WO2020147602A1 - Authentication method, apparatus and system - Google Patents


Publication number
WO2020147602A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
failure
terminal device
value corresponding
information
Prior art date
Application number
PCT/CN2020/070450
Other languages
French (fr)
Chinese (zh)
Inventor
张博
赵绪文
Original Assignee
Huawei Technologies Co., Ltd. (华为技术有限公司)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd. (华为技术有限公司)
Publication of WO2020147602A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/06 Authentication

Definitions

  • This application relates to the field of communications, and, more specifically, to an authentication method, device, and system.
  • An attacker can intercept the user identifier of a terminal device from air-interface messages and use a pseudo base station to capture the authentication request message that the network side sends to that terminal device. The attacker then controls several pseudo base stations, each of which replays the captured authentication request message to the terminal devices it has attracted, triggering each of them to perform authentication.
  • When the targeted terminal device receives the replayed authentication request message, the message authentication code (MAC) check succeeds, because the message was genuinely generated for that device, but the sequence number (SQN) check fails, because the message is a replay and its SQN has already been used.
  • The targeted terminal device therefore returns an authentication failure message of the synchronization failure type to the pseudo base station.
  • Every other terminal device that receives the replayed message fails the MAC check, because the message was not generated with its key, and returns an authentication failure message of the MAC failure type to the pseudo base station.
  • From the type of the authentication failure message, the attacker can determine whether the targeted terminal device is within the coverage of one or more of the pseudo base stations, and can then locate it precisely with methods such as triangulation.
  • Even when the user identifier is encrypted, so that the attacker cannot identify a particular terminal device from the identifier alone, the attack above can be carried out twice to locate a particular device. For example, in the first attack the signal coverage of the pseudo base station is set small, so that only the target terminal device is attracted (the pseudo base station can be placed as close to it as possible), and its authentication request message is captured. After the terminal device moves to another area, the attacker repeats the same steps and finally locates the device.
  • This application provides an authentication method, device and system with higher security performance.
  • In a first aspect, an authentication method includes: a terminal device receives an authentication request message sent by an access and mobility management function (AMF) entity; the terminal device performs authentication according to the authentication request message; if the authentication fails, the terminal device encrypts the cause value corresponding to the authentication failure type to obtain failure encryption information; and the terminal device sends the failure encryption information to the AMF entity.
  • Because the cause value of the authentication failure type is encrypted, an attacker who intercepts the authentication failure message cannot distinguish the specific failure type and therefore cannot locate the user; the user's privacy is not leaked and the security of the system is improved.
  • Encrypting the cause value corresponding to the authentication failure type to obtain the failure encryption information includes: if the authentication failure type is synchronization failure, encrypting the cause value corresponding to synchronization failure together with the local sequence number information of the terminal device; or, if the authentication failure type is message authentication code failure, encrypting the cause value corresponding to MAC failure.
  • The failure encryption information has the same length for both failure types.
  • Thus the attacker cannot infer the authentication failure type from the length of the failure encryption information either, and cannot locate a tracked user or correlate that user's locations, so the user's privacy is not leaked.
  • Encrypting the cause value corresponding to synchronization failure together with the local sequence number information includes: concatenating the cause value corresponding to synchronization failure with the local sequence number information of the terminal device to obtain a first intermediate value; and encrypting the first intermediate value to obtain the failure encryption information.
  • Encrypting the cause value corresponding to MAC failure includes: concatenating the cause value corresponding to MAC failure with an N-bit binary number to obtain a second intermediate value, where N is an integer greater than or equal to 1 (chosen so that the second intermediate value is as long as the first); and encrypting the second intermediate value to obtain the failure encryption information.
  • The failure encryption information is sent in an authentication failure message, which further includes encryption indication information indicating that the authentication failure message carries the failure encryption information.
  • The local sequence number information of the terminal device is either the local sequence number of the terminal device itself or a parameter derived from it.
  • The method further includes: obtaining a first authentication code according to the cause value corresponding to the authentication failure type, where the first authentication code is used to verify the authentication failure type; and the terminal device sending the first authentication code to the AMF entity.
  • The method further includes: the terminal device generates a shared secret key, and encrypting the cause value corresponding to the authentication failure type then means encrypting it with the shared secret key to obtain the failure encryption information.
  • In a second aspect, an authentication method includes: an AMF entity sends an authentication request message to a terminal device; and the AMF entity receives failure encryption information sent by the terminal device, the failure encryption information having been obtained by encrypting the cause value corresponding to the authentication failure type.
  • The failure encryption information is obtained as follows: if the authentication failure type is synchronization failure, by encrypting the cause value corresponding to synchronization failure together with the local sequence number information of the terminal device; or, if the authentication failure type is MAC failure, by encrypting the cause value corresponding to MAC failure.
  • The failure encryption information has the same length for both failure types.
  • For synchronization failure, the cause value corresponding to synchronization failure is concatenated with the local sequence number information of the terminal device to obtain a first intermediate value, and the first intermediate value is encrypted to obtain the failure encryption information.
  • For MAC failure, the cause value corresponding to MAC failure is concatenated with an N-bit binary number to obtain a second intermediate value, where N is an integer greater than or equal to 1, and the second intermediate value is encrypted to obtain the failure encryption information.
  • The failure encryption information is sent in an authentication failure message, which further includes encryption indication information indicating that the authentication failure message carries the failure encryption information.
  • The local sequence number information of the terminal device is either the local sequence number of the terminal device itself or a parameter derived from it.
  • The method further includes: the AMF entity sends the failure encryption information to the authentication server function (AUSF) entity.
  • The method further includes: the AMF entity decrypts the failure encryption information.
  • The authentication failure message further includes a first authentication code, obtained according to the cause value of the authentication failure type and used to verify that type. The method further includes: matching the first authentication code against a second authentication code and determining the authentication failure type from the matching result, where the second authentication code is obtained from the cause value corresponding to a first authentication failure type, and the first authentication failure type is MAC failure or synchronization failure.
  • The method further includes: the AMF entity generates a shared secret key, and decrypting the failure encryption information means decrypting it with the shared secret key.
  • In a third aspect, an authentication method includes: an AUSF entity receives failure encryption information sent by an AMF entity, the failure encryption information having been obtained by encrypting the cause value corresponding to the authentication failure type.
  • The failure encryption information is obtained as follows: if the authentication failure type is synchronization failure, by encrypting the cause value corresponding to synchronization failure together with the local sequence number information of the terminal device; or, if the authentication failure type is MAC failure, by encrypting the cause value corresponding to MAC failure.
  • The failure encryption information has the same length for both failure types.
  • For synchronization failure, the cause value corresponding to synchronization failure is concatenated with the local sequence number information of the terminal device to obtain a first intermediate value, and the first intermediate value is encrypted to obtain the failure encryption information.
  • For MAC failure, the cause value corresponding to MAC failure is concatenated with an N-bit binary number to obtain a second intermediate value, where N is an integer greater than or equal to 1, and the second intermediate value is encrypted to obtain the failure encryption information.
  • The local sequence number information of the terminal device is either the local sequence number of the terminal device itself or a parameter derived from it.
  • The method further includes: the AUSF entity sends the failure encryption information to the unified data management (UDM) entity.
  • The method further includes: the AUSF entity decrypts the failure encryption information.
  • The method further includes: the AUSF entity generates a shared secret key, and decrypting the failure encryption information means decrypting it with the shared secret key.
  • The method further includes: the AUSF entity generates a second authentication code, used to verify the authentication failure type, and sends the second authentication code to the AMF entity.
  • In a fourth aspect, an authentication method includes: a UDM entity receives failure encryption information sent by an AUSF entity, the failure encryption information having been obtained by encrypting the cause value corresponding to the authentication failure type; and the UDM entity decrypts the failure encryption information.
  • The failure encryption information is obtained as follows: if the authentication failure type is synchronization failure, by encrypting the cause value corresponding to synchronization failure together with the local sequence number information of the terminal device; or, if the authentication failure type is MAC failure, by encrypting the cause value corresponding to MAC failure.
  • The failure encryption information has the same length for both failure types.
  • For synchronization failure, the cause value corresponding to synchronization failure is concatenated with the local sequence number information of the terminal device to obtain a first intermediate value, and the first intermediate value is encrypted to obtain the failure encryption information.
  • For MAC failure, the cause value corresponding to MAC failure is concatenated with an N-bit binary number to obtain a second intermediate value, where N is an integer greater than or equal to 1, and the second intermediate value is encrypted to obtain the failure encryption information.
  • The local sequence number information of the terminal device is either the local sequence number of the terminal device itself or a parameter derived from it.
  • The method further includes: the UDM entity generates a shared secret key, and decrypting the failure encryption information means decrypting it with the shared secret key.
  • The method further includes: the UDM entity generates a second authentication code, used to verify the authentication failure type, and sends the second authentication code to the AMF entity.
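The replay attack described in the background above (a replayed authentication request draws a synchronization failure from the targeted device but a MAC failure from every other device) and the countermeasure of the first to fourth aspects (encrypt the cause value, pad both failure types to one length, and let the network side determine the type by matching a first authentication code against a second one) as one added Python model. This is example code written for this page, not Huawei's implementation and not any 3GPP-specified function: HMAC-SHA256 stands in for f1, f5, the key derivation and the cipher; the derivation of the shared key from the long-term key and RAND, the 8-byte nonce, the six-byte SQN, the cause values and the layout of the protected message are assumptions; the keys are constructed; and the names `UE`, `make_auth_request`, `network_decode_failure` and `replay_attack_demo` are the example's own.

```python
"""Constructed model of the failure-message protection described on this page.
HMAC-SHA256 stands in for the AKA functions f1/f5, for the key derivation and
for the cipher; field sizes are simplified; the cause values (#20 MAC failure,
#21 synch failure, per 3GPP TS 24.501) and the message layout are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CAUSE_MAC_FAILURE = 20
CAUSE_SYNC_FAILURE = 21
SQN_LEN = 6      # bytes of sequence number carried in AUTN
MAC_LEN = 8      # bytes of message authentication code carried in AUTN
K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")   # constructed long-term key


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_auth_request(k: bytes, sqn: int) -> Tuple[bytes, bytes]:
    """Network side: RAND and AUTN = (SQN xor AK) || MAC, with MAC over SQN and RAND."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(SQN_LEN, "big")
    ak = _prf(k, b"f5", rand)[:SQN_LEN]
    return rand, _xor(sqn_b, ak) + _prf(k, b"f1", sqn_b, rand)[:MAC_LEN]


@dataclass
class UE:
    k: bytes
    sqn_local: int      # highest sequence number accepted so far

    def verify(self, rand: bytes, autn: bytes) -> Optional[int]:
        """None on success, otherwise the cause value of the failure type."""
        ak = _prf(self.k, b"f5", rand)[:SQN_LEN]
        sqn_b = _xor(autn[:SQN_LEN], ak)
        xmac = _prf(self.k, b"f1", sqn_b, rand)[:MAC_LEN]
        if not hmac.compare_digest(xmac, autn[SQN_LEN:]):
            return CAUSE_MAC_FAILURE        # AUTN was not generated with this UE's key
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_local:
            return CAUSE_SYNC_FAILURE       # MAC is valid but the SQN is stale: a replay
        self.sqn_local = sqn
        return None

    def legacy_failure(self, cause: int) -> bytes:
        """Cleartext failure as sent today: the cause byte differs and only the
        synchronization failure carries a resynchronization value."""
        if cause == CAUSE_SYNC_FAILURE:
            return bytes([cause]) + self.sqn_local.to_bytes(SQN_LEN, "big")
        return bytes([cause])

    def protected_failure(self, rand: bytes, cause: int) -> bytes:
        """Failure message per the page: cause || local SQN (sync failure) or
        cause || N-bit padding (MAC failure), encrypted under a shared key so both
        types have one length, plus a first authentication code over the cause."""
        k_fail = _prf(self.k, b"fail-key", rand)[:16]   # assumed shared-key derivation
        if cause == CAUSE_SYNC_FAILURE:
            body = bytes([cause]) + self.sqn_local.to_bytes(SQN_LEN, "big")
        else:
            body = bytes([cause]) + bytes(SQN_LEN)        # N = 8 * SQN_LEN zero bits
        nonce = os.urandom(8)                             # fresh per message (see note)
        ct = _xor(body, _prf(k_fail, b"enc", nonce)[:len(body)])
        code = _prf(k_fail, b"auth", nonce, bytes([cause]))[:8]
        return b"\x01" + nonce + ct + code                # 0x01 = encryption indication


def network_decode_failure(k: bytes, rand: bytes, msg: bytes) -> Tuple[int, Optional[int]]:
    """AMF/AUSF/UDM side: derive the same shared key, match the first authentication
    code against a second code computed for each candidate failure type, then
    decrypt.  Returns (cause, local SQN or None)."""
    if msg[0] != 0x01:
        raise ValueError("no encryption indication")
    nonce, ct, code = msg[1:9], msg[9:10 + SQN_LEN], msg[10 + SQN_LEN:]
    k_fail = _prf(k, b"fail-key", rand)[:16]
    matched = None
    for cand in (CAUSE_MAC_FAILURE, CAUSE_SYNC_FAILURE):
        if hmac.compare_digest(_prf(k_fail, b"auth", nonce, bytes([cand]))[:8], code):
            matched = cand
    if matched is None:
        raise ValueError("authentication code matches no failure type")
    body = _xor(ct, _prf(k_fail, b"enc", nonce)[:len(ct)])
    if body[0] != matched:
        raise ValueError("decrypted cause disagrees with authentication code")
    return matched, int.from_bytes(body[1:], "big") if matched == CAUSE_SYNC_FAILURE else None


def replay_attack_demo() -> Dict[str, object]:
    """Victim UE (key K) and a bystander UE (another constructed key) both get a replay."""
    ues = {"victim": UE(K, 0), "bystander": UE(bytes(16), 0)}
    rand, autn = make_auth_request(K, sqn=1)
    ues["victim"].verify(rand, autn)                               # genuine run; SQN 1 used
    causes = {n: u.verify(rand, autn) for n, u in ues.items()}     # the replay
    legacy = {n: u.legacy_failure(causes[n]) for n, u in ues.items()}
    protected = {n: u.protected_failure(rand, causes[n]) for n, u in ues.items()}
    return {"causes": causes,
            "legacy_len": {n: len(m) for n, m in legacy.items()},
            "protected_len": {n: len(m) for n, m in protected.items()},
            "recovered_victim": network_decode_failure(K, rand, protected["victim"]),
            "recovered_bystander": network_decode_failure(bytes(16), rand, protected["bystander"])}
```

`replay_attack_demo()` shows both halves of the page's argument: the cleartext responses differ in cause byte and in length (only the synchronization failure carries a resynchronization value), which is exactly what a pseudo base station needs to pick the victim out; the protected responses are 24 bytes for both types and carry nothing the attacker can compare, while the network still recovers the cause and, for the synchronization case, the local SQN. Two details the page leaves open matter in practice: the per-message nonce is included so that two replays of the same RAND to the same device do not produce identical ciphertexts or identical authentication codes (a first authentication code computed over the cause value alone would let an attacker link a device's responses even without reading the type), and the authentication code is bound to the cause so that a cause byte flipped in the ciphertext is rejected rather than silently decoded as the other failure type.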
  • In a fifth aspect, an authentication device includes modules or units for executing the method of any one of the foregoing first to fourth aspects.
  • In a sixth aspect, an authentication device includes a processor.
  • The processor is coupled with a memory and can execute instructions in the memory to implement the method of any one of the possible implementations of the first to fourth aspects.
  • The authentication device further includes the memory.
  • The authentication device further includes a communication interface, and the processor is coupled with the communication interface.
  • the authentication device is a communication device, such as a terminal device, AMF, AUSF, or UDM in the embodiment of this application.
  • the communication interface may be a transceiver, or an input/output interface.
  • the authentication device is a chip configured in a communication device, such as a chip configured in a terminal device, AMF, AUSF, or UDM as in the embodiment of the present application.
  • the communication interface may be an input/output interface.
  • the transceiver may be a transceiver circuit.
  • the input/output interface may be an input/output circuit.
  • In a seventh aspect, a processor includes an input circuit, an output circuit, and a processing circuit.
  • the processing circuit is configured to receive a signal through the input circuit and transmit a signal through the output circuit, so that the processor executes the method in any one of the possible implementation manners of the first to fourth aspects.
  • the processor may be a chip
  • the input circuit may be an input pin
  • the output circuit may be an output pin
  • the processing circuit may be a transistor, a gate circuit, a flip-flop, and various logic circuits.
  • the input signal received by the input circuit may be received and input by, for example, but not limited to a receiver
  • the signal output by the output circuit may be, for example but not limited to, output to and transmitted by the transmitter
  • The input circuit and the output circuit may be the same circuit, used as the input circuit and as the output circuit at different times.
  • the embodiments of the present application do not limit the specific implementation manner of the processor and various circuits.
  • In an eighth aspect, a processing device includes a processor and a memory.
  • The processor is configured to read instructions stored in the memory, and can receive signals through a receiver and transmit signals through a transmitter, so as to execute the method of any one of the possible implementations of the first to fourth aspects.
  • There are one or more processors and one or more memories.
  • The memory may be integrated with the processor, or the memory and the processor may be provided separately.
  • The memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated with the processor on the same chip or placed on a different chip; the embodiments of this application do not limit the type of memory or the way the memory and the processor are arranged.
  • Sending information (for example, indication information) may be a process of the processor outputting that information, and receiving information (for example, capability information) may be a process of the processor receiving that information as input.
  • the processed output data may be output to the transmitter, and the input data received by the processor may come from the receiver.
  • the transmitter and the receiver may be collectively referred to as a transceiver.
  • The processing device in the eighth aspect may be a chip, and the processor may be implemented by hardware or by software.
  • When implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented by software, the processor may be a general-purpose processor that reads software code stored in a memory, which may be integrated in the processor or located outside the processor and exist independently.
  • In a ninth aspect, a computer program product includes a computer program (also called code or instructions) which, when executed, causes the computer to execute the method of any one of the possible implementations of the first to fourth aspects.
  • In a tenth aspect, a computer-readable medium stores a computer program (also called code or instructions) which, when run on a computer, causes the computer to execute the method of any one of the possible implementations of the first to fourth aspects.
  • In an eleventh aspect, a communication system includes the aforementioned terminal device, AMF entity, AUSF entity, or UDM entity.
  • FIG. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application
  • Fig. 2 is a schematic flowchart of an example of the authentication method according to the present application.
  • Fig. 3 is a schematic flowchart of another example of the authentication method according to the present application.
  • Fig. 4 is a schematic flowchart of another example of the authentication method according to the present application.
  • Fig. 5 is a schematic flowchart of another example of the authentication method according to the present application.
  • Fig. 6 is a schematic block diagram of an authentication device according to the present application.
  • Fig. 7 is a schematic block diagram of an authentication device according to the present application.
  • GSM: Global System for Mobile Communications
  • CDMA: code division multiple access
  • WCDMA: wideband code division multiple access
  • GPRS: general packet radio service
  • LTE: long term evolution
  • FDD: frequency division duplex (LTE FDD)
  • TDD: time division duplex (LTE TDD)
  • UMTS: Universal Mobile Telecommunications System
  • WiMAX: worldwide interoperability for microwave access
  • The embodiments of this application do not limit the specific structure of the entity that executes the method provided in the embodiments, as long as it can run a program that records the code of the method and communicate according to the method.
  • The entity executing the method provided in the embodiments of this application may be a terminal device or a network device, or a functional module in a terminal device or network device that can call and execute the program.
  • FIG. 1 is a schematic diagram of a network architecture suitable for the method provided in the embodiment of the present application.
  • the network architecture may be a non-roaming architecture, for example.
  • the network architecture may specifically include the following network elements:
  • Terminal device: may also be called user equipment (UE), terminal, access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, wireless communication device, user agent, or user device.
  • The UE may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, or a terminal device in a future 5G network or in a future evolved public land mobile network (PLMN); it may also be an end device, a logical entity, a smart device such as a mobile phone or smart terminal, a communication device such as a server, gateway, base station or controller, or an Internet of Things (IoT) device such as a sensor, electricity meter or water meter. This embodiment of the application does not limit this.
  • Access network: provides network access functions for authorized users in a specific area, and can use transmission tunnels of different quality according to user level and service needs.
  • the access network may be an access network that uses different access technologies.
  • 3GPP: 3rd Generation Partnership Project. A 3GPP access technology is an access technology that conforms to the 3GPP standard specifications.
  • The access network that uses a 3GPP access technology is called a radio access network (RAN), for example one built from next generation Node B (gNB) base stations.
  • A non-3GPP access technology is an access technology that does not comply with the 3GPP standard specifications, for example the air interface technology represented by the access point (AP) in WiFi.
  • An access network that implements access network functions based on wireless communication technology may be called a radio access network (RAN).
  • The radio access network manages radio resources, provides access services for the terminal, and forwards control signalling and user data between the terminal and the core network.
  • The radio access network device may be, for example, a base station (NodeB), an evolved base station (evolved NodeB, eNB or eNodeB), a base station (gNB) in a 5G mobile communication system, a base station in a future mobile communication system, or an AP in a WiFi system; it may also be a wireless controller in a cloud radio access network (CRAN) scenario, or the access network device may be a relay station, an access point, an in-vehicle device, a wearable device, a network device in a future 5G network, or a network device in a future evolved PLMN.
  • the embodiments of the present application do not limit the specific technology and specific device form adopted by the wireless access network device.
  • Access and mobility management function (AMF) entity: mainly used for mobility management and access management, and can implement the functions of a mobility management entity (MME) other than session management, such as lawful interception or access authorization (or authentication). In the embodiment of this application, it can be used to realize the functions of the access and mobility management network element.
  • Session management function (SMF) entity: mainly used for session management, allocation and management of the UE's Internet Protocol (IP) address, selection of a manageable user plane function, termination of the policy control or charging function interface, downlink data notification, and so on. In the embodiment of this application, it can be used to realize the functions of the session management network element.
  • User plane function (UPF) entity: in the embodiment of this application, it can be used to realize the function of the user plane gateway.
  • Data network (DN): a network used to provide data transmission, for example the operator's service network, the Internet, or a third-party service network.
  • Authentication server function (AUSF) entity.
  • Network exposure function (NEF) entity: used to securely expose the services and capabilities provided by 3GPP network functions to external parties.
  • Network repository function (NRF) entity: used to store network function entities and the description information of the services they provide, and to support service discovery, network element discovery, and so on.
  • Policy control function (PCF) entity.
  • Unified data management (UDM) entity.
  • Application function (AF) entity: used for application-influenced data routing, accessing the network exposure function network element, or interacting with the policy framework for policy control, and so on.
  • The N1 interface is the reference point between the terminal and the AMF entity.
  • The N2 interface is the reference point between the (R)AN and the AMF entity, used for transport of non-access stratum (NAS) messages and so on.
  • The N3 interface is the reference point between the (R)AN and the UPF entity, used to transmit user plane data and so on.
  • The N4 interface is the reference point between the SMF entity and the UPF entity, used to transmit, for example, tunnel identification information of the N3 connection, data buffering indication information, and downlink data notification messages.
  • The N6 interface is the reference point between the UPF entity and the DN, used to transmit user plane data and so on.
  • the above-mentioned network architecture applied to the embodiment of the present application is only an example of a network architecture described from the perspective of a traditional point-to-point architecture and a service-oriented architecture, and the network architecture applicable to the embodiment of the present application is not limited to this. Any network architecture that can realize the functions of the above-mentioned network elements is applicable to the embodiments of the present application.
  • the AMF entity, SMF entity, UPF entity, NSSF entity, NEF entity, AUSF entity, NRF entity, PCF entity, and UDM entity shown in Figure 1 can be understood as network elements used to implement different functions in the core network, which can, for example, be combined into network slices on demand. These core network elements can be independent devices or can be integrated in the same device to achieve different functions, which is not limited in this application.
  • the entity used to implement AMF is referred to as AMF
  • the entity used to implement AUSF is referred to as AUSF
  • the entity used to implement UDM functions is referred to as UDM.
  • the name of the interface between the various network elements in FIG. 1 is only an example, and the name of the interface in a specific implementation may be other names, which is not specifically limited in this application.
  • the name of the message (or signaling) transmitted between the various network elements is only an example, and does not constitute any limitation on the function of the message itself.
  • FIG. 2 is a schematic flowchart of an authentication method 200 provided by an embodiment of the present application. As shown in FIG. 2, the method 200 includes the following contents.
  • step S210: the AMF sends an authentication request message to the terminal device.
  • the AMF sends an authentication request message to the terminal device to prepare to authenticate the terminal device.
  • the authentication request message may carry an authentication random number (random, RAND) and an authentication token (authentication token, AUTN), and the AUTN may include a message authentication code (MAC) and a sequence number (SQN).
  • step S221: the terminal device performs authentication according to the authentication request message.
  • the terminal device can perform authentication according to the RAND and the AUTN.
  • the terminal device can send the RAND and AUTN to the universal subscriber identity module (USIM).
  • the USIM first calculates the expected message authentication code (XMAC) from the AUTN, the RAND and the root key K, and then compares the XMAC with the MAC in the AUTN for verification. If the verification fails (for example, the two are not equal), it is determined that the authentication has failed and that the authentication failure type is message authentication code failure (MAC failure). At this time, the terminal device generates the cause value corresponding to the message authentication code failure.
  • if the XMAC and the MAC in the AUTN are successfully compared and verified (for example, the two are equal), the terminal device continues to check whether the SQN in the AUTN is within the valid range (for example, whether the SQN is greater than the terminal device's local sequence number SQN_MS). If this verification fails (for example, the SQN is less than or equal to SQN_MS), it is determined that the authentication has failed and that the authentication failure type is synchronization failure (synch failure). At this time, the terminal device generates the cause value corresponding to the synchronization failure.
  • the cause value corresponding to the message authentication code failure is used to indicate that the authentication failure type is message authentication code failure;
  • the cause value corresponding to the synchronization failure is used to indicate that the authentication failure type is synchronization failure, and the two values are different.
  • the cause value corresponding to the message authentication code failure and the cause value corresponding to the synchronization failure may be 8-bit binary numbers.
  • for example, the cause value corresponding to the message authentication code failure may be "00010100".
  • the cause value corresponding to the synchronization failure may be "00010101".
  • step S222: if the authentication fails, the cause value corresponding to the authentication failure type is encrypted to obtain the failure encryption information.
  • for a message authentication code failure, the cause value corresponding to the message authentication code failure is encrypted.
  • for a synchronization failure, the cause value corresponding to the synchronization failure is encrypted.
  • the method of encrypting the cause value corresponding to the authentication failure type in the embodiment of the present application is not limited.
  • the terminal device may negotiate with a network side device (for example, any one of AMF, AUSF, and UDM) a method for encrypting the cause value corresponding to the authentication failure type.
  • the cause value corresponding to the authentication failure type can be encrypted using a symmetric encryption method.
  • the terminal device uses the root key K to encrypt the cause value corresponding to the authentication failure type, and the network side device (for example, any one of AMF, AUSF, and UDM) can use the same key to decrypt the failure encryption information.
  • the terminal device may use a key shared with the network side device (for example, a shared key derived from the authentication function key Kausf) to encrypt the cause value corresponding to the authentication failure type, and the network side device (for example, any one of AMF, AUSF, and UDM) can similarly use the shared key to decrypt the failure encryption information.
  • asymmetric encryption can also be used to encrypt the cause value corresponding to the authentication failure type.
  • the public key (or private key) of the home network can be used to encrypt the cause value corresponding to the authentication failure type.
  • the network side device can then use the corresponding private key (or public key) to decrypt the failure encryption information.
  • a method based on the subscription concealed identifier (SUCI) encryption or a method based on the resynchronization token (AUTS) encryption can also be used to encrypt the cause value corresponding to the authentication failure type, in which case the network side device uses the corresponding SUCI-based or AUTS-based decryption method to decrypt the failure encryption information.
  • the key used to encrypt the cause value corresponding to the authentication failure type may be held by the terminal device itself, obtained through the network, or derived by the terminal device itself.
  • step S230: the terminal device sends the failure encryption information to the AMF.
  • the terminal device sends the failure encryption information to the AMF in order to feed back the authentication failure result to the AMF and other network-side devices, so that the AMF and other network-side devices can determine the next action (for example, re-initiating authentication) according to the authentication failure result.
  • the terminal device may send the failure encryption information to the AMF through an authentication failure message.
  • a network-side device such as the AMF can decrypt the failure encryption information in a predetermined manner to obtain the cause value corresponding to the authentication failure type, and thereby determine the authentication failure type.
  • the embodiment of the application encrypts the cause value corresponding to the authentication failure type to obtain the failure encryption information. Even if an attacker intercepts the failure encryption information over the air, the attacker cannot decrypt it and therefore cannot tell which type of authentication failure occurred, so the attacker cannot locate the tracked user or correlate the user's location, and the user's privacy is not leaked.
  • in step S222, the manner of encrypting the cause values corresponding to different authentication failure types may differ.
  • for a message authentication code failure, the cause value corresponding to the message authentication code failure is encrypted.
  • for a synchronization failure, the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device can be encrypted together.
  • for a synchronization failure, the authentication failure information usually also includes the local sequence number information of the terminal device, so that the UDM can obtain the local sequence number SQN_MS of the terminal device and initiate a new authentication based on SQN_MS.
  • for a message authentication code failure, the authentication failure information does not include the local sequence number information of the terminal device. To prevent an attacker from distinguishing the type of authentication failure from the presence of the local sequence number information, for a synchronization failure the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device can be encrypted together.
  • the local sequence number SQN_MS of the terminal device can be obtained from the local sequence number information of the terminal device.
  • the local sequence number information of the terminal device may include the local sequence number of the terminal device itself, or a parameter generated by processing the local sequence number; for example, the local sequence number information of the terminal device may include an authentication failure parameter (authentication failure parameter).
  • the authentication failure parameter usually includes the parameter name, the parameter length, and the AUTS.
  • AK is an anonymous key (anonymity key, AK)
  • means performing an exclusive OR operation
  • means performing a concatenation operation
  • MAC-S is a resynchronization message authentication code (message authentication code synchronization).
  • the local sequence number information of the terminal device may also include the resynchronization token AUTS, the result SQN_MS ⊕ AK of the exclusive OR operation between the local sequence number SQN_MS of the terminal device and the anonymity key AK, or the local sequence number SQN_MS itself.
  • the cause value corresponding to the synchronization failure and the authentication failure parameter can be encrypted together to obtain the failure encryption information.
  • the cause value corresponding to the synchronization failure and the AUTS can be encrypted together to obtain the failure encryption information.
  • the cause value corresponding to the synchronization failure and SQN_MS ⊕ AK can be encrypted together to obtain the failure encryption information.
  • the cause value corresponding to the synchronization failure and SQN_MS can be encrypted together to obtain the failure encryption information.
  • when the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device are encrypted, the failure encryption information can be obtained in the following manner:
  • the cause value corresponding to the synchronization failure (denoted as cause#1) and the local sequence number information of the terminal device (denoted as SQN#1) are concatenated to obtain the first intermediate value, which can be denoted as: cause#1
  • concatenating the cause value corresponding to the synchronization failure with the local sequence number information of the terminal device means joining the two end to end (in either order) to obtain the first intermediate value; the encryption operation is then performed on the first intermediate value to obtain the failure encryption information.
  • the first intermediate value obtained can be denoted as: cause#1
  • the cause value corresponding to the synchronization failure is concatenated with the AUTS, and the first intermediate value obtained can be denoted as: cause#1
  • the cause value corresponding to the synchronization failure is concatenated with SQN_MS ⊕ AK, and the first intermediate value obtained can be denoted as: cause#1
  • the encryption operation that yields the failure encryption information can be denoted as: Enc(cause#1
  • the first intermediate value obtained can be recorded as: cause#1
  • encrypting the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device to obtain the failure encryption information may also be done in other ways. For example, other operations (for example, an exclusive OR operation) may be performed on the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device to obtain the first intermediate value, and the encryption operation is then performed on the first intermediate value.
  • for different authentication failure types, the length of the failure encryption information may be the same.
  • the length of the cause value corresponding to the synchronization failure and the length of the cause value corresponding to the message authentication code failure are the same.
  • for a synchronization failure, the cause value corresponding to the synchronization failure can be concatenated with the local sequence number information of the terminal device to obtain the first intermediate value, and the first intermediate value is encrypted to obtain the failure encryption information.
  • the length of the corresponding failure encryption information may therefore be significantly greater than that of the failure encryption information corresponding to the message authentication code failure. For this reason, an attacker may be able to distinguish the authentication failure type from the length of the failure encryption information.
  • when the terminal device encrypts the cause value corresponding to the authentication failure type, the length of the failure encryption information may therefore be made the same for different authentication failure types.
  • the length of the failed encryption information can be made the same in at least one of the following ways:
  • Method 1: a specific encryption method (for example, a specific encryption key) is used to encrypt the cause value corresponding to the message authentication code failure, and the same specific encryption method is used to encrypt the cause value corresponding to the synchronization failure together with the local sequence number information of the terminal device.
  • different encryption methods may change the length of the failure encryption information after encryption. Therefore, a specific encryption method can be used for the encryption processing, so that the length of the failure encryption information is the same value for different authentication failure types.
  • Method 2: the content to be encrypted is concatenated with a binary number of a certain length, and the encryption operation is then performed, so that the lengths of the failure encryption information can be made the same.
  • for a message authentication code failure, the content before the encryption operation is the corresponding cause value; for a synchronization failure, it is the result of concatenating the corresponding cause value with the local sequence number information of the terminal device, that is, the first intermediate value.
  • the cause value corresponding to the message authentication code failure (denoted as cause#2) and an N-bit binary number (denoted as string#1) can be concatenated to obtain the second intermediate value, which can be denoted as: cause#2
  • the composition of the N-bit binary number can be determined through negotiation with the network side device (for example, any one of AMF, AUSF, and UDM).
  • the N-bit binary number can consist of any number of "0" bits and any number of "1" bits.
  • for example, the N-bit binary number may consist of N "0"s, or, as another example, of N "1"s.
  • in this way, the lengths of the failure encryption information corresponding to the two failure types can be made the same (that is, the Enc(cause#1
  • the value of N may be equal to any one of the lengths of AFP#1, AUTS, SQN_MS ⊕ AK, and SQN_MS.
  • the lengths of the authentication failure information for the two different authentication failure types can also be made the same by a method similar to the above "concatenation with an N-bit binary number".
  • the fixed value "N-bit binary number" may equally be an "N-digit decimal number", an "N-digit hexadecimal number", an "N-character string", etc.
  • Various forms that may appear in the future should be within the scope of the technical solution of this application.
  • in this way, the attacker cannot distinguish the authentication failure type from the length of the failure encryption information, so the attacker cannot locate the tracked user or correlate the user's location, and the user's privacy is not leaked.
  • alternatively, the lengths of the failure encryption information are variable but all fall within the same variation range.
  • method 1 and/or method 2 above can also be used to make the length of the failure encryption information corresponding to the message authentication code failure variable and within a first variation range;
  • and the length of the failure encryption information corresponding to the synchronization failure can likewise be made variable by method 1 and/or method 2 above, also within the first variation range.
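The USIM checks of steps S221/S222 and the equal-length padding of method 2, modelled as an added Python example (not code from the application or from 3GPP). The toy f1/f5 functions, the HMAC-based symmetric cipher, RAND used as nonce, and the field sizes are assumptions chosen for illustration; the two cause values are those given above.

```python
"""Constructed model of the failure-cause concealment described above.
All sizes and the toy cryptographic functions are assumptions, not 3GPP code."""
import hashlib
import hmac

# 8-bit cause values given on the page.
CAUSE_MAC_FAILURE = 0b00010100
CAUSE_SYNC_FAILURE = 0b00010101

SQN_LEN = 6                   # assumption: 48-bit sequence number as in AKA
AMF_LEN = 2                   # assumption: 16-bit authentication management field
MAC_LEN = 8                   # assumption: 64-bit MAC / MAC-S
AUTS_LEN = SQN_LEN + MAC_LEN  # AUTS = (SQN_MS xor AK*) || MAC-S


def _prf(key: bytes, label: bytes, n: int, *parts: bytes) -> bytes:
    """Toy stand-in for the AKA f1/f1*/f5/f5* functions (truncated HMAC-SHA256)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def home_network_challenge(k: bytes, sqn_he: bytes, rand: bytes, amf: bytes = b"\x80\x00") -> bytes:
    """Home network builds AUTN = (SQN_HE xor AK) || AMF || MAC for the authentication request."""
    ak = _prf(k, b"f5", SQN_LEN, rand)
    mac = _prf(k, b"f1", MAC_LEN, rand, sqn_he, amf)
    return _xor(sqn_he, ak) + amf + mac


def usim_verify(k: bytes, sqn_ms: bytes, rand: bytes, autn: bytes):
    """USIM check of step S221. Returns (cause, sqn_info): cause is None on success;
    sqn_info is the AUTS for a synchronization failure and b"" otherwise."""
    conc_sqn = autn[:SQN_LEN]
    amf = autn[SQN_LEN:SQN_LEN + AMF_LEN]
    mac = autn[SQN_LEN + AMF_LEN:]
    ak = _prf(k, b"f5", SQN_LEN, rand)
    sqn_he = _xor(conc_sqn, ak)
    xmac = _prf(k, b"f1", MAC_LEN, rand, sqn_he, amf)
    if not hmac.compare_digest(xmac, mac):            # XMAC != MAC: MAC failure
        return CAUSE_MAC_FAILURE, b""
    if int.from_bytes(sqn_he, "big") <= int.from_bytes(sqn_ms, "big"):   # SQN not fresh
        ak_s = _prf(k, b"f5*", SQN_LEN, rand)
        mac_s = _prf(k, b"f1*", MAC_LEN, rand, sqn_ms, amf)
        return CAUSE_SYNC_FAILURE, _xor(sqn_ms, ak_s) + mac_s    # AUTS
    return None, b""


def _stream_cipher(k_shared: bytes, rand: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: HMAC-SHA256 counter keystream under the shared key, with RAND as
    nonce. Stands in for whatever method terminal and network negotiate; same call decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(k_shared, rand + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return _xor(data, stream[:len(data)])


def build_failure_encryption_info(k_shared: bytes, rand: bytes, cause: int, sqn_info: bytes) -> bytes:
    """Step S222 with method 2: for a MAC failure, cause#2 is concatenated with string#1
    (N zero bits, N = length of the AUTS) so both plaintexts, and so both ciphertexts,
    have the same length and the failure type cannot be read off the message size."""
    if cause == CAUSE_SYNC_FAILURE:
        first_intermediate = bytes([cause]) + sqn_info          # cause#1 || AUTS
        return _stream_cipher(k_shared, rand, first_intermediate)
    second_intermediate = bytes([cause]) + bytes(AUTS_LEN)      # cause#2 || string#1
    return _stream_cipher(k_shared, rand, second_intermediate)


def network_decrypt_failure_info(k_shared: bytes, rand: bytes, failure_enc: bytes):
    """Network side holding the shared key (AMF, AUSF or UDM): recover the cause and, for a
    synchronization failure, the AUTS; the padding of a MAC failure is discarded."""
    plaintext = _stream_cipher(k_shared, rand, failure_enc)
    cause = plaintext[0]
    sqn_info = plaintext[1:] if cause == CAUSE_SYNC_FAILURE else b""
    return cause, sqn_info


def udm_recover_sqn_ms(k: bytes, rand: bytes, auts: bytes) -> bytes:
    """UDM strips AK* from the AUTS to obtain SQN_MS and can re-initiate authentication from it."""
    ak_s = _prf(k, b"f5*", SQN_LEN, rand)
    return _xor(auts[:SQN_LEN], ak_s)
```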
  • FIG. 3 is a schematic flowchart of an authentication method 300 according to another embodiment of the present application. As shown in FIG. 3, the method 300 includes the following contents.
  • step S300: an authentication process is initiated between the UDM and the terminal device.
  • the UDM first creates a 5G home environment authentication vector (5G HE AV) according to the authentication request.
  • the 5G HE AV may include authentication parameters such as RAND, AUTN, and the expected response (XRES).
  • the 5G HE AV is sent to the AUSF, and the AUSF generates a 5G serving environment authentication vector (5G SE AV) based on the 5G HE AV.
  • the 5G SE AV may include RAND, AUTN, the hash expected response (HXRES) and other authentication parameters; the 5G SE AV is then sent to the AMF, and the AMF generates the authentication request message based on the 5G SE AV.
  • step S310: the AMF sends the authentication request message to the terminal device.
  • step S321: the terminal device performs authentication according to the authentication request message.
  • step S322: if the authentication fails, the cause value corresponding to the authentication failure type is encrypted to obtain the failure encryption information.
  • step S330: the terminal device sends an authentication failure message to the AMF, and the authentication failure message includes the failure encryption information.
  • the failure encryption information may be sent to the AMF in the authentication failure message, or in other forms (for example, sent separately).
  • step S350: the AMF sends the failure encryption information to the UDM.
  • step S360: the UDM decrypts the failure encryption information.
  • the terminal device can send the failed encryption information to the AMF through the authentication failure message.
  • the AMF can send the failure encryption information to the UDM directly, or through the AUSF.
  • the failed encryption information can also be sent to UDM along with the service invocation of the authentication process.
  • the AMF sends the failure encryption information to the UDM; the UDM obtains the failure encryption information and decrypts it, thereby obtaining the cause value corresponding to the authentication failure type and determining the authentication failure type.
  • the UDM can also obtain the local sequence number information of the terminal device, and thereby the local sequence number SQN_MS of the terminal device. The UDM determines the next action (for example, re-initiating authentication) according to the acquired information.
  • the UDM can determine the way to decrypt the failed encrypted information according to the specific way the terminal device performs encryption processing.
  • the UDM can use the root key K, the private key (or public key) corresponding to the public key (or private key) of the home network, the SUCI-based decryption method, the AUTS-based decryption method, or a shared key derived by the UDM or the AUSF, any one of which decrypts the failure encryption information.
  • UDM uses any of the above methods to decrypt the failed encrypted information to obtain the cause value corresponding to the authentication failure type, and finally determine the authentication failure type. UDM can determine the next action according to the authentication failure type, for example, including the following Case A and Case B.
  • in Case A, the UDM can perform step S370.
  • step S370: the UDM re-initiates the authentication process.
  • in Case B, the UDM may perform step S380.
  • step S380: the UDM sends the cause value corresponding to the message authentication code failure to the AMF, and the AMF re-initiates the authentication process or performs other operations.
  • the UDM may send the cause value corresponding to the message authentication code failure to the AMF directly, or through the AUSF.
  • the method 300 may also include the following content.
  • step S323: the terminal device generates encryption indication information.
  • the encryption indication information is used to indicate that the authentication failure message carries the failure encryption information; the authentication failure message includes the encryption indication information.
  • the terminal device may send the encryption indication information to the AMF in the authentication failure message, or by other means (for example, separately).
  • the encryption indication information may be a new cause value carried in the 5GMM Cause information element.
  • the new cause value may be used to indicate that the authentication failure type is "message authentication code failure or synchronization failure" or "unknown failure".
  • step S340: the AMF determines whether the authentication failure message includes the encryption indication information.
  • the AMF determines whether the authentication failure message includes the encryption indication information; if it determines that the encryption indication information is present, it can conclude that the received failure encryption information was obtained by encryption processing, and the AMF can send the failure encryption information to the AUSF, which then sends it to the UDM, or the AMF can send the failure encryption information directly to the UDM.
  • the encryption indication information is generated at the same time as the failure encryption information, and the AMF checks whether the authentication failure message includes the encryption indication information, which prevents the AMF from mistaking the failure encryption information for the cause value of a certain authentication failure type, or from interpreting the failure encryption information as some kind of abnormal information element.
  • the AMF may also send the encryption indication information to the UDM.
  • the AMF may send the encryption indication information to the UDM directly, or through the AUSF.
  • the failed encryption information can also be sent to UDM along with the service invocation of the authentication process.
  • FIG. 4 is a schematic flowchart of the authentication method 400 according to the present application under the 5G network architecture. As shown in FIG. 4, the method 400 includes the following contents.
  • steps S400, S410, S421, S422, and S430 can be understood with reference to steps S300, S310, S321, S322, and S330 of the method 300, and are not repeated here.
  • step S401: the UDM generates (or derives) a shared secret key for decrypting the authentication failure information.
  • step S402: the UDM sends the shared secret key to the AMF.
  • the embodiment of the present application does not limit the method for UDM to generate the shared secret key and the parameters required to generate the shared secret key.
  • the UDM can derive the shared secret key from the authentication function key Kausf, then send the shared secret key to the AMF, and the AMF stores the shared secret key.
  • the UDM can negotiate with the terminal device a method for generating the shared secret key and the parameters required for generating the shared secret key.
  • UDM can send the shared secret key to AMF directly, or send the shared secret key to AMF through AUSF.
  • the shared secret key may be sent to AUSF along with the 5G home environment authentication vector, and sent to the AMF along with the 5G visited environment authentication vector.
  • the shared secret key can also be generated by the AUSF, and the AUSF sends the shared secret key to the AMF.
  • the shared secret key can be sent to the AMF along with the 5G visited environment authentication vector.
  • the shared secret key can also be calculated by the AMF itself.
  • step S4211: the terminal device generates the shared secret key, and the shared secret key is used to encrypt the cause value corresponding to the authentication failure type.
  • the terminal device may also generate the shared secret key and use it to encrypt the cause value corresponding to the authentication failure type (which may also include the local sequence number information of the terminal device).
  • the terminal device can also derive the shared secret key based on the authentication function key Kausf , and use the shared secret key to perform encryption processing.
  • the terminal device may also negotiate with UDM (or AUSF, or AMF) to use other methods and other parameters to generate the shared secret key.
  • step S422: if the authentication fails, the terminal device uses the shared secret key to encrypt the cause value corresponding to the authentication failure type (which may also include the local sequence number information of the terminal device) to obtain the failure encryption information.
  • step S441: the AMF decrypts the failure encryption information.
  • the AMF obtains the failure encryption information and uses the shared secret key to decrypt it, thereby obtaining the cause value corresponding to the authentication failure type and determining the authentication failure type.
  • the AMF can also obtain the local sequence number information of the terminal device. The AMF determines the next action (for example, re-initiating authentication) based on the acquired information.
  • the AMF uses the shared secret key to decrypt the failure encryption information, obtains the cause value corresponding to the authentication failure type, and determines the authentication failure type; it can then determine the next action according to the authentication failure type, for example as in the following Case X and Case Y.
  • in Case X, step S442 is executed: the AMF initiates a re-authentication process, or performs other operations.
  • in Case Y, steps S450 to S460 are executed.
  • step S450: the AMF sends the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device to the UDM.
  • the AMF may send the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device to the UDM directly, or through the AUSF.
  • the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device can also be sent to the UDM along with the service invocation of the authentication process.
  • step S460: the UDM initiates a re-authentication process.
  • the UDM obtains the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device, determines that the authentication failure type is synchronization failure, and at the same time determines the local sequence number SQN_MS of the terminal device. The UDM can initiate a re-authentication process based on the local sequence number SQN_MS of the terminal device.
  • the method 400 of this embodiment and the method 300 of the foregoing embodiment use the UDM and the AMF respectively to decrypt the failure encryption information. It should be understood that the AUSF can also decrypt the failure encryption information and send the cause value corresponding to the authentication failure type obtained after decryption (which may also include the local sequence number information of the terminal device) to the UDM.
  • FIG. 5 is a schematic flowchart of an authentication method 500 according to the present application under the 5G network architecture. As shown in FIG. 5, the method 500 includes the following contents.
  • Steps S500, S510, S521, and S522 can be understood with reference to steps S300, S310, S321, and S322 in the method 300, which will not be repeated here.
  • step S501: the UDM obtains the second authentication code according to the cause value corresponding to the first authentication failure type.
  • the UDM may calculate the second authentication code according to the cause value corresponding to the first authentication failure type; the second authentication code is used to verify the authentication failure type, and the first authentication failure type is message authentication code failure or synchronization failure.
  • step S502: the UDM sends the second authentication code to the AMF.
  • when the first authentication failure type is message authentication code failure, the UDM may calculate the second authentication code according to the cause value corresponding to the message authentication code failure.
  • when the first authentication failure type is synchronization failure, the UDM may calculate the second authentication code according to the cause value corresponding to the synchronization failure.
  • the embodiment of the present application does not limit the method of calculating the second authentication code according to the cause value corresponding to the first authentication failure type, nor does it limit other parameters required for the calculation.
  • the second authentication code can be calculated based on the root key K, RAND, and the cause value corresponding to the authentication failure type.
  • the UDM can negotiate with the terminal device a method for calculating the second authentication code and the parameters required for calculating the second authentication code.
  • the UDM calculates the second authentication code and sends it to the AMF; after receiving the second authentication code, the AMF can store it.
  • UDM can send the second authentication code directly to AMF, or can send the second authentication code to AMF through AUSF.
  • the second authentication code can be sent to AUSF along with the 5G home environment authentication vector, and sent to the AMF along with the 5G visited environment authentication vector.
  • the second authentication code may also be calculated by the AUSF, and the AUSF sends the second authentication code to the AMF.
  • the second authentication code can be sent to the AMF along with the 5G visited environment authentication vector.
  • the second authentication code can also be calculated by the AMF itself.
  • Step S523: the terminal device obtains the first authentication code according to the cause value corresponding to the authentication failure type.
  • the terminal device calculates the first authentication code according to the cause value corresponding to the authentication failure type, and the first authentication code is used to verify the authentication failure type.
  • If the authentication failure type is message authentication code failure, the first authentication code is calculated according to the cause value corresponding to the message authentication code failure; if the authentication failure type is synchronization failure, the first authentication code is calculated according to the cause value corresponding to the synchronization failure.
  • the embodiment of the present application does not limit the method for calculating the first authentication code according to the cause value corresponding to the authentication failure type, nor does it limit other parameters required for the calculation.
  • the method for the terminal device to calculate the first authentication code according to the cause value corresponding to the authentication failure type and the method for UDM to calculate the second authentication code according to the cause value corresponding to the first authentication failure type may be the same or different.
  • the other parameters required for the calculation can be the same or different.
  • the two can use the same calculation method, and the terminal device can also calculate the first authentication code based on the root key K, RAND, and the cause value corresponding to the authentication failure type.
  • Step S530: the terminal device sends an authentication failure message to the AMF, where the authentication failure message includes the failure encryption information and the first authentication code.
  • the failure encryption information and the first authentication code may also be sent to the AMF without using the authentication failure message; in other words, the failure encryption information and the first authentication code may also be sent to the AMF separately or together in other ways.
  • Step S541: the AMF determines the authentication failure type according to the first authentication code and the second authentication code.
  • the first authentication code and the second authentication code can be calculated using the same method and parameters.
  • For example, the first authentication failure type may be message verification code failure, that is, the second authentication code is calculated according to the cause value corresponding to the message verification code failure.
  • the first authentication code can be matched against the second authentication code, and the authentication failure type can be determined according to the matching result.
  • If the first authentication code matches the second authentication code, the authentication failure type is the first authentication failure type, and the authentication failure type can be determined to be message verification code failure.
  • If the first authentication code does not match the second authentication code, the authentication failure type is a type other than the first authentication failure type, and the authentication failure type can be determined to be synchronization failure.
  • In step S501, second authentication codes can also be generated simultaneously for different authentication failure types.
  • For example, one second authentication code is calculated according to the cause value corresponding to the message verification code failure, and at the same time another second authentication code is calculated according to the cause value corresponding to the synchronization failure.
  • the AMF may then determine the authentication failure type jointly according to the first authentication code and the two second authentication codes. For example, the first authentication code can be matched against both second authentication codes simultaneously, and the authentication failure type determined according to the matching results.
  • In this embodiment, the AMF can learn the authentication failure type in advance from the matching result of the first authentication code and the second authentication code, and does not need to decrypt the failure encryption information before it knows the authentication failure type.
  • the process is therefore more streamlined and more efficient.
  • the AMF can determine the next action according to the authentication failure type, for example as in the following cases M and N.
  • Case M: if the authentication failure type is message verification code failure, step S542 is executed, and the AMF initiates a re-authentication process or performs other operations.
  • Case N: if the authentication failure type is synchronization failure, steps S550 to S570 are executed.
  • Step S550: the AMF sends the failure encryption information corresponding to the synchronization failure to the UDM.
  • the AMF may send the failure encryption information corresponding to the synchronization failure to the UDM directly, or may send it to the UDM through the AUSF.
  • the failure encryption information corresponding to the synchronization failure can also be sent to the UDM along with the service invocation of the authentication process.
  • Step S560: the UDM decrypts the failure encryption information corresponding to the synchronization failure.
  • Step S570: the UDM initiates a re-authentication process.
  • the UDM may determine the manner of decrypting the failure encryption information according to the specific manner in which the terminal device performed the encryption processing.
  • For example, the UDM decrypts the failure encryption information using any one of: the root key K; the private key (or public key) corresponding to the public key (or private key) of the home network; the decryption method based on the user hidden identifier SUCI; the decryption method based on the resynchronization parameter AUTS; or a shared secret key derived by the UDM or the AUSF.
  • After decrypting the failure encryption information with any of the above methods, the UDM obtains the cause value corresponding to the authentication failure type and the local sequence number information of the terminal device. The UDM initiates a re-authentication process based on the information obtained.
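The FIG. 5 exchange (steps S501 to S550) as an added example that is not part of the application: it assumes a constructed HMAC-SHA256 authentication code keyed with the root key K over RAND and the cause value, since the application leaves the calculation method open, and the cause values 20 and 21 are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample cause values; the application does not fix their encoding.
CAUSE_MAC_FAILURE = 20    # message authentication (verification) code failure
CAUSE_SYNC_FAILURE = 21   # synchronization failure


def auth_code(k: bytes, rand: bytes, cause: int) -> bytes:
    """Assumed construction: HMAC-SHA256 keyed with root key K over RAND || cause value,
    truncated to 64 bits. Terminal and UDM must agree on this function and its inputs."""
    return hmac.new(k, rand + bytes([cause]), hashlib.sha256).digest()[:8]


def udm_second_codes(k: bytes, rand: bytes) -> dict:
    """Step S501 (simultaneous variant): the UDM computes one second authentication
    code per failure type, so the AMF can tell the two types apart by matching."""
    return {c: auth_code(k, rand, c) for c in (CAUSE_MAC_FAILURE, CAUSE_SYNC_FAILURE)}


def terminal_failure_message(k: bytes, rand: bytes, cause: int,
                             failure_encryption_info: bytes) -> dict:
    """Steps S523/S530: the terminal computes the first authentication code from the
    cause value and sends it together with the (opaque here) failure encryption info.
    Nothing in the message states the failure type in the clear."""
    return {"failure_encryption_info": failure_encryption_info,
            "first_code": auth_code(k, rand, cause)}


def amf_determine_failure_type(second_codes: dict, failure_msg: dict):
    """Step S541: match the first code against the stored second codes without
    decrypting anything. Returns the cause value, or None if nothing matches."""
    for cause, code in second_codes.items():
        # constant-time comparison so the AMF does not leak partial matches via timing
        if hmac.compare_digest(code, failure_msg["first_code"]):
            return cause
    return None


def amf_next_action(cause) -> str:
    """Cases M and N: decide what the AMF does next from the failure type."""
    if cause == CAUSE_MAC_FAILURE:
        return "S542: AMF initiates re-authentication"
    if cause == CAUSE_SYNC_FAILURE:
        return "S550: AMF forwards failure encryption info to UDM for decryption"
    return "no match: failure type cannot be verified"


def run_method_500(k: bytes, rand: bytes, terminal_cause: int, terminal_k: bytes = None):
    """Drive the whole exchange; terminal_k lets a caller model a terminal whose K differs."""
    second_codes = udm_second_codes(k, rand)              # S501, sent to and stored by AMF (S502)
    tk = k if terminal_k is None else terminal_k
    msg = terminal_failure_message(tk, rand, terminal_cause, bytes(7))  # S523/S530
    cause = amf_determine_failure_type(second_codes, msg)  # S541
    return cause, amf_next_action(cause)


if __name__ == "__main__":
    K = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed root key
    RAND = bytes(range(16))                                 # constructed RAND
    print(run_method_500(K, RAND, CAUSE_SYNC_FAILURE))
```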
  • FIG. 6 is a schematic block diagram of an authentication device 800 provided by an embodiment of the present application.
  • the authentication device 800 may include: a transceiver unit 810 and a processing unit 820.
  • the authentication apparatus 800 may be the terminal device in the above method embodiments, or may be a chip for implementing the function of the terminal device in the above method embodiments.
  • the authentication apparatus 800 may correspond to the terminal device in the methods 200 to 500 according to the embodiments of the present application, and the authentication apparatus 800 may include units for executing the method performed by the terminal device in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • the units in the authentication apparatus 800 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, is not described again here.
  • the authentication device 800 may be the AMF in the above method embodiments, or may be a chip for implementing the function of the AMF in the above method embodiments.
  • the authentication device 800 may correspond to the AMF in the methods 200 to 500 according to the embodiments of the present application, and the authentication device 800 may include units for executing the method performed by the AMF in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • the units in the authentication device 800 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, is not described again here.
  • the authentication device 800 may be the AUSF in the above method embodiments, or may be a chip for implementing the function of the AUSF in the above method embodiments.
  • the authentication device 800 may correspond to the AUSF in the methods 200 to 500 according to the embodiments of the present application, and the authentication device 800 may include units for executing the method performed by the AUSF in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • the units in the authentication device 800 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, is not described again here.
  • the authentication device 800 may be the UDM in the above method embodiments, or may be a chip for implementing the function of the UDM in the above method embodiments.
  • the authentication device 800 may correspond to the UDM in the methods 200 to 500 according to the embodiments of the present application, and the authentication device 800 may include units for executing the method performed by the UDM in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • the units in the authentication device 800 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, is not described again here.
  • the transceiver unit 810 in the authentication device 800 may correspond to the transceiver 920 in the authentication device 900 shown in FIG. 7, and the processing unit 820 in the authentication device 800 may correspond to the processor 910 in the authentication device 900 shown in FIG. 7.
  • FIG. 7 is a schematic block diagram of an authentication device 900 provided in an embodiment of the present application.
  • the authentication device 900 includes a processor 910 and a transceiver 920.
  • the processor 910 is coupled with the memory, and is configured to execute instructions stored in the memory to control the transceiver 920 to send signals and/or receive signals.
  • the authentication device 900 further includes a memory 930 for storing instructions.
  • processor 910 and the memory 930 may be combined into one processing device, and the processor 910 is configured to execute the program code stored in the memory 930 to implement the foregoing functions.
  • the memory 930 may also be integrated in the processor 910 or independent of the processor 910.
  • the transceiver 920 may include a receiver and a transmitter.
  • the transceiver may further include an antenna, and the number of antennas may be one or more.
  • the authentication device 900 may be the terminal device in the above method embodiments, or may be a chip for implementing the function of the terminal device in the above method embodiments.
  • the authentication device 900 may correspond to the terminal device in the methods 200 to 500 according to the embodiments of the present application, and the authentication device 900 may include units for executing the method performed by the terminal device in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • the units in the authentication device 900 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, is not described again here.
  • the authentication device 900 may be the AMF in the above method embodiments, or may be a chip for implementing the function of the AMF in the above method embodiments.
  • the authentication device 900 may correspond to the AMF in the methods 200 to 500 according to the embodiments of the present application, and the authentication device 900 may include units for executing the method performed by the AMF in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • the units in the authentication device 900 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, is not described again here.
  • the authentication device 900 may be the AUSF in the above method embodiments, or may be a chip for implementing the function of the AUSF in the above method embodiments.
  • the authentication device 900 may correspond to the AUSF in the methods 200 to 500 according to the embodiments of the present application, and the authentication device 900 may include units for executing the method performed by the AUSF in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • the units in the authentication device 900 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, is not described again here.
  • the authentication device 900 may be the UDM in the above method embodiments, or may be a chip for implementing the function of the UDM in the above method embodiments.
  • the authentication device 900 may correspond to the UDM in the methods 200 to 500 according to the embodiments of the present application, and the authentication device 900 may include units for executing the method performed by the UDM in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • the units in the authentication device 900 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, is not described again here.
  • the present application also provides a computer program product.
  • the computer program product includes computer program code which, when run on a computer, causes the computer to execute the authentication method of any one of the embodiments shown in FIGS. 2 to 5.
  • the present application also provides a computer-readable medium that stores program code which, when run on a computer, causes the computer to execute the authentication method of any one of the embodiments shown in FIGS. 2 to 5.
  • the present application also provides a system, which includes the aforementioned user equipment, AMF, AUSF, and UDM.
  • the computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on the computer, all or part of the processes or functions described in the embodiments of the present application are generated.
  • the computer may be a general-purpose computer, a dedicated computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (such as infrared, radio, or microwave).
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a high-density digital video disc (DVD)), or a semiconductor medium (for example, a solid state disk (SSD)).
  • Each network element in the above device embodiments corresponds to a network element in the method embodiments, and the corresponding module or unit executes the corresponding steps; for example, the transceiver unit (transceiver) executes the receiving or sending steps in the method embodiments, and steps other than sending and receiving can be executed by the processing unit (processor).
  • for the function of a specific unit, refer to the corresponding method embodiment. There may be one or more processors.
  • At least one refers to one or more, and “multiple” refers to two or more.
  • “And/or” describes the relationship between the related objects, indicating that there can be three relationships; for example, A and/or B can mean: A exists alone, A and B exist at the same time, or B exists alone, where A and B can be singular or plural.
  • the character “/” generally indicates that the related object is a “or” relationship.
  • “At least one of the following” or similar expressions refers to any combination of these items, including any combination of single items or plural items.
  • At least one of a, b, or c can mean: a, or b, or c, or a and b, or a and c, or b and c, or a, b and c, where a, b, or c may be single or multiple.
  • a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable file, an execution thread, a program, and/or a computer.
  • the application running on the computing device and the computing device can be components.
  • One or more components can reside in a process and/or thread of execution, and a component can be localized on one computer and/or distributed between 2 or more computers.
  • these components can execute from various computer readable media having various data structures stored thereon.
  • components can communicate through local and/or remote processes, for example based on a signal having one or more data packets (for example, data from one component interacting with another component in a local system, a distributed system, and/or across a network such as the Internet, where the interaction with other systems is through the signal).
  • the disclosed system, device, and method may be implemented in other ways.
  • the device embodiments described above are only schematic.
  • the division into units is only a logical functional division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical, or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • each functional unit may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • When implemented using software, it can be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions (programs). When the computer program instructions (programs) are loaded and executed on the computer, the processes or functions according to the embodiments of the present application are generated in whole or in part.
  • the computer may be a general-purpose computer, a dedicated computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (such as infrared, radio, or microwave).
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media.
  • the usable medium may be a magnetic medium (eg, floppy disk, hard disk, magnetic tape), optical medium (eg, DVD), or semiconductor medium (eg, solid state disk (SSD)), or the like.
  • If the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the existing technology, or part of the technical solution, can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the methods described in the embodiments of the present application.
  • the aforementioned storage media include: USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk, and other media that can store program code.

Abstract

Embodiments of the present application provide an authentication method, apparatus and system. The authentication method comprises: a terminal device receives an authentication request message sent by an access and mobility management function; the terminal device performs authentication according to the authentication request message; if the authentication fails, the terminal device performs encryption processing on the cause value corresponding to the authentication failure type to obtain failure encryption information; and the terminal device sends the failure encryption information to the access and mobility management function. According to the embodiments of the present application, by encrypting the cause value of the authentication failure type, even if an attacker intercepts an authentication failure message, the attacker is unable to distinguish the specific authentication failure type, so the attacker is unable to locate the user, and it is ensured that the privacy of the user is not leaked.

Description

Authentication method, apparatus and system
This application claims priority to the Chinese patent application with application number 201910049182.4, entitled "An authentication method, apparatus and system", filed with the Chinese Patent Office on January 18, 2019, the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of communications and, more specifically, to an authentication method, apparatus and system.
Background
In the third generation (3G) and fourth generation (4G) mobile communication systems, the AKA protocol linkability attack has long been a problem. An attacker can intercept the user identifier of a terminal device from air interface messages, control a pseudo base station to intercept the authentication request message sent from the network side to that terminal device, and then control multiple pseudo base stations to replay the authentication request message to each terminal device attracted to them, triggering each terminal device to perform authentication.
After the targeted terminal device receives the replayed authentication request message, the message authentication code (MAC) check succeeds but the sequence number (SQN) check fails, so the terminal device returns an authentication failure message of type synchronization failure to the pseudo base station. For the other terminal devices, the message authentication code check fails, and they return an authentication failure message of type message authentication code failure to the pseudo base station. From the type of the authentication failure message, the pseudo base station can determine that the targeted terminal device is within the coverage of one or more of the pseudo base stations, and methods such as triangulation can then be used to locate the user equipment precisely.
In the fifth generation (5G) mobile communication system, the user identifier is encrypted, so the attacker cannot accurately identify a particular terminal device from its user identifier, but the attacker can still locate a terminal device by carrying out the above attack twice. For example, in the first attack the signal coverage of the pseudo base station is set very small so that only the targeted terminal device is attracted to it (the pseudo base station can be placed as close as possible to the terminal device), and its authentication request message is intercepted. After the terminal device moves to another area, the attacker can repeat similar steps and finally locate the terminal device.
Based on the above analysis, providing an authentication method that can protect user privacy has become an urgent problem for the industry.
Summary of the invention
This application provides an authentication method, apparatus and system with higher security performance.
In a first aspect, an authentication method is provided. The method includes: a terminal device receives an authentication request message sent by an access and mobility management function entity; the terminal device performs authentication according to the authentication request message; if the authentication fails, the terminal device encrypts the cause value corresponding to the authentication failure type to obtain failure encryption information; and the terminal device sends the failure encryption information to the access and mobility management function entity.
In the embodiments of this application, the cause value of the authentication failure type is encrypted, so that even if an attacker intercepts the authentication failure message, the attacker cannot distinguish which authentication failure type it is and therefore cannot locate the user. This ensures that the user's privacy is not leaked and improves the security of the system.
With reference to the first aspect, in some implementations of the first aspect, the terminal device encrypting the cause value corresponding to the authentication failure type to obtain the failure encryption information includes: if the authentication failure type is synchronization failure, encrypting the cause value corresponding to the synchronization failure together with the local sequence number information of the terminal device to obtain the failure encryption information; or, if the authentication failure type is message authentication code failure, encrypting the cause value corresponding to the message authentication code failure to obtain the failure encryption information.
With reference to the first aspect, in some implementations of the first aspect, the length of the failure encryption information is the same for different authentication failure types.
According to this embodiment, the attacker cannot distinguish the authentication failure type from the length of the failure encryption information, so the attacker cannot locate or correlate the location of the tracked user, which ensures that the user's privacy is not leaked.
With reference to the first aspect, in some implementations of the first aspect, encrypting the cause value corresponding to the synchronization failure together with the local sequence number information of the terminal device to obtain the failure encryption information includes: concatenating the cause value corresponding to the synchronization failure with the local sequence number information of the terminal device to obtain a first intermediate value; and performing an encryption operation on the first intermediate value to obtain the failure encryption information.
With reference to the first aspect, in some implementations of the first aspect, encrypting the cause value corresponding to the message authentication code failure to obtain the failure encryption information includes: concatenating the cause value corresponding to the message authentication code failure with an N-bit binary number to obtain a second intermediate value; and performing an encryption operation on the second intermediate value to obtain the failure encryption information, where N is an integer greater than or equal to 1.
With reference to the first aspect, in some implementations of the first aspect, the failure encryption information is sent in an authentication failure message, and the authentication failure message further includes encryption indication information indicating that the authentication failure message carries the failure encryption information.
结合第一方面,在第一方面的某些实现方式中,该终端设备的本地序列号信息包括该终端设备的本地序列号或该终端设备的本地序列号经过处理后生成的参数。With reference to the first aspect, in some implementations of the first aspect, the local serial number information of the terminal device includes the local serial number of the terminal device or a parameter generated after the local serial number of the terminal device is processed.
结合第一方面,在第一方面的某些实现方式中,该方法还包括:根据认证失败类型对应的原因值获取第一认证码,该第一认证码用于对该认证失败类型进行验证;所述终端设备向该接入与移动管理功能实体发送该第一认证码。With reference to the first aspect, in some implementations of the first aspect, the method further includes: obtaining a first authentication code according to a cause value corresponding to the authentication failure type, where the first authentication code is used to verify the authentication failure type; The terminal device sends the first authentication code to the access and mobility management function entity.
结合第一方面,在第一方面的某些实现方式中,该方法还包括:该终端设备生成共享秘钥;该终端设备对认证失败类型对应的原因值进行加密处理,以得到失败加密信息,包括:该终端设备使用该共享秘钥对认证失败类型对应的原因值进行加密处理,以得到失败加密信息。With reference to the first aspect, in some implementations of the first aspect, the method further includes: the terminal device generates a shared secret key; the terminal device encrypts the cause value corresponding to the authentication failure type to obtain the failure encryption information, Including: the terminal device uses the shared secret key to encrypt the cause value corresponding to the authentication failure type to obtain the failure encryption information.
In a second aspect, an authentication method is provided. The method includes: an access and mobility management function entity sends an authentication request message to a terminal device; and the access and mobility management function entity receives failure encryption information sent by the terminal device, the failure encryption information being obtained by encrypting the cause value corresponding to the authentication failure type.
With reference to the second aspect, in some implementations of the second aspect, the failure encryption information being obtained by encrypting the cause value corresponding to the authentication failure type includes: if the authentication failure type is synchronization failure, the failure encryption information is obtained by encrypting the cause value corresponding to the synchronization failure together with the local sequence number information of the terminal device; or, if the authentication failure type is message authentication code failure, the failure encryption information is obtained by encrypting the cause value corresponding to the message authentication code failure.
With reference to the second aspect, in some implementations of the second aspect, the length of the failure encryption information is the same for different authentication failure types.
With reference to the second aspect, in some implementations of the second aspect, the failure encryption information being obtained by encrypting the cause value corresponding to the synchronization failure together with the local sequence number information of the terminal device includes: concatenating the cause value corresponding to the synchronization failure with the local sequence number information of the terminal device to obtain a first intermediate value; and performing an encryption operation on the first intermediate value to obtain the failure encryption information.
With reference to the second aspect, in some implementations of the second aspect, the failure encryption information being obtained by encrypting the cause value corresponding to the message authentication code failure includes:
concatenating the cause value corresponding to the message authentication code failure with an N-bit binary number to obtain a second intermediate value; and performing an encryption operation on the second intermediate value to obtain the failure encryption information, where N is an integer greater than or equal to 1.
With reference to the second aspect, in some implementations of the second aspect, the failure encryption information is sent in an authentication failure message, and the authentication failure message further includes encryption indication information indicating that the authentication failure message carries the failure encryption information.
With reference to the second aspect, in some implementations of the second aspect, the local sequence number information of the terminal device includes the local sequence number of the terminal device or a parameter generated by processing the local sequence number of the terminal device.
With reference to the second aspect, in some implementations of the second aspect, the method further includes: the access and mobility management function entity sending the failure encryption information to an authentication server function entity.
With reference to the second aspect, in some implementations of the second aspect, the method further includes: the access and mobility management function entity decrypting the failure encryption information.
With reference to the second aspect, in some implementations of the second aspect, the authentication failure message further includes a first authentication code, the first authentication code being obtained according to the cause value of the authentication failure type and used to verify the authentication failure type; the method further includes: matching the first authentication code against a second authentication code and determining the authentication failure type according to the matching result, where the second authentication code is obtained according to the cause value corresponding to a first authentication failure type, and the first authentication failure type is message authentication code failure or synchronization failure.
With reference to the second aspect, in some implementations of the second aspect, the method further includes: the access and mobility management function entity generating a shared secret key; and the access and mobility management function entity decrypting the failure encryption information includes: the access and mobility management function entity using the shared secret key to decrypt the failure encryption information.
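The first and second aspects together describe one exchange: the terminal concatenates the cause value with either the local sequence number (synchronization failure) or an N-bit filler (message authentication code failure), encrypts the result under a shared key so both ciphertexts have the same length, attaches an encryption indication and a first authentication code over the cause value, and the network side decrypts and then confirms the failure type by recomputing a second authentication code per candidate type and matching. The block below is an added model of that exchange written for this page; it is not code from the patent or from the applicant. The patent names no cipher or code construction, so HMAC-SHA256 in counter mode stands in for the encryption operation and a truncated HMAC-SHA256 for the authentication code; the cause values, the 48-bit sequence number width, the per-message nonce and the key sizes are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed cause values for the two failure types the text names (assumption).
CAUSE_SYNC_FAILURE = 0x01
CAUSE_MAC_FAILURE = 0x02
SQN_LEN = 6              # assumption: 48-bit local sequence number
N_BITS = SQN_LEN * 8     # N-bit filler, chosen so both intermediate values have equal length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the patent's unspecified cipher.
    The nonce must be fresh per message, otherwise the keystream repeats."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream encryption and decryption are the same XOR; output length equals input length."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def build_failure_encryption_info(shared_key, nonce, failure_type, local_sqn=None):
    """Terminal side: cause value || (local SQN or N-bit filler), then encrypt."""
    cause = bytes([failure_type])
    if failure_type == CAUSE_SYNC_FAILURE:
        if local_sqn is None or len(local_sqn) != SQN_LEN:
            raise ValueError("synchronization failure needs a local sequence number")
        intermediate = cause + local_sqn            # first intermediate value
    elif failure_type == CAUSE_MAC_FAILURE:
        intermediate = cause + bytes(N_BITS // 8)   # second intermediate value (zero filler)
    else:
        raise ValueError("unknown authentication failure type")
    return _xor_crypt(shared_key, nonce, intermediate)


def authentication_code(auth_key: bytes, failure_type: int) -> bytes:
    """Code over the cause value: the UE computes the first code, the network the second."""
    return hmac.new(auth_key, bytes([failure_type]), hashlib.sha256).digest()[:8]


def build_authentication_failure_message(shared_key, auth_key, nonce, failure_type, local_sqn=None):
    """Terminal side: authentication failure message with encryption indication and first code."""
    return {
        "encryption_indication": True,
        "failure_encryption_info": build_failure_encryption_info(shared_key, nonce, failure_type, local_sqn),
        "first_authentication_code": authentication_code(auth_key, failure_type),
    }


def decrypt_failure_info(shared_key, nonce, info):
    """Network side: recover the cause value and the remainder (SQN or filler)."""
    plain = _xor_crypt(shared_key, nonce, info)
    return plain[0], plain[1:]


def determine_failure_type(auth_key, first_code):
    """Network side: match the received first code against a second code per candidate type."""
    for candidate in (CAUSE_MAC_FAILURE, CAUSE_SYNC_FAILURE):
        if hmac.compare_digest(first_code, authentication_code(auth_key, candidate)):
            return candidate
    return None


def handle_authentication_failure(shared_key, auth_key, nonce, message):
    """Network side: decrypt, verify the failure type via the authentication code, report."""
    if not message.get("encryption_indication"):
        return None   # message without encrypted cause value; not modelled here
    cause, remainder = decrypt_failure_info(shared_key, nonce, message["failure_encryption_info"])
    verified = determine_failure_type(auth_key, message["first_authentication_code"])
    if verified != cause:
        return {"ok": False, "reason": "authentication code does not match decrypted cause value"}
    result = {"ok": True, "failure_type": cause}
    if cause == CAUSE_SYNC_FAILURE:
        result["local_sqn"] = remainder   # the network uses this for resynchronisation
    return result
```

Two points a practitioner should check in any real implementation of this scheme. First, the length equality only holds if N is chosen to match the sequence number width, which is why `N_BITS` is derived from `SQN_LEN` rather than set independently. Second, because the authentication code is computed over a cause value that takes only two possible values, it is only as unlinkable as its key is fresh; the example therefore assumes `auth_key`, like `shared_key` and `nonce`, is established per authentication run.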
In a third aspect, an authentication method is provided. The method includes: an authentication server function entity receives failure encryption information sent by an access and mobility management function entity, the failure encryption information being obtained by encrypting the cause value corresponding to the authentication failure type.
With reference to the third aspect, in some implementations of the third aspect, the failure encryption information being obtained by encrypting the cause value corresponding to the authentication failure type includes: if the authentication failure type is synchronization failure, the failure encryption information is obtained by encrypting the cause value corresponding to the synchronization failure together with the local sequence number information of the terminal device; or, if the authentication failure type is message authentication code failure, the failure encryption information is obtained by encrypting the cause value corresponding to the message authentication code failure.
With reference to the third aspect, in some implementations of the third aspect, the length of the failure encryption information is the same for different authentication failure types.
With reference to the third aspect, in some implementations of the third aspect, the failure encryption information being obtained by encrypting the cause value corresponding to the synchronization failure together with the local sequence number information of the terminal device includes: concatenating the cause value corresponding to the synchronization failure with the local sequence number information of the terminal device to obtain a first intermediate value; and performing an encryption operation on the first intermediate value to obtain the failure encryption information.
With reference to the third aspect, in some implementations of the third aspect, the failure encryption information being obtained by encrypting the cause value corresponding to the message authentication code failure includes: concatenating the cause value corresponding to the message authentication code failure with an N-bit binary number to obtain a second intermediate value; and performing an encryption operation on the second intermediate value to obtain the failure encryption information, where N is an integer greater than or equal to 1.
With reference to the third aspect, in some implementations of the third aspect, the local sequence number information of the terminal device includes the local sequence number of the terminal device or a parameter generated by processing the local sequence number of the terminal device.
With reference to the third aspect, in some implementations of the third aspect, the method further includes: the authentication server function entity sending the failure encryption information to a unified data management entity.
With reference to the third aspect, in some implementations of the third aspect, the method further includes: the authentication server function entity decrypting the failure encryption information.
With reference to the third aspect, in some implementations of the third aspect, the method further includes: the authentication server function entity generating a shared secret key; and the authentication server function entity decrypting the failure encryption information includes: the authentication server function entity using the shared secret key to decrypt the failure encryption information.
With reference to the third aspect, in some implementations of the third aspect, the method further includes: the authentication server function entity generating a second authentication code, the second authentication code being used to verify the authentication failure type; and the authentication server function entity sending the second authentication code to the access and mobility management function entity.
In a fourth aspect, an authentication method is provided. The method includes: a unified data management entity receives failure encryption information sent by an authentication server function entity, the failure encryption information being obtained by encrypting the cause value corresponding to the authentication failure type; and the unified data management entity decrypts the failure encryption information.
With reference to the fourth aspect, in some implementations of the fourth aspect, the failure encryption information being obtained by encrypting the cause value corresponding to the authentication failure type includes: if the authentication failure type is synchronization failure, the failure encryption information is obtained by encrypting the cause value corresponding to the synchronization failure together with the local sequence number information of the terminal device; or, if the authentication failure type is message authentication code failure, the failure encryption information is obtained by encrypting the cause value corresponding to the message authentication code failure.
With reference to the fourth aspect, in some implementations of the fourth aspect, the length of the failure encryption information is the same for different authentication failure types.
With reference to the fourth aspect, in some implementations of the fourth aspect, the failure encryption information being obtained by encrypting the cause value corresponding to the synchronization failure together with the local sequence number information of the terminal device includes: concatenating the cause value corresponding to the synchronization failure with the local sequence number information of the terminal device to obtain a first intermediate value; and performing an encryption operation on the first intermediate value to obtain the failure encryption information.
With reference to the fourth aspect, in some implementations of the fourth aspect, the failure encryption information being obtained by encrypting the cause value corresponding to the message authentication code failure includes: concatenating the cause value corresponding to the message authentication code failure with an N-bit binary number to obtain a second intermediate value; and performing an encryption operation on the second intermediate value to obtain the failure encryption information, where N is an integer greater than or equal to 1.
With reference to the fourth aspect, in some implementations of the fourth aspect, the local sequence number information of the terminal device includes the local sequence number of the terminal device or a parameter generated by processing the local sequence number of the terminal device.
With reference to the fourth aspect, in some implementations of the fourth aspect, the method further includes: the unified data management entity generating a shared secret key; and the unified data management entity decrypting the failure encryption information includes: using the shared secret key to decrypt the failure encryption information.
With reference to the fourth aspect, in some implementations of the fourth aspect, the method further includes: the unified data management entity generating a second authentication code, the second authentication code being used to verify the authentication failure type; and the unified data management entity sending the second authentication code to the access and mobility management function entity.
In a fifth aspect, an authentication apparatus is provided, including modules or units for performing the method in any possible implementation of the first to fourth aspects.
In a sixth aspect, an authentication device is provided, including a processor. The processor is coupled to a memory and may be used to execute instructions in the memory to implement the method in any possible implementation of the first to fourth aspects. Optionally, the secure session device further includes the memory. Optionally, the secure session device further includes a communication interface, and the processor is coupled to the communication interface.
In one implementation, the authentication device is a communication device, such as the terminal device, AMF, AUSF or UDM in the embodiments of this application. When the authentication device is a communication device, the communication interface may be a transceiver or an input/output interface.
In another implementation, the authentication device is a chip configured in a communication device, such as a chip configured in the terminal device, AMF, AUSF or UDM in the embodiments of this application. When the authentication device is a chip configured in a communication device, the communication interface may be an input/output interface.
Optionally, the transceiver may be a transceiver circuit. Optionally, the input/output interface may be an input/output circuit.
In a seventh aspect, a processor is provided, including an input circuit, an output circuit and a processing circuit. The processing circuit is configured to receive a signal through the input circuit and transmit a signal through the output circuit, so that the processor performs the method in any possible implementation of the first to fourth aspects.
In a specific implementation, the processor may be a chip, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be transistors, gate circuits, flip-flops and various logic circuits. The input signal received by the input circuit may be received and fed in by, for example but not limited to, a receiver; the signal output by the output circuit may be, for example but not limited to, output to a transmitter and transmitted by the transmitter; and the input circuit and the output circuit may be the same circuit, used as the input circuit and the output circuit at different times. The embodiments of this application do not limit the specific implementation of the processor and the circuits.
In an eighth aspect, a processing apparatus is provided, including a processor and a memory. The processor is configured to read instructions stored in the memory, and may receive signals through a receiver and transmit signals through a transmitter, so as to perform the method in any possible implementation of the first to fourth aspects.
Optionally, there are one or more processors and one or more memories.
Optionally, the memory may be integrated with the processor, or the memory and the processor may be arranged separately.
In a specific implementation, the memory may be a non-transitory memory, for example a read-only memory (ROM), which may be integrated with the processor on the same chip or arranged on separate chips. The embodiments of this application do not limit the type of the memory or the way the memory and the processor are arranged.
It should be understood that a related data interaction process, for example sending indication information, may be a process in which the processor outputs the indication information, and receiving capability information may be a process in which the processor receives input capability information. Specifically, data output by the processor may be output to the transmitter, and input data received by the processor may come from the receiver. The transmitter and the receiver may be collectively referred to as a transceiver.
The processing apparatus in the eighth aspect may be a chip, and the processor may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor that operates by reading software code stored in a memory, and the memory may be integrated in the processor or may be located outside the processor as a separate component.
In a ninth aspect, a computer program product is provided. The computer program product includes a computer program (which may also be called code or instructions) which, when run, causes a computer to perform the method in any possible implementation of the first to fourth aspects.
In a tenth aspect, a computer-readable medium is provided. The computer-readable medium stores a computer program (which may also be called code or instructions) which, when run on a computer, causes the computer to perform the method in any possible implementation of the first to fourth aspects.
In an eleventh aspect, a communication system is provided, including the aforementioned terminal device, access and mobility management function entity, authentication server function entity or unified data management entity.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of a network architecture to which the method provided in the embodiments of this application applies;
FIG. 2 is a schematic flowchart of an example of the authentication method according to this application;
FIG. 3 is a schematic flowchart of another example of the authentication method according to this application;
FIG. 4 is a schematic flowchart of a further example of the authentication method according to this application;
FIG. 5 is a schematic flowchart of a further example of the authentication method according to this application;
FIG. 6 is a schematic block diagram of an authentication apparatus according to this application;
FIG. 7 is a schematic block diagram of an authentication device according to this application.
具体实施方式detailed description
下面将结合附图,对本申请中的技术方案进行描述。The technical solution in this application will be described below in conjunction with the drawings.
本申请实施例的技术方案可以应用于各种通信***,例如:全球移动通信(global system for mobile communications,GSM)***、码分多址(code division multiple access,CDMA)***、宽带码分多址(wideband code division multiple access,WCDMA)***、通用分组无线业务(general packet radio service,GPRS)、长期演进(long term evolution,LTE)***、LTE频分双工(frequency division duplex,FDD)***、LTE时分双工(time division duplex,TDD)、通用移动通信***(universal mobile telecommunication system,UMTS)、全球互联微波接入(worldwide interoperability for microwave access,WiMAX)通信***、未来的第五代(5th generation,5G)***或新无线(new radio,NR)等。The technical solutions of the embodiments of the present application can be applied to various communication systems, such as: global mobile communication (global system for mobile communications, GSM) system, code division multiple access (code division multiple access (CDMA) system, broadband code division multiple access) (wideband code division multiple access (WCDMA) system, general packet radio service (general packet radio service, GPRS), long term evolution (LTE) system, LTE frequency division duplex (FDD) system, LTE Time division duplex (time division duplex, TDD), universal mobile communication system (universal mobile telecommunication system, UMTS), global interconnection microwave access (worldwide interoperability for microwave access, WiMAX) communication system, future fifth generation (5th generation, 5G) system or new radio (NR), etc.
应理解,本申请实施例并未对本申请实施例提供的方法的执行主体的具体结构特别限定,只要能够通过运行记录有本申请实施例的提供的方法的代码的程序,以根据本申请实施例提供的方法进行通信即可,例如,本申请实施例提供的方法的执行主体可以是终端设备或网络设备,或者,是终端设备或网络设备中能够调用程序并执行程序的功能模块。It should be understood that the embodiments of the application do not specifically limit the specific structure of the execution body of the method provided in the embodiments of the application, as long as the program that records the code of the method provided in the embodiments of the application can be executed according to the embodiments of the application. The provided method can be used for communication. For example, the execution subject of the method provided in the embodiments of the present application may be a terminal device or a network device, or a functional module in the terminal device or network device that can call and execute the program.
为便于理解本申请实施例,首先结合图1详细说明本申请实施例的一个应用场景。In order to facilitate the understanding of the embodiment of the present application, first, an application scenario of the embodiment of the present application is described in detail with reference to FIG. 1.
图1是适用于本申请实施例提供的方法的网络架构的示意图。如图所示,该网络架构例如可以是非漫游(non-roaming)架构。该网络架构具体可以包括下列网元:FIG. 1 is a schematic diagram of a network architecture suitable for the method provided in the embodiment of the present application. As shown in the figure, the network architecture may be a non-roaming architecture, for example. The network architecture may specifically include the following network elements:
1. Terminal device (user equipment, UE): may also be called user equipment, a terminal, an access terminal, a subscriber unit, a subscriber station, a mobile station, a mobile, a remote station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent or a user apparatus. A UE may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with a wireless communication function, a computing device or another processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a future 5G network or in a future evolved public land mobile network (PLMN), or an end device, a logical entity, a smart device such as a mobile phone or smart terminal, a communication device such as a server, gateway, base station or controller, or an Internet of things (IoT) device such as a sensor, electricity meter or water meter. The embodiments of this application do not limit this.
2. Access network (AN): provides network access for authorized users in a specific area and can use transport tunnels of different quality according to the user's level, service requirements and so on. The access network may use different access technologies. There are currently two types of wireless access technology: 3rd Generation Partnership Project (3GPP) access technology (for example, the radio access technology used in 3G, 4G or 5G systems) and non-3GPP access technology. 3GPP access technology is access technology that conforms to the 3GPP standard specifications; an access network using 3GPP access technology is called a radio access network (RAN), and the access network device in a 5G system is called a next generation Node B (gNB). Non-3GPP access technology is access technology that does not conform to the 3GPP standard specifications, for example the air-interface technology represented by an access point (AP) in Wi-Fi.
An access network that implements the access network function on the basis of wireless communication technology may be called a radio access network (RAN). The radio access network manages radio resources, provides access services to terminals, and thereby forwards control signalling and user data between the terminal and the core network.
The radio access network may be, for example, a base station (NodeB), an evolved base station (evolved NodeB, eNB or eNodeB), a base station (gNB) in a 5G mobile communication system, a base station in a future mobile communication system or an AP in a Wi-Fi system; it may also be a radio controller in a cloud radio access network (CRAN) scenario, or the access network device may be a relay station, an access point, a vehicle-mounted device, a wearable device, a network device in a future 5G network or a network device in a future evolved PLMN. The embodiments of this application do not limit the specific technology or device form used by the radio access network device.
3. Access and mobility management function (AMF) entity: mainly used for mobility management, access management and the like; it can implement the functions of a mobility management entity (MME) other than session management, for example lawful interception or access authorization (or authentication). In the embodiments of this application it can implement the functions of the access and mobility management network element.
4. Session management function (SMF) entity: mainly used for session management, allocation and management of the UE's Internet Protocol (IP) address, selection of a manageable user plane function, policy control, termination of the charging function interface, downlink data notification and the like. In the embodiments of this application it can implement the functions of the session management network element.
5. User plane function (UPF) entity: that is, the data plane gateway. It can be used for packet routing and forwarding, quality of service (QoS) handling of user plane data and the like. User data reaches the data network (DN) through this network element. In the embodiments of this application it can implement the functions of the user plane gateway.
6. Data network (DN): a network that provides data transmission, for example an operator's service network, the Internet, or a third-party service network.
7. Authentication server function (AUSF) entity: mainly used for user authentication and the like.
8. Network exposure function (NEF) entity: used to securely expose the services and capabilities provided by 3GPP network functions to the outside.
9. Network function (NF) repository function (NRF) entity: used to store the description information of network function entities and of the services they provide, and to support service discovery, network element discovery and the like.
10. Policy control function (PCF) entity: a unified policy framework that guides network behaviour and provides policy rule information to control plane network elements (for example the AMF and SMF).
11. Unified data management (UDM) entity: used for handling subscriber identification, access authentication, registration, mobility management and the like.
12. Application function (AF) entity: used for application-influenced data routing, accessing the network exposure function network element, or interacting with the policy framework for policy control and the like.
In this network architecture, the N1 interface is the reference point between the terminal and the AMF entity; the N2 interface is the reference point between the AN and the AMF entity and is used for sending non-access stratum (NAS) messages and the like; the N3 interface is the reference point between the (R)AN and the UPF entity and is used for transmitting user plane data and the like; the N4 interface is the reference point between the SMF entity and the UPF entity and is used for transmitting information such as the tunnel identification information of the N3 connection, data buffering indication information and downlink data notification messages; the N6 interface is the reference point between the UPF entity and the DN and is used for transmitting user plane data and the like.
It should be understood that the network architecture described above for the embodiments of this application is merely an example described from the perspective of a conventional point-to-point architecture and a service-based architecture; the network architecture applicable to the embodiments of this application is not limited to it, and any network architecture that can implement the functions of the network elements described above is applicable to the embodiments of this application.
It should also be understood that the AMF entity, SMF entity, UPF entity, NSSF entity, NEF entity, AUSF entity, NRF entity, PCF entity and UDM entity shown in FIG. 1 can be understood as core network elements that implement different functions and can, for example, be combined into network slices as required. These core network elements may be separate devices, or may be integrated into the same device to implement the different functions; this application does not limit this.
In the following, for ease of description, the entity implementing the AMF is denoted AMF, the entity implementing the AUSF is denoted AUSF, and the entity implementing the UDM function is denoted UDM. It should be understood that these names serve only to distinguish different functions and do not mean that the network elements are separate physical devices; this application does not limit the specific form of these network elements, which may, for example, be integrated into one physical device or be different physical devices. In addition, the names serve only to distinguish different functions and should not limit this application in any way; this application does not exclude the use of other names in 5G networks and other future networks. For example, in a 6G network some or all of these network elements may keep the 5G terminology or may use other names. This is stated here once and is not repeated below.
It should also be understood that the interface names between the network elements in FIG. 1 are only examples; in a specific implementation the interfaces may have other names, which this application does not specifically limit. In addition, the names of the messages (or signalling) transmitted between the network elements are also only examples and do not limit the function of the messages themselves in any way.
FIG. 2 is a schematic flowchart of an authentication method 200 provided by an embodiment of this application. As shown in FIG. 2, the method 200 includes the following.
In step S210, the AMF sends an authentication request message to the terminal device.
Specifically, the AMF sends the authentication request message to the terminal device in preparation for authenticating the terminal device. As an example, the authentication request message may carry an authentication random number (RAND) and an authentication token (AUTN), and the AUTN may include a message authentication code and a sequence number.
In step S221, the terminal device performs authentication according to the authentication request message.
For example, the terminal device may perform authentication according to the RAND and the AUTN.
Specifically, the terminal device may pass the RAND and AUTN to the universal subscriber identity module (USIM). The USIM first computes the expected message authentication code XMAC from the AUTN, the RAND and the root key K, and then compares the XMAC with the MAC carried in the AUTN. If this check fails (for example, the two are not equal), authentication is determined to have failed with the authentication failure type message authentication code failure (MAC failure), and the terminal device generates the cause value corresponding to message authentication code failure.
If the comparison of the XMAC with the MAC in the AUTN succeeds (for example, the two are equal), the USIM continues by checking whether the SQN in the AUTN lies in the valid range (for example, whether the SQN is greater than the terminal device's local sequence number SQN_MS). If this check fails (for example, the SQN is less than or equal to SQN_MS), authentication is determined to have failed with the authentication failure type synchronization failure (synch failure), and the terminal device likewise generates the cause value corresponding to synchronization failure.
The cause value corresponding to message authentication code failure indicates that the authentication failure type is message authentication code failure, while the cause value corresponding to synchronization failure indicates that the authentication failure type is synchronization failure; the two values are different.
As an example, the cause value corresponding to message authentication code failure and the cause value corresponding to synchronization failure may be 8-bit binary numbers; for example, the cause value corresponding to message authentication code failure may be "00010100" and, likewise, the cause value corresponding to synchronization failure may be "00010101".
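The terminal-side check of steps S210 and S221, written out as an added example (not code from the patent): the USIM recomputes XMAC, compares it with the MAC in AUTN, then checks SQN against its local counter SQN_MS, and yields the cause value for the failure type that occurred. The 3GPP functions f1 and f5 are replaced here by HMAC-SHA256 stand-ins, AUTN is assumed to be laid out as (SQN xor AK) || MAC, and the key, RAND and counters are constructed sample values.

```python
"""Terminal-side (USIM) handling of an authentication request (added example,
not the patent's code).  Assumptions: f1 (MAC) and f5 (anonymity key AK) are
HMAC-SHA256 stand-ins, AUTN = (SQN xor AK) || MAC, and all inputs are
constructed sample values."""
import hashlib
import hmac

# 8-bit cause values quoted as examples in the text
MAC_FAILURE_CAUSE = 0b00010100
SYNCH_FAILURE_CAUSE = 0b00010101

SQN_LEN = 6   # assumption: 48-bit sequence number
MAC_LEN = 8   # assumption: 64-bit message authentication code


def f1(k: bytes, rand: bytes, sqn: bytes) -> bytes:
    """Stand-in for f1: MAC over RAND and SQN under the root key K."""
    return hmac.new(k, b"f1" + rand + sqn, hashlib.sha256).digest()[:MAC_LEN]


def f5(k: bytes, rand: bytes) -> bytes:
    """Stand-in for f5: anonymity key AK used to conceal SQN inside AUTN."""
    return hmac.new(k, b"f5" + rand, hashlib.sha256).digest()[:SQN_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_autn(k: bytes, rand: bytes, sqn: int) -> bytes:
    """What the home network sends: AUTN = (SQN xor AK) || MAC."""
    sqn_bytes = sqn.to_bytes(SQN_LEN, "big")
    return xor(sqn_bytes, f5(k, rand)) + f1(k, rand, sqn_bytes)


def usim_verify(k: bytes, sqn_ms: int, rand: bytes, autn: bytes):
    """Check RAND/AUTN as the USIM does in step S221.

    Returns (True, None) on success, otherwise (False, cause_value) where
    cause_value identifies MAC failure or synchronization failure.
    """
    concealed, mac = autn[:SQN_LEN], autn[SQN_LEN:]
    sqn_bytes = xor(concealed, f5(k, rand))
    # 1. MAC check: recompute XMAC from AUTN, RAND and K and compare with MAC
    xmac = f1(k, rand, sqn_bytes)
    if not hmac.compare_digest(xmac, mac):
        return False, MAC_FAILURE_CAUSE
    # 2. Freshness check: SQN must be greater than the local counter SQN_MS
    if int.from_bytes(sqn_bytes, "big") <= sqn_ms:
        return False, SYNCH_FAILURE_CAUSE
    return True, None


def cause_bits(cause: int) -> str:
    """Render a cause value as the 8-bit string used in the text."""
    return format(cause, "08b")


# Constructed sample inputs (not real subscriber material)
SAMPLE_K = bytes(range(16))
SAMPLE_RAND = bytes(range(16, 32))


def demo():
    """Run the three outcomes: success, synchronization failure, MAC failure."""
    autn = build_autn(SAMPLE_K, SAMPLE_RAND, sqn=100)
    fresh = usim_verify(SAMPLE_K, 50, SAMPLE_RAND, autn)        # SQN 100 > SQN_MS 50
    stale = usim_verify(SAMPLE_K, 100, SAMPLE_RAND, autn)       # SQN 100 <= SQN_MS 100
    tampered = autn[:SQN_LEN] + xor(autn[SQN_LEN:], b"\xff" * MAC_LEN)
    forged = usim_verify(SAMPLE_K, 50, SAMPLE_RAND, tampered)   # MAC mismatch
    return fresh, stale, forged


if __name__ == "__main__":
    for label, (ok, cause) in zip(("fresh", "stale", "forged"), demo()):
        print(label, ok, None if cause is None else cause_bits(cause))
```

The order of the two checks matters for the privacy argument of this patent: the SQN check only runs once the MAC has verified, so an unencrypted cause value tells an observer exactly which check failed. The constant-time comparison of XMAC with MAC is the standard way to keep the MAC check itself from leaking through timing.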
In step S222, if authentication fails, the cause value corresponding to the authentication failure type is encrypted to obtain the encrypted failure information.
For example, if the authentication failure type is message authentication code failure, the cause value corresponding to message authentication code failure is encrypted.
As another example, if the authentication failure type is synchronization failure, the cause value corresponding to synchronization failure is encrypted.
It should be understood that the embodiments of this application do not limit the method by which the cause value corresponding to the authentication failure type is encrypted. As an example, the terminal device may negotiate the method of encrypting the cause value corresponding to the authentication failure type with a network-side device (for example, any one of the AMF, AUSF and UDM).
As an example, symmetric encryption may be used to encrypt the cause value corresponding to the authentication failure type. For example, the terminal device uses the root key K to encrypt the cause value, and the network-side device (for example, any one of the AMF, AUSF and UDM) can use the same key to decrypt the encrypted failure information. As another example, the terminal device may use a shared key it has in common with the network-side device (for example, a shared key computed from the authentication function key K_AUSF) to encrypt the cause value, and likewise the network-side device (for example, any one of the AMF, AUSF and UDM) can use that shared key to decrypt the encrypted failure information.
As an example, asymmetric encryption may also be used to encrypt the cause value corresponding to the authentication failure type; for example, the public key (or private key) of the home network may be used to encrypt the authentication failure type information, and the network-side device can then use the corresponding private key (or public key) to decrypt the encrypted failure information.
As an example, the cause value corresponding to the authentication failure type may be encrypted using a method based on subscription concealed identifier (SUCI) encryption or a method based on resynchronization token (AUTS) encryption, and the network-side device can then decrypt the encrypted failure information using the corresponding SUCI-based or AUTS-based decryption method.
It should be understood that the key used to encrypt the cause value corresponding to the authentication failure type may be one the terminal device already holds, one obtained through the network, or one derived by the terminal device itself.
In step S230, the terminal device sends the encrypted failure information to the AMF.
Specifically, the terminal device sends the encrypted failure information to the AMF in order to report the authentication failure result to the AMF and other network-side devices, so that they can decide the next action (for example, initiating authentication again) according to the authentication failure result.
For example, the terminal device may send the encrypted failure information to the AMF in an authentication failure message.
The AMF or another network-side device can decrypt the encrypted failure information in the predetermined manner to obtain the cause value corresponding to the authentication failure type and thus finally determine the authentication failure type.
The embodiments of this application encrypt the cause value corresponding to the authentication failure type to obtain encrypted failure information. Even if the encrypted failure information is intercepted by an attacker over the air interface, the attacker cannot decrypt it and therefore cannot distinguish which type of authentication failure occurred; the attacker thus cannot locate a tracked user or correlate the user's location, and the user's privacy is not leaked.
Optionally, in step S222, the cause values corresponding to different authentication failure types may be encrypted in different ways.
For example, if the authentication failure type is message authentication code failure, the cause value corresponding to message authentication code failure is encrypted.
If the authentication failure type is synchronization failure, the cause value corresponding to synchronization failure and the local sequence number information of the terminal device may be encrypted together.
Specifically, for synchronization failure the authentication failure information usually also includes the local sequence number information of the terminal device, so that the UDM can obtain the terminal device's local sequence number SQN_MS and initiate a new authentication based on it. For message authentication code failure, however, the authentication failure information usually does not include the local sequence number information of the terminal device. To prevent an attacker from distinguishing the authentication failure type by the local sequence number information of the terminal device, for synchronization failure the cause value corresponding to synchronization failure and the local sequence number information of the terminal device may be encrypted together.
Specifically, the terminal device's local sequence number SQN_MS can be obtained from the terminal device's local sequence number information, which may include the local sequence number itself or a parameter generated by processing the local sequence number; for example, the local sequence number information of the terminal device may include an authentication failure parameter.
In addition, the authentication failure parameter usually includes a parameter name, a parameter length and AUTS. AUTS is formed by XORing SQN_MS with AK and appending MAC-S, thereby providing confidentiality and integrity protection for SQN_MS. AUTS is computed as follows:
AUTS = SQN_MS ⊕ AK || MAC-S
where AK is the anonymity key, "⊕" denotes the exclusive-OR operation, "||" denotes concatenation, and MAC-S is the resynchronization message authentication code.
That is, the local sequence number information of the terminal device may also include the resynchronization token AUTS, the result SQN_MS ⊕ AK of XORing the terminal device's local sequence number SQN_MS with the anonymity key AK, or the terminal device's local sequence number SQN_MS itself.
Therefore, for synchronization failure, the cause value corresponding to the synchronization failure may be encrypted together with the authentication failure parameter to obtain the encrypted failure information.
Or, for synchronization failure, the cause value corresponding to the synchronization failure may be encrypted together with the AUTS to obtain the encrypted failure information.
Or, for synchronization failure, the cause value corresponding to the synchronization failure may be encrypted together with SQN_MS ⊕ AK to obtain the encrypted failure information.
Or, for synchronization failure, the cause value corresponding to the synchronization failure may be encrypted together with SQN_MS to obtain the encrypted failure information.
Optionally, as an embodiment, for synchronization failure, the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device may be encrypted to obtain the encrypted failure information as follows:
The cause value corresponding to the synchronization failure (denoted cause#1) and the local sequence number information of the terminal device (denoted SQN#1) are concatenated to obtain a first intermediate value, which may be written cause#1||SQN#1; the first intermediate value is then encrypted to obtain the encrypted failure information, which may be written Enc(cause#1||SQN#1).
Specifically, concatenating the cause value corresponding to the synchronization failure with the local sequence number information of the terminal device means joining the two end to end (their order is not limited) to obtain the first intermediate value; the first intermediate value is then encrypted to obtain the encrypted failure information.
For example, the cause value corresponding to the synchronization failure is concatenated with the authentication failure parameter (denoted AFP#1) to obtain the first intermediate value, written cause#1||AFP#1, and the first intermediate value is then encrypted to obtain the encrypted failure information, written Enc(cause#1||AFP#1).
As another example, the cause value corresponding to the synchronization failure is concatenated with the AUTS to obtain the first intermediate value, written cause#1||AUTS, and the first intermediate value is then encrypted to obtain the encrypted failure information, written Enc(cause#1||AUTS).
As another example, the cause value corresponding to the synchronization failure is concatenated with SQN_MS ⊕ AK to obtain the first intermediate value, written cause#1||SQN_MS ⊕ AK, and the first intermediate value is then encrypted to obtain the encrypted failure information, written Enc(cause#1||SQN_MS ⊕ AK).
As another example, the cause value corresponding to the synchronization failure is concatenated with the terminal device's local sequence number SQN_MS to obtain the first intermediate value, written cause#1||SQN_MS, and the first intermediate value is then encrypted to obtain the encrypted failure information, written Enc(cause#1||SQN_MS).
It should be understood that encrypting the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device to obtain the encrypted failure information may also be done in other ways. For example, another operation (for example, an exclusive-OR operation) may be performed on the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device to obtain the first intermediate value, which is then encrypted; this application does not limit this.
Optionally, the encrypted failure information has the same length for the different authentication failure types.
Specifically, the cause value corresponding to synchronization failure and the cause value corresponding to message authentication code failure usually have the same length. When the authentication failure type is synchronization failure, the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device may be concatenated to obtain the first intermediate value, which is then encrypted to obtain the encrypted failure information.
Because of the presence of the local sequence number information of the terminal device, when the authentication failure type is synchronization failure, the length of the corresponding encrypted failure information may be noticeably greater than the length of the encrypted failure information corresponding to message authentication code failure. For this reason, an attacker may be able to distinguish the authentication failure type from the length of the encrypted failure information.
In view of this, when the terminal device encrypts the cause value corresponding to the authentication failure type, it may make the length of the encrypted failure information the same for the different authentication failure types.
As an example, the length of the encrypted failure information may be made the same in at least one of the following ways:
Manner 1
Use a specific encryption method (for example, a specific encryption key) to encrypt the cause value corresponding to message authentication code failure, or use a specific encryption method to encrypt the cause value corresponding to synchronization failure together with the local sequence number information of the terminal device. Different encryption methods may change the length of the resulting encrypted failure information, so a specific encryption method can be chosen for the encryption processing such that the encrypted failure information has the same length for the different authentication failure types.
Manner 2
Perform a mathematical operation (for example, concatenation, exclusive-OR, etc.) on the content to be encrypted and a binary number of a certain length, and then encrypt the result.
As an example, the content to be encrypted may be concatenated with a binary number of a certain length and then encrypted, so that the encrypted failure information has the same length. For message authentication code failure, the content to be encrypted may be the corresponding cause value; for synchronization failure, the content to be encrypted may be the result of concatenating the corresponding cause value with the local sequence number information of the terminal device, that is, the first intermediate value.
For example, before encrypting the cause value corresponding to message authentication code failure, the cause value (denoted cause#2) may be concatenated with an N-bit binary number (denoted string#1) to obtain a second intermediate value, written cause#2||string#1; the second intermediate value is then encrypted to obtain the encrypted failure information, written Enc(cause#2||string#1), where N is an integer greater than or equal to 1.
The composition of the N-bit binary number may be negotiated with the network-side device (for example, any one of the AMF, AUSF and UDM); for example, the N-bit binary number may consist of any number of "0" bits and any number of "1" bits, or of N "0" bits, or of N "1" bits.
For the two authentication failure types, synchronization failure and message authentication code failure, the corresponding encrypted failure information can be made the same length (that is, Enc(cause#1||SQN#1) and Enc(cause#2||string#1) have the same length).
Therefore, for the same encryption method, it is only necessary for string#1 to have the same length as SQN#1, in other words for N to equal the length of the local sequence number information of the terminal device. For example, N may equal the length of any one of AFP#1, AUTS, SQN_MS ⊕ AK and SQN_MS.
It should be understood that for other encoding forms that may appear in the future, a method similar to the "concatenation with an N-bit binary number" described above can likewise be used to make the authentication failure information of the two authentication failure types the same fixed length; for example, the "N-bit binary number" may equally be an "N-digit decimal number", an "N-digit hexadecimal number", an "N-character string" and so on. All such forms that may appear in the future fall within the scope of the technical solution of this application.
It should be understood that for the two authentication failure types, synchronization failure and message authentication code failure, the same or different mathematical operations may be used and the same or different encryption methods may be used, as long as the encrypted failure information corresponding to the two authentication failure types has the same length; this application does not limit this, and all possible forms fall within the scope of the technical solution of this application.
根据本申请实施例,攻击者无法通过该失败加密信息的长度来区分究竟是哪一种认证失败类型,从而攻击者无法定位或者关联被追踪用户的位置,保证用户的隐私不被泄露。According to the embodiment of the present application, the attacker cannot distinguish which authentication failure type is based on the length of the failed encrypted information, so that the attacker cannot locate or correlate the location of the tracked user to ensure that the user's privacy is not leaked.
可选地,作为另外一个可能的实施例,为了使攻击者无法通过该失败加密信息的长度来区分究竟是哪一种认证失败类型,也可以使对于不同的认证失败类型,其对应的失败加密信息的长度是可变的,并且均处于相同的变化范围内。Optionally, as another possible embodiment, in order to prevent the attacker from distinguishing which authentication failure type is based on the length of the failed encryption information, it is also possible to make the corresponding failure encryption for different authentication failure types The length of the information is variable and all within the same range of variation.
例如,同样可以通过上述方式1和/或方式2来使消息认证码失败对应的失败加密信息的长度是可变的,并且处于第一变化范围内;For example, the above method 1 and/or method 2 can also be used to make the length of the failed encryption information corresponding to the failure of the message authentication code variable and within the first variation range;
可以通过上述方式1和/或方式2来使同步失败对应的失败加密信息的长度是可变的,并且也处于第一变化范围内。The length of the failed encryption information corresponding to the synchronization failure can be made variable by means 1 and/or means 2 above, and it is also within the first variation range.
通过上述实施例,同样能够使攻击者无法通过失败加密信息的长度来区分究竟是哪一种认证失败类型。Through the foregoing embodiments, it is also possible for an attacker to be unable to distinguish which authentication failure type is based on the length of the failed encryption information.
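The length-equalization argument above (cause#1||SQN#1 for a synchronization failure against cause#2||string#1 for a MAC failure, with N chosen equal to the length of SQN#1) can be checked mechanically. The following Python is an added illustration, not code from the application or from Huawei: the cause byte values, the 48-bit SQN_MS, the demo key and nonce are constructed placeholders, and `enc()` is a stand-in keystream cipher that models only the one property the argument relies on, that the ciphertext is as long as the plaintext. It contrasts the naive construction, whose ciphertext length reveals the failure type, with the padded construction, and shows how the home network parses the decrypted value.

```python
import hashlib
import hmac
import os

# Constructed placeholder cause values (not 3GPP-assigned codes). The page
# writes cause#1 for synchronization failure and cause#2 for MAC failure.
CAUSE_SYNC_FAILURE = b"\x01"   # cause#1
CAUSE_MAC_FAILURE = b"\x02"    # cause#2

# Constructed 48-bit local sequence number of the terminal (SQN#1 / SQN_MS).
SQN_MS = bytes.fromhex("0000000000a5")

# Constructed demo key and nonce for the round trip below.
DEMO_KEY = bytes(range(32))
DEMO_NONCE = bytes(16)


def enc(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the page's Enc(): a length-preserving keystream cipher
    built from one HMAC-SHA256 output. It only models the property that
    matters here (ciphertext length == plaintext length); it handles at most
    32 bytes and the nonce must be fresh for every message."""
    if len(plaintext) > 32:
        raise ValueError("model cipher supports at most 32 bytes")
    keystream = hmac.new(key, nonce, hashlib.sha256).digest()[: len(plaintext)]
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


dec = enc  # XOR keystream cipher: decryption is the same operation


def plaintext_unpadded(kind: str, sqn_ms: bytes) -> bytes:
    """Naive construction: only the synchronization failure carries SQN_MS,
    so the two failure types give plaintexts, and hence ciphertexts, of
    different length, which is what an observer could use to tell them apart."""
    if kind == "sync":
        return CAUSE_SYNC_FAILURE + sqn_ms
    return CAUSE_MAC_FAILURE


def plaintext_padded(kind: str, sqn_ms: bytes) -> bytes:
    """The page's construction: synchronization failure -> cause#1 || SQN#1
    (first intermediate value); MAC failure -> cause#2 || string#1 (second
    intermediate value), where string#1 is N bits and N is the bit length of
    SQN#1. string#1 is all-zero bits here; the page allows any pattern agreed
    with the network side."""
    if kind == "sync":
        return CAUSE_SYNC_FAILURE + sqn_ms
    string1 = bytes(len(sqn_ms))  # N zero bits with N = 8 * len(SQN#1)
    return CAUSE_MAC_FAILURE + string1


def leaks_failure_type(builder, key: bytes, sqn_ms: bytes) -> bool:
    """True if the two failure types produce ciphertexts of different length,
    i.e. the length alone reveals which failure occurred."""
    lengths = set()
    for kind in ("mac", "sync"):
        nonce = os.urandom(16)  # fresh nonce per message
        lengths.add(len(enc(key, nonce, builder(kind, sqn_ms))))
    return len(lengths) > 1


def parse_failure_plaintext(plaintext: bytes, sqn_len: int):
    """Home-network side after decryption: the cause value decides whether the
    trailing bytes are SQN_MS (kept for resynchronization) or string#1
    (discarded). Returns (failure type, SQN_MS or None)."""
    cause, tail = plaintext[:1], plaintext[1:]
    if len(tail) != sqn_len:
        raise ValueError("unexpected failure-information length")
    if cause == CAUSE_SYNC_FAILURE:
        return "sync", tail
    if cause == CAUSE_MAC_FAILURE:
        return "mac", None
    raise ValueError("unknown cause value")


def round_trip(kind: str):
    """Terminal encrypts the padded failure information; home network decrypts
    and parses it. Returns (ciphertext length, parsed result)."""
    ciphertext = enc(DEMO_KEY, DEMO_NONCE, plaintext_padded(kind, SQN_MS))
    parsed = parse_failure_plaintext(dec(DEMO_KEY, DEMO_NONCE, ciphertext), len(SQN_MS))
    return len(ciphertext), parsed
```

With a real stream or counter-mode cipher the same reasoning holds byte for byte; with a block cipher in a padding mode the ciphertext length is rounded up to a block boundary, which is why the page requires only that the two failure types end up in the same length (or the same length range), not a particular value of N.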
FIG. 3 is a schematic flowchart of an authentication method 300 according to another embodiment of this application. As shown in FIG. 3, the method 300 includes the following.
In step S300, an authentication procedure is initiated between the UDM and the terminal device.
Specifically, the UDM first creates a 5G home environment authentication vector (5G HE AV) according to the authentication request; the 5G HE AV may include authentication parameters such as RAND, AUTN and the expected response (XRES). The UDM then sends the 5G HE AV to the AUSF, and the AUSF generates a 5G serving environment authentication vector (5G SE HV) from it; the 5G SE HV may include the RAND, AUTN and hash expected response (HXRES) authentication parameters. The AUSF then sends the 5G SE HV to the AMF, and the AMF generates an authentication request message from the 5G SE HV.
In step S310, the AMF sends the authentication request message to the terminal device.
In step S321, the terminal device performs authentication according to the authentication request message.
In step S322, if authentication fails, the cause value corresponding to the authentication failure type is encrypted to obtain the failure encryption information.
Steps S310, S321 and S322 can be understood with reference to steps S210, S221 and S222 of the method 200, and are not repeated here.
In step S330, the terminal device sends an authentication failure message to the AMF, and the authentication failure message includes the failure encryption information.
Specifically, the failure encryption information may be sent to the AMF in the authentication failure message, or in another form (for example, sent separately).
In step S350, the AMF sends the failure encryption information to the UDM.
In step S360, the UDM decrypts the failure encryption information.
Specifically, the terminal device may send the failure encryption information to the AMF in the authentication failure message; after receiving it, the AMF may send it to the UDM directly or via the AUSF. For example, the failure encryption information may also be sent to the UDM along with a service invocation of the authentication procedure.
Specifically, the AMF sends the failure encryption information to the UDM; the UDM obtains and decrypts it, thereby obtaining the cause value corresponding to the authentication failure type and finally determining the type. In addition, the UDM can also obtain the terminal device's local sequence number information and thus the local sequence number SQN_MS. Based on the information obtained, the UDM determines the next action (for example, re-initiating authentication).
The UDM can determine how to decrypt the failure encryption information according to the specific way the terminal device performed the encryption.
For example, the failure encryption information may be decrypted using any one of: the root key K; the private key (public key) corresponding to the home network's public key (private key); the decryption method based on the subscription concealed identifier SUCI; the decryption method based on the resynchronization parameter AUTS; or a shared key derived by the UDM or the AUSF.
The UDM decrypts the failure encryption information using any of the above methods, obtains the cause value corresponding to the authentication failure type, and finally determines the type. The UDM can then determine the next action according to the authentication failure type, for example as in case A and case B below.
Case A
If the authentication failure type is message authentication code failure or synchronization failure, the UDM can perform step S370, in which the UDM re-initiates the authentication procedure.
Case B
If the authentication failure type is message authentication code failure, the UDM can perform step S380, in which the UDM sends the cause value corresponding to the message authentication code failure to the AMF, and the AMF re-initiates the authentication procedure or performs other operations.
Specifically, the UDM may send the cause value corresponding to the message authentication code failure to the AMF directly or via the AUSF.
Optionally, the method 300 may further include the following.
In step S323, the terminal device generates encryption indication information.
Specifically, the encryption indication information indicates that the authentication failure message carries the failure encryption information, and the authentication failure message includes the encryption indication information.
Specifically, the terminal device may send the encryption indication information to the AMF in the authentication failure message, or in another way (for example, separately).
As an example, the encryption indication information may be a new cause value in the 5GMM Cause information element; for example, the new cause value may indicate that the authentication failure type is "message authentication code failure or synchronization failure" or "unknown failure".
In step S340, the AMF determines whether the authentication failure message includes the encryption indication information.
Specifically, the AMF checks whether the authentication failure message includes the encryption indication information; if it does, the AMF can conclude that the received failure information is encrypted, and may send the failure encryption information to the AUSF, which forwards it to the UDM, or send it to the UDM directly.
In addition, because the encryption indication information is generated together with the failure encryption information and the AMF checks for it, the AMF is prevented from mistaking the failure encryption information for the plain cause value of some authentication failure type, or for some abnormal information element.
In addition, the AMF may also send the encryption indication information to the UDM.
Specifically, the AMF may send the encryption indication information to the UDM directly or via the AUSF. For example, the failure encryption information may also be sent to the UDM along with a service invocation of the authentication procedure.
FIG. 4 is a schematic flowchart of an authentication method 400 according to this application under the 5G network architecture. As shown in FIG. 4, the method 400 includes the following.
Steps S400, S410, S421, S422 and S430 can be understood with reference to steps S300, S310, S321, S322 and S330 of the method 300, and are not repeated here.
In step S401, the UDM generates (or derives) a shared key for decrypting the authentication failure information.
In step S402, the UDM sends the shared key to the AMF.
Specifically, this embodiment does not limit the method by which the UDM generates the shared key, nor the parameters required; for example, the UDM may derive the shared key from the authentication function key K_AUSF, then send it to the AMF, which stores it.
The UDM can negotiate with the terminal device the method for generating the shared key and the parameters it requires.
The UDM may send the shared key to the AMF directly or via the AUSF. For example, the shared key may be sent to the AUSF along with the 5G home environment authentication vector and on to the AMF along with the 5G serving environment authentication vector.
In addition, the shared key may also be generated by the AUSF, which sends it to the AMF; for example, along with the 5G serving environment authentication vector.
In addition, the shared key may also be computed by the AMF itself.
In step S4211, the terminal device generates the shared key, which is used to encrypt the cause value corresponding to the authentication failure type.
Specifically, the terminal device also generates the shared key and uses it to encrypt the cause value corresponding to the authentication failure type (possibly together with the terminal device's local sequence number information).
For example, the terminal device may likewise derive the shared key from the authentication function key K_AUSF and use it for the encryption.
Alternatively, the terminal device may negotiate with the UDM (or the AUSF, or the AMF) to generate the shared key using another method and other parameters.
In step S422, if authentication fails, the terminal device encrypts the cause value corresponding to the authentication failure type (possibly together with its local sequence number information) with the shared key to obtain the failure encryption information.
In step S441, the AMF decrypts the failure encryption information.
Specifically, the AMF obtains the failure encryption information and decrypts it with the shared key, thereby obtaining the cause value corresponding to the authentication failure type and finally determining the type. The AMF can also obtain the terminal device's local sequence number information. Based on the information obtained, the AMF determines the next action (for example, re-initiating authentication).
Having decrypted the failure encryption information with the shared key and determined the authentication failure type, the AMF can determine the next action according to that type, for example as in case X and case Y below.
Case X
If the authentication failure type is message authentication code failure, step S442 is performed: the AMF initiates a re-authentication procedure or performs other operations.
Case Y
If the authentication failure type is synchronization failure, steps S450 to S460 are performed.
In step S450, the AMF sends the cause value corresponding to the synchronization failure and the terminal device's local sequence number information to the UDM.
Specifically, the AMF may send the cause value corresponding to the synchronization failure and the terminal device's local sequence number information to the UDM directly or via the AUSF. For example, they may also be sent to the UDM along with a service invocation of the authentication procedure.
In step S460, the UDM initiates a re-authentication procedure.
Specifically, the UDM obtains the cause value corresponding to the synchronization failure and the terminal device's local sequence number information, determines that the authentication failure type is synchronization failure, and at the same time determines the terminal device's local sequence number SQN_MS. The UDM can initiate the re-authentication procedure based on SQN_MS.
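Method 400 differs from method 300 in that the AMF, not the UDM, holds the decryption key, and the key is derived on both sides from K_AUSF rather than transported to the terminal. The following Python is an added illustration of that flow, not code from the application or from Huawei: the application leaves the derivation method and its inputs to negotiation, so `derive_shared_key()` is a hypothetical HMAC-SHA256 KDF with a fixed label and RAND as context; the cause byte values and the 48-bit SQN_MS are constructed placeholders; and `keystream_xor()` is a stand-in for the page's Enc()/Dec(). It runs steps S4211/S401 (key derivation at both ends), S422 (terminal encryption) and S441 with cases X and Y (AMF decryption and routing).

```python
import hashlib
import hmac
import os

# Constructed placeholder cause values (not 3GPP-assigned codes).
CAUSE_SYNC_FAILURE = b"\x01"
CAUSE_MAC_FAILURE = b"\x02"
SQN_LEN = 6  # 48-bit SQN_MS assumed for this example


def derive_shared_key(k_ausf: bytes, rand: bytes) -> bytes:
    """Hypothetical derivation of the method-400 shared key from K_AUSF. The
    page only says the key can be derived from K_AUSF and that method and
    inputs are negotiated; an HMAC-SHA256 KDF with a fixed label and RAND as
    context is assumed here, so terminal and network derive the same key
    without the key itself crossing the air interface."""
    return hmac.new(k_ausf, b"failure-cause-key" + rand, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the page's Enc()/Dec(): XOR with one HMAC-SHA256 block,
    length-preserving; at most 32 bytes and a fresh nonce per message."""
    if len(data) > 32:
        raise ValueError("model cipher supports at most 32 bytes")
    keystream = hmac.new(key, nonce, hashlib.sha256).digest()[: len(data)]
    return bytes(d ^ k for d, k in zip(data, keystream))


def terminal_failure_info(shared_key: bytes, kind: str, sqn_ms: bytes):
    """Step S422: the terminal encrypts cause || SQN_MS (synchronization
    failure) or cause || string#1 (MAC failure) under the shared key. Both
    plaintexts have the same length. Returns (nonce, ciphertext)."""
    if len(sqn_ms) != SQN_LEN:
        raise ValueError("SQN_MS has unexpected length")
    if kind == "sync":
        plaintext = CAUSE_SYNC_FAILURE + sqn_ms
    elif kind == "mac":
        plaintext = CAUSE_MAC_FAILURE + bytes(SQN_LEN)  # string#1, all zero bits
    else:
        raise ValueError("unknown failure type")
    nonce = os.urandom(16)
    return nonce, keystream_xor(shared_key, nonce, plaintext)


def amf_handle_failure(shared_key: bytes, nonce: bytes, ciphertext: bytes) -> dict:
    """Step S441 with cases X and Y: the AMF decrypts with the shared key it
    holds (received from the UDM/AUSF or derived itself) and picks the next step."""
    if len(ciphertext) != 1 + SQN_LEN:
        raise ValueError("failure information has unexpected length")
    plaintext = keystream_xor(shared_key, nonce, ciphertext)
    cause, tail = plaintext[:1], plaintext[1:]
    if cause == CAUSE_MAC_FAILURE:
        # Case X (step S442): the AMF itself re-initiates authentication.
        return {"case": "X", "action": "amf_reauthenticate"}
    if cause == CAUSE_SYNC_FAILURE:
        # Case Y (steps S450-S460): cause value and SQN_MS go to the UDM,
        # which re-initiates authentication from SQN_MS.
        return {"case": "Y", "action": "forward_to_udm", "sqn_ms": tail}
    raise ValueError("unknown cause value")


def end_to_end(k_ausf: bytes, rand: bytes, kind: str, sqn_ms: bytes) -> dict:
    """Terminal (step S4211) and network (step S401) each derive the shared
    key from the same K_AUSF and RAND; the terminal encrypts, the AMF decrypts."""
    key_terminal = derive_shared_key(k_ausf, rand)
    key_network = derive_shared_key(k_ausf, rand)  # UDM/AUSF side, handed to the AMF (S402)
    nonce, ciphertext = terminal_failure_info(key_terminal, kind, sqn_ms)
    return amf_handle_failure(key_network, nonce, ciphertext)
```

Because the AMF in a visited network receives the shared key with the authentication vector, the cause value and SQN_MS are readable by the serving network in this embodiment; method 300, where only the UDM decrypts, keeps them inside the home network at the cost of one more round trip.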
In the method 400 of this embodiment and the method 300 of the preceding embodiment, the failure encryption information is decrypted by the UDM and the AMF respectively. It should be understood that the AUSF may also decrypt the failure encryption information and send the decrypted cause value corresponding to the authentication failure type (possibly together with the terminal device's local sequence number information) to the UDM.
FIG. 5 is a schematic flowchart of an authentication method 500 according to this application under the 5G network architecture. As shown in FIG. 5, the method 500 includes the following.
Steps S500, S510, S521 and S522 can be understood with reference to steps S300, S310, S321 and S322 of the method 300, and are not repeated here.
In step S501, the UDM obtains a second authentication code according to the cause value corresponding to a first authentication failure type.
For example, the UDM may compute the second authentication code from the cause value corresponding to the first authentication failure type; the second authentication code is used to verify the authentication failure type, and the first authentication failure type is message authentication code failure or synchronization failure.
In step S502, the UDM sends the second authentication code to the AMF.
For example, if the first authentication failure type is message authentication code failure, the UDM may compute the second authentication code from the cause value corresponding to message authentication code failure.
As another example, if the first authentication failure type is synchronization failure, the UDM may compute the second authentication code from the cause value corresponding to synchronization failure.
This embodiment does not limit the method of computing the second authentication code from the cause value corresponding to the first authentication failure type, nor the other parameters required. For example, the second authentication code may be computed jointly from the root key K, RAND and the cause value corresponding to the authentication failure type.
The UDM can negotiate with the terminal device the method of computing the second authentication code and the parameters it requires.
Specifically, the UDM computes the second authentication code and sends it to the AMF, which may store it after receipt.
The UDM may send the second authentication code to the AMF directly or via the AUSF. For example, the second authentication code may be sent to the AUSF along with the 5G home environment authentication vector and on to the AMF along with the 5G serving environment authentication vector.
In addition, the second authentication code may also be computed by the AUSF, which sends it to the AMF; for example, along with the 5G serving environment authentication vector.
In addition, the second authentication code may also be computed by the AMF itself.
In step S523, the terminal device obtains a first authentication code according to the cause value corresponding to the authentication failure type.
For example, the terminal device computes the first authentication code from the cause value corresponding to the authentication failure type; the first authentication code is used to verify the authentication failure type.
Specifically, after determining the authentication failure type, the terminal device computes the first authentication code from the corresponding cause value; the first authentication code is used to verify the authentication failure type.
For example, if the authentication failure type is message authentication code failure, the first authentication code is computed from the cause value corresponding to message authentication code failure.
As another example, if the authentication failure type is synchronization failure, the first authentication code is computed from the cause value corresponding to synchronization failure.
This embodiment does not limit the method of computing the first authentication code from the cause value corresponding to the authentication failure type, nor the other parameters required.
It should be understood that the method by which the terminal device computes the first authentication code and the method by which the UDM computes the second authentication code may be the same or different, and the other parameters each requires may likewise be the same or different.
For example, the two may use the same computation method: the terminal device may likewise compute the first authentication code jointly from the root key K, RAND and the cause value corresponding to the authentication failure type.
In step S530, the terminal device sends an authentication failure message to the AMF, and the authentication failure message includes the failure encryption information and the first authentication code.
Specifically, the failure encryption information and the first authentication code may also be sent to the AMF other than in the authentication failure message; in other words, they may be sent to the AMF separately or together in some other way.
In step S541, the AMF determines the authentication failure type according to the first authentication code and the second authentication code.
Specifically, as described above, the first authentication code and the second authentication code can be computed with the same method and parameters. As an example, the first authentication failure type may be message authentication code failure, that is, the second authentication code is computed from the cause value corresponding to message authentication code failure. The first authentication code can be matched against the second authentication code, and the authentication failure type determined from the matching result.
For example, if the match succeeds (e.g. the two values are equal), the authentication failure type can be determined to be the first authentication failure type, i.e. message authentication code failure.
As another example, if the match fails (e.g. the two values are not equal), the authentication failure type can be determined to be a type other than the first authentication failure type, i.e. synchronization failure.
It should be understood that in step S501 the second authentication code may also be generated for the different authentication failure types at the same time.
For example, one second authentication code is computed from the cause value corresponding to message authentication code failure, and at the same time another second authentication code is computed from the cause value corresponding to synchronization failure.
In step S541, the AMF may then determine the authentication failure type jointly from the first authentication code and the two second authentication codes; for example, the first authentication code may be matched against both second authentication codes at once, and the authentication failure type determined from the combined matching result.
Compared with the preceding embodiments, this embodiment learns the authentication failure type in advance from the matching result of the first and second authentication codes, without always having to decrypt the failure encryption information first; the procedure is simpler and more efficient.
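The matching step S541 of method 500, in both the single-code form (steps S781 to S783 of the description: match means the first failure type, mismatch means the other) and the two-code form (one second authentication code per failure type), as an added Python illustration that is not code from the application or from Huawei. The application names root key K, RAND and the cause value as inputs but fixes no algorithm, so `auth_code()` is a hypothetical HMAC-SHA256 truncated to 8 bytes, used identically on the terminal side (step S523) and the UDM side (step S501); the cause byte values are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder cause values (not 3GPP-assigned codes).
CAUSE_MAC_FAILURE = b"\x02"
CAUSE_SYNC_FAILURE = b"\x01"
CAUSES = {"mac": CAUSE_MAC_FAILURE, "sync": CAUSE_SYNC_FAILURE}
CODE_LEN = 8


def auth_code(root_key_k: bytes, rand: bytes, cause: bytes) -> bytes:
    """Hypothetical authentication code over the three inputs the page names
    (root key K, RAND, cause value). The page fixes no algorithm; HMAC-SHA256
    truncated to CODE_LEN bytes is assumed, used identically for the first
    code (terminal, step S523) and the second code (UDM, step S501)."""
    return hmac.new(root_key_k, rand + cause, hashlib.sha256).digest()[:CODE_LEN]


def terminal_first_code(root_key_k: bytes, rand: bytes, kind: str) -> bytes:
    """Step S523: the terminal computes the first authentication code from the
    cause value of the failure it actually observed."""
    return auth_code(root_key_k, rand, CAUSES[kind])


def udm_second_codes(root_key_k: bytes, rand: bytes) -> dict:
    """Step S501 in the variant where the UDM precomputes one second
    authentication code per failure type and passes both to the AMF (S502)."""
    return {kind: auth_code(root_key_k, rand, cause) for kind, cause in CAUSES.items()}


def amf_classify(first_code: bytes, second_codes: dict):
    """Step S541 with two second codes: compare the first code against each,
    in constant time; return the matching failure type, or None if neither
    matches (e.g. a corrupted or wrong-length first code)."""
    for kind, code in second_codes.items():
        if hmac.compare_digest(first_code, code):
            return kind
    return None


def amf_classify_single(first_code: bytes, second_code_mac: bytes) -> str:
    """Step S541 with a single second code for the first failure type (MAC
    failure): a match means MAC failure, any mismatch is taken as the other
    type, synchronization failure. A damaged first code is therefore
    indistinguishable from a synchronization failure here, which the two-code
    variant above avoids by reporting no match at all."""
    if hmac.compare_digest(first_code, second_code_mac):
        return "mac"
    return "sync"
```

The two-code variant is the one to prefer when the AMF is expected to act on the result without a further decryption step, since it turns "neither code matches" into an explicit outcome rather than silently treating it as a synchronization failure and forwarding the message to the UDM.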
The AMF can determine the next action according to the authentication failure type, for example as in the following cases M and N.
Case M
If the authentication failure type is message authentication code failure, step S542 is executed: the AMF initiates a re-authentication procedure or performs another operation.
Case N
If the authentication failure type is synchronization failure, steps S550 to S570 are executed.
In step S550, the AMF sends the failure encryption information corresponding to the synchronization failure to the UDM.
Specifically, the AMF may send the failure encryption information corresponding to the synchronization failure to the UDM directly, or may send it to the UDM via the AUSF. For example, the failure encryption information corresponding to the synchronization failure may also be sent to the UDM together with the service invocation of the authentication procedure.
In step S560, the UDM decrypts the failure encryption information corresponding to the synchronization failure.
In step S570, the UDM initiates a re-authentication procedure.
Specifically, the UDM may determine how to decrypt the failure encryption information according to the specific manner in which the terminal device performed the encryption.
For example, the failure encryption information may be decrypted using any one of the following: the root key K; the private key (or public key) corresponding to the public key (or private key) of the home network; a decryption method based on the subscription concealed identifier SUCI; a decryption method based on the resynchronization parameter AUTS; or a shared key derived by the UDM or the AUSF.
The UDM decrypts the failure encryption information using any of the above methods, thereby obtaining the cause value corresponding to the authentication failure type and the local sequence number information of the terminal device. The UDM then initiates a re-authentication procedure based on the information obtained.
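The terminal-side construction of the failure encryption information (claims 2 to 5: the cause value concatenated with the local sequence number for a synchronization failure, or with N padding bits for a message authentication code failure, so that both failure types produce the same length) together with the UDM-side decryption of steps S550 to S570, as an added example that is not part of the patent. It assumes a 32-byte key already shared between the terminal device and the UDM, standing in for whichever of the page's options (root key K, home network key pair, SUCI- or AUTS-based method, derived shared key) is actually used, and uses an HMAC-SHA256 keystream with a tag as a stand-in for the unspecified encryption algorithm; the cause value encodings and sample values are constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed encodings: the patent does not fix the cause value format or sizes.
CAUSE_MAC_FAILURE = 0x01      # message authentication code failure
CAUSE_SYNC_FAILURE = 0x02     # synchronization failure
CAUSE_LEN = 1
SQN_LEN = 6                   # 48-bit local sequence number, as in 3GPP AKA
PLAINTEXT_LEN = CAUSE_LEN + SQN_LEN   # identical for both failure types (claim 3)
NONCE_LEN = 12
TAG_LEN = 16
KEY_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the unspecified cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. A fresh nonce per message keeps
    repeated failures from producing identical ciphertexts on the air interface."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ciphertext + tag


def _decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything of unexpected length."""
    if len(blob) != NONCE_LEN + PLAINTEXT_LEN + TAG_LEN:
        raise ValueError("failure encryption information has unexpected length")
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:NONCE_LEN + PLAINTEXT_LEN]
    tag = blob[NONCE_LEN + PLAINTEXT_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def build_failure_encryption_info(key: bytes, failure_type: str, local_sqn: bytes = b"") -> bytes:
    """Terminal side (claims 2, 4 and 5): build the intermediate value and encrypt it."""
    if failure_type == "sync":
        # Claim 4: cause value || local sequence number -> first intermediate value.
        if len(local_sqn) != SQN_LEN:
            raise ValueError("local sequence number must be %d bytes" % SQN_LEN)
        intermediate = bytes([CAUSE_SYNC_FAILURE]) + local_sqn
    elif failure_type == "mac":
        # Claim 5: cause value || N-bit binary number -> second intermediate value.
        # N = 8 * SQN_LEN so that both failure types encrypt to the same length (claim 3).
        intermediate = bytes([CAUSE_MAC_FAILURE]) + bytes(SQN_LEN)
    else:
        raise ValueError("unknown failure type: %r" % failure_type)
    return _encrypt(key, intermediate)


def udm_process_failure_info(key: bytes, blob: bytes) -> dict:
    """UDM side (steps S560 and S570): decrypt, read the cause value and, for a
    synchronization failure, the terminal's local sequence number."""
    plaintext = _decrypt(key, blob)
    cause, rest = plaintext[0], plaintext[1:]
    if cause == CAUSE_SYNC_FAILURE:
        return {"cause": "sync_failure",
                "local_sqn": int.from_bytes(rest, "big"),
                "action": "resynchronize and re-authenticate"}
    if cause == CAUSE_MAC_FAILURE:
        return {"cause": "mac_failure", "action": "re-authenticate"}
    raise ValueError("unknown cause value %#x" % cause)


if __name__ == "__main__":
    # Constructed sample: a 32-byte shared key and a 48-bit local sequence number.
    shared_key = bytes(range(KEY_LEN))
    sqn = (0x1122334455AA).to_bytes(SQN_LEN, "big")
    sync_info = build_failure_encryption_info(shared_key, "sync", sqn)
    mac_info = build_failure_encryption_info(shared_key, "mac")
    print("equal length:", len(sync_info) == len(mac_info))
    print(udm_process_failure_info(shared_key, sync_info))
    print(udm_process_failure_info(shared_key, mac_info))
```

Because both failure types yield ciphertext of the same length, the serving network and any observer on the path cannot tell from the message size whether a MAC or a synchronization failure occurred; only the UDM, after the integrity check passes, learns the cause and the sequence number it needs for resynchronization.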
The authentication method provided by the embodiments of this application has been described above in detail with reference to FIGS. 2 to 5. The authentication apparatus provided by the embodiments of this application is described below in detail with reference to FIGS. 6 and 7.
FIG. 6 is a schematic block diagram of an authentication apparatus 800 provided by an embodiment of this application. As shown in the figure, the authentication apparatus 800 may include a transceiver unit 810 and a processing unit 820.
In one possible design, the authentication apparatus 800 may be the terminal device in the method embodiments above, or a chip for implementing the functions of the terminal device in the method embodiments above.
Specifically, the authentication apparatus 800 may correspond to the terminal device in the methods 200 to 500 according to the embodiments of this application, and may include units for executing the methods performed by the terminal device in the method 200 in FIG. 2 through the method 500 in FIG. 5. The units in the authentication apparatus 800, and the other operations and/or functions described above, are respectively intended to implement the corresponding procedures of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4 and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.
In another possible design, the authentication apparatus 800 may be the AMF in the method embodiments above, or a chip for implementing the functions of the AMF in the method embodiments above.
Specifically, the authentication apparatus 800 may correspond to the AMF in the methods 200 to 500 according to the embodiments of this application, and may include units for executing the methods performed by the AMF in the method 200 in FIG. 2 through the method 500 in FIG. 5. The units in the authentication apparatus 800, and the other operations and/or functions described above, are respectively intended to implement the corresponding procedures of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4 and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.
In another possible design, the authentication apparatus 800 may be the AUSF in the method embodiments above, or a chip for implementing the functions of the AUSF in the method embodiments above.
Specifically, the authentication apparatus 800 may correspond to the AUSF in the methods 200 to 500 according to the embodiments of this application, and may include units for executing the methods performed by the AUSF in the method 200 in FIG. 2 through the method 500 in FIG. 5. The units in the authentication apparatus 800, and the other operations and/or functions described above, are respectively intended to implement the corresponding procedures of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4 and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.
In another possible design, the authentication apparatus 800 may be the UDM in the method embodiments above, or a chip for implementing the functions of the UDM in the method embodiments above.
Specifically, the authentication apparatus 800 may correspond to the UDM in the methods 200 to 500 according to the embodiments of this application, and may include units for executing the methods performed by the UDM in the method 200 in FIG. 2 through the method 500 in FIG. 5. The units in the authentication apparatus 800, and the other operations and/or functions described above, are respectively intended to implement the corresponding procedures of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4 and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.
It should be understood that the transceiver unit in the authentication apparatus 800 may correspond to the transceiver 920 in the authentication device 900 shown in FIG. 7, and the processing unit 820 in the authentication apparatus 800 may correspond to the processor 910 in the authentication device 900 shown in FIG. 7.
FIG. 7 is a schematic block diagram of an authentication device 900 provided by an embodiment of this application. As shown in the figure, the authentication device 900 includes a processor 910 and a transceiver 920. The processor 910 is coupled to a memory and is configured to execute instructions stored in the memory so as to control the transceiver 920 to send and/or receive signals. Optionally, the authentication device 900 further includes a memory 930 for storing the instructions.
It should be understood that the processor 910 and the memory 930 may be combined into one processing apparatus, with the processor 910 configured to execute the program code stored in the memory 930 to implement the functions above. In a specific implementation, the memory 930 may be integrated in the processor 910 or may be separate from the processor 910.
It should also be understood that the transceiver 920 may include a receiver and a transmitter. The transceiver may further include one or more antennas.
In one possible design, the authentication device 900 may be the terminal device in the method embodiments above, or a chip for implementing the functions of the terminal device in the method embodiments above.
Specifically, the authentication device 900 may correspond to the terminal device in the methods 200 to 500 according to the embodiments of this application, and may include units for executing the methods performed by the terminal device in the method 200 in FIG. 2 through the method 500 in FIG. 5. The units in the authentication device 900, and the other operations and/or functions described above, are respectively intended to implement the corresponding procedures of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4 and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.
In another possible design, the authentication device 900 may be the AMF in the method embodiments above, or a chip for implementing the functions of the AMF in the method embodiments above.
Specifically, the authentication device 900 may correspond to the AMF in the methods 200 to 500 according to the embodiments of this application, and may include units for executing the methods performed by the AMF in the method 200 in FIG. 2 through the method 500 in FIG. 5. The units in the authentication device 900, and the other operations and/or functions described above, are respectively intended to implement the corresponding procedures of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4 and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.
In another possible design, the authentication device 900 may be the AUSF in the method embodiments above, or a chip for implementing the functions of the AUSF in the method embodiments above.
Specifically, the authentication device 900 may correspond to the AUSF in the methods 200 to 500 according to the embodiments of this application, and may include units for executing the methods performed by the AUSF in the method 200 in FIG. 2 through the method 500 in FIG. 5. The units in the authentication device 900, and the other operations and/or functions described above, are respectively intended to implement the corresponding procedures of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4 and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.
In another possible design, the authentication device 900 may be the UDM in the method embodiments above, or a chip for implementing the functions of the UDM in the method embodiments above.
Specifically, the authentication device 900 may correspond to the UDM in the methods 200 to 500 according to the embodiments of this application, and may include units for executing the methods performed by the UDM in the method 200 in FIG. 2 through the method 500 in FIG. 5. The units in the authentication device 900, and the other operations and/or functions described above, are respectively intended to implement the corresponding procedures of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4 and the method 500 in FIG. 5. It should be understood that the specific process by which each unit executes the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.
According to the method provided by the embodiments of this application, this application further provides a computer program product. The computer program product includes computer program code which, when run on a computer, causes the computer to perform the authentication method of any one of the embodiments shown in FIGS. 2 to 5.
According to the method provided by the embodiments of this application, this application further provides a computer-readable medium. The computer-readable medium stores program code which, when run on a computer, causes the computer to perform the authentication method of any one of the embodiments shown in FIGS. 2 to 5.
According to the method provided by the embodiments of this application, this application further provides a system that includes the aforementioned user equipment, AMF, AUSF and UDM.
The embodiments above may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a digital video disc (DVD)), or a semiconductor medium (for example, a solid state disk (SSD)).
Each network element in the apparatus embodiments above may correspond exactly to a network element in the method embodiments, with the corresponding module or unit executing the corresponding steps; for example, the transceiver unit (transceiver) executes the receiving or sending steps in the method embodiments, and steps other than sending and receiving may be executed by the processing unit (processor). For the functions of specific units, refer to the corresponding method embodiments. There may be one or more processors.
In this application, "at least one" means one or more, and "multiple" means two or more. "And/or" describes an association between related objects and indicates that three relationships may exist; for example, A and/or B may mean that A exists alone, that A and B both exist, or that B exists alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the related objects. "At least one of the following items" or a similar expression refers to any combination of those items, including any combination of a single item or a plurality of items. For example, at least one of a, b or c may mean a, or b, or c, or a and b, or a and c, or b and c, or a, b and c, where each of a, b and c may be singular or plural.
It should be understood that "one embodiment" or "an embodiment" mentioned throughout the specification means that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of this application. Therefore, "in one embodiment" or "in an embodiment" appearing at various places throughout the specification does not necessarily refer to the same embodiment. In addition, these particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of this application, the magnitude of the sequence numbers of the processes above does not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and does not constitute any limitation on the implementation of the embodiments of this application.
The terms "component", "module", "system" and the like used in this specification denote computer-related entities: hardware, firmware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable file, a thread of execution, a program and/or a computer. By way of illustration, both an application running on a computing device and the computing device itself may be components. One or more components may reside within a process and/or thread of execution, and a component may be localized on one computer and/or distributed between two or more computers. In addition, these components may execute from various computer-readable media having various data structures stored thereon. The components may communicate by way of local and/or remote processes, for example according to a signal having one or more data packets (such as data from one component interacting with another component in a local system, in a distributed system, and/or across a network such as the Internet, interacting with other systems by way of the signal).
A person of ordinary skill in the art may be aware that the various illustrative logical blocks and steps described in conjunction with the embodiments disclosed herein can be implemented by electronic hardware, or by a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered to be beyond the scope of this application.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the method embodiments above, and are not described again here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. For example, the division into units is merely a logical function division, and there may be other divisions in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
In the embodiments above, the functions of the functional units may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions (programs). When the computer program instructions (programs) are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of this application essentially, or the part contributing to the prior art, or part of the technical solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing are merely specific implementations of this application, but the protection scope of this application is not limited thereto. Any variation or replacement readily conceived by a person skilled in the art within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (16)

  1. 一种认证方法,其特征在于,包括:An authentication method, characterized by comprising:
    终端设备接收接入与移动管理功能实体发送的认证请求消息;The terminal device receives the authentication request message sent by the access and mobility management function entity;
    所述终端设备根据所述认证请求消息进行认证;The terminal device performs authentication according to the authentication request message;
    若认证失败,所述终端设备对认证失败类型对应的原因值进行加密处理,以得到失败加密信息;If the authentication fails, the terminal device encrypts the cause value corresponding to the authentication failure type to obtain failed encryption information;
    所述终端设备向所述接入与移动管理功能实体发送所述失败加密信息。The terminal device sends the failure encryption information to the access and mobility management function entity.
  2. 根据权利要求1所述的认证方法,其特征在于,所述终端设备对认证失败类型对应的原因值进行加密处理,以得到失败加密信息,包括:The authentication method according to claim 1, wherein the terminal device encrypts the cause value corresponding to the authentication failure type to obtain the failure encryption information, comprising:
    若认证失败类型为同步失败,则对所述同步失败对应的原因值和所述终端设备的本地序列号信息进行加密处理,以得到所述失败加密信息;或者,If the authentication failure type is synchronization failure, encrypting the cause value corresponding to the synchronization failure and the local serial number information of the terminal device to obtain the failure encryption information; or,
    若认证失败类型为消息认证码失败,则对所述消息认证码失败对应的原因值进行加密处理,以得到所述失败加密信息。If the type of authentication failure is a message authentication code failure, then encrypting the reason value corresponding to the message authentication code failure to obtain the failure encryption information.
  3. 根据权利要求1或2所述的认证方法,其特征在于,The authentication method according to claim 1 or 2, characterized in that:
    对于不同的认证失败类型,所述失败加密信息的长度相同。For different authentication failure types, the length of the failed encryption information is the same.
  4. 根据权利要求2所述的认证方法,其特征在于,所述对所述同步失败对应的原因值和所述终端设备的本地序列号信息进行加密处理,以得到所述失败加密信息,包括:The authentication method according to claim 2, wherein the encrypting the reason value corresponding to the synchronization failure and the local serial number information of the terminal device to obtain the failure encryption information comprises:
    对所述同步失败对应的原因值和所述终端设备的本地序列号信息进行串联运算,以得到第一中间值;Performing a series operation on the cause value corresponding to the synchronization failure and the local serial number information of the terminal device to obtain a first intermediate value;
    对所述第一中间值进行加密运算,以得到所述失败加密信息。An encryption operation is performed on the first intermediate value to obtain the failed encryption information.
  5. 根据权利要求2所述的认证方法,其特征在于,所述对所述消息认证码失败对应的原因值进行加密处理,以得到所述失败加密信息,包括:The authentication method according to claim 2, wherein the encrypting the reason value corresponding to the failure of the message authentication code to obtain the failure encryption information comprises:
    对所述消息认证码失败对应的原因值与N个比特的二进制数进行串联运算,以得到第二中间值;Performing a series operation on the cause value corresponding to the message authentication code failure and the N-bit binary number to obtain a second intermediate value;
    对所述第二中间值进行加密运算,以得到所述失败加密信息,其中,N为大于等于1的整数。Perform an encryption operation on the second intermediate value to obtain the failed encryption information, where N is an integer greater than or equal to 1.
  6. 根据权利要求1-5中任一项所述的认证方法,其特征在于,所述失败加密信息通过认证失败消息进行发送,所述认证失败消息还包括:The authentication method according to any one of claims 1-5, wherein the failed encryption information is sent through an authentication failure message, and the authentication failure message further comprises:
    加密指示信息,用于指示所述认证失败消息携带所述失败加密信息。The encryption indication information is used to indicate that the authentication failure message carries the failure encryption information.
  7. 根据权利要求1-6中任一项所述的认证方法,其特征在于,所述方法还包括:The authentication method according to any one of claims 1-6, wherein the method further comprises:
    根据认证失败类型对应的原因值获取第一认证码,所述第一认证码用于对所述认证失败类型进行验证;Obtaining a first authentication code according to the cause value corresponding to the authentication failure type, where the first authentication code is used to verify the authentication failure type;
    所述终端设备向所述接入与移动管理功能实体发送所述第一认证码。The terminal device sends the first authentication code to the access and mobility management function entity.
  8. A terminal device, comprising:
    a transceiver unit, configured to receive an authentication request message sent by an access and mobility management function entity; and
    a processing unit, configured to perform authentication according to the authentication request message;
    wherein, if the authentication fails, the processing unit encrypts a cause value corresponding to the authentication failure type to obtain failure encryption information; and
    the transceiver unit is further configured to send the failure encryption information to the access and mobility management function entity.
  9. The terminal device according to claim 8, wherein the processing unit is further configured to:
    if the authentication failure type is a synchronization failure, encrypt the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device to obtain the failure encryption information; or
    if the authentication failure type is a message authentication code failure, encrypt the cause value corresponding to the message authentication code failure to obtain the failure encryption information.
  10. The terminal device according to claim 8 or 9, wherein the processing unit is further configured so that:
    for different authentication failure types, the length of the failure encryption information is the same.
  11. The terminal device according to claim 9, wherein the processing unit is further configured to:
    perform a concatenation operation on the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device to obtain a first intermediate value; and
    perform an encryption operation on the first intermediate value to obtain the failure encryption information.
  12. The terminal device according to claim 9, wherein the processing unit is further configured to:
    perform a concatenation operation on the cause value corresponding to the message authentication code failure and an N-bit binary number to obtain a second intermediate value; and
    perform an encryption operation on the second intermediate value to obtain the failure encryption information, where N is an integer greater than or equal to 1.
  13. The terminal device according to any one of claims 8 to 12, wherein the failure encryption information is sent in an authentication failure message, and the authentication failure message further comprises:
    encryption indication information, used to indicate that the authentication failure message carries the failure encryption information.
  14. The terminal device according to any one of claims 8 to 13, wherein the processing unit is further configured to:
    obtain a first authentication code according to the cause value corresponding to the authentication failure type, where the first authentication code is used to verify the authentication failure type; and
    the terminal device sends the first authentication code to the access and mobility management function entity.
  15. An authentication apparatus, comprising at least one processor, the at least one processor being configured to execute the method according to any one of claims 1 to 7.
  16. A computer-readable medium, comprising a computer program which, when run on a computer, causes the computer to execute the method according to any one of claims 1 to 7.
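The claims spell out one procedure on the terminal side: select the cause value for the failure type, concatenate it with the terminal's local sequence number (synchronization failure, claims 4 and 11) or with an N-bit binary number (message authentication code failure, claims 5 and 12) so that the failure encryption information has the same length for both types (claim 10), encrypt the result, and send it in an authentication failure message together with an encryption indication (claims 6 and 13) and a first authentication code derived from the cause value (claims 7 and 14). The Go program below is an added example written for this page; it is not code from the patent, from Huawei, or from any 5G core implementation. It assumes AES-GCM as the encryption operation, HMAC-SHA256 truncated to 64 bits as the first authentication code, a 48-bit local SQN, N = 48 zero bits as the padding, the constructed cause codes 0x01 and 0x02, and encryption and MAC keys already shared between terminal and network; BuildFailureMessage, ParseFailureMessage and the other identifiers are the example's own names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Cause codes are constructed for this example; sqnLen is the 48-bit AKA SQN size
// and firstAuthCodeLen the truncated claim-14 code length (both are assumptions).
const (
	CauseMACFailure  byte = 0x01
	CauseSyncFailure byte = 0x02
	sqnLen                = 6
	firstAuthCodeLen      = 8
)

// AuthFailureMessage carries the fields named in claims 13 and 14.
type AuthFailureMessage struct {
	EncryptionIndication bool   // claim 13: the message carries failure encryption information
	FailureEncInfo       []byte // nonce || AES-GCM ciphertext of the intermediate value
	FirstAuthCode        []byte // claim 14: authentication code over the cause value
}

// intermediateValue: both branches yield 1+sqnLen bytes, so both ciphertexts have equal length (claim 10).
func intermediateValue(cause byte, localSQN []byte) ([]byte, error) {
	tail := make([]byte, sqnLen) // MAC failure: N = 48 zero bits (claim 12)
	if cause == CauseSyncFailure {
		if len(localSQN) != sqnLen {
			return nil, errors.New("local SQN must be 48 bits")
		}
		tail = localSQN // synchronization failure: the terminal's local SQN (claim 11)
	} else if cause != CauseMACFailure {
		return nil, errors.New("unknown cause value")
	}
	return append([]byte{cause}, tail...), nil
}

// firstAuthCode is the claim-14 code: an HMAC over the cause value under a key shared with the network (provisioning assumed).
func firstAuthCode(macKey []byte, cause byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write([]byte{cause})
	return m.Sum(nil)[:firstAuthCodeLen]
}

// newGCM wraps a 16-byte AES key as AES-GCM, the assumed "encryption operation".
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildFailureMessage is the terminal side (claims 8 to 14); nonce is 12 bytes and must never repeat under one key.
func BuildFailureMessage(encKey, macKey, nonce []byte, cause byte, localSQN []byte) (AuthFailureMessage, error) {
	plain, err := intermediateValue(cause, localSQN)
	if err != nil {
		return AuthFailureMessage{}, err
	}
	gcm, err := newGCM(encKey)
	if err != nil {
		return AuthFailureMessage{}, err
	}
	if len(nonce) != gcm.NonceSize() {
		return AuthFailureMessage{}, errors.New("nonce must be 12 bytes")
	}
	return AuthFailureMessage{
		EncryptionIndication: true,
		FailureEncInfo:       gcm.Seal(append([]byte(nil), nonce...), nonce, plain, nil),
		FirstAuthCode:        firstAuthCode(macKey, cause),
	}, nil
}

// ParseFailureMessage is the AMF side: decrypt, then verify the first authentication code against the recovered cause value.
func ParseFailureMessage(encKey, macKey []byte, msg AuthFailureMessage) (cause byte, localSQN []byte, err error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return 0, nil, err
	}
	ns := gcm.NonceSize()
	if !msg.EncryptionIndication || len(msg.FailureEncInfo) < ns {
		return 0, nil, errors.New("missing or truncated failure encryption information")
	}
	plain, err := gcm.Open(nil, msg.FailureEncInfo[:ns], msg.FailureEncInfo[ns:], nil)
	if err != nil {
		return 0, nil, err // tag check failed: ciphertext altered or keys differ
	}
	if len(plain) != 1+sqnLen || !hmac.Equal(msg.FirstAuthCode, firstAuthCode(macKey, plain[0])) {
		return 0, nil, errors.New("intermediate value or first authentication code invalid")
	}
	if cause = plain[0]; cause == CauseSyncFailure {
		localSQN = plain[1:]
	}
	return cause, localSQN, nil
}
```

With these assumptions both intermediate values are 7 bytes, so both failure messages carry 35 bytes of failure encryption information (12-byte nonce, 7-byte ciphertext, 16-byte tag), and an observer of the radio interface cannot tell a message authentication code failure from a synchronization failure by message size. The first authentication code lets the AMF reject a failure type that does not match what the terminal authenticated, and the GCM tag rejects any change to the ciphertext itself. The nonce is taken as a parameter so results are reproducible; a deployment must draw a fresh one for every message sent under the same key.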
PCT/CN2020/070450 2019-01-18 2020-01-06 Authentication method, apparatus and system WO2020147602A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910049182.4 2019-01-18
CN201910049182.4A CN111465007B (en) 2019-01-18 2019-01-18 Authentication method, device and system

Publications (1)

Publication Number Publication Date
WO2020147602A1 true WO2020147602A1 (en) 2020-07-23

Family

ID=71613705

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/070450 WO2020147602A1 (en) 2019-01-18 2020-01-06 Authentication method, apparatus and system

Country Status (2)

Country Link
CN (2) CN111465007B (en)
WO (1) WO2020147602A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113596824A (en) * 2021-07-30 2021-11-02 深圳供电局有限公司 Encryption method for authentication failure plaintext information in 5G security protocol

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130054394A1 (en) * 2011-08-24 2013-02-28 Follett Corporation Method and system for distributing digital media content
CN103297401A (en) * 2012-03-01 2013-09-11 腾讯科技(深圳)有限公司 Error code returning method and device
CN104604181A (en) * 2012-06-28 2015-05-06 塞尔蒂卡姆公司 Key agreement for wireless communication
CN106851410A (en) * 2016-12-09 2017-06-13 深圳市纽格力科技有限公司 A kind of set-top box failure restorative procedure and system
CN107820244A (en) * 2016-09-12 2018-03-20 中兴通讯股份有限公司 Networking authentication method and device

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101334581B1 (en) * 2005-12-22 2013-11-28 인터디지탈 테크날러지 코포레이션 Method and apparatus for data security and automatic repeat request implementation in a wireless communication system
CN101686233B (en) * 2008-09-24 2013-04-03 电信科学技术研究院 Method, system and device for processing mismatching of user equipment (UE) and network security algorithm
US9544770B2 (en) * 2010-12-01 2017-01-10 Microsoft Technology Licensing, Llc User authentication in a mobile environment
US20120202512A1 (en) * 2011-02-04 2012-08-09 Richard Neil Braithwaite Data throughput for cell-edge users in a lte network using alternative power control for up-link harq relays
WO2013176502A1 (en) * 2012-05-24 2013-11-28 주식회사 케이티 Method for providing mobile communication provider information and device for performing same
KR20160046655A (en) * 2014-10-21 2016-04-29 주식회사 케이티 Apparatus and method for user authentication using subscriber identification module
WO2016086356A1 (en) * 2014-12-02 2016-06-09 华为技术有限公司 Authentication method within wireless communication network, related apparatus and system
US9800578B2 (en) * 2015-10-27 2017-10-24 Blackberry Limited Handling authentication failures in wireless communication systems
CN108809903B (en) * 2017-05-02 2021-08-10 ***通信有限公司研究院 Authentication method, device and system

Also Published As

Publication number Publication date
CN114245372A (en) 2022-03-25
CN114245372B (en) 2024-03-15
CN111465007B (en) 2022-10-11
CN111465007A (en) 2020-07-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number: 20741536; country of ref document: EP; kind code of ref document: A1)
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: pct application non-entry in european phase (ref document number: 20741536; country of ref document: EP; kind code of ref document: A1)