WO2017024662A1 - An access authentication method and apparatus - Google Patents
An access authentication method and apparatus
- Publication number
- WO2017024662A1 (PCT application PCT/CN2015/090766)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- cellular network
- network access
- access device
- key
- identifier
- Prior art date
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
  - H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H04W—WIRELESS COMMUNICATION NETWORKS
  - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
  - H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
  - H04W12/0431—Key distribution or pre-distribution; Key agreement
  - H04W12/06—Authentication
  - H04W48/00—Access restriction; Network selection; Access point selection
  - H04W48/16—Discovering, processing access restriction or access information
  - H04W84/00—Network topologies
  - H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
  - H04W84/04—Large scale networks; Deep hierarchical networks
  - H04W84/042—Public Land Mobile systems, e.g. cellular systems
  - H04W84/10—Small scale networks; Flat hierarchical networks
  - H04W84/12—WLAN [Wireless Local Area Networks]
Definitions
- the present invention relates to the field of communications technologies, and in particular to an access authentication method and apparatus.
- mobile operators cooperate with non-3GPP networks to relieve the traffic pressure on the 3GPP network, for example by combining a wireless local area network (WLAN) with the 3GPP network.
- WLAN: Wireless Local Area Network
- in the current solution, WLAN access is still authenticated according to the authentication method specified in the 3GPP protocol.
- the commonly used authentication method is 802.1X with EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement).
- the EAP-AKA authentication mode requires the deployment of a 3GPP authentication, authorization and accounting (AAA) server.
- user equipment (UE) is authenticated after accessing the 3GPP network.
- LTE-WLAN aggregation (LWA)
- when the UE accesses the WLAN, it first needs to authenticate to the AAA server.
- the UE and the access point (AP) of the WLAN obtain the key determined by the AAA server for the AP, and then the UE and the AP perform a four-way handshake based on the obtained key.
- after that, the UE can communicate with the AP.
- the EAP-AKA authentication mode therefore requires the UE, when associating with the AP, to authenticate to the AAA server and negotiate the key, and then to perform four-way handshake authentication with the AP based on the negotiated key. The entire authentication process requires multiple signaling interactions, which makes the procedure cumbersome, increases the signaling overhead and lengthens the authentication time.
- the embodiment of the present invention provides an access authentication method and device, which are used to solve the problem in the prior art that the authentication time is long and the signaling overhead is large.
- an embodiment of the present invention provides an access authentication method, including:
- the cellular network access device determines a key identifier;
- the cellular network access device sends the key identifier to the user equipment (UE) and to the non-cellular network access device, where the key identifier is used to indicate that the UE performs security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- the cellular network access device determining a key identifier includes:
- the cellular network access device determines a logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device, including the non-cellular network access device;
- the cellular network access device performs the following step for each non-cellular network access device managed by the logical function entity: determining a key identifier corresponding to the identifier of that non-cellular network access device;
- the cellular network access device sends the key identifier determined for each non-cellular network access device to the non-cellular network access device corresponding to that identifier, and sends a key identifier list to the UE, where the key identifier list includes the identifier of each non-cellular network access device managed by the logical function entity and the key identifier corresponding to each non-cellular network access device.
- alternatively, the cellular network access device determining a key identifier includes:
- the cellular network access device determines a logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device, including the non-cellular network access device;
- the cellular network access device determines a key identifier for the at least one non-cellular network access device, where the key identifier corresponding to the identifier of each non-cellular network access device in the at least one non-cellular network access device is the same, and the key identifier is used for security authentication between the UE and the non-cellular network access device corresponding to that identifier;
- the cellular network access device sends the determined key identifier to the non-cellular network access device corresponding to the identifier of each non-cellular network access device and to the UE.
- the method further includes:
- the cellular network access device determines a key, and the key is used for security authentication by the UE and the non-cellular network access device;
- in that case, the cellular network access device sending the determined key identifier to the UE and the non-cellular network access device includes:
- the cellular network access device associates the key with the key identifier and sends both to the UE and the non-cellular network access device.
- the method further includes:
- the cellular network access device determines a key based on a predetermined derivation rule; the key is used for security authentication by the UE and the non-cellular network access device, and the predetermined derivation rule is the same as the derivation rule used by the UE to determine the key for the non-cellular network access device with which the UE associates;
- in that case, the cellular network access device sending the determined key identifier to the UE and the non-cellular network access device includes:
- the cellular network access device associates the key with the key identifier, sends the key together with the key identifier to the non-cellular network access device, and sends only the key identifier to the UE.
- the method further includes:
- the cellular network access device sends at least one of the following to the UE and/or the non-cellular network access device: a life cycle, and authentication mode indication information;
- the life cycle is used to indicate an expiration date of the key and the key identifier;
- the authentication mode indication information is used to indicate the authentication type adopted by the UE.
- an embodiment of the present invention further provides an access authentication method, including:
- the user equipment (UE) receives the key identifier sent by the cellular network access device, where the key identifier is used to indicate that the UE performs security authentication with the non-cellular network access device based on the key corresponding to the key identifier;
- the UE determines the key corresponding to the key identifier;
- the UE performs security authentication with the non-cellular network access device according to the received key identifier and the determined key.
- the UE determining the key corresponding to the key identifier includes:
- the UE determines the key corresponding to the key identifier according to a predetermined derivation rule.
- the UE receiving the key identifier sent by the cellular network access device includes:
- the UE receives a key identifier list sent by the cellular network access device, where the key identifier list includes the identifier of each non-cellular network access device that the UE may select and the key identifier corresponding to each such non-cellular network access device;
- the UE performing security authentication with the non-cellular network access device according to the received key identifier and the determined key includes:
- the UE performs security authentication with the target non-cellular network access device according to the key identifier corresponding to the identifier of the target non-cellular network access device in the key identifier list and the determined key, where the target non-cellular network access device is determined by the UE or by the cellular network access device.
- the embodiment of the present invention further provides an access authentication method, including:
- the non-cellular network access device receives the key identifier sent by the cellular network access device, where the key identifier is used to instruct the non-cellular network access device to perform security authentication on the user equipment (UE) associated with it;
- when the non-cellular network access device receives an association request initiated by the UE to associate with the non-cellular network access device, it performs security authentication with the UE based on the key corresponding to the key identifier.
- the embodiment of the present invention further provides an access authentication apparatus, including:
- a determining unit, configured to determine a key identifier;
- a sending unit, configured to send the key identifier determined by the determining unit to the user equipment (UE) and the non-cellular network access device, where the key identifier is used to indicate that the UE performs security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- the determining unit is specifically configured to determine a logical function entity that manages the non-cellular network access device, where the logical function entity manages at least one non-cellular network access device, including the non-cellular network access device; and to perform the following step for each non-cellular network access device managed by the logical function entity: determining a key identifier corresponding to the identifier of that non-cellular network access device;
- the sending unit is specifically configured to send the key identifier corresponding to each non-cellular network access device, as determined by the determining unit, to the non-cellular network access device corresponding to that identifier, and to send a key identifier list to the UE, where the key identifier list includes the identifier of each non-cellular network access device managed by the logical function entity and the key identifier corresponding to each non-cellular network access device.
- alternatively, the determining unit is specifically configured to determine a logical function entity that manages the non-cellular network access device, where the logical function entity manages at least one non-cellular network access device, including the non-cellular network access device, and to determine a key identifier for the at least one non-cellular network access device managed by the logical function entity, where the key identifiers corresponding to the identifiers of the non-cellular network access devices in the at least one non-cellular network access device are the same, and the key identifier is used for security authentication between the UE and the non-cellular network access device corresponding to that identifier;
- the sending unit is specifically configured to send the key identifier determined by the determining unit to the non-cellular network access device corresponding to the identifier of each non-cellular network access device and to the UE.
- the determining unit is further configured to determine a key, where the key is used for security authentication by the UE and the non-cellular network access device;
- the sending unit is specifically configured to associate the key determined by the determining unit with the key identifier, and then send both to the UE and the non-cellular network access device.
- the determining unit is further configured to determine a key based on a predetermined derivation rule, where the key is used for security authentication by the UE and the non-cellular network access device, and the predetermined derivation rule is the same as the derivation rule used by the UE to determine a key for the non-cellular network access device associated with the UE;
- the sending unit is specifically configured to associate the key determined by the determining unit with the key identifier, send the key to the non-cellular network access device, and send the key identifier to the UE.
- the sending unit is further configured to send at least one of the following to the UE and/or the non-cellular network access device: a life cycle, and authentication mode indication information;
- the life cycle is used to indicate an expiration date of the key and the key identifier;
- the authentication mode indication information is used to indicate the authentication type adopted by the UE.
- an embodiment of the present invention further provides an access authentication apparatus, including:
- a receiving unit, a determining unit, and an authentication unit;
- the receiving unit is configured to receive a key identifier sent by the cellular network access device, where the key identifier is used to indicate that the authentication unit performs security authentication with the non-cellular network access device based on the key corresponding to the key identifier;
- the determining unit is configured to determine the key corresponding to the key identifier received by the receiving unit;
- the authentication unit is configured to perform security authentication with the non-cellular network access device according to the key identifier received by the receiving unit and the key determined by the determining unit.
- the determining unit is specifically configured to:
- when the receiving unit receives the key corresponding to the key identifier sent by the cellular network access device, determine that key as the key corresponding to the key identifier;
- the receiving unit is configured to receive a key identifier list sent by the cellular network access device, where the key identifier list includes the identifier of each non-cellular network access device that the UE may select to associate with and the key identifier corresponding to each non-cellular network access device;
- the determining unit is further configured to determine a target non-cellular network access device;
- the authentication unit is specifically configured to perform security authentication with the target non-cellular network access device according to the key identifier corresponding to the identifier of the target non-cellular network access device in the key identifier list and the determined key, where the target non-cellular network access device is determined by the determining unit or by the cellular network access device.
- the embodiment of the present invention further provides an access authentication apparatus, including:
- a receiving unit, configured to receive a key identifier sent by the cellular network access device, where the key identifier is used to instruct the authentication unit to perform security authentication on the user equipment (UE) associated with the non-cellular network access device to which the apparatus belongs;
- an authentication unit, configured to: when the receiving unit receives an association request initiated by the UE to associate with the non-cellular network access device to which the authentication unit belongs, perform security authentication with the UE based on the key corresponding to the key identifier.
- the embodiment of the present invention further provides an access authentication system, including:
- a cellular network access device, a user equipment (UE), and at least one non-cellular network access device;
- the cellular network access device is configured to determine a key identifier, where the key identifier is used to indicate that the UE performs security authentication with one of the at least one non-cellular network access device based on the key corresponding to the key identifier, and to send the key identifier to the UE and to that one non-cellular network access device respectively;
- the UE is configured to receive the key identifier sent by the cellular network access device, and to perform security authentication with the non-cellular network access device based on the key corresponding to the key identifier;
- the one non-cellular network access device is configured to receive the key identifier sent by the cellular network access device, and to perform security authentication with the UE according to the key corresponding to the key identifier.
- the system further includes a logical function entity, configured to manage the at least one non-cellular network access device;
- the cellular network access device is specifically configured to determine the logical function entity that manages the one non-cellular network access device; to perform the following step for each non-cellular network access device managed by the logical function entity: determining a key identifier corresponding to the identifier of that non-cellular network access device; to send the key identifier corresponding to each non-cellular network access device to that non-cellular network access device; and to send a key identifier list to the UE, where the key identifier list includes the identifier of each non-cellular network access device managed by the logical function entity and the key identifier corresponding to each non-cellular network access device;
- the UE is specifically configured to: receive the key identifier list when receiving the key identifier sent by the cellular network access device; and, when performing security authentication with the non-cellular network access device based on the key corresponding to the key identifier, perform security authentication with the target non-cellular network access device according to the key identifier corresponding to the identifier of the target non-cellular network access device in the key identifier list and the determined key, where the target non-cellular network access device is determined by the UE or by the cellular network access device.
- alternatively, the system further includes a logical function entity, configured to manage the at least one non-cellular network access device;
- the cellular network access device is specifically configured to determine the logical function entity that manages the non-cellular network access device, and to determine a key identifier for the at least one non-cellular network access device, where the key identifiers corresponding to the identifiers of the non-cellular network access devices in the at least one non-cellular network access device are the same, and the key identifier is used for security authentication between the UE and the non-cellular network access device corresponding to that identifier; and to send the determined key identifier respectively to the non-cellular network access device corresponding to the identifier of each non-cellular network access device and to the UE;
- the UE is specifically configured to: when performing security authentication with the non-cellular network access device based on the key corresponding to the key identifier, perform security authentication with the target non-cellular network access device according to the key identifier and the determined key, where the target non-cellular network access device is determined by the UE or by the cellular network access device.
- the cellular network access device is further configured to determine a key, where the key is used for security authentication by the UE and the non-cellular network access device; and, when sending the determined key identifier to the UE and the non-cellular network access device, to associate the key with the key identifier and send both to the UE and the non-cellular network access device;
- the UE is specifically configured to receive the key identifier and the key corresponding to the key identifier sent by the non-cellular network access device, and to perform security authentication with the non-cellular network access device according to the received key identifier and key.
- the cellular network access device is further configured to determine a key based on a predetermined derivation rule, where the key is used by the UE to perform security authentication with the non-cellular network access device; and, when sending the determined key identifier to the UE and the non-cellular network access device, to associate the key with the key identifier, send both to the non-cellular network access device, and send the key identifier to the UE;
- the UE, upon receiving the key identifier sent by the one non-cellular network access device, determines a key based on the predetermined derivation rule, and performs security authentication with the non-cellular network access device based on the key identifier and the determined key.
- the cellular network access device is further configured to send at least one of the following to the UE and/or the non-cellular network access device: a life cycle, and authentication mode indication information;
- the life cycle is used to indicate an expiration date of the key and the key identifier;
- the authentication mode indication information is used to indicate the authentication type adopted by the UE.
- the solution provided by the embodiment of the present invention has the cellular network access device determine the key identifier and send it directly to the UE and the non-cellular network access device.
- because both the UE and the non-cellular network access device obtain the key identifier, they can directly perform security authentication by using the key corresponding to the key identifier, so the authentication time is short and the signaling overhead is small.
- an embodiment of the present invention provides an access authentication method, including:
- the cellular network access device determines a key for the non-cellular network access device, where the key is used for security authentication by the user equipment (UE) and the non-cellular network access device, and the manner in which the cellular network access device determines the key is the same as the manner in which the UE determines the key;
- the cellular network access device sends the determined key to the non-cellular network access device.
- the cellular network access device determining a key for the non-cellular network access device includes:
- the cellular network access device derives a key for the non-cellular network access device based on the key it shares with the UE, where the derivation rule used to derive the key is pre-configured and is the same as the derivation rule pre-configured in the UE for deriving the key.
- alternatively, the cellular network access device determining a key for the non-cellular network access device includes:
- the cellular network access device derives a key for the non-cellular network access device based on the key it shares with the UE;
- the method further includes:
- the cellular network access device sends the derivation rule used to derive the key to the UE, and the derivation rule is used by the UE to derive the key for security authentication with the non-cellular network access device.
- the cellular network access device determining the key for the non-cellular network access device includes:
- the cellular network access device determines a logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device, including the non-cellular network access device;
- the cellular network access device performs the following step for each non-cellular network access device managed by the logical function entity: determining a key corresponding to the identifier of that non-cellular network access device;
- the cellular network access device sending the determined key to the non-cellular network access device includes:
- the cellular network access device sends the key determined for each non-cellular network access device to the non-cellular network access device corresponding to that identifier.
- alternatively, the cellular network access device determining the key for the non-cellular network access device includes:
- the cellular network access device determines a logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device, including the non-cellular network access device;
- the cellular network access device determines a key for the at least one non-cellular network access device, where the identifier of each non-cellular network access device in the at least one non-cellular network access device corresponds to the same key, and the key is used for security authentication between the UE and the non-cellular network access device corresponding to that identifier.
- alternatively, the cellular network access device determining the key for the non-cellular network access device includes:
- the cellular network access device determines a logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device, including the non-cellular network access device, where the at least one non-cellular network access device is included in at least one non-cellular network access device group;
- the cellular network access device determines a key for each non-cellular network access device group, where within each non-cellular network access device group the identifier of each non-cellular network access device corresponds to the same key, and the key is used for security authentication between the UE and the non-cellular network access device corresponding to that identifier.
- after determining the key for the non-cellular network access device, the cellular network access device determines a key identifier corresponding to the key and sends the key identifier to the non-cellular network access device.
- in a ninth aspect, an embodiment of the present invention provides an access authentication method, where the method includes:
- the user equipment (UE) determines a key, where the key is used for security authentication by the UE and the non-cellular network access device, and determines a key identifier corresponding to the key;
- the UE performs security authentication with the non-cellular network access device by using the key and the key identifier.
- the UE determining a key includes:
- the UE derives the key by applying a derivation rule to the key it shares with the cellular network access device;
- the derivation rule is sent by the cellular network access device, or the derivation rule is pre-configured in the UE and is the same as the derivation rule used by the cellular network access device to derive the key for the non-cellular network access device.
- an embodiment of the present invention provides an access authentication method, where the method includes:
- the non-cellular network access device receives the key sent by the cellular network access device, where the key is used to indicate that the non-cellular network access device performs security authentication on the user equipment (UE) associated with it;
- the non-cellular network access device determines a key identifier corresponding to the key;
- the non-cellular network access device performs security authentication with the UE by using the key identifier and the key.
- the non-cellular network access device determining a key identifier corresponding to the key includes:
- the non-cellular network access device receives the key identifier corresponding to the key sent by the cellular network access device.
- an embodiment of the present invention provides an access authentication apparatus, where the apparatus is applied to a cellular network access device, including:
- a processing unit configured to determine a key for the non-cellular network access device, where the key is used for performing security authentication by the user equipment UE and the non-cellular network access device; The UE determines the key in the same way;
- transceiver unit configured to send the key determined by the processing unit to the non-cellular network access device.
- the processing unit is specifically configured to: derive a key for a non-cellular network access device based on a shared key with the UE;
- the derivation rule used to derive the key is pre-configured and is the same as the derivation rule used to pre-configure the derivation key in the UE.
- the processing unit is specifically configured to: derive a key for the non-cellular network access device based on the shared key with the UE;
- the transceiver unit is further configured to send, to the UE, a derivation rule used to derive the key, where the derivation rule is used by the UE to perform a security authentication derivation key with the non-cellular network access device. .
- the processing unit is specifically used to:
- Determining a logical function entity managing the non-cellular network access device the logical function entity managing at least one non-cellular network access device including the non-cellular network access device;
- the transceiver unit is configured to: when the key determined by the processing unit is sent to the non-cellular network access device, specifically:
- the processing unit is specifically configured to:
- determine a logical function entity managing the non-cellular network access device, the logical function entity managing at least one non-cellular network access device including the non-cellular network access device;
- the key is used for security authentication between the UE and the non-cellular network access device corresponding to the identifier of the non-cellular network access device.
- the processing unit is specifically configured to:
- determine a logical function entity managing the non-cellular network access device, the logical function entity managing at least one non-cellular network access device including the non-cellular network access device; the at least one non-cellular network access device is included in at least one non-cellular network access device group;
- each non-cellular network access device group has a same key corresponding to the identifier of each non-cellular network access device in the group, and the key is used for security authentication between the UE and the non-cellular network access device corresponding to that identifier.
- the processing unit is further configured to, after determining a key for the non-cellular network access device, determine a key identifier corresponding to the key;
- the transceiver unit is further configured to send the key identifier determined by the processing unit to the non-cellular network access device.
- an embodiment of the present invention provides an access authentication apparatus, where the apparatus is applied to a user equipment UE, including:
- a determining unit configured to determine a key, where the key is used for security authentication by the UE and the non-cellular network access device; and determining a key identifier corresponding to the key;
- an authentication unit configured to perform security authentication with the non-cellular network access device by using the key and the key identifier.
- the determining unit, when determining a key, is specifically configured to derive the key from the shared key with the cellular network access device by using a derivation rule;
- the derivation rule is sent by the cellular network access device, or the derivation rule is pre-configured in the UE and is the same as the derivation rule used by the cellular network access device to derive the key for the non-cellular network access device.
- an embodiment of the present invention provides an access authentication apparatus, where the apparatus is applied to a non-cellular network access device, including:
- a transceiver unit configured to receive a key sent by the cellular network access device, where the key is used by the non-cellular network access device for security authentication with the user equipment UE associated with the non-cellular network access device;
- the processing unit is configured to determine a key identifier corresponding to the key, and perform security authentication with the UE by using the key identifier and the key.
- the transceiver unit is further configured to receive a key identifier corresponding to the key sent by the cellular network access device.
- FIG. 1 is a flowchart of an access authentication method according to an embodiment of the present invention.
- FIG. 2 is a flowchart of another access authentication method according to an embodiment of the present invention.
- FIG. 3 is a flowchart of still another access authentication method according to an embodiment of the present invention.
- FIG. 4A-4B are schematic structural diagrams of a network system for offload aggregation according to an embodiment of the present invention.
- FIG. 5 is a schematic diagram of an access authentication method according to an embodiment of the present invention.
- FIG. 6 is a schematic diagram of another access authentication method according to an embodiment of the present disclosure.
- FIG. 7 is a schematic diagram of an access authentication apparatus according to an embodiment of the present invention.
- FIG. 8 is a schematic diagram of another access authentication apparatus according to an embodiment of the present disclosure.
- FIG. 9 is a schematic diagram of still another access authentication apparatus according to an embodiment of the present disclosure.
- FIG. 10 is a schematic structural diagram of a cellular network access device according to an embodiment of the present disclosure.
- FIG. 11 is a schematic structural diagram of a user equipment according to an embodiment of the present disclosure.
- FIG. 12 is a schematic structural diagram of a non-cellular network access device according to an embodiment of the present disclosure.
- FIG. 13 is a schematic structural diagram of an access authentication system according to an embodiment of the present disclosure.
- FIG. 14 is a flowchart of an access authentication method performed by a cellular network access device according to an embodiment of the present invention.
- FIG. 15 is a flowchart of an access authentication method performed by a UE according to an embodiment of the present invention.
- FIG. 16 is a flowchart of an access authentication method performed by a non-cellular network access device according to an embodiment of the present invention.
- FIG. 17 is a schematic diagram of an access authentication method according to an embodiment of the present disclosure.
- FIG. 18 is a schematic diagram of an access authentication apparatus applied to a cellular network access device according to an embodiment of the present invention.
- FIG. 19 is a schematic diagram of an access authentication apparatus applied to a UE according to an embodiment of the present disclosure.
- FIG. 20 is a schematic diagram of an access authentication apparatus applied to a non-cellular network access device according to an embodiment of the present invention.
- FIG. 21 is a schematic diagram of an access authentication device applied to a cellular network access device according to an embodiment of the present disclosure.
- FIG. 22 is a schematic diagram of an access authentication device applied to a UE according to an embodiment of the present disclosure.
- FIG. 23 is a schematic diagram of an access authentication device applied to a non-cellular network access device according to an embodiment of the present invention.
- the embodiments of the present invention provide an access authentication method and device, which are used to solve the problem that, in the prior art, the authentication time is long and the signaling overhead is large. Since the method and the device solve the problem on the same principle, the method embodiments and the device embodiments can refer to each other, and repeated parts are not described again.
- the cellular network may include, but is not limited to, a cellular network in any of the following systems: Long Term Evolution (LTE) system, Global System for Mobile communications (GSM) system and related 3GPP protocols, Code Division Multiple Access (CDMA) system, Time Division Multiple Access (TDMA) system, Wideband Code Division Multiple Access (WCDMA) system, Frequency Division Multiple Access (FDMA) system, Orthogonal Frequency-Division Multiple Access (OFDMA) system, single-carrier FDMA (SC-FDMA) system, General Packet Radio Service (GPRS) system, and Universal Mobile Telecommunications System (UMTS).
- the "cellular network access device" may be a base station device, for example, an eNB in LTE, a BTS (Base Transceiver Station) in a GSM or CDMA system, a Node B in a WCDMA system, and the like; or it may be a control node, for example, an SRC (Single RAN Coordinator, fused access network coordinator) in LTE, an RNC (Radio Network Controller) in UMTS, and the like.
- the "non-cellular network" may include, but is not limited to, any of the following: a WLAN, a Worldwide Interoperability for Microwave Access (WIMAX) network, and the like.
- the non-cellular network access device may be an access point (AP) or an access controller (AC) in the WLAN, or may be a base station (BS) in the WIMAX network.
- the "non-cellular network access device" may use an autonomous management architecture (i.e., a "fat" AP architecture) or a centralized management architecture (i.e., a "thin" AP architecture).
- the WLAN AP is responsible for user equipment access, user equipment disconnection, authority authentication, security policy enforcement, data forwarding, data encryption, network management, and other tasks.
- the centralized management architecture is also called the “thin” AP architecture.
- the management rights are generally concentrated on the access controller (AC).
- the AC manages the IP address, authentication, and encryption of the user equipment.
- the WLAN AP only has encryption, data forwarding, and radio frequency functions, and cannot work independently.
- the Control and Provisioning of Wireless Access Points (CAPWAP) protocol is used between the WLAN AP and the AC.
- the foregoing WLAN AP may be integrated with the base station.
- the following description takes the autonomous management architecture, that is, the "fat" AP architecture, as an example, to which the present invention is not limited.
- the cellular network access device and the non-cellular network access device cannot communicate directly, but communicate through a logical function entity.
- the logical function entity may be a device in a cellular network or a device in a non-cellular network.
- the logical function entity may be a device in the WLAN, for example a WLAN Termination (WT).
- the WT may be co-located with the AP, co-located with the AC, or independent of both the AP and the AC.
- One eNB may connect to one or more WTs, in other words, one eNB may support one or more WTs; one WT may support one or more AP Groups.
- an AP Group consists of one or more APs.
- one WT is connected to one eNB; in particular, a WT located in a common coverage area of a plurality of eNBs may be connected to the plurality of eNBs.
- An AP can connect to one or more UEs.
- the eNB communicates directly with the WT, and the UE directly communicates with the AP in the non-cellular network.
- multi-stream aggregation means that part of the data communicated between a cellular network access device and a UE, that is, the data for multi-stream aggregation, is transmitted through a non-cellular network access device, while the other data communicated between the cellular network access device and the UE, that is, the data not subject to multi-stream aggregation, is transmitted directly between the cellular network access device and the UE.
- the cellular network access device communicates with the non-cellular network access device through a logical functional entity.
- Multi-stream aggregation includes downlink multi-stream aggregation and uplink multi-stream aggregation.
- the cellular network may support only downlink multi-stream aggregation, only uplink multi-stream aggregation, or both downlink and uplink multi-stream aggregation.
- the UE to which the present invention relates may include a handheld device having a wireless communication function, an in-vehicle device, a wearable device, a computing device, or another processing device connected to a wireless modem, and various forms of user equipment, such as a station (STA), a mobile station (MS), a subscriber unit, a personal computer (PC), a laptop computer (LC), a tablet computer (TC), a netbook, a terminal, a personal digital assistant (PDA), a mobile WiFi hotspot device (MiFi device), a smart watch, smart glasses, and so on.
- the above devices may be distributed throughout the network and, for convenience of description, are collectively referred to in the present application as user equipment or UE.
- An embodiment of the present invention provides an access authentication method. As shown in FIG. 1 , the method includes:
- Step 101 The cellular network access device determines a key identifier.
- the key identifier is used to instruct the UE to perform security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- the cellular network access device may determine, for the UE, an identical key identifier for every non-cellular network access device under the logical function entity; or an identical key identifier for every non-cellular network access device within each non-cellular network access device group under the logical function entity; or a different key identifier for each non-cellular network access device in all the non-cellular network access device groups under the logical function entity.
- the key identifier may be determined by the cellular network access device from the identity of the UE and the identity of the non-cellular network access device by a hash (HASH) algorithm, or based only on the identity of the UE. It may of course be determined by other algorithms; the algorithm for determining the key identifier is not specifically limited in the embodiment of the present invention.
- Step 102 The cellular network access device sends the determined key identifier to the UE and the non-cellular network access device, where the key identifier is used to instruct the UE to perform security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- the key identifier is determined by the cellular network access device, and then the determined key identifier is directly sent by the cellular network access device to the UE and the non-cellular network access device.
- the UE and the non-cellular network access device obtain the key identifier, so that the UE and the non-cellular network access device directly perform the security authentication by using the key corresponding to the key identifier, the authentication time is short, and the signaling overhead is small.
- the cellular network access device sends the key identifier to the non-cellular access device through the logical function entity.
- the logical function entity and the non-cellular network access device communicate through a private interface, which is not limited by the present invention.
- when sending the key identifier to the UE, the cellular network access device may send the identifier of the non-cellular network access device together with the key identifier, for example in the form of a table.
- the identifier of the non-cellular network access device may also be sent separately from the key identifier. For example, if the key identifier determined for each non-cellular network access device is the same, only one key identifier needs to be sent to the UE.
- the cellular network access device sends the key identifier to the non-cellular network access device.
- the non-cellular network access device then only needs to determine whether the key identifier carried in the association request sent by the UE is the same as the key identifier it has saved; if so, the UE and the non-cellular network access device perform four-way handshake authentication using the key corresponding to the key identifier.
- the identifier of the non-cellular network access device may be a Service Set Identifier (SSID), an Extended Service Set Identifier (ESSID), or a Basic Service Set Identifier (BSSID).
- the BSSID of the non-cellular network access device is also the Medium Access Control (MAC) address of the non-cellular network access device.
- the identity of the UE may be the MAC address of the WLAN of the UE.
- the cellular network access device may send the key identifier to the UE separately, or carried in Pairwise Master Key Security Association (PMKSA) information, in an LWA command message, or in another newly defined message used to instruct the UE to perform LWA.
- the cellular network access device may send the key identifier to the non-cellular network access device separately.
- the key identifier may also be carried in the GPRS Tunneling Protocol user plane (GTP-U) tunnel establishment message sent by the cellular network access device to the logical function entity, or in another newly defined message.
- if the logical function entity and the non-cellular network access device are not the same node, the cellular network access device carries the key identifier in the GTP-U tunnel establishment message sent to the logical function entity, and the logical function entity then forwards it to the non-cellular network access device.
- the cellular network access device may also send at least one of a life cycle and authentication mode indication information to the UE and/or the non-cellular network access device:
- the life cycle is used to indicate the expiration time of the key corresponding to the key identifier and of the key identifier; the authentication mode indication information is used to indicate the authentication type adopted by the UE, which may be an authentication type specified by the Authentication and Key Management Protocol (AKMP), such as the 802.1X EAP-AKA cache method.
- at least one of the foregoing items may be included in the PMKSA information, or sent in the same message as the key identifier.
- the key corresponding to the key identifier may be determined in, but not limited to, the following ways:
- the key corresponding to the key identifier may be determined by the cellular network access device. After determining it, the cellular network access device associates the key with the key identifier and sends both to the UE and the non-cellular network access device. The key and the key identifier may thus be sent in the PMKSA information, or in the same message.
- the specific message may be referred to as described above, and details are not described herein again.
- the key determined by the cellular network access device may be a shared key between the UE and the cellular network access device, such as one of KeNB, Krrc.int, Krrc.enc, Kup.enc, Kup.int, and the like, or a key derived from one or more of these keys.
- the key identifier may be determined by the cellular network access device based on the identity of the UE and the identity of the non-cellular network access device, or based only on the identity of the UE; it may also be determined from the key, the identifier of the UE and the identifier of the non-cellular network access device, or from the key and the identifier of the UE. For example:
- PMKID = HMAC-SHA1-128(PMK, "PMK_name" || MAC_AP || MAC_UE), where:
- PMKID represents the key identifier;
- PMK represents the key;
- PMK_name represents the key name;
- MAC_UE represents the UE identifier, that is, the MAC address of the UE in the WLAN;
- MAC_AP represents the identifier of the non-cellular network access device, that is, the MAC address of the non-cellular network access device;
- HMAC denotes the keyed Hash-based Message Authentication Code;
- SHA1 refers to the Secure Hash Algorithm 1, and -128 denotes truncation of the output to 128 bits.
- the key corresponding to the key identifier may also be a key that the cellular network access device and the UE each determine, based on a predetermined derivation rule, for the UE to associate with the non-cellular network access device.
- the cellular access device then transmits the determined key to the non-cellular access device.
- the predetermined derivation rule may be determined in advance by the UE and the cellular access device.
- the cellular network access device determines, according to the predetermined derivation rule, the key for the UE to associate with the non-cellular network access device, and then determines a key identifier corresponding to the key. The key identifier and the key are then sent to the non-cellular network access device, and the key identifier is sent to the UE. Before associating with the non-cellular network access device, the UE first determines the key corresponding to the key identifier according to the same predetermined derivation rule.
- the UE sends an association request to the non-cellular network access device, and carries the key identifier in the association request;
- the non-cellular network access device determines that the key identifier received from the UE is the same as the key identifier stored by itself. Then the UE and the non-cellular network access device perform a four-way handshake based on the key corresponding to the key identifier. After the four-way handshake authentication is passed, the cellular network access device can perform multi-stream aggregation data transmission with the UE through the non-cellular network access device.
- alternatively, the cellular network access device derives the key identifier from the shared key between the UE and the cellular network access device based on the derivation rule, then sends the derivation rule to the UE and the non-cellular network access device, and sends the shared key between the cellular network access device and the UE to the non-cellular network access device. After receiving the key identifier, the UE and the non-cellular network access device each derive the key corresponding to the key identifier from the shared key using the same derivation rule, so the derived keys are the same.
- the UE sends an association request to the non-cellular network access device, carrying the key identifier in the association request. The non-cellular network access device then determines that the key identifier received from the UE is the same as the key identifier stored by itself. Then the UE and the non-cellular network access device perform a four-way handshake based on the key corresponding to the key identifier. After the four-way handshake authentication is passed, the cellular network access device can perform multi-stream aggregation data transmission with the UE through the non-cellular network access device.
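As an added illustration (not code from the patent), the following Python simulates the exchange described above and the key identifier formula given earlier: the cellular network access device derives a per-AP key from the shared key, computes the key identifier as PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_UE), hands the key and identifier to the AP and the identifier alone to the UE, and the AP accepts an association request only when the carried identifier matches the stored one. The derivation rule (HMAC-SHA256 over a label and both MAC addresses), the sample KeNB value and the MAC addresses are constructed assumptions that the patent does not fix.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample values (assumptions, not taken from the patent).
SHARED_KEY_KENB = hashlib.sha256(b"constructed sample KeNB").digest()  # UE<->eNB shared key
MAC_AP = bytes.fromhex("001122334455")  # WLAN MAC (BSSID) of the non-cellular access device
MAC_UE = bytes.fromhex("66778899aabb")  # WLAN MAC of the UE


def derive_ap_key(shared_key: bytes, mac_ap: bytes, mac_ue: bytes) -> bytes:
    # Predetermined derivation rule (assumed; the patent leaves it open). Both the
    # eNB and the UE apply it to the shared key and obtain the same per-AP PMK.
    return hmac.new(shared_key, b"LWA-PMK" + mac_ap + mac_ue, hashlib.sha256).digest()


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_ue: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_UE): "PMK Name" is the
    # literal IEEE 802.11 uses (the patent writes PMK_name); -128 = truncate to 16 bytes.
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_ue, hashlib.sha1).digest()[:16]


@dataclass
class NonCellularAccessDevice:
    # WLAN AP: stores (PMKID, PMK) per UE as received from the eNB via the WT.
    mac: bytes
    stored: Dict[bytes, Tuple[bytes, bytes]] = field(default_factory=dict)

    def receive_from_cellular(self, mac_ue: bytes, pmkid: bytes, pmk: bytes) -> None:
        self.stored[mac_ue] = (pmkid, pmk)

    def handle_association_request(self, mac_ue: bytes, pmkid: bytes) -> Optional[bytes]:
        # Return the PMK for the 4-way handshake only if the carried PMKID matches the
        # stored one; None means reject (no cached key for this UE / identifier).
        entry = self.stored.get(mac_ue)
        if entry is None or not hmac.compare_digest(entry[0], pmkid):
            return None
        return entry[1]


@dataclass
class UserEquipment:
    mac: bytes
    shared_key: bytes
    key_identifiers: Dict[bytes, bytes] = field(default_factory=dict)  # MAC_AP -> PMKID

    def receive_key_identifier(self, mac_ap: bytes, pmkid: bytes) -> None:
        self.key_identifiers[mac_ap] = pmkid

    def associate(self, ap: NonCellularAccessDevice) -> bool:
        # Association request carrying the PMKID; the PMK equality check stands in
        # for the 4-way handshake, which proves possession without sending the PMK.
        pmkid = self.key_identifiers.get(ap.mac)
        if pmkid is None:
            return False
        ap_pmk = ap.handle_association_request(self.mac, pmkid)
        if ap_pmk is None:
            return False
        own_pmk = derive_ap_key(self.shared_key, ap.mac, self.mac)
        return hmac.compare_digest(ap_pmk, own_pmk)


def cellular_prepare(shared_key: bytes, ap: NonCellularAccessDevice, ue: UserEquipment) -> bytes:
    # eNB side: derive the per-AP key, compute its PMKID, send key + PMKID to the AP
    # (through the WT) and the PMKID alone to the UE.
    pmk = derive_ap_key(shared_key, ap.mac, ue.mac)
    pmkid = compute_pmkid(pmk, ap.mac, ue.mac)
    ap.receive_from_cellular(ue.mac, pmkid, pmk)
    ue.receive_key_identifier(ap.mac, pmkid)
    return pmkid


def run_exchange() -> Dict[str, bool]:
    # Happy path plus two failure modes the AP-side check must catch.
    ap = NonCellularAccessDevice(MAC_AP)
    ue = UserEquipment(MAC_UE, SHARED_KEY_KENB)
    cellular_prepare(SHARED_KEY_KENB, ap, ue)
    accepted = ue.associate(ap)

    # A UE holding a stale shared key derives a different PMK: the PMKID it
    # presents still matches, but the handshake stand-in fails.
    stale_ue = UserEquipment(MAC_UE, hashlib.sha256(b"stale KeNB").digest())
    stale_ue.key_identifiers = dict(ue.key_identifiers)
    stale_rejected = not stale_ue.associate(ap)

    # A UE presenting a PMKID the AP never received from the eNB is rejected
    # before any handshake starts.
    unknown_ue = UserEquipment(MAC_UE, SHARED_KEY_KENB)
    unknown_ue.receive_key_identifier(MAC_AP, b"\x00" * 16)
    unknown_rejected = not unknown_ue.associate(ap)

    return {"accepted": accepted, "stale_key_rejected": stale_rejected,
            "unknown_pmkid_rejected": unknown_rejected}


if __name__ == "__main__":
    print(run_exchange())
```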
- the non-cellular network access device and the logical function entity are the same node.
- when the non-cellular network access device and the logical function entity are the same node, the functions of both may be implemented by one device, or the logical function entity may be embedded in the non-cellular network access device. If the logical function entity is embedded in the non-cellular network access device, it has an internal interface with the non-cellular network access device, and the two exchange information through that internal interface.
- the cellular network access device determines the key identifier for the non-cellular network access device with which the UE is to associate in the following manner:
- the cellular network access device determines, according to the measurement report sent by the UE, the non-cellular network access device that the UE needs to associate.
- the measurement report includes the signal quality of the WLAN network where the UE is located, and the cellular network access device selects the non-cellular network access device of the WLAN network with better quality for the UE.
- the UE may measure the signal quality of the WLAN network in which it is located, and send the measurement report formed from the measurement result to the cellular network access device.
- the cellular network access device determines a key identifier corresponding to the non-cellular network access device selected for the UE, where the key identifier is used to instruct the UE to perform security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- the cellular network access device sends the determined key identifier corresponding to the non-cellular network access device selected by the UE to the non-cellular network access device.
- the cellular network access device determines the key identifier for the non-cellular network access device with which the UE is to associate in the following manner:
- the cellular network access device determines a logical function entity to which the non-cellular network access device to which the UE is to be associated belongs; the cellular network access device determines each non-cellular network access device managed by the logical function entity.
- the cellular network access device determines, for each of the non-cellular network access devices, a key identifier corresponding to that non-cellular network access device, where the key identifier is used to instruct the UE to perform security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- the non-cellular network access device to which the UE is to be associated is selected by the cellular network access device for the UE.
- the logical function entity is determined from the selected non-cellular network access device to be associated, and each non-cellular network access device managed by that logical function entity is thereby obtained.
- the specific selection manner may be as follows: after receiving the measurement configuration request message sent by the cellular network access device, the UE measures the signal quality of the WLAN network in which it is located, and sends the measurement report formed from the measurement result to the cellular network access device.
- the cellular network access device determines, according to the measurement report sent by the UE, the non-cellular network access device with which the UE is to associate. For example, the cellular network access device selects for the UE a non-cellular network access device of a WLAN network with better signal quality.
- the cellular network access device sends the determined key identifier corresponding to each non-cellular network access device, through the logical function entity, to the non-cellular network access device corresponding to the identifier of that non-cellular network access device, and sends a key identifier list to the UE, where the key identifier list includes the identifier of each non-cellular network access device managed by the logical function entity and the key identifier corresponding to each non-cellular network access device.
- when the UE associates with a non-cellular network access device, the UE selects a non-cellular network access device and determines whether its identifier is the same as an identifier of a non-cellular network access device in the key identifier list. If so, the selected non-cellular network access device is used as the target non-cellular network access device.
- the cellular network access device may determine the key identifier for the non-cellular network access device with which the UE is to associate in the following manner:
- the key corresponding to the key identifier is used for security authentication with the non-cellular network access device.
- the non-cellular network access device to which the UE is to be associated is selected by the cellular network access device for the UE.
- the specific selection manner may be as follows: after receiving the measurement configuration request message sent by the cellular network access device, the UE measures the signal quality of the WLAN network in which it is located, and sends the measurement report formed from the measurement result to the cellular network access device.
- the cellular network access device determines, according to the measurement report sent by the UE, the non-cellular network access device with which the UE is to associate. For example, the cellular network access device selects for the UE a non-cellular network access device of a WLAN network with better signal quality.
- when the UE associates with a non-cellular network access device, the UE performs the association according to the non-cellular network access device indicated by the cellular network access device.
- the non-cellular network access device indicated by the cellular network access device is one of the multiple non-cellular network access devices corresponding to the foregoing key identifier.
- the cellular network access device may determine the key identifier for the non-cellular network access device with which the UE is to associate in the following manner:
- the cellular network access device determines the logical function entity to which the non-cellular network access device with which the UE is to associate belongs; the logical function entity manages at least one non-cellular network access device, including the non-cellular network access device to be associated;
- the key identifier corresponding to the identifier of each non-cellular network access device is the same, and the key identifier is used for security authentication between the UE and the non-cellular network access device corresponding to that identifier.
- the cellular network access device sends the determined key identifier to the non-cellular network access device corresponding to the identifier of each non-cellular network access device and the UE through the logical function entity.
- An embodiment of the present invention further provides an access authentication method. As shown in FIG. 2, the method includes:
- Step 201 The UE receives the key identifier sent by the cellular network access device.
- the key identifier is used to indicate that the UE performs security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- Step 202 The UE determines a key corresponding to the key identifier.
- Step 203 The UE performs security authentication with the non-cellular network access device according to the received key identifier and the determined key.
- the UE may determine the key corresponding to the key identifier in, but not limited to, the following ways:
- the UE receives a key corresponding to the key identifier sent by the cellular network access device.
- the cellular network access device may send the key corresponding to the key identifier together with the key identifier, or may send the key separately; this is not specifically limited in the embodiment of the present invention.
- the UE negotiates with the cellular network access device to determine a key corresponding to the key identifier.
- the UE may negotiate with the cellular network access device to determine the manner of determining the key corresponding to the key identifier, and then determine the key corresponding to the key identifier in the determined manner; or the UE obtains a derivation rule for determining the key corresponding to the key identifier, and then determines the key corresponding to the key identifier based on the derivation rule.
- the UE determines a key corresponding to the key identifier according to a predetermined derivation rule.
- the predetermined derivation rule may be sent in advance by the cellular network access device, or the UE may negotiate the derivation rule with the cellular network access device in advance and then save it.
- the predetermined derivation rule is the same as the derivation rule used by the cellular access device to determine the key corresponding to the key identifier for the UE. After the cellular network access device derives the key according to the predetermined derivation rule, the obtained key is sent to the non-cellular network access device.
- the non-cellular network access device determines whether the received key identifier is the same as the key identifier it has saved, and if so, the UE and the non-cellular network access device perform four-way handshake authentication based on the key corresponding to the key identifier.
- the UE receives the key identifier sent by the cellular network access device for the UE to associate with the non-cellular network access device, including:
- the UE receives a key identifier list sent by the cellular network access device, where the key identifier list includes the identifier of each non-cellular network access device available for the UE to select and the key identifier corresponding to each such device.
- each non-cellular network access device in the list belongs to the non-cellular network access device group indicated by the cellular network access device.
- the UE performs security authentication on the non-cellular network access device based on the received key corresponding to the key identifier, including:
- the UE determines a target non-cellular network access device from the key identifier list;
- the UE performs security authentication with the target non-cellular network access device according to the key identifier corresponding to the identifier of the target non-cellular network access device and the key corresponding to the key identifier in the key identifier list.
- the UE receives a key identifier sent by the cellular network access device, and the key identifier corresponds to an identifier of multiple non-cellular network access devices.
- each non-cellular network access device whose identifier is covered by the key identifier belongs to the non-cellular network access device group indicated by the cellular network access device.
- the UE performs security authentication with the target non-cellular network access device according to the key identifier corresponding to the identifier of the target non-cellular network access device and the key corresponding to the key identifier.
- the UE receives a key identifier sent by the cellular network access device, and the key identifier corresponds to an identifier of a non-cellular network access device. Then the UE determines that the non-cellular network access device is the target non-cellular network access device.
- the UE performs security authentication with the target non-cellular network access device according to the key identifier corresponding to the identifier of the target non-cellular network access device and the key corresponding to the key identifier.
- the UE receives the key identifier sent by the cellular network access device, and then the UE determines the key corresponding to the key identifier.
- the UE directly performs security authentication with the non-cellular network access device according to the received key identifier and the determined key, and the authentication time is short, and the signaling overhead is small.
- An embodiment of the present invention further provides an access authentication method. As shown in FIG. 3, the method includes:
- Step 301 The non-cellular network access device receives the key identifier sent by the cellular network access device, where the key identifier is used to indicate that the non-cellular network access device performs security authentication on the UE that associates with it.
- Step 302 When receiving an association request initiated by the UE to associate with the non-cellular network access device, the non-cellular network access device performs security authentication with the UE according to the key corresponding to the key identifier.
- the UE sends an association request to the non-cellular network access device and carries the key identifier in the association request; the non-cellular network access device then determines whether the key identifier received from the UE is the same as the key identifier it has stored. If so, the UE and the non-cellular network access device perform a four-way handshake based on the key corresponding to the key identifier. After the four-way handshake authentication is passed, the cellular network access device can perform multi-stream aggregation data transmission with the UE through the non-cellular network access device.
- the non-cellular network access device receives the key identifier sent by the cellular network access device, and the key identifier is used to instruct the non-cellular network access device to perform security authentication on the user equipment UE associated with it.
- the key identifier is used to indicate that the user equipment UE performs security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- the UE and the non-cellular network access device obtain the key identifier, so that the UE and the non-cellular network access device directly perform the security authentication by using the key corresponding to the key identifier, the authentication time is short, and the signaling overhead is small.
- the cellular network is LTE
- the cellular access device is the eNB
- the non-cellular network is the WLAN
- the non-cellular access device is the AP
- the logical functional entity is the WT.
- FIG. 4A and FIG. 4B are schematic diagrams showing the structure of a network system for distributed aggregation according to an embodiment of the present invention.
- the AP supports the LTE data transmission.
- the network system of the embodiment of the present invention may further include a WT for managing the AP, and the WT and the AP may be the same node, as shown in FIG. 4A.
- the WT and the AP may also be different nodes, as shown in FIG. 4B.
- the UE, the eNB and the WT can be connected wirelessly, for example using air interface communication. If the WT and the AP are different nodes, they are connected by wire.
- FIG. 5 is a schematic diagram of an access authentication method according to an embodiment of the present invention. Optional steps in FIG. 5 are indicated by dashed lines.
- the eNB determines a PMKID for the UE.
- PMKID is a key identifier.
- the PMKID is used by the UE and the AP to perform security authentication according to the PMK corresponding to the PMKID.
- step 502 the eNB sends a PMKID to the UE.
- the PMKID can be sent separately or in the PMKSA information.
- the PMKID can also be sent in the LWA command message sent by the eNB to the UE, or in another newly defined message, which can be carried in the Radio Resource Control (RRC) connection reconfiguration message used to instruct the UE to perform LWA. After the RRC connection reconfiguration is completed, the UE sends an RRC Connection Reconfiguration Complete message to the eNB.
- the LWA request message may further include an identifier of a WLAN AP or of a WLAN AP group, where the identifier of an AP may be a BSSID/ESSID/SSID, and an AP group is given as a list of WLAN AP identifiers, each of which may be a BSSID/ESSID/SSID.
- PMKSA information can be sent in the LWA command message, or other newly defined messages.
- the PMKID is included in the PMKSA, and the PMKSA is sent in the LWA command message as an example for description.
- the PMKSA includes the PMKID, and may further include:
- PMK, a key used by the eNB to assist WLAN authentication.
- the PMK may be a key shared by the eNB and the UE, for example, keNB, Krrc.int, krrc.enc, Kup.enc, Kup.int, and the like. It may also be a key derived from one or more of these keys. PMK is optional.
- the eNB may send the derivation rule of the derivation key to the UE in advance, or negotiate with the UE to use the shared key as the PMK.
- Lifetime, which indicates the validity period of the PMKID and of the PMK. Lifetime is optional.
- the authentication mode indication information is used to indicate an authentication type adopted by the UE, and the foregoing authentication type may be an authentication type specified by AKMP, for example, an 802.1X EAP AKA cache mode.
- the PMKID may be determined by the eNB based on the identity of the UE.
- the identity of the UE may be the WLAN MAC address of the UE.
- the PMKID may be determined based only on the identifier of the UE, or may be determined from the key PMK, the identifier of the UE and the identifier of the AP, or from the key PMK and the identifier of the UE.
- the eNB maintains a counter for the UE to ensure that the PMKID of each UE is different.
- PMKID = HMAC-SHA1-128(PMK, "PMK_name" || MAC_UE || MAC_AP)
- the PMK_name represents the key name
- the MAC_UE represents the UE identifier, that is, the MAC address of the UE in the WLAN.
- MAC_AP indicates the identity of the AP, that is, the MAC address of the AP.
- HMAC is a keyed hash-based message authentication code (Hash-based Message Authentication Code).
- SHA1 refers to the Secure Hash Algorithm.
- the method may further include: acquiring, by the eNB, an identifier of the UE, such as a WLAN MAC address of the UE.
- the eNB may actively request the UE to report the identifier, or the UE may carry the identifier in the UE capability report message.
- the method may further include:
- Step 501a The eNB sends a measurement configuration request message to the UE.
- the measurement configuration request message is used to request the UE to measure the signal quality of the WLAN network where the UE is located.
- the UE measures the signal quality of the WLAN network and obtains the measurement result.
- step 501b the UE reports the measurement result to the eNB.
- the measurement result includes the identifier of the AP of the WLAN and the signal quality value corresponding to the AP identifier.
- the eNB thus determines the WT that performs the data transmission of the LWA based on the measurement result. Specifically, the AP with the strongest signal is selected as the AP to be associated with the UE according to the measurement result, and then the WT to which the AP belongs is determined, and the WT is used as the WT for performing LWA data transmission.
- the eNB may determine, for the UE, a key identifier for each AP under the WT; or the same key identifier for all APs within each AP group under the WT; or the same key identifier for all APs under all AP groups under the WT. When the key identifiers are the same, the keys are also the same; when the key identifiers are different, the keys are different.
- step 503 the eNB sends the PMKID to the WT.
- the WT can send the PMKID to the AP through the private interface of the WT and the AP.
- the PMKID can be sent to the WT separately, or carried in the GTP-U tunnel setup message. If the PMKID is sent in the GTP-U tunnel setup message, step 503 needs to be performed before step 502; if the PMKID is sent by other means, steps 503 and 502 are performed in no particular order.
- the PMK corresponding to the PMKID may be sent to the WT, and the key may also be carried in the GTP-U tunnel establishment message and sent to the WT.
- the PMK is a key for the eNB to assist in WLAN authentication.
- the PMK may be a key shared by the eNB and the UE, for example, keNB, Krrc.int, krrc.enc, Kup.enc, Kup.int, and the like. It may also be a key derived from one or more of these keys.
- the method may further include:
- step 503a the WT sends a key request message to the eNB, where the key request message is used to request the acquisition of the key and the PMKID.
- step 503a and step 501 and step 502 are in no particular order in time.
- Figure 5 is only an example and does not limit the order of time.
- the eNB may send the PMKID and the key derivation rule, or the PMKID and the PMK, in the key request response message to the WT.
- the eNB may actively send the PMKID and the key derivation rule, or the PMKID and the PMK, to the WT.
- Step 504 The UE sends an association request message to the WLAN AP.
- the association request message carries a PMKID.
- if the eNB indicates an AP group to the UE, the UE independently selects one AP in the AP group to access; if the eNB indicates the identity of an AP to the UE, the UE directly accesses the indicated AP.
- before associating with the WLAN AP, the UE first determines whether it holds a valid PMK for the target AP, that is, whether the BSSID of an AP in the PMKSA matches the BSSID of the AP to be associated with; if it matches, the UE uses the PMK corresponding to that AP. The UE places the PMKID in the association request message; when the WLAN AP receives the PMKID included in the association request, the AP checks whether the same PMKID exists in its PMKSA. If it does, the UE and the AP use the PMK to perform the four-way handshake authentication.
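As an added example (not code from the patent), the PMKID derivation given above and the PMKSA checks of step 504 on the UE side and the AP side, in Python. The argument order MAC_UE || MAC_AP, the per-AP PMKID option, the lifetime handling and all sample PMK and MAC values are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample values for this example; none of them come from the patent.
SAMPLE_PMK = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # 32-byte PMK
MAC_UE = bytes.fromhex("0211223344aa")                               # UE's WLAN MAC address
AP_BSSIDS = [bytes.fromhex("0a1b2c3d4e01"), bytes.fromhex("0a1b2c3d4e02")]  # two APs under one WT
LIFETIME_SECONDS = 3600                                              # the optional Lifetime field


def derive_pmkid(pmk: bytes, mac_ue: bytes, mac_ap: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK_name" || MAC_UE || MAC_AP).

    HMAC-SHA1-128 is the first 128 bits (16 bytes) of HMAC-SHA1.  The argument
    order MAC_UE || MAC_AP follows the order in which the page defines the terms
    and is an assumption of this example.
    """
    if len(mac_ue) != 6 or len(mac_ap) != 6:
        raise ValueError("WLAN MAC addresses must be 6 bytes")
    if not pmk:
        raise ValueError("PMK must not be empty")
    return hmac.new(pmk, b"PMK_name" + mac_ue + mac_ap, hashlib.sha1).digest()[:16]


@dataclass(frozen=True)
class PMKSA:
    """PMKSA information as distributed by the eNB: PMKID plus the optional fields."""
    pmkid: bytes
    bssid: bytes            # identifier of the AP this PMKID is bound to
    pmk: bytes
    expires_at: int         # absolute expiry computed from Lifetime
    akm: str = "LWA Type"   # optional authentication mode indication


def enb_build_pmksa_list(pmk: bytes, mac_ue: bytes, ap_bssids: List[bytes],
                         lifetime_s: int, now: int) -> List[PMKSA]:
    """eNB side: a distinct PMKID for each AP under the WT (the per-AP option on the page)."""
    return [PMKSA(derive_pmkid(pmk, mac_ue, bssid), bssid, pmk, now + lifetime_s)
            for bssid in ap_bssids]


def ue_select_pmksa(pmksa_list: List[PMKSA], target_bssid: bytes, now: int) -> Optional[PMKSA]:
    """UE side: before associating, look for a still-valid PMKSA whose BSSID matches the target AP."""
    for sa in pmksa_list:
        if sa.bssid == target_bssid and now < sa.expires_at:
            return sa
    return None


class AccessPoint:
    """AP side: caches the PMKSAs pushed by the WT and checks the PMKID in an association request."""

    def __init__(self, bssid: bytes) -> None:
        self.bssid = bssid
        self.cache: Dict[bytes, PMKSA] = {}

    def install_pmksa(self, sa: PMKSA) -> None:
        self.cache[sa.pmkid] = sa

    def handle_association_request(self, pmkid: bytes, now: int) -> str:
        sa = self.cache.get(pmkid)
        if sa is None:
            return "reject: unknown PMKID"          # no matching PMKSA, no fast authentication
        if now >= sa.expires_at:
            del self.cache[pmkid]                   # Lifetime elapsed: drop the stale entry
            return "reject: PMKID expired"
        # Same PMKID on both sides: continue with the four-way handshake using sa.pmk.
        return "four-way handshake with cached PMK"


def demo(now: int = 1_700_000_000) -> Dict[str, str]:
    """Run eNB -> UE and WT -> AP distribution, then three association-request outcomes."""
    pmksa_list = enb_build_pmksa_list(SAMPLE_PMK, MAC_UE, AP_BSSIDS, LIFETIME_SECONDS, now)
    aps = {bssid: AccessPoint(bssid) for bssid in AP_BSSIDS}
    for sa in pmksa_list:                           # the WT pushes each PMKID to its own AP
        aps[sa.bssid].install_pmksa(sa)
    target = AP_BSSIDS[1]
    chosen = ue_select_pmksa(pmksa_list, target, now)
    assert chosen is not None
    return {
        "ok": aps[target].handle_association_request(chosen.pmkid, now),
        "wrong_ap": aps[AP_BSSIDS[0]].handle_association_request(chosen.pmkid, now),
        "expired": aps[target].handle_association_request(chosen.pmkid, now + LIFETIME_SECONDS),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```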
- the method may further include:
- Step 505 The UE sends a message to the eNB to indicate that the LWA succeeds or fails.
- when the eNB receives the LWA success message sent by the UE, the method further includes:
- step 506 the eNB performs data transmission of the LWA with the UE via the AP.
- the key identifier is determined by the eNB, and then the eNB directly sends the determined key identifier to the UE and the AP.
- the UE and the AP obtain the key identifier, so that the UE and the AP directly perform the security authentication by using the key corresponding to the key identifier, the authentication time is short, and the signaling overhead is small.
- FIG. 6 is a schematic diagram of another access authentication method according to an embodiment of the present invention.
- Step 601 The eNB sends an LWA start command message to the UE.
- the LWA start command message is used to instruct the UE to access an AP.
- the LWA start command message may indicate the BSSID of the WLAN AP.
- the security policy of the UE may also be included in the LWA start command message.
- the security policy is LWA type, which is the newly added authentication type.
- the eNB may instruct the UE to measure and report the WLAN signal quality.
- the eNB determines to add an appropriate WLAN network for LWA data transmission according to the measurement report sent by the UE.
- the eNB determines whether to instruct the UE to perform measurement and reporting of WLAN signal quality according to the cellular network load and/or the subscription information of the UE.
- Step 602 The UE discovers the designated AP by listening to a beacon frame or sending a Probe frame.
- the AP carries a Robust Security Network (RSN) information element in the beacon or probe acknowledgement (ACK).
- the RSN information element indicates the security policy supported by the specified AP.
- the security policy is the newly added authentication type LWA Type.
- the RSN information element includes an Automatic Key Management (AKM) information element, and the AKM information element is used to indicate the authentication type.
- before step 602, the eNB sends indication information to the AP through the Xw interface between the eNB and the WLAN, where the indication information is used to indicate that the MSA Type is used as the only authentication mode.
- Step 603 Open an authentication process (open authentication) between the UE and the AP.
- Step 604 The UE initiates an Association Request message to the AP.
- the association request message includes the security policy that the UE expects, for example, the authentication type is LWA Type, and the UE and the AP complete the negotiation of the security policy.
- Step 605 The AP sends a key request message to the eNB. After receiving the key request message, the eNB derives a new key Key according to the key of the access network side and the predetermined derivation rule, and sends the derived key key to the AP through the response message.
- Step 606 The AP returns an association response message to the UE.
- the UE completes association with the AP.
- Step 607 After receiving the association response message of the AP, the UE also derives the key Key according to the predetermined derivation rule. Then, according to the derived key Key and the AP, the WLAN four-way handshake security authentication process is completed.
- Step 608 The UE sends an LWA acknowledgement message to the eNB.
- Step 609 Perform LWA data transmission between the eNB and the UE through the AP.
- the embodiment of the present invention further provides an access authentication device, which may be disposed in a cellular network access device, may be the cellular network access device itself, or may be a standalone device separate from the cellular network access device that can communicate with it, and the like.
- the access authentication apparatus includes:
- a determining unit 701, configured to determine a key identifier;
- a sending unit 702, configured to send the key identifier determined by the determining unit 701 to the UE and the non-cellular network access device, where the key identifier is used to indicate that the UE performs security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- the determining unit 701 may be implemented by:
- determining a logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device including the non-cellular network access device; and, for each non-cellular network access device managed by the logical function entity, determining a key identifier corresponding to the identifier of that non-cellular network access device.
- the sending unit 702 sending the key identifier determined by the determining unit 701 to the UE and the non-cellular network access device may specifically include: sending the key identifier that the determining unit 701 determined for each non-cellular network access device to the non-cellular network access device corresponding to that identifier, and sending the key identifier list to the UE.
- the key identification list includes an identifier of each non-cellular network access device managed by the logical function entity and a key identifier corresponding to each non-cellular network access device.
- the determining unit 701 may also be implemented by:
- determining a logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device including the non-cellular network access device; and determining a key identifier for the at least one non-cellular network access device managed by the logical function entity, wherein the key identifiers of the non-cellular network access devices in the at least one non-cellular network access device are the same, and the key identifier is used for security authentication between the UE and the non-cellular network access device corresponding to each identifier.
- the sending unit 702 separately sends the key identifiers determined by the determining unit 701 to the non-cellular network access devices corresponding to the identifiers of the respective non-cellular network access devices and the UE.
- the determining unit 701 is further configured to determine a key, where the key is used for secure authentication by the UE and the non-cellular network access device.
- the sending unit 702 associates the key determined by the determining unit 701 with the key identifier, and sends the key to the UE and the non-cellular network access device.
- the determining unit 701 determines a key according to a predetermined derivation rule; the key is used by the UE to perform security authentication with the non-cellular network access device; and the predetermined derivation rule is the same as the derivation rule used by the UE to determine the key for the non-cellular network access device with which it associates.
- the sending unit 702 is specifically configured to associate the key determined by the determining unit 701 with the key identifier, send them to the non-cellular network access device, and send the key identifier to the UE.
- the sending unit 702 is further configured to send at least one of the following to the UE and/or the non-cellular network access device:
- the life cycle is used to indicate the validity period of the key and the key identifier
- the authentication mode indication information is used to indicate an authentication type adopted by the UE; the authentication type may be an authentication type specified by the AKMP. For example, 802.1X EAP AKA cache mode.
- the access authentication device and the access authentication method provided in the embodiment shown in FIG. 1 are based on the same inventive concept. Since the principles by which the method and the device solve the problem are similar, their implementations may refer to each other, and repeated description is omitted.
- the key identifier is determined by the cellular network access device, and then the determined key identifier is directly sent by the cellular network access device to the UE and the non-cellular network access device.
- the UE and the non-cellular network access device obtain the key identifier, so that the UE and the non-cellular network access device directly perform the security authentication by using the key corresponding to the key identifier, the authentication time is short, and the signaling overhead is small.
- the embodiment of the present invention further provides an access authentication device, which may be set to the user equipment, or may be the user equipment itself.
- the device includes:
- the receiving unit 801 is configured to receive a key identifier sent by the cellular network access device, where the key identifier is used to indicate that the authentication unit performs security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- the determining unit 802 is configured to determine a key corresponding to the key identifier received by the receiving unit 801.
- the authentication unit 803 is configured to perform security authentication with the non-cellular network access device according to the key identifier received by the receiving unit 801 and the key determined by the determining unit 802.
- the determining unit 802 is configured to: when the receiving unit 801 receives the key corresponding to the key identifier sent by the cellular network access device, determine the key corresponding to the key identifier; or negotiate with the cellular network access device to determine the key corresponding to the key identifier; or determine the key corresponding to the key identifier according to a predetermined derivation rule.
- the receiving unit 801 is specifically configured to receive a key identifier list sent by the cellular network access device, where the key identifier list includes the identifier of each non-cellular network access device available for the UE to select for association, and the key identifier corresponding to each non-cellular network access device.
- the determining unit 802 is further configured to determine a target non-cellular network access device.
- the authentication unit 803 is specifically configured to perform security authentication with the target non-cellular network access device according to the key identifier corresponding to the identifier of the target non-cellular network access device in the key identifier list and the determined key, wherein the target non-cellular network access device is determined by the determining unit or by the cellular network access device.
- the access authentication apparatus and the access authentication method provided in the embodiment shown in FIG. 2 are based on the same inventive concept. Since the principles by which the method and the apparatus solve the problem are similar, their implementations may refer to each other, and repeated description is omitted.
- the UE receives the key identifier sent by the cellular network access device, and then the UE determines the key corresponding to the key identifier.
- the UE performs security authentication directly with the non-cellular network access device according to the received key identifier and the determined key.
- the authentication time is short and the signaling overhead is small.
- the embodiment of the present invention further provides an access authentication device, which may be disposed in a non-cellular network access device, may be the non-cellular network access device itself, or may be a standalone device that can communicate with the non-cellular network access device, and the like.
- the device includes:
- a receiving unit 901 and an authentication unit 902.
- the receiving unit 901 is configured to receive a key identifier sent by the cellular network access device, where the key identifier is used to instruct the authentication unit to perform security authentication on the user equipment UE associated with it;
- the authentication unit 902 is configured to: when the receiving unit 901 receives an association request initiated by the UE to associate with the non-cellular network access device to which the authentication unit belongs, perform security authentication with the UE based on the key corresponding to the key identifier.
- the access authentication apparatus and the access authentication method provided in the embodiment shown in FIG. 3 are based on the same inventive concept. Since the principles by which the method and the apparatus solve the problem are similar, their implementations may refer to each other, and repeated description is omitted.
- the receiving unit receives the key identifier sent by the cellular network access device; the key identifier is used to instruct the authentication unit to perform security authentication on the UE associated with it, and to instruct the UE to perform security authentication with the access authentication device to which the authentication unit belongs according to the key corresponding to the key identifier.
- the UE and the access authentication device obtain the key identifier, so that the UE and the access authentication device directly perform the security authentication by using the key corresponding to the key identifier, the authentication time is short, and the signaling overhead is small.
- the embodiment of the present invention further provides a cellular network access device.
- the device includes a transceiver 1001, a processor 1002, and a memory 1003.
- the transceiver 1001, the processor 1002, and the memory 1003 are connected to each other.
- the specific connecting medium between the above components is not limited in the embodiment of the present invention.
- the memory 1003, the processor 1002, and the transceiver 1001 are connected by a bus 1004 in FIG. 10.
- the bus is indicated by a thick line in FIG. 10; the connection manner between the other components is only schematically illustrated and is not limiting.
- the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 10, but it does not mean that there is only one bus or one type of bus.
- the memory 1003 is used to store the program code executed by the processor 1002, and may be a volatile memory, such as a random-access memory (RAM);
- the memory 1003 may also be a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these.
- the memory 1003 may be a combination of the above memories.
- the processor 1002 in the embodiment of the present invention may be a central processing unit (English: central processing unit, CPU for short).
- the processor 1002 determines a key identifier, and then the transceiver 1001 is configured to separately send the key identifier determined by the processor 1002 to the UE and the non-cellular network access device, where the key identifier is used to indicate The UE performs security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- the processor 1002 may be implemented by:
- determining a logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device including the non-cellular network access device; and, for each non-cellular network access device managed by the logical function entity, determining a key identifier corresponding to the identifier of that non-cellular network access device.
- the transceiver 1001 sending the key identifier determined by the processor 1002 to the UE and the non-cellular network access device may specifically include: sending the key identifier that the processor 1002 determined for each non-cellular network access device to the non-cellular network access device corresponding to that identifier, and sending the key identifier list to the UE, where the key identifier list includes the identifier of each non-cellular network access device managed by the logical function entity and the key identifier corresponding to each non-cellular network access device.
- the processor 1002 may also be implemented by:
- determining a logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device including the non-cellular network access device; and determining a key identifier for the at least one non-cellular network access device managed by the logical function entity, wherein the key identifiers of the non-cellular network access devices in the at least one non-cellular network access device are the same, and the key identifier is used for security authentication between the UE and the non-cellular network access device corresponding to each identifier.
- the transceiver 1001 sends the key identifiers determined by the processor 1002 to the non-cellular network access devices corresponding to the identifiers of the respective non-cellular network access devices and the UE.
- the processor 1002 is further configured to determine a key, where the key is used for security authentication between the UE and the non-cellular network access device.
- the transceiver 1001 associates the key determined by the processor 1002 with the key identifier and sends both to the UE and to the non-cellular network access device.
- alternatively, the processor 1002 determines the key according to a predetermined derivation rule, the key being used for security authentication between the UE and the non-cellular network access device; the predetermined derivation rule is the same as the derivation rule used by the UE to determine the key for the non-cellular network access device with which it associates.
- in that case the transceiver 1001 is specifically configured to associate the key determined by the processor 1002 with the key identifier and send both to the non-cellular network access device, and to send only the key identifier to the UE.
- the processor 1002 is further configured to send, through the transceiver 1001, at least one of the following to the UE and/or the non-cellular network access device:
- a life cycle, used to indicate the validity period of the key and the key identifier;
- authentication mode indication information, used to indicate the authentication type adopted by the UE; the authentication type may be an authentication and key management (AKM) protocol, for example 802.1X EAP-AKA in cache mode.
- the cellular network access device provided here, the access authentication method of the embodiment shown in FIG. 1 and the access authentication apparatus shown in FIG. 7 are based on the same inventive concept and solve the problem on similar principles, so their implementations can refer to one another and are not repeated here.
- the embodiment of the present invention further provides a user equipment.
- the device includes a transceiver 1101, a processor 1102, and a memory 1103.
- the transceiver 1101, the processor 1102, and the memory 1103 are connected to each other.
- the specific connecting medium between the above components is not limited in the embodiment of the present invention.
- in FIG. 11 the memory 1103, the processor 1102 and the transceiver 1101 are connected by a bus 1104, drawn as a thick line; the connection between the other components is only illustrated schematically and is not limited to this.
- the bus may comprise an address bus, a data bus, a control bus and the like. For ease of representation only one thick line is drawn in FIG. 11, which does not mean that there is only one bus or only one type of bus.
- the memory 1103 stores the program code executed by the processor 1102 and may be a volatile memory such as a random access memory (RAM), or a non-volatile memory such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or any other medium that can carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited to these.
- the memory 1103 may be a combination of the above memories.
- the processor 1102 in the embodiment of the present invention may be a CPU.
- the transceiver 1101 is configured to receive a key identifier sent by the cellular network access device, where the key identifier indicates that the UE is to perform security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- the processor 1102 is configured to determine the key corresponding to the key identifier received by the transceiver 1101, and to perform security authentication with the non-cellular network access device according to the key identifier received by the transceiver 1101 and the determined key.
- the processor 1102 is specifically configured to determine the key corresponding to the key identifier in one of the following ways: from the key corresponding to the key identifier that the transceiver 1101 receives from the cellular network access device; or according to a predetermined derivation rule.
- the transceiver 1101 is specifically configured to receive a key identifier list sent by the cellular network access device, where the key identifier list includes the identifier of each non-cellular network access device with which the UE may be selected to associate and the key identifier corresponding to each of them.
- the processor 1102 is further configured to determine a target non-cellular network access device and to perform security authentication with it according to the key identifier corresponding to the identifier of the target non-cellular network access device in the key identifier list and the determined key, where the target non-cellular network access device is determined by the processor 1102 or by the cellular network access device.
- the user equipment provided here, the access authentication method of the embodiment shown in FIG. 2 and the access authentication apparatus shown in FIG. 8 are based on the same inventive concept and solve the problem on similar principles, so their implementations can refer to one another and are not repeated here.
- in summary, the UE receives the key identifier sent by the cellular network access device and determines the key corresponding to the key identifier.
- the UE then performs security authentication directly with the non-cellular network access device according to the received key identifier and the determined key.
- the authentication time is therefore short and the signaling overhead is small.
- the embodiment of the present invention further provides a non-cellular network access device.
- the device includes a transceiver 1201, a processor 1202, and a memory 1203.
- the transceiver 1201, the processor 1202, and the memory 1203 are connected to each other.
- the specific connecting medium between the above components is not limited in the embodiment of the present invention.
- in FIG. 12 the memory 1203, the processor 1202 and the transceiver 1201 are connected by a bus 1204, drawn as a thick line; the connection between the other components is only illustrated schematically and is not limited to this.
- the bus may comprise an address bus, a data bus, a control bus and the like. For ease of representation only one thick line is drawn in FIG. 12, which does not mean that there is only one bus or only one type of bus.
- the memory 1203 stores the program code executed by the processor 1202 and may be a volatile memory such as a RAM.
- the memory 1203 may also be a non-volatile memory such as a ROM, a flash memory, an HDD or an SSD, or any other medium that can carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited to these.
- the memory 1203 may be a combination of the above memories.
- the processor 1202 in the embodiment of the present invention may be a CPU.
- the transceiver 1201 is configured to receive a key identifier sent by the cellular network access device, where the key identifier indicates that the non-cellular network access device is to perform security authentication on the user equipment UE that associates with it;
- the processor 1202 is configured to, when the transceiver 1201 receives an association request initiated by the UE to associate with the non-cellular network access device, perform security authentication with the UE based on the key corresponding to the key identifier.
- the non-cellular network access device provided here, the access authentication method of the embodiment shown in FIG. 3 and the access authentication device shown in FIG. 9 are based on the same inventive concept and solve the problem on similar principles, so their implementations can refer to one another and are not repeated here.
- in summary, the non-cellular network access device receives the key identifier sent by the cellular network access device; the key identifier indicates that the non-cellular network access device is to perform security authentication on the UE that associates with it, and that the UE is to perform security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- since both the UE and the non-cellular network access device obtain the key identifier, they perform the security authentication directly with the key corresponding to it; the authentication time is short and the signaling overhead is small.
- an embodiment of the present invention provides an access authentication system, where the system includes a cellular network access device 1301, a UE 1302 and at least one non-cellular network access device 1303;
- the three can be connected wirelessly.
- the system shown in FIG. 13 is described by taking two non-cellular network access devices as an example.
- FIG. 13 is only an example; the number and structure of the devices are not specifically limited.
- the cellular network access device 1301 is configured to determine a key identifier, where the key identifier indicates that the UE is to perform security authentication with one non-cellular network access device 1303 of the at least one non-cellular network access device based on the key corresponding to the key identifier, and to send the key identifier to the UE and to that non-cellular network access device 1303, respectively;
- the UE 1302 is configured to receive the key identifier sent by the cellular network access device 1301 and to perform security authentication with the non-cellular network access device 1303 based on the key corresponding to the key identifier;
- the non-cellular network access device 1303 is configured to receive the key identifier sent by the cellular network access device 1301 and to perform security authentication with the UE 1302 based on the key corresponding to the key identifier.
- the system may further include a logical function entity 1304 for managing the at least one non-cellular network access device; for example, the two non-cellular network access devices 1303 shown in FIG. 13 may be managed by one logical function entity 1304.
- the cellular network access device 1301 is specifically configured to determine the logical function entity 1304 that manages the one non-cellular network access device 1303; to determine, for each non-cellular network access device 1303 managed by the logical function entity 1304, a key identifier corresponding to the identifier of that non-cellular network access device 1303; to send the key identifier corresponding to each non-cellular network access device 1303 to the non-cellular network access device 1303 having that identifier; and to send a key identifier list to the UE, where the key identifier list includes the identifier of each non-cellular network access device 1303 managed by the logical function entity 1304 and the key identifier corresponding to each of them;
- the UE 1302 is specifically configured to receive the key identifier list sent by the cellular network access device 1301 and, when performing security authentication with the one non-cellular network access device 1303 based on the key corresponding to the key identifier, to perform security authentication with the target non-cellular network access device using the key identifier corresponding to the identifier of the target non-cellular network access device in the key identifier list and the determined key, where the target non-cellular network access device is determined by the UE 1302 or by the cellular network access device 1301.
- alternatively, the system may further include a logical function entity 1304 for managing the at least one non-cellular network access device;
- the cellular network access device 1301 is specifically configured to determine the logical function entity 1304 that manages the non-cellular network access device 1303, and to determine one key identifier for the at least one non-cellular network access device 1303, where the key identifier corresponding to the identifier of each non-cellular network access device 1303 is the same and is used for security authentication between the UE 1302 and the non-cellular network access device 1303 corresponding to that identifier; the determined key identifier is sent to the non-cellular network access device 1303 corresponding to the identifier of each non-cellular network access device 1303 and to the UE 1302;
- the UE 1302 is specifically configured to perform security authentication with the target non-cellular network access device using the key identifier corresponding to the identifier of the target non-cellular network access device and the determined key, where the target non-cellular network access device is determined by the UE 1302 or by the cellular network access device 1301.
- the cellular network access device 1301 is further configured to determine a key used by the UE 1302 for security authentication with the non-cellular network access device 1303 and, when sending the determined key identifier to the UE 1302 and the non-cellular network access device 1303, to associate the key with the key identifier and send both to the UE 1302 and to the non-cellular network access device 1303;
- the UE 1302 is specifically configured to receive the key identifier and the key corresponding to it sent by the cellular network access device 1301, and to perform security authentication with the non-cellular network access device 1303 according to the received key identifier and key.
- alternatively, the cellular network access device 1301 is further configured to determine the key according to a predetermined derivation rule, the key being used by the UE 1302 for security authentication with the non-cellular network access device 1303, and, when sending the determined key identifier to the UE 1302 and the non-cellular network access device 1303, to associate the key with the key identifier and send both to the non-cellular network access device 1303 while sending only the key identifier to the UE 1302;
- the UE 1302, upon receiving the key identifier sent by the cellular network access device 1301, determines the key according to the same predetermined derivation rule and performs security authentication with the non-cellular network access device 1303 based on the key identifier and the determined key.
- the cellular network access device 1301 is further configured to send at least one of the following to the UE 1302 and/or the non-cellular network access device 1303:
- a life cycle, used to indicate the validity period of the key and the key identifier;
- authentication mode indication information, used to indicate the authentication type adopted by the UE 1302; the authentication type may be an authentication and key management (AKM) protocol, for example 802.1X EAP-AKA in cache mode.
- in summary, the non-cellular network access device receives the key identifier sent by the cellular network access device; the key identifier indicates that the non-cellular network access device is to perform security authentication on the UE that associates with it, and that the UE is to perform security authentication with the non-cellular network access device based on the key corresponding to the key identifier.
- since both the UE and the non-cellular network access device obtain the key identifier, they perform the security authentication directly with the key corresponding to it; the authentication time is short and the signaling overhead is small.
- the cellular network access device 1301 in the access authentication system provided by this embodiment may be the cellular network access device of the embodiment corresponding to FIG. 7 or FIG. 10; the UE 1302 may be the user equipment of the embodiment corresponding to FIG. 8 or FIG.; the non-cellular network access device 1303 may be the non-cellular network access device of the embodiment corresponding to FIG. 9 or FIG. 12.
- accordingly, for the functions of the cellular network access device 1301, the UE 1302 and the non-cellular network access device 1303 in the access authentication system, refer to those corresponding embodiments; repeated description is omitted.
- An embodiment of the present invention further provides an access authentication method. As shown in FIG. 14, the method includes:
- Step 1401 The cellular network access device determines a key for the non-cellular network access device, where the key is used by the user equipment UE for security authentication with the non-cellular network access device; the cellular network access device determines the key in the same manner as the UE determines it.
- the cellular network access device may determine for the UE an identical key for every non-cellular network access device under the logical function entity, or an identical key for every non-cellular network access device within a non-cellular network access device group under the logical function entity, or a different key for each non-cellular network access device within a non-cellular network access device group under the logical function entity.
- the key determined by the cellular network access device may be a key shared between the UE and the cellular network access device, such as KeNB, KRRCint, KRRCenc, KUPenc or KUPint, or a key derived from one or more of these keys according to a derivation rule.
- the cellular network access device may determine the key for the non-cellular network access device as follows:
- the cellular network access device derives the key for the non-cellular network access device from the key it shares with the UE.
- the derivation rule used to derive the key is pre-configured and is the same as the derivation rule pre-configured in the UE for deriving the key.
- alternatively, the method may further include:
- the cellular network access device sends the derivation rule used to derive the key to the UE, and the UE uses the derivation rule to derive the key for security authentication with the non-cellular network access device. After receiving the derivation rule, the UE derives, from the key it shares with the cellular network access device, the key used for security authentication with the non-cellular network access device.
- the cellular network access device may send the derivation rule to the UE in an LWA command message, which instructs the UE to perform LWA, or in another newly defined message.
- Step 1402 The cellular network access device sends the determined key to the non-cellular network access device.
- the cellular network access device may send the key to the non-cellular network access device through the logical function entity.
- the logical function entity and the non-cellular network access device communicate through a private interface, which is not limited by the present invention.
- the key may be sent on its own.
- the key may also be carried in the GTP-U (user plane of the GPRS Tunneling Protocol) tunnel establishment message sent by the cellular network access device to the logical function entity, or in another newly defined message.
- if the logical function entity and the non-cellular network access device are not the same node, the cellular network access device carries the key in the GTP-U tunnel establishment message sent to the logical function entity, and the logical function entity then forwards it to the non-cellular network access device.
- in this embodiment the key is determined by the cellular network access device, which then sends the determined key to the non-cellular network access device.
- because the UE determines the key in the same manner as the cellular network access device, the UE and the non-cellular network access device can perform the security authentication directly with that key; the authentication time is short and the signaling overhead is small.
- the non-cellular network access device and the logical function entity may be the same node.
- in that case the functions of the non-cellular network access device and the logical function entity may be implemented by one device, or the logical function entity may be embedded in the non-cellular network access device; if it is embedded, the logical function entity has an internal interface with the non-cellular network access device and the two exchange information through that internal interface.
- the cellular network access device may determine the key for the non-cellular network access device with which the UE is to associate in the following manner:
- the cellular network access device determines, according to a measurement report sent by the UE, the non-cellular network access device with which the UE needs to associate.
- the measurement report includes the signal quality of the WLAN networks where the UE is located, and the cellular network access device selects for the UE the non-cellular network access device of a WLAN network with better quality.
- the UE may measure the signal quality of the WLAN networks where it is located and send the measurement report formed from the results to the cellular network access device.
- the cellular network access device determines the key corresponding to the non-cellular network access device selected for the UE, the key being used for security authentication between the UE and that non-cellular network access device.
- the cellular network access device sends the determined key to the non-cellular network access device selected for the UE.
- the cellular network access device may also determine the key for the non-cellular network access device as follows:
- the cellular network access device determines the logical function entity to which the non-cellular network access device with which the UE is to associate belongs, and determines each non-cellular network access device managed by that logical function entity.
- for each of these non-cellular network access devices, the cellular network access device determines a key corresponding to that non-cellular network access device, the key being used by the UE for security authentication with it.
- the non-cellular network access device with which the UE is to associate may be selected for the UE by the cellular network access device; the logical function entity is then determined from the selected non-cellular network access device, and each non-cellular network access device managed by that logical function entity is obtained.
- the selection may proceed as follows: after receiving a measurement configuration request message from the cellular network access device, the UE measures the signal quality of the WLAN networks where it is located and sends the measurement report formed from the results to the cellular network access device.
- the cellular network access device determines, according to the measurement report sent by the UE, the non-cellular network access device with which the UE needs to associate, for example by selecting for the UE the non-cellular network access device of a WLAN network with better quality.
- the cellular network access device then sends the determined keys to the non-cellular network access devices, which can be implemented as follows:
- the cellular network access device sends the determined key corresponding to each non-cellular network access device to the non-cellular network access device having that identifier.
- the cellular network access device may also determine the key for the non-cellular network access device as follows:
- the cellular network access device determines the logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device including this one;
- the cellular network access device determines one key for the at least one non-cellular network access device, where the identifier of every non-cellular network access device among them corresponds to the same key;
- the key is used for security authentication between the UE and the non-cellular network access device corresponding to that identifier.
- the cellular network access device then sends the determined key to the non-cellular network access device.
- the cellular network access device may also determine the key for the non-cellular network access device as follows:
- the cellular network access device determines the logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device including this one;
- the at least one non-cellular network access device is organized into at least one non-cellular network access device group; that is, the non-cellular network access devices managed by the logical function entity are divided into groups, each group including at least one non-cellular network access device.
- the cellular network access device determines one key for each non-cellular network access device group, where within a group the identifier of every non-cellular network access device corresponds to the same key;
- the key is used for security authentication between the UE and the non-cellular network access device corresponding to that identifier.
- the keys corresponding to different non-cellular network access device groups are different.
- the cellular network access device also determines the key identifier corresponding to the key and sends the determined key identifier to the non-cellular network access device.
- the key identifier and the key may be sent together or separately.
- the manner in which the cellular network access device determines the key identifier corresponding to the key is the same as the manner in which the UE determines it.
- the key identifier may be determined from the key, the identifier of the UE and the identifier of the non-cellular network access device; from the key and the identifier of the UE; from the identifier of the UE and the identifier of the non-cellular network access device; from the identifier of the non-cellular network access device and the key; or from the identifier of the UE only.
- the key identifier in this embodiment is used for LWA and can therefore be distinguished from the key identifier of a traditional WLAN service: when a traditional WLAN service authenticates against an AAA server a key identifier is also generated, which differs from the one used for LWA, and the LWA key identifier can be marked so that the two can be told apart.
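- the three key granularities of Step 1401 and the key-identifier options above, worked through in code. This is an added example written for this page, not code from the patent or from any LWA implementation. The derivation rule (HMAC-SHA256 keyed with the shared cellular key), the label strings, the sample shared key, the logical function entity layout and the MAC addresses are all assumptions: the description leaves the rule open, and the 3GPP LWA key derivation is a different function. The key identifier uses the PMKID construction that the description of FIG. 15 quotes, plus the "key and UE identifier" variant listed above, which is what yields one identifier for every access device sharing a key.

```python
"""
Added example, not code from the patent: the cellular network access device
(eNB) determining keys and key identifiers for the WLAN APs under one logical
function entity at the three granularities of Step 1401, and building the
key identifier list that the UE receives.

Assumptions (the description does not fix them):
  * derivation rule: HMAC-SHA256 keyed with the shared cellular key (e.g. KeNB)
    over a label, the UE identifier and a scope string; 3GPP uses a different
    KDF, this one is only illustrative;
  * key identifier rule "key_ue_ap": the PMKID construction quoted for
    FIG. 15, HMAC-SHA1-128(PMK, "PMK_name" || MAC_AP || MAC_UE);
    rule "key_ue": the same HMAC without MAC_AP, one of the other options
    listed in the description, which yields one identifier per key.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class LogicalFunctionEntity:
    name: str
    groups: dict                      # group name -> list of AP MAC addresses

    def access_points(self):
        for group, members in self.groups.items():
            for mac_ap in members:
                yield group, mac_ap


def derive_key(shared_key, mac_ue, scope):
    """Assumed derivation rule; the UE runs the same rule with the same inputs."""
    return hmac.new(shared_key, b"LWA-key" + mac_ue + scope, hashlib.sha256).digest()


def key_identifier(pmk, mac_ap, mac_ue):
    """HMAC-SHA1-128(PMK, "PMK_name" || MAC_AP || MAC_UE); pass b"" as MAC_AP to omit it."""
    return hmac.new(pmk, b"PMK_name" + mac_ap + mac_ue, hashlib.sha1).digest()[:16]


def provision(shared_key, mac_ue, lfe, mode, id_rule="key_ue_ap"):
    """
    Returns (per_ap, key_id_list):
      per_ap        AP MAC -> (key, key identifier), what each AP receives
      key_id_list   AP MAC -> key identifier, the list sent to the UE
    mode: "per_lfe"   one key for every AP managed by the entity
          "per_group" one key per AP group, different keys across groups
          "per_ap"    a different key for every AP
    """
    per_ap = {}
    for group, mac_ap in lfe.access_points():
        scope = {"per_lfe": lfe.name.encode(),
                 "per_group": group.encode(),
                 "per_ap": mac_ap}[mode]
        key = derive_key(shared_key, mac_ue, scope)
        kid = key_identifier(key, mac_ap if id_rule == "key_ue_ap" else b"", mac_ue)
        per_ap[mac_ap] = (key, kid)
    return per_ap, {mac_ap: kid for mac_ap, (_, kid) in per_ap.items()}


def distinct_keys(per_ap):
    return len({key for key, _ in per_ap.values()})


def distinct_key_ids(per_ap):
    return len({kid for _, kid in per_ap.values()})


# Constructed sample input (not from the patent): one entity, two AP groups.
SHARED_KEY = bytes(range(32))                        # stands in for KeNB
MAC_UE = bytes.fromhex("0200000000aa")
LFE = LogicalFunctionEntity("lfe-1", {
    "group-a": [bytes.fromhex("020000000101"), bytes.fromhex("020000000102")],
    "group-b": [bytes.fromhex("020000000201")],
})

if __name__ == "__main__":
    for mode in ("per_lfe", "per_group", "per_ap"):
        per_ap, _ = provision(SHARED_KEY, MAC_UE, LFE, mode)
        print(mode, "distinct keys:", distinct_keys(per_ap),
              "distinct key identifiers:", distinct_key_ids(per_ap))
```

- with the PMKID rule the identifier differs per AP even when the key is shared across the entity, because MAC_AP is part of the input; the "key_ue" rule is what produces the single identifier for all devices under the entity that the apparatus description refers to. Either way the UE computes the identifiers itself from the same inputs, so the list it receives only tells it which identifier belongs to which AP.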
- An embodiment of the present invention further provides an access authentication method. As shown in FIG. 15, the method includes:
- Step 1501 The UE determines a key, where the key is used for security authentication between the UE and the non-cellular network access device.
- the UE may determine the key as follows:
- the UE derives the key from the key it shares with the cellular network access device, using a derivation rule;
- the derivation rule may be sent by the cellular network access device;
- specifically, the cellular network access device may send the derivation rule to the UE in an LWA command message.
- alternatively, the derivation rule may be pre-configured in the UE and be the same as the derivation rule used by the cellular network access device to derive the key for the non-cellular network access device; that is, the derivation rule may be configured in advance in both the UE and the cellular network access device.
- Step 1502 The UE determines a key identifier corresponding to the key.
- the key identifier may be determined from the key, the identifier of the UE and the identifier of the non-cellular network access device; from the key and the identifier of the UE; from the identifier of the UE and the identifier of the non-cellular network access device; from the identifier of the non-cellular network access device and the key; or from the identifier of the UE only.
- for example, following the PMKID construction of IEEE 802.11, the key identifier may be computed as PMKID = HMAC-SHA1-128(PMK, "PMK_name" || MAC_AP || MAC_UE), where:
- PMKID is the key identifier;
- PMK is the key;
- PMK_name is the key name, a fixed label string;
- MAC_UE is the identifier of the UE, that is, the MAC address of the UE in the WLAN;
- MAC_AP is the identifier of the non-cellular network access device, that is, the MAC address of the non-cellular network access device;
- HMAC is the keyed-hash message authentication code, SHA1 is the Secure Hash Algorithm 1, HMAC-SHA1-128 denotes the first 128 bits of the HMAC-SHA1 output, and || denotes concatenation.
- Step 1503 The UE uses the key and the key identifier to perform security authentication with the non-cellular network access device.
- the UE initiates an association request to the non-cellular network access device, where the association request carries the identifier of the UE and the key identifier.
- the non-cellular network access device determines, according to the identifier of the UE, the key identifier corresponding to the key it previously received from the cellular network access device, or determines that key identifier from the identifier of the UE and the key; it then confirms that the key identifier carried in the association request is the same as the determined key identifier and uses the key corresponding to the key identifier to perform four-way handshake security authentication with the UE. Matching the key identifier only selects the key; proof that the UE actually holds the key comes from the four-way handshake.
- the key identifier in this embodiment is used for LWA and can therefore be distinguished from the key identifier of a traditional WLAN service: when a traditional WLAN service authenticates against an AAA server a key identifier is also generated, which differs from the one used for LWA, and the LWA key identifier can be marked so that the two can be told apart.
- An embodiment of the present invention further provides an access authentication method. As shown in FIG. 16, the method includes:
- Step 1601: The non-cellular network access device receives a key sent by the cellular network access device, where the key is used to instruct the non-cellular network access device to perform security authentication on the user equipment UE associated with it.
- Step 1602: The non-cellular network access device determines a key identifier corresponding to the key.
- The non-cellular network access device may determine the key identifier according to the key and its own identifier; or, when receiving an association request from the UE that carries the identifier of the UE, according to the identifier of the UE and the key; or according to the identifier of the UE, the identifier of the non-cellular network access device and the key.
- Alternatively, the non-cellular network access device may determine the key identifier by receiving, from the cellular network access device, the key identifier corresponding to the key.
- Step 1603: The non-cellular network access device uses the key identifier and the key to perform security authentication with the UE.
- Specifically, the UE sends an association request to the non-cellular network access device; the non-cellular network access device checks that the key identifier received from the UE is the same as the key identifier it has stored, and the UE and the non-cellular network access device then perform a four-way handshake based on the key corresponding to the key identifier. After the four-way handshake authentication passes, the cellular network access device can perform multi-stream aggregation data transmission with the UE through the non-cellular network access device.
- The key identifier in this embodiment is used for LWA and can therefore be distinguished from the key identifier of traditional WLAN service. Specifically, when traditional WLAN service authenticates to an AAA server, a key identifier is also generated; the key identifier used for LWA can be marked so that the two are distinguishable.
- In the following, the cellular network is LTE, the cellular network access device is the eNB, the non-cellular network is the WLAN, the non-cellular network access device is the AP, and the logical function entity is the WT; the embodiment of the present invention is described specifically by taking the split-aggregation network system shown in FIG. 4A and FIG. 4B as an example.
- FIG. 17 is a schematic diagram of an access authentication method according to an embodiment of the present invention.
- Step 1701: The eNB determines a PMK for the AP.
- The PMK represents a key and is used for security authentication between the UE and the AP.
- The eNB may determine one key that is the same for every AP under the WT, or one key that is the same for every AP within each AP group under the WT, or a different key for each AP under the WT.
- The PMK may be a key shared by the eNB and the UE, for example KeNB, KRRCint, KRRCenc, KUPenc or KUPint, or it may be a key derived from one or more of these keys according to a derivation rule.
- Step 1702: The eNB sends the determined PMK to the WT.
- The WT can send the PMK corresponding to each AP to that AP through the private interface between the WT and the AP.
- The PMK can be sent separately, or it can be carried to the WT in a GTP-U tunnel establishment message (for example, a WT addition request message), or in a customized message, and the like.
- Optionally, the method may further include: the WT sends a key request message to the eNB, where the key request message is used to instruct the eNB to determine a key for each AP managed by the WT.
- The eNB may also determine a PMKID corresponding to the PMK and send the PMKID to the WT.
- The manner in which the eNB determines the PMKID corresponding to the PMK is the same as the manner in which the UE determines the PMKID corresponding to the PMK in step 1704.
- The WT can send the PMKID to the AP through the private interface between the WT and the AP.
- Step 1703: The UE receives an LWA command message sent by the eNB.
- The LWA command message is used by the UE to perform the related configuration of the LWA.
- The LWA command message can carry the information of the AP group.
- The LWA command message may carry the derivation rule by which the eNB instructs the UE to derive the key.
- The UE may determine a key for each AP included in the AP group based on the derivation rule, so that the key is the same as the key sent by the eNB to that AP.
- The UE may select one AP from the APs in the AP group as the target AP, for example the AP with the best signal, determine the key for it based on the derivation rule, and then perform security authentication with that AP.
- Step 1704: The UE determines the PMKID corresponding to the PMK.
- The UE may determine the PMKID based on the identity of the UE; the identity of the UE may be the WLAN MAC address of the UE.
- The UE may also determine the PMKID based on the identity of the AP; or based on the PMK, the identity of the UE and the identity of the AP; or based on the PMK and the identity of the UE; or based on the PMK and the identity of the AP.
- The identity of the AP may be a BSSID, ESSID or SSID.
- For example, PMKID = HMAC-SHA1-128(PMK, "PMK_name" || MAC_AP || MAC_UE), where:
- PMK_name represents the key name;
- MAC_UE represents the identifier of the UE, that is, the MAC address of the UE in the WLAN;
- MAC_AP represents the identity of the AP, that is, the MAC address of the AP;
- HMAC is a keyed-hash message authentication code and SHA1 is the Secure Hash Algorithm 1.
- Step 1705: The UE sends an association request message to the WLAN AP, where the association request message carries the PMKID.
- Step 1706: The AP determines the PMKID corresponding to the PMK.
- The AP may determine the PMKID based on the identity of the UE; the identity of the UE may be the WLAN MAC address of the UE.
- The AP may also determine the PMKID based on the identity of the AP; or based on the PMK, the identity of the UE and the identity of the AP; or based on the PMK and the identity of the UE; or based on the PMK and the identity of the AP.
- The manner in which the AP determines the PMKID corresponding to the PMK is the same as the manner in which the UE determines the PMKID corresponding to the PMK.
- If the PMKID determined by the AP for the PMK is the same as the PMKID received from the UE, the four-way handshake security authentication is performed using the PMK corresponding to that PMKID; if the two PMKIDs differ, the authentication fails.
- Alternatively, the AP may determine the PMKID corresponding to the PMK by receiving it from the WT that manages the AP, the PMKID having been sent to the WT by the eNB.
- The method may further include:
- Step 1707: The UE sends an LWA confirmation message to the eNB, where the message indicates whether the LWA has succeeded or failed.
- Alternatively, the success indication (an LWA confirmation message or a WT addition confirmation message) may be sent to the eNB by the WT after the AP has reported it to the WT; the specific implementation is not limited by the present invention.
- When the eNB receives the LWA success message sent by the UE or the WT, the method further includes:
- Step 1708: The eNB performs LWA data transmission with the UE via the AP.
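The following Python is an added illustration of the key-identifier mechanism of steps 1502/1503, 1602/1603 and 1701 to 1706; it is not code from the patent. The patent does not specify the derivation rule by which eNB and UE turn their shared key into a PMK, so the HMAC-SHA256 rule in derive_pmk is a hypothetical placeholder. The PMKID follows the page's formula HMAC-SHA1-128(PMK, PMK_name || MAC_AP || MAC_UE); the literal "PMK Name" and the AP-then-UE address order are taken from IEEE 802.11 as assumptions, since the page does not spell them out. All keys and MAC addresses are constructed sample values.

```python
import hashlib
import hmac

# Label prepended to the PMKID input. IEEE 802.11 uses the literal "PMK Name";
# the patent text writes the symbol as PMK_name.
PMK_NAME = b"PMK Name"


def derive_pmk(shared_key: bytes, ap_group_id: bytes) -> bytes:
    """Hypothetical derivation rule (not specified by the patent): bind the key
    the UE already shares with the eNB (e.g. KeNB) to an AP or AP-group identifier.
    The eNB and the UE must apply the identical rule; otherwise their PMKs, and
    hence their PMKIDs, disagree and the association fails (see lwa_association)."""
    return hmac.new(shared_key, b"LWA-PMK" + ap_group_id, hashlib.sha256).digest()


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_ue: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, PMK_name || MAC_AP || MAC_UE).
    HMAC-SHA1-128 is HMAC-SHA1 truncated to its first 128 bits (16 bytes).
    The AP-then-UE concatenation order is the IEEE 802.11 convention (assumption)."""
    return hmac.new(pmk, PMK_NAME + mac_ap + mac_ue, hashlib.sha1).digest()[:16]


class AccessPoint:
    """Non-cellular access device holding the PMK it received from the eNB via the WT."""

    def __init__(self, mac_ap: bytes, pmk: bytes):
        self.mac_ap = mac_ap
        self.pmk = pmk

    def handle_association(self, mac_ue: bytes, pmkid_from_ue: bytes) -> str:
        """Step 1706: recompute the PMKID from the stored PMK and the UE MAC carried
        in the association request. Only an exact match selects this PMK for the
        four-way handshake; any mismatch fails authentication before the handshake."""
        expected = compute_pmkid(self.pmk, self.mac_ap, mac_ue)
        # Constant-time comparison so the check does not leak which bytes differ.
        if hmac.compare_digest(expected, pmkid_from_ue):
            return "four-way-handshake"
        return "authentication-failed"


def lwa_association(shared_key_enb: bytes, shared_key_ue: bytes,
                    ap_group_id: bytes, mac_ap: bytes, mac_ue: bytes) -> str:
    """Run steps 1701 to 1706 end to end. The eNB derives from its copy of the shared
    key, the UE from its own copy; the two copies are identical in the good case."""
    # Steps 1701/1702: the eNB derives the PMK and pushes it (via the WT) to the AP.
    ap = AccessPoint(mac_ap, derive_pmk(shared_key_enb, ap_group_id))
    # Steps 1703/1704: the UE applies the same rule and computes the PMKID itself.
    pmk_ue = derive_pmk(shared_key_ue, ap_group_id)
    pmkid_ue = compute_pmkid(pmk_ue, mac_ap, mac_ue)
    # Steps 1705/1706: the association request carries (MAC_UE, PMKID); the AP checks it.
    return ap.handle_association(mac_ue, pmkid_ue)


# Constructed sample values (not taken from the patent).
KENB = bytes.fromhex("00" * 31 + "01")   # stands in for the eNB/UE shared key
AP_GROUP = b"wt1-group-a"                # identifier of the AP group under the WT
MAC_AP = bytes.fromhex("02aabbcc0001")
MAC_UE = bytes.fromhex("02ddeeff0002")

if __name__ == "__main__":
    print(lwa_association(KENB, KENB, AP_GROUP, MAC_AP, MAC_UE))
    # A UE whose shared key (or derivation rule) differs is rejected before the handshake.
    print(lwa_association(KENB, bytes(32), AP_GROUP, MAC_AP, MAC_UE))
```

Because the PMKID is keyed by the PMK and bound to both MAC addresses, the AP's check in step 1706 rejects a request whose PMK was derived from a different shared key or rule, and the same PMK yields a different PMKID for each AP/UE pair, which is what lets one PMK shared across an AP group still be matched to the right association.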
- An embodiment of the present invention provides an access authentication apparatus, as shown in FIG. 18.
- The apparatus is applied to a cellular network access device; specifically, it may be an apparatus independent of the cellular network access device, an apparatus disposed inside the cellular network access device, or it may be implemented by the cellular network access device itself.
- The access authentication apparatus includes:
- a processing unit 1801 configured to determine a key for the non-cellular network access device, where the key is used for security authentication between the user equipment UE and the non-cellular network access device, and the manner in which the processing unit determines the key is the same as the manner in which the UE determines the key;
- a transceiver unit 1802 configured to send the key determined by the processing unit 1801 to the non-cellular network access device.
- Optionally, when determining the key for the non-cellular network access device, the processing unit 1801 is configured to derive the key for the non-cellular network access device on the basis of the key shared with the UE, where the derivation rule used to derive the key is pre-configured and is the same as the derivation rule pre-configured in the UE for deriving the key.
- Optionally, when determining the key for the non-cellular network access device, the processing unit 1801 is configured to derive the key for the non-cellular network access device on the basis of the key shared with the UE, and the transceiver unit 1802 is further configured to send to the UE the derivation rule used to derive the key, where the derivation rule is used by the UE to derive the key for security authentication with the non-cellular network access device.
- Optionally, when determining a key for the non-cellular network access device, the processing unit 1801 is specifically configured to: determine a logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device including the non-cellular network access device; and, for each non-cellular network access device managed by the logical function entity, determine the key corresponding to the identifier of that non-cellular network access device. When sending the key determined by the processing unit 1801 to the non-cellular network access device, the transceiver unit 1802 is specifically configured to send the key determined for each non-cellular network access device to the non-cellular network access device corresponding to that device's identifier.
- Optionally, when determining a key for the non-cellular network access device, the processing unit 1801 is specifically configured to: determine a logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device including the non-cellular network access device; and determine a key for the at least one non-cellular network access device, where the key corresponding to the identifier of each of these non-cellular network access devices is the same, and the key is used for security authentication between the UE and the non-cellular network access device corresponding to the identifier.
- Optionally, when determining a key for the non-cellular network access device, the processing unit 1801 is specifically configured to: determine a logical function entity that manages the non-cellular network access device, the logical function entity managing at least one non-cellular network access device including the non-cellular network access device, the at least one non-cellular network access device being included in at least one non-cellular network access device group; and determine a key for each non-cellular network access device group, where the key corresponding to the identifier of each non-cellular network access device within a group is the same, and the key is used for security authentication between the UE and the non-cellular network access device corresponding to the identifier.
- Optionally, the processing unit 1801 is further configured to determine, after determining a key for the non-cellular network access device, a key identifier corresponding to the key; and the transceiver unit 1802 is further configured to send the key identifier determined by the processing unit to the non-cellular network access device.
- An embodiment of the present invention further provides an access authentication apparatus, as shown in FIG. 19.
- The apparatus is applied to the UE; it may be an apparatus independent of the UE, an access authentication apparatus disposed in the UE, or it may be implemented by the UE itself.
- The access authentication apparatus includes:
- a determining unit 1901 configured to determine a key, where the key is used by the UE to perform security authentication with a non-cellular network access device, and to determine a key identifier corresponding to the key;
- an authentication unit 1902 configured to perform security authentication with the non-cellular network access device by using the key and the key identifier.
- Optionally, when determining the key, the determining unit 1901 is specifically configured to use a derivation rule to derive the key on the basis of a key shared with the cellular network access device, where the derivation rule is sent by the cellular network access device, or the derivation rule is pre-configured in the UE and is the same as the derivation rule used by the cellular network access device to derive the key for the non-cellular network access device.
- An embodiment of the present invention further provides an access authentication apparatus, as shown in FIG. 20.
- The apparatus is applied to the non-cellular network access device; it may be an access authentication apparatus independent of the non-cellular network access device, an apparatus disposed in the non-cellular network access device, or it may be implemented by the non-cellular network access device itself.
- The access authentication apparatus includes:
- a transceiver unit 2001 configured to receive a key sent by the cellular network access device, where the key is used to instruct the non-cellular network access device to perform security authentication on the user equipment UE associated with the non-cellular network access device;
- a processing unit 2002 configured to determine a key identifier corresponding to the key, and to perform security authentication with the UE by using the key identifier and the key.
- Optionally, the transceiver unit 2001 is further configured to receive the key identifier corresponding to the key sent by the cellular network access device.
- An embodiment of the present invention further provides an access authentication device, which may be a device independent of the cellular network access device, a device disposed in the cellular network access device, or may be implemented by the cellular network access device itself.
- As shown in FIG. 21, the device includes a transceiver 2101, a processor 2102 and a memory 2103, which are connected to each other.
- The specific connecting medium between the above components is not limited in the embodiment of the present invention.
- In FIG. 21 the memory 2103, the processor 2102 and the transceiver 2101 are connected by a bus 2104, indicated by a thick line; the connection manner between the other components is only illustrated schematically and is not limiting.
- The bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation only one thick line is shown in FIG. 21, but this does not mean that there is only one bus or one type of bus.
- The memory 2103 is configured to store the program code executed by the processor 2102. It may be a volatile memory such as random-access memory (RAM), or a non-volatile memory such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited thereto. The memory 2103 may also be a combination of the above memories.
- The processor 2102 in the embodiment of the present invention may be a central processing unit (CPU).
- The processor 2102 is configured to determine a key for the non-cellular network access device, where the key is used for security authentication between the user equipment UE and the non-cellular network access device, and the manner in which the processor determines the key is the same as the manner in which the UE determines the key.
- The transceiver 2101 is configured to send the key determined by the processor 2102 to the non-cellular network access device.
- The processor 2102 can also perform the other operations performed by the processing unit 1801 shown in FIG. 18, and the transceiver 2101 can also perform the other operations performed by the transceiver unit 1802 shown in FIG. 18.
- An embodiment of the present invention further provides an access authentication device, which may be a device independent of the UE, a device disposed in the UE, or may be implemented by the UE itself.
- As shown in FIG. 22, the device includes a transceiver 2201, a processor 2202 and a memory 2203, which are connected to each other.
- The specific connecting medium between the above components is not limited in the embodiment of the present invention.
- In FIG. 22 the memory 2203, the processor 2202 and the transceiver 2201 are connected by a bus 2204, indicated by a thick line; the connection manner between the other components is only illustrated schematically and is not limiting.
- The bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation only one thick line is shown in FIG. 22, but this does not mean that there is only one bus or one type of bus.
- The memory 2203 is used to store the program code executed by the processor 2202. It may be a volatile memory such as RAM, or a non-volatile memory such as ROM, flash memory, an HDD or an SSD, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited thereto. The memory 2203 may also be a combination of the above memories.
- The processor 2202 in the embodiment of the present invention may be a CPU.
- The processor 2202 is configured to determine a key, where the key is used for security authentication between the UE and the non-cellular network access device; to determine a key identifier corresponding to the key; and to perform security authentication with the non-cellular network access device by using the key and the key identifier.
- The processor 2202 can also perform the other operations performed by the determining unit 1901 and the authentication unit 1902 shown in FIG. 19.
- An embodiment of the present invention further provides an access authentication device, which may be a device independent of the non-cellular network access device, a device disposed in the non-cellular network access device, or may be implemented by the non-cellular network access device itself.
- As shown in FIG. 23, the device includes a transceiver 2301, a processor 2302 and a memory 2303, which are connected to each other.
- The specific connecting medium between the above components is not limited in the embodiment of the present invention.
- In FIG. 23 the memory 2303, the processor 2302 and the transceiver 2301 are connected by a bus 2304, indicated by a thick line; the connection manner between the other components is only illustrated schematically and is not limiting.
- The bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation only one thick line is shown in FIG. 23, but this does not mean that there is only one bus or one type of bus.
- The memory 2303 is configured to store the program code executed by the processor 2302. It may be a volatile memory such as RAM, or a non-volatile memory such as ROM, flash memory, an HDD or an SSD, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited thereto. The memory 2303 may also be a combination of the above memories.
- The processor 2302 in the embodiment of the present invention may be a CPU.
- The transceiver 2301 is configured to receive a key sent by the cellular network access device, where the key is used to instruct the non-cellular network access device to perform security authentication on the user equipment UE associated with the non-cellular network access device.
- The processor 2302 is configured to determine a key identifier corresponding to the key, and to perform security authentication with the UE by using the key identifier and the key.
- The processor 2302 can also perform the other operations performed by the processing unit 2002 shown in FIG. 20, and the transceiver 2301 can also perform the other operations performed by the transceiver unit 2001 shown in FIG. 20.
- An embodiment of the present invention further provides an access authentication system, where the system includes a cellular network access device, a non-cellular network access device and a UE.
- The cellular network access device may be the cellular network access device provided by the embodiment corresponding to FIG. 18 or FIG. 21; the UE may be the UE provided by the embodiment corresponding to FIG. 19 or FIG. 22; and the non-cellular network access device may be the non-cellular network access device provided by the embodiment corresponding to FIG. 20 or FIG. 23.
- The number of devices included in the access authentication system is not specifically limited.
- Embodiments of the present invention can be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
- These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
- These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Claims (42)
- 一种接入认证方法,其特征在于,包括:蜂窝网接入设备确定密钥标识;所述蜂窝网接入设备将所述密钥标识分别发送给用户设备UE以及非蜂窝网接入设备,所述密钥标识用于指示所述UE基于所述密钥标识对应的密钥与所述非蜂窝网接入设备进行安全认证。
- 如权利要求1所述的方法,其特征在于,所述蜂窝网接入设备确定密钥标识,包括:所述蜂窝网接入设备确定管理所述非蜂窝网接入设备的逻辑功能实体,所述逻辑功能实体管理包括所述非蜂窝网接入设备在内的至少一个非蜂窝网接入设备;所述蜂窝网接入设备针对所述逻辑功能实体管理的每一个非蜂窝网接入设备分别执行以下步骤:确定所述每一个非蜂窝网接入设备的标识所对应的密钥标识;所述蜂窝网接入设备将确定的所述密钥标识发送给所述UE以及所述非蜂窝网接入设备,包括:所述蜂窝网接入设备将确定的每一个非蜂窝网接入设备对应的密钥标识分别发送给每一个非蜂窝网接入设备的标识对应的非蜂窝网接入设备,并将密钥标识列表发送给所述UE,所述密钥标识列表中包括所述逻辑功能实体管理的每一个非蜂窝网接入设备的标识以及每一个非蜂窝网接入设备对应的密钥标识。
- 如权利要求1所述的方法,其特征在于,所述蜂窝网接入设备确定密钥标识,包括:所述蜂窝网接入设备确定管理所述非蜂窝网接入设备的逻辑功能实体,所述逻辑功能实体管理包括所述非蜂窝网接入设备在内的至少一个非蜂窝网接入设备;所述蜂窝网接入设备为所述至少一个非蜂窝网接入设备确定密钥标识,其中,所述至少一个非蜂窝网接入设备中的各个非蜂窝网接入设备的标识对应的密钥标识相同,所述密钥标识用于所述UE与非蜂窝网接入设备的标识对应的非蜂窝网接入设备进行安全认证;所述蜂窝网接入设备将确定的所述密钥标识发送给所述UE以及所述非蜂窝网接入设备,包括:所述蜂窝网接入设备将确定的所述密钥标识分别发送给各个非蜂窝网接入设备的标识对应的非蜂窝网接入设备以及所述UE。
- 如权利要求1~3任一所述的方法,其特征在于,还包括:所述蜂窝网接入设备确定密钥,所述密钥用于所述UE与非蜂窝网接入设备进行安全认证;所述蜂窝网接入设备将确定的所述密钥标识发送给所述UE以及非蜂窝网接入设备,包括:所述蜂窝网接入设备将所述密钥和所述密钥标识关联后发送给所述UE以及非蜂窝网接入设备。
- 如权利要求1~3任一所述的方法,其特征在于,还包括:所述蜂窝网接入设备基于预定推演规则确定密钥;所述密钥用于所述UE与所述非蜂窝网接入设备进行安全认证,所述预定推演规则与所述UE为自身关联非蜂窝网接入设备确定密钥所使用的推演规则相同;所述蜂窝网接入设备将确定的所述密钥标识发送给所述UE和所述非蜂窝网接入设备,包括:所述蜂窝网接入设备将所述密钥和所述密钥标识关联后发送给所述非蜂窝网接入设备,并将所述密钥标识发送给所述UE。
- 如权利要求2~5任一所述的方法,其特征在于,还包括:所述蜂窝网接入设备将以下至少一项发送给所述UE和/或所述非蜂窝网接入设备:生命周期、认证方式指示信息;其中,所述生命周期用于指示所述密钥和所述密钥标识的有效期,所述认证方式指示信息用于指示所述UE采用的认证类型。
- 一种接入认证方法,其特征在于,包括:用户设备UE接收到蜂窝网接入设备发送的密钥标识,所述密钥标识用于指示所述UE基于该密钥标识对应的密钥与非蜂窝网接入设备进行安全认证;所述UE确定所述密钥标识对应的密钥;所述UE根据接收到的所述密钥标识以及确定的所述密钥与所述非蜂窝网接入设备进行安全认证。
- 如权利要求7所述的方法,其特征在于,所述UE确定所述密钥标识对应的密钥,包括:所述UE接收到所述蜂窝网接入设备发送的所述密钥标识对应的密钥;或者,所述UE与所述蜂窝网接入设备协商确定所述密钥标识对应的密钥;或者,所述UE根据预定推演规则确定所述密钥标识对应的密钥。
- 如权利要求7或8所述的方法,其特征在于,所述UE接收到蜂窝网接入设备发送的密钥标识,包括:所述UE接收到所述蜂窝网接入设备发送的密钥标识列表,所述密钥标识列表中包括所述UE待选择关联的各个非蜂窝网接入设备的标识以及各个非蜂窝网接入设备对应的密钥标识;所述UE根据接收到的所述密钥标识以及确定的所述密钥与所述非蜂窝网接入设备进行安全认证,包括:所述UE根据所述密钥标识列表中的目标非蜂窝网接入设备的标识对应的密钥标识以及确定的所述密钥与所述目标非蜂窝网接入设备进行安全认证,其中,所述目标非蜂窝网接入设备由所述UE或所述蜂窝网接入设备确定。
- 一种接入认证方法,其特征在于,包括:非蜂窝网接入设备接收到蜂窝网接入设备发送的密钥标识;所述密钥标 识用于指示所述非蜂窝网接入设备对关联自身的用户设备UE进行安全认证;所述非蜂窝网接入设备在接收到所述UE发起的关联所述非蜂窝网接入设备的关联请求时,基于所述密钥标识对应的密钥与所述UE进行安全认证。
- 一种接入认证装置,其特征在于,包括:确定单元,用于确定密钥标识;发送单元,用于将所述确定单元确定的所述密钥标识分别发送给用户设备UE以及非蜂窝网接入设备,所述密钥标识用于指示所述UE基于所述密钥标识对应的密钥与所述非蜂窝网接入设备进行安全认证。
- 如权利要求11所述的装置,其特征在于,所述确定单元,具体用于确定管理所述非蜂窝网接入设备的逻辑功能实体,所述逻辑功能实体管理包括所述非蜂窝网接入设备在内的至少一个非蜂窝网接入设备;并针对所述逻辑功能实体管理的每一个非蜂窝网接入设备分别执行以下步骤:确定所述每一个非蜂窝网接入设备的标识所对应的密钥标识;所述发送单元,具体用于将所述确定单元确定的每一个非蜂窝网接入设备对应的密钥标识分别发送给每一个非蜂窝网接入设备的标识对应的非蜂窝网接入设备,并将密钥标识列表发送给所述UE,所述密钥标识列表中包括所述逻辑功能实体管理的每一个非蜂窝网接入设备的标识以及每一个非蜂窝网接入设备对应的密钥标识。
- 如权利要求11所述的装置,其特征在于,所述确定单元,具体用于确定管理所述非蜂窝网接入设备的逻辑功能实体,所述逻辑功能实体管理包括所述非蜂窝网接入设备在内的至少一个非蜂窝网接入设备;并为所述逻辑功能实体所述至少一个非蜂窝网接入设备确定密钥标识,其中,所述至少一个非蜂窝网接入设备中的各个非蜂窝网接入设备的标识对应的密钥标识相同,所述密钥标识用于所述UE与非蜂窝网接入设备的标识对应的非蜂窝网接入设备进行安全认证;所述发送单元,具体用于将所述确定单元确定的所述密钥标识分别发送给各个非蜂窝网接入设备的标识对应的非蜂窝网接入设备以及所述UE。
- 如权利要求11~13任一所述的装置,其特征在于,所述确定单元,还用于确定密钥,所述密钥用于所述UE与非蜂窝网接入设备进行安全认证;所述发送单元,具体用于将所述确定单元确定的所述密钥和所述密钥标识关联后发送给所述UE以及非蜂窝网接入设备。
- 如权利要求11~13任一所述的装置,其特征在于,所述确定单元,还用于基于预定推演规则确定密钥;所述密钥用于所述UE与非蜂窝网接入设备进行安全认证;所述预定推演规则与所述UE为自身关联非蜂窝网接入设备确定密钥所使用的推演规则相同;所述发送单元,具体用于将所述确定单元确定的所述密钥和所述密钥标识关联后发送给所述非蜂窝网接入设备,并将所述密钥标识发送给所述UE。
- 如权利要求12~15任一所述的装置,其特征在于,所述发送单元,还用于将以下至少一项发送给所述UE和/或所述非蜂窝网接入设备:生命周期、认证方式指示信息;其中,所述生命周期用于指示所述密钥和所述密钥标识的有效期,所述认证方式指示信息用于指示所述UE采用的认证类型。
- 一种接入认证装置,其特征在于,包括:接收单元、确定单元以及认证单元;所述接收单元,用于接收到蜂窝网接入设备发送的密钥标识,所述密钥标识用于指示所述认证单元基于该密钥标识对应的密钥与非蜂窝网接入设备进行安全认证;所述确定单元,用于确定所述接收单元接收到的所述密钥标识对应的密钥;所述认证单元,用于根据所述接收单元接收到的所述密钥标识以及所述确定单元确定的所述密钥与所述非蜂窝网接入设备进行安全认证。
- 如权利要求17所述的装置,其特征在于,所述确定单元,具体用于:在所述接收单元接收到所述蜂窝网接入设备发送的所述密钥标识对应的密钥时,确定所述密钥标识对应的密钥;或者,与所述蜂窝网接入设备协商确定所述密钥标识对应的密钥;或者,根据预定推演规则确定所述密钥标识对应的密钥。
- 如权利要求17或18所述的装置,其特征在于,所述接收单元,具体用于接收所述蜂窝网接入设备发送的密钥标识列表,所述密钥标识列表中包括所述UE待选择关联的各个非蜂窝网接入设备的标识以及各个非蜂窝网接入设备对应的密钥标识;所述确定单元,还用于确定目标非蜂窝网接入设备;所述认证单元,具体用于根据所述密钥标识列表中的目标非蜂窝网接入设备的标识对应的密钥标识以及确定的所述密钥与所述目标非蜂窝网接入设备进行安全认证,其中,所述目标非蜂窝网接入设备由所述确定单元或所述蜂窝网接入设备确定。
- 一种接入认证装置,其特征在于,包括:接收单元以及认证单元;所述接收单元,用于接收到蜂窝网接入设备发送的密钥标识;所述密钥标识用于指示所述认证单元对关联自身的用户设备UE进行安全认证;所述认证单元,用于在所述接收单元接收到所述UE发起的关联所述认证单元所属的非蜂窝网接入设备的关联请求时,基于所述密钥标识对应的密钥与所述UE进行安全认证。
- 一种接入认证方法,其特征在于,包括:蜂窝网接入设备为非蜂窝网接入设备确定密钥,所述密钥用于用户设备UE与所述非蜂窝网接入设备进行安全认证;所述蜂窝网接入设备确定密钥的方式与所述UE确定密钥的方式相同;所述蜂窝网接入设备将确定的密钥发送给所述非蜂窝网接入设备。
- 如权利要求21所述的方法,其特征在于,所述蜂窝网接入设备为非蜂窝网接入设备确定密钥,包括:所述蜂窝网接入设备基于与所述UE的共享密钥为非蜂窝网接入设备推演密钥;其中,推演密钥所使用的推演规则为预配置,且与预配置在所述UE 中推演密钥所使用的推演规则相同。
- 如权利要求21所述的方法,其特征在于,所述蜂窝网接入设备为非蜂窝网接入设备确定密钥,包括:所述蜂窝网接入设备基于与所述UE的共享密钥为非蜂窝网接入设备推演密钥;所述方法还包括:所述蜂窝网接入设备将推演所述密钥所使用的推演规则发送给所述UE,所述推演规则用于所述UE为与所述非蜂窝网接入设备进行安全认证推演密钥。
- 如权利要求21~23任一所述的方法,其特征在于,所述蜂窝网接入设备为非蜂窝网接入设备确定密钥,包括:所述蜂窝网接入设备确定管理所述非蜂窝网接入设备的逻辑功能实体,所述逻辑功能实体管理包括所述非蜂窝网接入设备在内的至少一个非蜂窝网接入设备;所述蜂窝网接入设备针对所述逻辑功能实体管理的每一个非蜂窝网接入设备分别执行以下步骤:确定所述每一个非蜂窝网接入设备的标识所对应的密钥;所述蜂窝网接入设备将确定的所述密钥发送给所述非蜂窝网接入设备,包括:所述蜂窝网接入设备将确定的每一个非蜂窝网接入设备对应的密钥分别发送给每一个非蜂窝网接入设备的标识对应的非蜂窝网接入设备。
- 如权利要求21~23任一所述的方法,其特征在于,所述蜂窝网接入设备为非蜂窝网接入设备确定密钥,包括:所述蜂窝网接入设备确定管理所述非蜂窝网接入设备的逻辑功能实体,所述逻辑功能实体管理包括所述非蜂窝网接入设备在内的至少一个非蜂窝网接入设备;所述蜂窝网接入设备为所述至少一个非蜂窝网接入设备确定密钥,其中, 所述至少一个非蜂窝网接入设备中的各个非蜂窝网接入设备的标识对应的密钥相同,所述密钥用于所述UE与非蜂窝网接入设备的标识对应的非蜂窝网接入设备进行安全认证。
- The method according to any one of claims 21 to 23, wherein the cellular network access device determining a key for the non-cellular network access device comprises: the cellular network access device determining a logical functional entity that manages the non-cellular network access device, the logical functional entity managing at least one non-cellular network access device including the non-cellular network access device; the at least one non-cellular network access device being included in at least one non-cellular network access device group; and the cellular network access device determining a key for each non-cellular network access device group, wherein the keys corresponding to the identifiers of the respective non-cellular network access devices included in each non-cellular network access device group are the same, and the key is used by the UE to perform security authentication with the non-cellular network access device corresponding to the identifier of the non-cellular network access device.
- The method according to any one of claims 21 to 26, further comprising: after determining the key for the non-cellular network access device, the cellular network access device determining a key identifier corresponding to the key, and sending the key identifier to the non-cellular network access device.
- An access authentication method, comprising: a user equipment UE determining a key, the key being used for security authentication between the UE and a non-cellular network access device; the UE determining a key identifier corresponding to the key; and the UE performing security authentication with the non-cellular network access device using the key and the key identifier.
- The method according to claim 28, wherein the UE determining a key comprises: the UE deriving the key, using a derivation rule, on the basis of a shared key with the cellular network access device; wherein the derivation rule is sent by the cellular network access device, or the derivation rule is preconfigured in the UE and is the same as the derivation rule used by the cellular network access device to derive the key for the non-cellular network access device.
- An access authentication method, comprising: a non-cellular network access device receiving a key sent by a cellular network access device, the key being used to instruct the non-cellular network access device to perform security authentication on a user equipment UE associated with the non-cellular network access device; the non-cellular network access device determining a key identifier corresponding to the key; and the non-cellular network access device performing security authentication with the UE using the key identifier and the key.
- The method according to claim 30, wherein the non-cellular network access device determining the key identifier corresponding to the key comprises: the non-cellular network access device receiving the key identifier corresponding to the key sent by the cellular network access device.
- An access authentication apparatus, applied to a cellular network access device, comprising: a processing unit, configured to determine a key for a non-cellular network access device, the key being used for security authentication between a user equipment UE and the non-cellular network access device, wherein the processing unit determines the key in the same manner as the UE determines the key; and a transceiver unit, configured to send the key determined by the processing unit to the non-cellular network access device.
- The apparatus according to claim 32, wherein the processing unit is specifically configured to derive the key for the non-cellular network access device based on a shared key with the UE, wherein the derivation rule used to derive the key is preconfigured and is the same as the derivation rule preconfigured in the UE for deriving the key.
- The apparatus according to claim 32, wherein the processing unit is specifically configured to derive the key for the non-cellular network access device based on a shared key with the UE; and the transceiver unit is further configured to send the derivation rule used to derive the key to the UE, the derivation rule being used by the UE to derive a key for security authentication with the non-cellular network access device.
- The apparatus according to any one of claims 32 to 34, wherein the processing unit is specifically configured to: determine a logical functional entity that manages the non-cellular network access device, the logical functional entity managing at least one non-cellular network access device including the non-cellular network access device; and perform the following step separately for each non-cellular network access device managed by the logical functional entity: determine the key corresponding to the identifier of that non-cellular network access device; and the transceiver unit, when sending the key determined by the processing unit to the non-cellular network access device, is specifically configured to: send the key determined by the processing unit for each non-cellular network access device separately to the non-cellular network access device corresponding to that device's identifier.
- The apparatus according to any one of claims 32 to 34, wherein the processing unit is specifically configured to: determine a logical functional entity that manages the non-cellular network access device, the logical functional entity managing at least one non-cellular network access device including the non-cellular network access device; and determine a key for the at least one non-cellular network access device, wherein the keys corresponding to the identifiers of the respective non-cellular network access devices among the at least one non-cellular network access device are the same, and the key is used by the UE to perform security authentication with the non-cellular network access device corresponding to the identifier of the non-cellular network access device.
- The apparatus according to any one of claims 32 to 34, wherein the processing unit is specifically configured to: determine a logical functional entity that manages the non-cellular network access device, the logical functional entity managing at least one non-cellular network access device including the non-cellular network access device; the at least one non-cellular network access device being included in at least one non-cellular network access device group; and determine a key for each non-cellular network access device group, wherein the keys corresponding to the identifiers of the respective non-cellular network access devices included in each non-cellular network access device group are the same, and the key is used by the UE to perform security authentication with the non-cellular network access device corresponding to the identifier of the non-cellular network access device.
- The apparatus according to any one of claims 32 to 37, wherein the processing unit is further configured to, after determining the key for the non-cellular network access device, determine a key identifier corresponding to the key; and the transceiver unit is further configured to send the key identifier determined by the processing unit to the non-cellular network access device.
- An access authentication apparatus, applied to a user equipment UE, comprising: a determining unit, configured to determine a key, the key being used for security authentication between the UE and a non-cellular network access device, and to determine a key identifier corresponding to the key; and an authentication unit, configured to perform security authentication with the non-cellular network access device using the key and the key identifier.
- The apparatus according to claim 39, wherein the determining unit, when determining the key, is specifically configured to derive the key, using a derivation rule, on the basis of a shared key with the cellular network access device; wherein the derivation rule is sent by the cellular network access device, or the derivation rule is preconfigured in the UE and is the same as the derivation rule used by the cellular network access device to derive the key for the non-cellular network access device.
- An access authentication apparatus, applied to a non-cellular network access device, comprising: a transceiver unit, configured to receive a key sent by a cellular network access device, the key being used to instruct the non-cellular network access device to perform security authentication on a user equipment UE associated with the non-cellular network access device; and a processing unit, configured to determine a key identifier corresponding to the key, and to perform security authentication with the UE using the key identifier and the key.
- The apparatus according to claim 41, wherein the transceiver unit is further configured to receive the key identifier corresponding to the key sent by the cellular network access device.
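The claims above describe three parties: the cellular network access device and the UE each apply the same derivation rule to their shared key, the cellular device provisions the resulting key and a key identifier to the non-cellular access device (one key per device identifier, or one key per device group), and the UE and the non-cellular device then authenticate each other using the key and the key identifier. The following is an added example, not code from the patent or its applicant. The claims do not specify the derivation rule, the key identifier scheme or the authentication exchange; this example assumes HKDF-SHA256 as the derivation rule with the device or group identifier bound into the info field, a truncated SHA-256 of the key as the key identifier, and an HMAC nonce challenge-response as the security authentication. All names (`derive_key`, `key_identifier`, `NonCellularAccessDevice`, `ue_authenticate`, the `ap-*`/`grp-*` identifiers, `SHARED_KEY`) and sample values are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Shared key between the UE and the cellular network access device (constructed sample value).
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def derive_key(shared_key: bytes, rule_label: bytes, identifier: str, length: int = 32) -> bytes:
    """Derivation rule (assumed: HKDF-SHA256, one expand block) over the shared key.
    `identifier` is an access-device identifier (per-device keying) or a group
    identifier (per-group keying); binding it into the info field separates the keys."""
    prk = hmac.new(b"\x00" * 32, shared_key, hashlib.sha256).digest()       # HKDF-Extract, zero salt
    info = rule_label + b"|" + identifier.encode()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]  # HKDF-Expand, T(1)


def key_identifier(key: bytes) -> str:
    """Key identifier (assumed scheme): truncated SHA-256 over a domain tag and the key."""
    return hashlib.sha256(b"key-id|" + key).hexdigest()[:16]


def cellular_per_device_keys(shared_key: bytes, rule: bytes, ap_ids) -> Dict[str, bytes]:
    """Cellular device, per-device mode: a distinct key for each managed access device identifier."""
    return {ap_id: derive_key(shared_key, rule, ap_id) for ap_id in ap_ids}


def cellular_per_group_keys(shared_key: bytes, rule: bytes, groups: Dict[str, List[str]]) -> Dict[str, bytes]:
    """Cellular device, per-group mode: every access device in a group receives the same key."""
    out: Dict[str, bytes] = {}
    for group_id, ap_ids in groups.items():
        group_key = derive_key(shared_key, rule, group_id)
        for ap_id in ap_ids:
            out[ap_id] = group_key
    return out


class NonCellularAccessDevice:
    """Access device (e.g. a WLAN AP) holding provisioned keys, indexed by key identifier."""

    def __init__(self, ap_id: str) -> None:
        self.ap_id = ap_id
        self.keys: Dict[str, bytes] = {}

    def provision(self, key: bytes, key_id: str) -> None:
        self.keys[key_id] = key                            # what the cellular device sends it

    def respond(self, ue_key_id: str, ue_nonce: bytes) -> Optional[Tuple[bytes, bytes]]:
        """Select the key by identifier; if known, return (ap_nonce, proof over both nonces)."""
        key = self.keys.get(ue_key_id)
        if key is None:
            return None                                    # unknown key id: nothing to authenticate with
        ap_nonce = os.urandom(16)
        proof = hmac.new(key, b"AP|" + self.ap_id.encode() + ue_nonce + ap_nonce, hashlib.sha256).digest()
        return ap_nonce, proof

    def verify_ue(self, ue_key_id: str, ue_nonce: bytes, ap_nonce: bytes, ue_proof: bytes) -> bool:
        expected = hmac.new(self.keys[ue_key_id], b"UE|" + ue_nonce + ap_nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, ue_proof)


def ue_authenticate(ue_key: bytes, ap: NonCellularAccessDevice) -> bool:
    """UE side of the assumed mutual challenge-response; True only if both directions verify."""
    key_id = key_identifier(ue_key)                        # same identifier the cellular device computed
    ue_nonce = os.urandom(16)
    reply = ap.respond(key_id, ue_nonce)
    if reply is None:
        return False
    ap_nonce, ap_proof = reply
    expected = hmac.new(ue_key, b"AP|" + ap.ap_id.encode() + ue_nonce + ap_nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ap_proof):
        return False                                       # access device lacks the matching key
    ue_proof = hmac.new(ue_key, b"UE|" + ue_nonce + ap_nonce, hashlib.sha256).digest()
    return ap.verify_ue(key_id, ue_nonce, ap_nonce, ue_proof)


def run_scenarios() -> Dict[str, bool]:
    """Per-device and per-group provisioning, each followed by UE authentication attempts."""
    rule = b"WLAN-AUTH-KEY-v1"                             # derivation rule label, preconfigured on both sides
    dev_aps = {i: NonCellularAccessDevice(i) for i in ("ap-1", "ap-2", "ap-3")}
    for ap_id, k in cellular_per_device_keys(SHARED_KEY, rule, dev_aps).items():
        dev_aps[ap_id].provision(k, key_identifier(k))
    ue_key_ap1 = derive_key(SHARED_KEY, rule, "ap-1")      # UE: same rule, same shared key, target's id

    grp_aps = {i: NonCellularAccessDevice(i) for i in ("ap-1", "ap-2", "ap-3")}
    groups = {"grp-A": ["ap-1", "ap-2"], "grp-B": ["ap-3"]}
    for ap_id, k in cellular_per_group_keys(SHARED_KEY, rule, groups).items():
        grp_aps[ap_id].provision(k, key_identifier(k))
    ue_key_grp_a = derive_key(SHARED_KEY, rule, "grp-A")
    foreign_ue_key = derive_key(os.urandom(32), rule, "ap-1")  # UE with no shared key with this cell

    return {
        "per_device_ok": ue_authenticate(ue_key_ap1, dev_aps["ap-1"]),
        "per_device_other_ap_rejected": not ue_authenticate(ue_key_ap1, dev_aps["ap-2"]),
        "per_device_keys_distinct": ue_key_ap1 != derive_key(SHARED_KEY, rule, "ap-2"),
        "group_ok_ap1": ue_authenticate(ue_key_grp_a, grp_aps["ap-1"]),
        "group_ok_ap2": ue_authenticate(ue_key_grp_a, grp_aps["ap-2"]),
        "group_other_group_rejected": not ue_authenticate(ue_key_grp_a, grp_aps["ap-3"]),
        "foreign_ue_rejected": not ue_authenticate(foreign_ue_key, dev_aps["ap-1"]),
    }
```

The key identifier is what lets an access device holding several provisioned keys (one per UE or per group) pick the right one before any cryptographic check, and because it is a one-way function of the key it reveals nothing about the key itself. The per-group results show the trade-off the group-key claims imply: every access device in the group can authenticate the UE with the same key, so group membership, as decided by the cellular device's logical functional entity, is the trust boundary a deployment has to reason about.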
Priority Applications (7)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
BR112018002544-5A BR112018002544A2 (zh) | 2015-08-11 | 2015-09-25 | An access authentication method and device |
RU2018108000A RU2699403C1 (ru) | 2015-08-11 | 2015-09-25 | Method and apparatus for access authentication |
JP2018506968A JP6702595B2 (ja) | 2015-08-11 | 2015-09-25 | Access authentication method and apparatus |
EP15900857.2A EP3328106B1 (en) | 2015-08-11 | 2015-09-25 | Access verification method and apparatus |
KR1020187006457A KR102022813B1 (ko) | 2015-08-11 | 2015-09-25 | Access authentication method and apparatus |
CN201580001274.5A CN106797559B (zh) | 2015-08-11 | 2015-09-25 | Access authentication method and apparatus |
US15/892,817 US20180167811A1 (en) | 2015-08-11 | 2018-02-09 | Access authentication method and apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNPCT/CN2015/086637 | 2015-08-11 | ||
CN2015086637 | 2015-08-11 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/892,817 Continuation US20180167811A1 (en) | 2015-08-11 | 2018-02-09 | Access authentication method and apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017024662A1 true WO2017024662A1 (zh) | 2017-02-16 |
Family
ID=57982993
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2015/090766 WO2017024662A1 (zh) | 2015-08-11 | 2015-09-25 | Access authentication method and apparatus |
Country Status (8)
Country | Link |
---|---|
US (1) | US20180167811A1 (zh) |
EP (1) | EP3328106B1 (zh) |
JP (1) | JP6702595B2 (zh) |
KR (1) | KR102022813B1 (zh) |
CN (1) | CN106797559B (zh) |
BR (1) | BR112018002544A2 (zh) |
RU (1) | RU2699403C1 (zh) |
WO (1) | WO2017024662A1 (zh) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108449755A (zh) * | 2018-04-03 | 2018-08-24 | 新华三技术有限公司 | Terminal access method and apparatus |
US11121871B2 (en) * | 2018-10-22 | 2021-09-14 | International Business Machines Corporation | Secured key exchange for wireless local area network (WLAN) zero configuration |
US11197154B2 (en) * | 2019-12-02 | 2021-12-07 | At&T Intellectual Property I, L.P. | Secure provisioning for wireless local area network technologies |
EP4002766B1 (en) * | 2020-11-18 | 2024-04-24 | Deutsche Telekom AG | Method and system for reachability of services specific to one specific network access over a different network access and system thereof |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1663168A (zh) * | 2002-04-26 | 2005-08-31 | 汤姆森许可公司 | Transitive authentication, authorization and accounting in interworking between access networks |
CN101120534A (zh) * | 2003-12-19 | 2008-02-06 | 摩托罗拉公司 | System, method and apparatus for authentication in a wireless local area network (WLAN) |
CN103026745A (zh) * | 2011-07-29 | 2013-04-03 | 华为技术有限公司 | Method, apparatus and system for simplifying wireless local area network authentication |
WO2013181847A1 (zh) * | 2012-06-08 | 2013-12-12 | 华为技术有限公司 | Wireless local area network access authentication method, device and system |
Family Cites Families (36)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3105361B2 (ja) * | 1992-08-19 | 2000-10-30 | 日本電信電話株式会社 | Authentication method in a mobile communication system |
US6920559B1 (en) * | 2000-04-28 | 2005-07-19 | 3Com Corporation | Using a key lease in a secondary authentication protocol after a primary authentication protocol has been performed |
US7103359B1 (en) * | 2002-05-23 | 2006-09-05 | Nokia Corporation | Method and system for access point roaming |
JP4721739B2 (ja) * | 2005-03-18 | 2011-07-13 | 三洋電機株式会社 | Wireless LAN system |
US7606370B2 (en) * | 2005-04-05 | 2009-10-20 | Mcafee, Inc. | System, method and computer program product for updating security criteria in wireless networks |
JP5014608B2 (ja) * | 2005-09-30 | 2012-08-29 | 富士通株式会社 | Group communication method, user device and management device |
US7339915B2 (en) * | 2005-10-11 | 2008-03-04 | Cisco Technology, Inc. | Virtual LAN override in a multiple BSSID mode of operation |
US8374122B2 (en) * | 2005-12-21 | 2013-02-12 | Cisco Technology, Inc. | System and method for integrated WiFi/WiMax neighbor AP discovery and AP advertisement |
US20070224988A1 (en) * | 2006-03-24 | 2007-09-27 | Interdigital Technology Corporation | Method and apparatus for performing a handover procedure between a 3gpp lte network and an alternative wireless network |
US8468338B2 (en) * | 2006-07-06 | 2013-06-18 | Apple, Inc. | Wireless access point security for multi-hop networks |
US8073428B2 (en) * | 2006-09-22 | 2011-12-06 | Kineto Wireless, Inc. | Method and apparatus for securing communication between an access point and a network controller |
US8320561B2 (en) * | 2007-08-08 | 2012-11-27 | Qualcomm Incorporated | Key identifier in packet data convergence protocol header |
US8667151B2 (en) * | 2007-08-09 | 2014-03-04 | Alcatel Lucent | Bootstrapping method for setting up a security association |
ES2589112T3 (es) * | 2007-11-30 | 2016-11-10 | Telefonaktiebolaget Lm Ericsson (Publ) | Key management for secure communication |
US8898474B2 (en) * | 2008-11-04 | 2014-11-25 | Microsoft Corporation | Support of multiple pre-shared keys in access point |
KR101556906B1 (ko) * | 2008-12-29 | 2015-10-06 | 삼성전자주식회사 | Handover method between heterogeneous wireless communication networks using pre-authentication |
US20100246416A1 (en) * | 2009-03-25 | 2010-09-30 | Amit Sinha | Systems and methods for remote testing of wireless lan access points |
BRPI0924982A2 (pt) * | 2009-04-10 | 2016-01-12 | Huawei Tech Co Ltd | Method, apparatus and system for handover |
CN102045714B (zh) * | 2009-10-10 | 2013-07-10 | 上海贝尔股份有限公司 | Method and apparatus for providing interworking security between a 3GPP network and a wireless local area network |
US8630416B2 (en) * | 2009-12-21 | 2014-01-14 | Intel Corporation | Wireless device and method for rekeying with reduced packet loss for high-throughput wireless communications |
WO2012092604A2 (en) * | 2010-12-30 | 2012-07-05 | Interdigital Patent Holdings, Inc. | Authentication and secure channel setup for communication handoff scenarios |
EP2730112A4 (en) * | 2011-07-08 | 2015-05-06 | Nokia Corp | METHOD AND APPARATUS FOR AUTHENTICATING SUBSCRIBERS TO LONG-TERM EVOLUTION TELECOMMUNICATION NETWORKS OR UNIVERSAL MOBILE TELECOMMUNICATION SYSTEM |
US9143937B2 (en) * | 2011-09-12 | 2015-09-22 | Qualcomm Incorporated | Wireless communication using concurrent re-authentication and connection setup |
US8837741B2 (en) * | 2011-09-12 | 2014-09-16 | Qualcomm Incorporated | Systems and methods for encoding exchanges with a set of shared ephemeral key data |
US8594628B1 (en) * | 2011-09-28 | 2013-11-26 | Juniper Networks, Inc. | Credential generation for automatic authentication on wireless access network |
WO2013068033A1 (en) * | 2011-11-07 | 2013-05-16 | Option | Establishing a communication session |
CN103428690B (zh) * | 2012-05-23 | 2016-09-07 | 华为技术有限公司 | Security establishment method, system and device for a wireless local area network |
WO2014028691A1 (en) * | 2012-08-15 | 2014-02-20 | Interdigital Patent Holdings, Inc. | Enhancements to enable fast security setup |
US8923880B2 (en) * | 2012-09-28 | 2014-12-30 | Intel Corporation | Selective joinder of user equipment with wireless cell |
US9078131B2 (en) * | 2013-05-05 | 2015-07-07 | Intel IP Corporation | Apparatus, system and method of communicating location-enabling information for location estimation |
KR20140142677A (ko) * | 2013-06-04 | 2014-12-12 | 삼성전자주식회사 | Method and apparatus for wireless docking-based services using a group key |
JP6304788B2 (ja) * | 2014-03-24 | 2018-04-04 | インテル アイピー コーポレーション | Apparatus, system and method for securing user equipment (UE) communication in a wireless local area network |
CN107211273B (zh) * | 2015-02-12 | 2021-03-12 | 瑞典爱立信有限公司 | Wireless communications involving a fast initial link setup (FILS) discovery frame for network signaling |
US9769661B2 (en) * | 2015-04-06 | 2017-09-19 | Qualcomm, Incorporated | Wireless network fast authentication / association using re-association object |
EP3281456B1 (en) * | 2015-04-10 | 2019-04-24 | Telefonaktiebolaget LM Ericsson (publ) | Autonomous lte-wlan interface setup and information exchange |
CN107683621A (zh) * | 2015-05-26 | 2018-02-09 | 英特尔Ip公司 | WLAN mobility for LTE/WLAN aggregation |
2015
- 2015-09-25 RU RU2018108000A patent/RU2699403C1/ru active
- 2015-09-25 JP JP2018506968A patent/JP6702595B2/ja active Active
- 2015-09-25 WO PCT/CN2015/090766 patent/WO2017024662A1/zh active Application Filing
- 2015-09-25 EP EP15900857.2A patent/EP3328106B1/en active Active
- 2015-09-25 CN CN201580001274.5A patent/CN106797559B/zh active Active
- 2015-09-25 KR KR1020187006457A patent/KR102022813B1/ko active IP Right Grant
- 2015-09-25 BR BR112018002544-5A patent/BR112018002544A2/zh not_active IP Right Cessation
2018
- 2018-02-09 US US15/892,817 patent/US20180167811A1/en not_active Abandoned
Also Published As
Publication number | Publication date |
---|---|
EP3328106A4 (en) | 2018-08-29 |
BR112018002544A2 (zh) | 2018-09-18 |
CN106797559A (zh) | 2017-05-31 |
EP3328106B1 (en) | 2020-08-12 |
EP3328106A1 (en) | 2018-05-30 |
RU2699403C1 (ru) | 2019-09-05 |
KR20180038493A (ko) | 2018-04-16 |
JP2018527819A (ja) | 2018-09-20 |
JP6702595B2 (ja) | 2020-06-03 |
KR102022813B1 (ko) | 2019-09-18 |
US20180167811A1 (en) | 2018-06-14 |
CN106797559B (zh) | 2020-07-28 |
Similar Documents
Publication | Title |
---|---|
EP3494759B1 (en) | Techniques for establishing a secure connection between a wireless device and a local area network via an access node |
US20220272528A1 (en) | WWAN-WLAN aggregation security |
TWI620449B (zh) | Method and apparatus for accelerated link setup |
US11140725B2 (en) | Wireless communications involving a fast initial link setup, FILS, discovery frame for network signaling |
US20170359719A1 (en) | Key generation method, device, and system |
JP2017538345A (ja) | Method, apparatus and system |
WO2015096138A1 (zh) | Traffic offloading method, user equipment, base station and access point |
US20180167811A1 (en) | Access authentication method and apparatus |
KR101873391B1 (ko) | Reducing reassociation time for a STA connected to an AP |
WO2024145946A1 (en) | Apparatus, method, and computer program |
TWI602446B (zh) | Device and method for handling an authentication procedure |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15900857; Country of ref document: EP; Kind code of ref document: A1 |
ENP | Entry into the national phase | Ref document number: 2018506968; Country of ref document: JP; Kind code of ref document: A |
NENP | Non-entry into the national phase | Ref country code: DE |
WWE | Wipo information: entry into national phase | Ref document number: 2015900857; Country of ref document: EP |
ENP | Entry into the national phase | Ref document number: 20187006457; Country of ref document: KR; Kind code of ref document: A |
WWE | Wipo information: entry into national phase | Ref document number: 2018108000; Country of ref document: RU |
REG | Reference to national code | Ref country code: BR; Ref legal event code: B01A; Ref document number: 112018002544; Country of ref document: BR |
ENP | Entry into the national phase | Ref document number: 112018002544; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20180207 |