comprises the following steps: the data management network element receives an authentication information request message through a transmission interface, the data management network element being connected to a first core network element adopting a first communication system and to a second core network element adopting a second communication system; the data management network element parses the authentication information request message according to the message protocol type adopted by the transmission interface to obtain the identification information of the user; the data management network element acquires the subscription data of the user according to the identification information of the user; and the data management network element generates an authentication vector of the user according to the subscription data of the user and sends the authentication vector through the transmission interface.

Description

Authentication method for user subscription data and data management network element
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an authentication method for user subscription data and a data management network element.
Background
Currently, subscription data of the same user is stored in both the 4th Generation mobile communication (4G) system and the 5th Generation mobile communication (5G) system. In the 4G system, the subscription data is stored in a Home Subscriber Server (HSS), whereas in the 5G system it is stored in a User Data Manager (UDM).
Therefore, an operator needs to maintain two sets of subscription data of the users, but for hundreds of millions of users, in the operation and maintenance process, errors easily occur when two sets of subscription data are maintained for each user.
Disclosure of Invention
The invention provides an authentication method of user subscription data and a data management network element, which are used for solving the problem of errors caused by maintaining two sets of user subscription data in the prior art.
In a first aspect, an embodiment of the present invention provides an authentication method for user subscription data, including:
the data management network element receives an authentication information request message through a transmission interface, wherein the authentication information request message comprises identification information of a user;
the data management network element is connected with a first core network element adopting a first communication system, and the data management network element is connected with a second core network element adopting a second communication system; the transmission interface is an interface for the data management network element to communicate with the first core network element adopting the first communication system, or the transmission interface is an interface for the data management network element to communicate with the second core network element adopting the second communication system;
the data management network element analyzes the authentication information request message according to the message protocol type adopted by the transmission interface to obtain the identification information of the user;
the data management network element acquires the subscription data of the user according to the identification information of the user;
and the data management network element generates an authentication vector of the user according to the subscription data of the user and sends the authentication vector of the user through the transmission interface.
Specifically, when the data management network element generates the authentication vector of the user according to the subscription data of the user, the authentication algorithm corresponding to the transmission interface is adopted, and the authentication vector of the user is generated according to the subscription data of the user.
In an optional implementation manner, the transmission interface is a Stream Control Transmission Protocol (SCTP) interface, and the parsing, by the data management network element, of the authentication information request message according to the message protocol type adopted by the transmission interface to obtain the identification information of the user includes:
the data management network element parses the authentication information request message according to the Diameter protocol signaling format adopted by the SCTP interface to obtain the identification information of the user.
In an optional implementation manner, the transmission interface is a service interface, and the analyzing, by the data management network element, the authentication information request message according to a message protocol type adopted by the transmission interface to obtain the identification information of the user includes:
the data management network element parses the authentication information request message according to the Hypertext Transfer Protocol (HTTP) signaling format adopted by the service interface to obtain the identification information of the user.
In an optional implementation manner, the generating, by the data management network element, an authentication vector of the user according to the subscription data of the user includes:
the data management network element selects an authentication algorithm according to the subscription data of the user and generates an authentication vector of the user by adopting the selected authentication algorithm.
In a second aspect, an embodiment of the present invention provides a data management network element, where the data management network element is connected to a first core network element adopting a first communication scheme, and the data management network element is connected to a second core network element adopting a second communication scheme, and the data management network element includes:
a receiving and transmitting unit, configured to receive an authentication information request message through a transmission interface, where the authentication information request message includes identification information of a user;
the transmission interface is an interface for the data management network element to communicate with a first core network element adopting a first communication mode, or the transmission interface is an interface for the data management network element to communicate with a second core network element adopting a second communication mode;
a processing unit, configured to parse the authentication information request message according to the message protocol type adopted by the transmission interface to obtain the identification information of the user; to acquire the subscription data of the user according to the identification information of the user; and to generate an authentication vector of the user according to the subscription data of the user;
the receiving and transmitting unit is further configured to send the authentication vector of the user through the transmission interface.
In an optional implementation manner, the transmission interface is a Stream Control Transmission Protocol (SCTP) interface, and when the processing unit obtains the identification information of the user by parsing the authentication information request message according to the message protocol type adopted by the transmission interface, the processing unit is specifically configured to:
parse the authentication information request message according to the Diameter protocol signaling format adopted by the SCTP interface to obtain the identification information of the user.
In an optional implementation manner, the transmission interface is a service interface, and when the processing unit obtains the identification information of the user by parsing the authentication information request message according to the message protocol type adopted by the transmission interface, the processing unit is specifically configured to:
parse the authentication information request message according to the Hypertext Transfer Protocol (HTTP) signaling format adopted by the service interface to obtain the identification information of the user.
In an optional implementation manner, when generating the authentication vector of the user according to the subscription data of the user, the processing unit is specifically configured to:
and selecting an authentication algorithm according to the subscription data of the user, and generating an authentication vector of the user by adopting the selected authentication algorithm.
In a third aspect, an embodiment of the present invention provides a data management network element, including:
a communication interface, a memory, and a processor;
the data management network element is respectively connected with a first core network element of a first communication system and a second core network element of a second communication system through the communication interface;
a memory for storing program instructions;
and the processor is used for calling the program instructions stored in the memory and executing the method of any implementation mode in the first aspect according to the obtained program.
In a fourth aspect, the embodiments of the present invention provide a computer-readable storage medium, which stores computer instructions, and when the computer instructions are executed on a computer, the computer is caused to execute the method according to any implementation manner of the first aspect.
In the embodiment of the invention, the data management network element is connected, through different transmission interfaces, to the core network equipment that performs authentication in 4G and to the core network equipment that performs authentication in 5G. Because the message types carried by the different transmission interfaces differ, the protocol signaling type used to parse a message is determined by the transmission interface on which the message is received, and the authentication vector is generated and returned through that same transmission interface. As a result, two sets of user subscription data no longer need to be maintained.
Drawings
Fig. 1 is a schematic structural diagram of an LTE system according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an NR system according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a fusion structure of a 4G system and a 5G system according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of an authentication method for user subscription data according to an embodiment of the present invention;
fig. 5 is a schematic diagram of an interface between an MME and a UDM according to an embodiment of the present invention;
fig. 6 is a schematic diagram illustrating an authentication procedure between an MME and a UDM according to an embodiment of the present invention;
fig. 7 is a schematic diagram illustrating the UDM calculating an authentication vector for AUSF according to an embodiment of the present invention;
fig. 8 is a schematic flowchart of another authentication method for user subscription data according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of a data management network element according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of another data management network element according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention can be used in a 3G system or a 4G system and a 5G system in a fusion scene. The 4G system may be a Long Term Evolution (LTE) system, and the 5G system may be a New Radio (NR) system.
Fig. 1 is a schematic diagram of a partial structure of an LTE system; the location of the HSS in the LTE system is shown in fig. 1. An Evolved UMTS Terrestrial Radio Access Network (E-UTRAN) or Global System for Mobile Communications (GSM) Enhanced Data rates for GSM Evolution (EDGE) Radio Access Network (GERAN) node (eNB) is responsible for managing UEs, including resource allocation, scheduling, managing access policies, and the like. A Mobility Management Entity (MME) implements user authentication, roaming management, mobility management, and the like. A Serving Gateway (SGW) is mainly responsible for the transmission of data traffic during handover. A Packet Data Network Gateway (P-GW) is mainly responsible for allocating the IP address of a User Equipment (UE) and provides IP routing and forwarding functions. The HSS is a database server in the 4G core network that stores the subscription data of all subscribers belonging to the core network. When a user equipment connects to the MME, the data submitted by the user is compared with the data held in the HSS for authentication.
Referring to fig. 2, which is a schematic diagram of a partial structure of the NR system, the position of the UDM in the NR system is shown. The UDM stores the subscription data of the user. The NR system includes control plane network elements, namely an Access and Mobility Management Function (AMF) and a Session Management Function (SMF), where the AMF is responsible for mobility and access management of the terminal and the SMF is responsible for session management and may be deployed in plural. The AMF and the SMF are the two main control plane network elements; together with the UDM, an Authentication Server Function (AUSF) and a Policy Control Function (PCF), they perform user data management, authentication, policy control, and the like. In addition, two network elements, a Network Exposure Function (NEF) and a Network Repository Function (NF Repository Function, NRF), help other network elements discover network services. The User Plane Function (UPF) replaces the SGW and PGW that perform routing and forwarding in the original 4G system, and performs routing and forwarding of user data. A Network Slice Selection Function (NSSF) performs the selection of a network slice. The (Radio) Access Network ((R)AN) device may be a base station.
As can be seen from the above, the HSS in the existing 4G and the UDM in the 5G are deployed separately. Therefore, an operator needs to maintain two sets of subscription data of the users, but for hundreds of millions of users, in the operation and maintenance process, errors easily occur when two sets of subscription data are maintained for each user. In order to maintain uniqueness of user data, the embodiment of the invention realizes that the 4G-HSS and the 5G-UDM function are combined, so that each user maintains one user subscription data.
However, the authentication method and procedure for the user subscription data in the 4G core network are different from those in the 5G core network, so how to authenticate the user subscription data when the 4G-HSS and the 5G-UDM functions are combined is worth studying.
Based on this, the embodiment of the present invention provides an authentication method and apparatus for user subscription data, which are used to authenticate the user subscription data when the 4G-HSS function and the 5G-UDM function are combined. The method and the apparatus are based on the same inventive concept; because they solve the problem on similar principles, the implementations of the apparatus and the method can refer to each other, and repeated parts are not described again.
Referring to fig. 3, a schematic structural diagram of a communication system in which the 4G-HSS and 5G-UDM functions are merged according to the embodiment of the present application is shown. The function resulting from the fusion of the 4G-HSS and the 5G-UDM may be a data management network element, and may be implemented by an HSS, a UDM, or another device that implements user subscription data management. In the present embodiment, the UDM is used as an example for explanation.
The UDM is respectively connected with the MME adopting the 4G system and the AUSF in the 5G system.
Referring to fig. 4, a schematic flow chart of an authentication method for user subscription data provided in the embodiment of the present application is shown.
S401, the UDM receives an authentication information request message through a transmission interface, wherein the authentication information request message comprises identification information of a user.
The UDM is connected with a first core network element adopting a first communication system, and the UDM is connected with a second core network element adopting a second communication system; the transmission interface is an interface for the UDM to communicate with the first core network element adopting the first communication system, or the transmission interface is an interface for the UDM to communicate with the second core network element adopting the second communication system. The first communication system may be a 4G system, the first core network element may be an MME, the second communication system may be a 5G system, and the second core network element may be an AUSF.
S402, the UDM analyzes the authentication information request message according to the message protocol type adopted by the transmission interface to obtain the identification information of the user.
And S403, the UDM acquires the subscription data of the user according to the identification information of the user.
S404, the UDM generates an authentication vector of the user according to the subscription data of the user and sends the authentication vector of the user through the transmission interface.
Alternatively, the interface protocol that can be employed between the UDM and the MME is as shown in fig. 5. The transmission protocol is the Stream Control Transmission Protocol (SCTP), and the signaling format is the Diameter protocol signaling format. Specifically, in the embodiment of the present invention, a transmission interface adopting the interface protocol shown in fig. 5 is added to the UDM. The interface employed between the UDM and the MME may be referred to as the SCTP interface. Based on this, the UDM obtains the identification information of the user by parsing the authentication information request message according to the message protocol type adopted by the transmission interface, which may be implemented as follows: the UDM parses the authentication information request message according to the Diameter protocol signaling format adopted by the SCTP interface to obtain the identification information of the user.
The authentication procedure between MME and UDM can be seen in fig. 6.
S601, the MME sends an Authentication Information Request (AIR) message to the UDM; the AIR message is used to obtain an authentication vector from the UDM and may include the identification information of the user. The identification information of the user is an ID that identifies the user and may be a unique network identifier of the user, such as an Electronic Serial Number (ESN) or an International Mobile Subscriber Identity (IMSI).
The AIR message may be in the Diameter protocol signaling format, and the UDM receives it over the SCTP interface.
The AIR message may include information as shown in table 1.
TABLE 1 (reproduced in the original as an image; contents not available here)
The information shown in table 2 may be included in the AIA message.
TABLE 2 (reproduced in the original as an image; contents not available here)
S602, the UDM checks, according to the identification information of the user, whether the subscription data of the user is stored, calculates an authentication vector according to the subscription data of the user, and returns an Authentication-Information-Answer (AIA) message, which contains the authentication vector, to the MME. The AIA message is in the Diameter protocol signaling format and is sent by the UDM to the MME over the SCTP interface.
Optionally, when the UDM calculates the authentication vector, it may derive the ciphering key CK and the integrity key IK from the root key K corresponding to the identification information of the user. The access network name, CK and IK may then be used as parameters of the function KDF to calculate the encryption key CK' or the integrity key IK' according to the EAP-AKA' algorithm, which are sent to the MME.
Optionally, a service interface may be used between the UDM and the AUSF; the transmission protocol may be the Transmission Control Protocol (TCP), and the signaling format may be the Hypertext Transfer Protocol (HTTP) signaling format. In this case, the UDM obtains the identification information of the user by parsing the authentication information request message according to the message protocol type adopted by the transmission interface, which may be implemented as follows: the UDM parses the authentication information request message according to the HTTP signaling format adopted by the service interface to obtain the identification information of the user.
The AIR message sent by the AUSF to the UDM adopts the HTTP signaling format, and the UDM receives it through its existing service interface, that is, a TCP interface. The AIA message sent by the UDM to the AUSF likewise adopts the HTTP signaling format and is sent to the AUSF through the same service interface (TCP). When the UDM receives an AIR message from the AUSF and calculates the authentication vector, it derives the ciphering key CK and the integrity key IK from the root key K corresponding to the identification information of the user. If, according to the subscription data of the user, the enhanced AKA (5G-AKA) algorithm is selected, the UDM uses the access network name, the sequence number (SQN) XOR anonymity key (AK), CK and IK as parameters of the function KDF to calculate Kausf, which is sent to the AUSF; XOR denotes the exclusive-or operation. If the EAP-AKA' algorithm is selected according to the subscription data of the user, the encryption key CK' or the integrity key IK' is calculated by using the access network name, CK and IK as parameters of the function KDF, and is sent to the AUSF, as shown in fig. 7. The detailed process by which the UDM calculates the authentication vector sent to the AUSF using the 5G-AKA or EAP-AKA' algorithm can be found in 3rd Generation Partnership Project (3GPP) TS 33.501 V15.1.0 and is not described here.
The following describes the scheme provided in the embodiment of the present application in detail by taking an example that the UDM communicates with the MME through an SCTP interface and communicates with the AUSF through a service interface, as shown in fig. 8.
The UDM performs different operations on the subscription data of the same user according to the interface on which the request arrives.
S801, the UDM receives the authentication information request message through the SCTP interface. If the UDM receives the authentication information request through the SCTP interface, it determines that the request was sent by the MME. The authentication information request message includes the identification information of the user. S802 is performed.
S802, the UDM parses the message according to the Diameter protocol adopted by the SCTP interface, obtaining the identification information of the user from the authentication information request message. S803 is performed.
S803, the UDM acquires the entry parameters of the KDF function based on the authentication algorithm corresponding to the SCTP interface. S804 is performed.
Specifically, the UDM obtains the user subscription data corresponding to the identification information of the user, and obtains the entry parameters of the KDF function based on the subscription data of the user and the authentication algorithm corresponding to the SCTP interface.
The UDM sets the entry parameters of the KDF function as the service network identification (SN id) and SQN XOR AK.
S804, the UDM obtains the authentication vector using the KDF function. S805 is performed.
S805, the UDM determines the transmission interface from which the authentication information request message came; if it is the SCTP interface, S806 is executed, and if it is the service interface, S807 is executed.
Specifically, the UDM includes the authentication vector in messages of different formats, depending on the source of the request.
S806, the UDM encapsulates the authentication vector in an authentication information response message in the Diameter protocol signaling format and sends it through the SCTP interface.
S807, the UDM encapsulates the authentication vector in an authentication information response message in the HTTP signaling format and sends it through the service interface. The HTTP signaling format here is JSON.
S808, the UDM receives the authentication information request message through the service interface, that is, it determines that the message comes from the AUSF. The transmission protocol adopted by the service interface is TCP; the service interface message type is HTTP, and the HTTP message is encoded in JSON format.
S809, the UDM parses the message according to the HTTP protocol adopted by the service interface, obtaining the identification information of the user from the authentication information request message.
S810, the UDM selects an authentication algorithm for the user from the authentication algorithms corresponding to the service interface; if the selected algorithm is 5G-AKA, S811 is performed, and if the selected algorithm is EAP-AKA', S812 is performed.
S811, the UDM acquires the entry parameters of the KDF function based on the selected 5G-AKA algorithm. S804 is performed.
The UDM sets the entry parameters of the KDF function as the service network identification (SN id) and SQN XOR AK.
S812, the UDM acquires the entry parameters of the KDF function based on the selected EAP-AKA' algorithm. S804 is performed.
The UDM sets the entry parameter of the KDF function as the service network identification (SN id).
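The Fig. 8 flow (S801 to S812), together with the Diameter-over-SCTP and HTTP-over-TCP parsing described for figs. 5 and 6 above, as an added Python model that is not the patent's code: the receiving interface selects the parser and the answer format, the subscription data selects the algorithm, and the KDF entry parameters are those the text lists. The JSON key `supi`, the placeholder AVP code 9999, the f3/f4 stand-in, the sample IMSIs and keys, and the serving-network-name string are assumptions; the FC values 0x6A and 0x20 come from 3GPP TS 33.501 and TS 33.402, not from this page.

```python
"""Model of the dual-interface UDM flow of Fig. 8 (S801-S812): the receiving interface fixes
the parser and the answer format; the subscription data fixes the algorithm. Added example."""
import hashlib
import hmac
import json
import struct

# Constructed subscription store (S803/S810): IMSI -> root key K and the algorithm recorded
# for the user. IMSIs and keys are made up for this example.
SUBSCRIPTIONS = {
    "460001234567890": {"k": bytes.fromhex("00112233445566778899aabbccddeeff"), "alg": "5G-AKA"},
    "460009876543210": {"k": bytes.fromhex("ffeeddccbbaa99887766554433221100"), "alg": "EAP-AKA'"},
}
USER_NAME_AVP = 1      # Diameter User-Name AVP code (RFC 6733); carries the IMSI in the AIR
AIA_VECTOR_AVP = 9999  # placeholder AVP code for the answer; not a registered Diameter code

def encode_avp(code, data):
    """Minimal Diameter AVP: code(4) | flags(1) | length(3) | data, padded to 4 bytes."""
    header = struct.pack(">IB", code, 0x40) + (8 + len(data)).to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)

def decode_avps(raw):
    """Walk a sequence of AVPs and yield (code, data); reject lengths that overrun the buffer."""
    pos = 0
    while pos + 8 <= len(raw):
        code = struct.unpack(">I", raw[pos:pos + 4])[0]
        length = int.from_bytes(raw[pos + 5:pos + 8], "big")
        if length < 8 or pos + length > len(raw):
            raise ValueError("malformed AVP")
        yield code, raw[pos + 8:pos + length]
        pos += length + (-length % 4)

def parse_request(interface, raw):
    """S802/S809: the parser is chosen by the interface the message arrived on, not by
    sniffing the payload. Returns the user's identification information (IMSI)."""
    if interface == "SCTP":        # Diameter AIR over the SCTP interface (MME side)
        for code, data in decode_avps(raw):
            if code == USER_NAME_AVP:
                return data.decode("ascii")
        raise ValueError("AIR without User-Name AVP")
    if interface == "SERVICE":     # HTTP AIR with a JSON body over TCP (AUSF side)
        return str(json.loads(raw.decode("utf-8"))["supi"])  # "supi" key is an assumption
    raise ValueError(f"unknown transmission interface {interface!r}")

def kdf(key, fc, *params):
    """3GPP generic KDF (TS 33.220 Annex B): HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()

def ck_ik(k, rand):
    """Stand-in for the operator's f3/f4 functions: CK and IK from K and RAND. Constructed."""
    out = hmac.new(k, b"f3f4" + rand, hashlib.sha256).digest()
    return out[:16], out[16:]

def authentication_vector(interface, sub, sn_id, rand, sqn_xor_ak):
    """S803/S804 and S810-S812: pick the algorithm, assemble the KDF entries, derive the key."""
    ck, ik = ck_ik(sub["k"], rand)
    if interface == "SCTP":
        # S803: algorithm fixed by the SCTP interface; entries are SN id and SQN XOR AK.
        # FC 0x00 is a placeholder; the 4G-side derivation itself is not modelled.
        alg, key = "SCTP-IF", kdf(ck + ik, 0x00, sn_id, sqn_xor_ak)
    elif sub["alg"] == "5G-AKA":
        # S811: K_AUSF = KDF(CK||IK, FC 0x6A, SN name, SQN XOR AK), as in TS 33.501 Annex A.2.
        alg, key = "5G-AKA", kdf(ck + ik, 0x6A, sn_id, sqn_xor_ak)
    else:
        # S812: entries as the patent lists them (SN id only). FC 0x20 is the CK'/IK' code of
        # TS 33.402 Annex A.2, whose full input set also includes SQN XOR AK.
        alg, key = "EAP-AKA'", kdf(ck + ik, 0x20, sn_id)
    return {"alg": alg, "rand": rand.hex(), "key": key.hex()}

def encapsulate(interface, vector):
    """S805-S807: the answer is formatted for the interface the request came from."""
    if interface == "SCTP":
        return encode_avp(AIA_VECTOR_AVP, json.dumps(vector).encode())  # Diameter AIA
    return json.dumps({"authVector": vector}).encode()                   # HTTP/JSON AIA

def vector_from_aia(interface, raw):
    """Peer-side decode of the answer (MME or AUSF view), used for checking the result."""
    if interface == "SCTP":
        return next(json.loads(d) for c, d in decode_avps(raw) if c == AIA_VECTOR_AVP)
    return json.loads(raw)["authVector"]

def handle_air(interface, raw, sn_id, rand, sqn_xor_ak):
    """One AIR from either interface, served from the single copy of the subscription data."""
    imsi = parse_request(interface, raw)                                     # S802 / S809
    sub = SUBSCRIPTIONS.get(imsi)                                            # S803 / S810
    if sub is None:
        raise LookupError("unknown subscriber")
    vector = authentication_vector(interface, sub, sn_id, rand, sqn_xor_ak)  # S804
    return encapsulate(interface, vector)                                    # S805-S807
```

The same IMSI yields a different key depending on the interface it was requested over, while the subscription record is read only once from one store.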
Based on the same inventive concept as the method embodiment, an embodiment of the present invention provides a data management network element, where the data management network element is connected to a first core network element using a first communication scheme, and the data management network element is connected to a second core network element using a second communication scheme, and as shown in fig. 9, the data management network element includes:
a transceiving unit 901, configured to receive an authentication information request message through a transmission interface, where the authentication information request message includes identification information of a user;
the transmission interface is an interface for the data management network element to communicate with the first core network element adopting the first communication scheme, or the transmission interface is an interface for the data management network element to communicate with the second core network element adopting the second communication scheme;
a processing unit 902, configured to obtain, according to a message protocol type adopted by the transmission interface, identification information of the user through analysis of the authentication information request message; acquiring the subscription data of the user according to the identification information of the user; generating an authentication vector of the user according to the subscription data of the user;
the transceiving unit 901 is further configured to send the authentication vector of the user through the transmission interface.
Optionally, the transmission interface is a Stream Control Transmission Protocol (SCTP) interface, and when the processing unit 902 obtains the identification information of the user by parsing the authentication information request message according to the message protocol type adopted by the transmission interface, the processing unit is specifically configured to: parse the authentication information request message according to the Diameter protocol signaling format adopted by the SCTP interface to obtain the identification information of the user.
Optionally, the transmission interface is a service interface, and when the processing unit 902 obtains the identification information of the user by parsing the authentication information request message according to the message protocol type adopted by the transmission interface, the processing unit is specifically configured to: parse the authentication information request message according to the Hypertext Transfer Protocol (HTTP) signaling format adopted by the service interface to obtain the identification information of the user.
Optionally, when generating the authentication vector of the user according to the subscription data of the user, the processing unit 902 is specifically configured to:
select an authentication algorithm according to the subscription data of the user, and generate the authentication vector of the user with the selected authentication algorithm.
The division of the unit in the embodiment of the present invention is schematic, and is only a logic function division, and there may be another division manner in actual implementation. In addition, functional units in the embodiments of the present invention may be integrated into one processor, may exist alone physically, or may be integrated into one unit from two or more units. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
An embodiment of the present invention further provides a data management network element, as shown in fig. 10, including:
a communication interface 1001, a memory 1002, and a processor 1003;
the data management network element is connected with a first core network element of a first communication system and a second core network element of a second communication system through the communication interface 1001; the memory 1002 is configured to store program instructions; and the processor 1003 is configured to call the program instructions stored in the memory 1002 and, according to the obtained program, execute the method performed by the UDM in the above embodiment.
The communication interface 1001 includes two transmission interfaces, namely an SCTP interface and a service interface.
In fig. 10, the bus architecture may include any number of interconnected buses and bridges, linking together one or more processors, represented by processor 1003, and various circuits, represented by memory 1002. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art and therefore are not described further herein. The bus interface provides an interface. The processor 1003 is responsible for managing the bus architecture and general processing, and the memory 1002 may store data used by the processor 1003 in performing operations.
The processor 1003 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), or a Complex Programmable Logic Device (CPLD).
Embodiments of the present application also provide a computer storage medium for storing computer program instructions for any apparatus described in the embodiments of the present application, which includes a program for executing any method provided in the embodiments of the present application.
The computer storage media may be any available media or data storage device that can be accessed by a computer, including, but not limited to, magnetic memory (e.g., floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc.), optical memory (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor memory (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND FLASH), Solid State Disks (SSDs)), etc.
In the embodiment of the invention, the data management network element is connected through different transmission interfaces to the core network equipment that performs authentication in 4G and to the core network equipment that performs authentication in 5G, and the message types carried by the different transmission interfaces differ. The protocol signaling type used to parse a message is therefore determined by the transmission interface on which the message was received, and the authentication vector is generated and sent back through the same transmission interface, so that two separate sets of user subscription data do not need to be maintained.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (6)

1. An authentication method for user subscription data, comprising:
the data management network element receives an authentication information request message through a transmission interface, wherein the authentication information request message comprises identification information of a user;
the data management network element is connected with a first core network element adopting a first communication system, and the data management network element is connected with a second core network element adopting a second communication system; the transmission interface is an interface for the data management network element to communicate with a first core network element adopting a first communication mode, or the transmission interface is an interface for the data management network element to communicate with a second core network element adopting a second communication mode;
if the transmission interface is a Stream Control Transmission Protocol (SCTP) interface, the data management network element parses the authentication information request message according to a Diameter protocol signaling format adopted by the SCTP interface to obtain the identification information of the user;
if the transmission interface is a service interface, the data management network element parses the authentication information request message according to a hypertext transfer protocol (HTTP) signaling format adopted by the service interface to obtain the identification information of the user;
the data management network element acquires the subscription data of the user according to the identification information of the user;
the data management network element generates an authentication vector of the user according to the subscription data of the user and sends the authentication vector of the user through the transmission interface.
2. The method of claim 1, wherein the generating, by the data management network element, the authentication vector of the user according to the subscription data of the user comprises:
the data management network element selects an authentication algorithm according to the subscription data of the user and generates the authentication vector of the user with the selected authentication algorithm.
3. A data management network element is characterized in that the data management network element is connected with a first core network element adopting a first communication mode, and the data management network element is connected with a second core network element adopting a second communication mode, and the data management network element comprises:
a receiving and transmitting unit, configured to receive an authentication information request message through a transmission interface, where the authentication information request message includes identification information of a user;
the transmission interface is an interface for the data management network element to communicate with a first core network element adopting a first communication mode, or the transmission interface is an interface for the data management network element to communicate with a second core network element adopting a second communication mode;
a processing unit, configured to parse the authentication information request message according to the message protocol type adopted by the transmission interface to obtain the identification information of the user, wherein if the transmission interface is a Stream Control Transmission Protocol (SCTP) interface, the identification information of the user is obtained by parsing the authentication information request message according to a Diameter protocol signaling format adopted by the SCTP interface, and if the transmission interface is a service interface, the identification information of the user is obtained by parsing the authentication information request message according to a hypertext transfer protocol (HTTP) signaling format adopted by the service interface; acquire the subscription data of the user according to the identification information of the user; and generate an authentication vector of the user according to the subscription data of the user;
the receiving and sending unit is further configured to send the authentication vector of the user through the transmission interface.
4. The data management network element of claim 3, wherein the processing unit, when generating the authentication vector of the user according to the subscription data of the user, is specifically configured to:
select an authentication algorithm according to the subscription data of the user, and generate the authentication vector of the user with the selected authentication algorithm.
5. A data management network element, comprising:
a communication interface, a memory, and a processor;
the data management network element is respectively connected with a first core network element of a first communication system and a second core network element of a second communication system through the communication interface;
a memory for storing program instructions;
a processor for calling the program instructions stored in said memory to execute the method of claim 1 or 2 according to the obtained program.
6. A computer-readable storage medium having stored thereon computer instructions which, when executed on a computer, cause the computer to perform the method of claim 1 or 2.
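The dual-interface flow of claims 1 and 3 (and of the transceiving unit 901 / processing unit 902 embodiment above), as an added example that is not part of the patent: the transmission interface on which a request arrives selects the parser, one subscription table serves both the Diameter-over-SCTP (4G) side and the HTTP service-interface (5G) side, and the vector is returned on the same interface. The AVP framing follows RFC 6733; the HTTP path shape, the subscriber table, the keys and the HMAC-based vector derivation are constructed stand-ins, not 3GPP algorithms.

```python
import hashlib
import hmac
import secrets

# Constructed subscriber table shared by both sides (4G MME via SCTP/Diameter,
# 5G AUSF via the HTTP service interface): a single copy of subscription data.
SUBSCRIPTIONS = {
    "460001234567890": {"k": bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc"), "algo": "sha256"},
    "460009876543210": {"k": bytes.fromhex("0123456789abcdef0123456789abcdef"), "algo": "sha1"},
}
USER_NAME_AVP = 1  # Diameter User-Name AVP code (RFC 6733); carries the IMSI in an S6a AIR

def parse_diameter_avps(body: bytes) -> dict:
    """Walk RFC 6733 AVPs: code(4) flags(1) length(3, header included) data, padded to 4."""
    avps, pos = {}, 0
    while pos + 8 <= len(body):
        code = int.from_bytes(body[pos:pos + 4], "big")
        flags = body[pos + 4]
        length = int.from_bytes(body[pos + 5:pos + 8], "big")
        hdr = 12 if flags & 0x80 else 8  # V bit adds a 4-byte Vendor-Id field
        if length < hdr or pos + length > len(body):
            raise ValueError("malformed AVP")  # reject rather than read past the buffer
        avps[code] = body[pos + hdr:pos + length]
        pos += (length + 3) & ~3
    return avps

def build_avp(code: int, data: bytes) -> bytes:
    """Encode one AVP with the M flag set; used only to construct the sample request."""
    length = 8 + len(data)
    return code.to_bytes(4, "big") + b"\x40" + length.to_bytes(3, "big") + data + b"\x00" * (-length % 4)

def user_from_sctp(msg: bytes) -> str:
    """SCTP interface: the request is Diameter, so the identity is the User-Name AVP."""
    return parse_diameter_avps(msg)[USER_NAME_AVP].decode("ascii")

def user_from_service(msg: bytes) -> str:
    """Service interface: the request is HTTP; the path shape follows the 5G Nudm_UEAuthentication API."""
    method, path, _ = msg.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    parts = path.split("/")
    if method != "POST" or parts[1:3] != ["nudm-ueau", "v1"] or parts[-1] != "generate-auth-data":
        raise ValueError("not an authentication information request")
    return parts[3].removeprefix("imsi-")  # SUPI in the path, e.g. imsi-<IMSI>

PARSERS = {"sctp": user_from_sctp, "service": user_from_service}

def generate_auth_vector(sub: dict, rand: bytes) -> dict:
    """Constructed stand-in for vector generation: the algorithm is chosen from the subscription."""
    mac = hmac.new(sub["k"], rand, getattr(hashlib, sub["algo"])).digest()
    return {"rand": rand.hex(), "xres": mac[:8].hex(), "autn": mac[8:16].hex()}

def handle_auth_request(interface: str, msg: bytes, rand: bytes = None) -> dict:
    """The claimed flow: the interface selects the parser, one lookup, reply on the same interface."""
    if interface not in PARSERS:
        raise ValueError(f"unknown transmission interface {interface!r}")
    imsi = PARSERS[interface](msg)
    sub = SUBSCRIPTIONS.get(imsi)
    if sub is None:
        raise KeyError("unknown subscriber")  # do not echo the identity in the error path
    return {"interface": interface, "imsi": imsi,
            "vector": generate_auth_vector(sub, rand or secrets.token_bytes(16))}

# Constructed sample requests, one per transmission interface.
AIR_SCTP = build_avp(USER_NAME_AVP, b"460001234567890")
AUTH_HTTP = (b"POST /nudm-ueau/v1/imsi-460009876543210/security-information/generate-auth-data HTTP/1.1\r\n"
             b"Host: udm.example\r\n\r\n")

if __name__ == "__main__":
    for iface, req in (("sctp", AIR_SCTP), ("service", AUTH_HTTP)):
        print(handle_auth_request(iface, req))
```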
Application CN201811039073.6A, priority date 2018-09-06, filing date 2018-09-06: Authentication method for user subscription data and data management network element (status: Active).

Publications: CN110881020A, published 2020-03-13; CN110881020B, published 2021-07-23.