
CN108513295A - Rapid authentication method, server and user equipment - Google Patents


Publication number
CN108513295A
Authority
CN
China
Prior art keywords
key
identifier
user equipment
response information
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810326912.6A
Other languages
Chinese (zh)
Inventor
周明宇
云翔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Baicells Technologies Co Ltd
Original Assignee
Baicells Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Baicells Technologies Co Ltd
Priority to CN201810326912.6A
Publication of CN108513295A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/0005 Control or signalling for completing the hand-off
    • H04W36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/14 Reselecting a network or an air interface

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention proposes a rapid authentication method, a server and user equipment. The method includes: receiving authentication response information that carries a first identifier; determining, according to the first identifier, whether a first key corresponding to the first identifier is stored; and, when it is determined that the first key corresponding to the first identifier is stored, sending the first key, or a second key generated from the first key, to a mobile management entity, so that the mobile management entity generates a third key according to the first key or the second key. The first identifier is an identifier related to the user equipment that provides the authentication response information, or an identifier related to the first key. The technical solution of the present invention provides a method for rapidly authenticating user equipment, reduces the authentication procedure when moving between networks, and shortens the inter-network handover time.

Description

Rapid authentication method, server and user equipment
【Technical field】
The present invention relates to the field of communication technology, and in particular to a rapid authentication method, a server and user equipment.
【Background】
Currently, MulteFire is a new radio access technology based on LTE (Long Term Evolution) that can operate standalone in unlicensed spectrum without the aid of a licensed-band carrier. MulteFire extends LTE into unlicensed spectrum, and its physical layer introduces a listen-before-talk (LBT, Listen Before Talk) mechanism, similar to the carrier-sensing technique of Wi-Fi, so that it competes fairly for air-interface resources with other devices in the unlicensed band. MulteFire can be used within the existing 3GPP network architecture, interfacing with an existing 3GPP core network, to give conventional mobile network operators the capacity, coverage and offloading that unlicensed spectrum brings, improving the service quality of incumbent operators as a supplement to, or hot-spot coverage for, licensed spectrum. MulteFire also introduces a new network architecture, providing a uniformly planned, self-organizing neutral host (Neutral Host) network. Service providers, equipment vendors or users can all take part in network deployment, and a deployed network can serve any kind of service provider, including Internet service providers, cable television, mobile network operators, enterprises and public-venue service providers, and can provide authentication and network access to terminals without a SIM card. The MulteFire alliance has been set up and is operating, to promote the development of global MulteFire technical specifications, to promote the future evolution of MulteFire, and to ensure that MulteFire devices compete fairly for unlicensed spectrum resources with other devices in the unlicensed spectrum (such as Wi-Fi).
In the NH network mode of MulteFire, an MF access point (AP, Access Point) is connected to the NH core network (CN, Core Network). The NH CN is similar to the 3GPP LTE core network and includes an NH mobility management unit (MME, Mobility Management Element), an NH gateway (GW, Gateway) and an NH authentication, authorization and accounting (AAA, Authentication Authorization Accounting) server. The NH CN belongs to the uniformly planned, self-organizing neutral network introduced by MulteFire; a UE accessing an NH network is identified and authenticated by the AAA server through the Extensible Authentication Protocol (EAP).
An NHN network has the following characteristics: the network provider is separate from the service provider; one network can support one or more service providers; and one service provider can use multiple networks of one network provider, or multiple networks provided by multiple network providers. For example, a service provider may simultaneously use two adjacent or overlapping-coverage networks to provide services to users.
When a UE (User Equipment) accesses an NHN network, it must be authenticated using EAP; when the UE moves to another network, it must be re-authenticated using EAP.
For NHN authentication, the NHN supports three EAP authentication methods: EAP-AKA', EAP-TLS and EAP-TTLS. When the PSP is 3GPP, the EAP-AKA' authentication procedure is used: the EAP Authenticator of the NHN (normally located in the NH MME) interacts with the Local AAA proxy over the AAA interface, and the Local AAA in turn interacts with the 3GPP AAA over the AAA interface. When the AAA Server of the PSP is an EAP-TLS Server, the EAP-TLS authentication procedure is used; when the AAA Server of the PSP is an EAP-TTLS Server, the EAP-TTLS authentication procedure is used. Here the UE is the EAP Peer, the MME contains the EAP Authenticator, and the PSP AAA Server is the EAP Server.
The EAP authentication procedure includes the identity request, the EAP method exchange, key generation, and delivery of the key from the EAP Server to the EAP Authenticator. In the authentication procedure, the Identity uniquely identifies the UE. The Identity may be an identifier, or a certificate or the like for authentication agreed with the PSP beforehand.
Consequently, in the prior art, when a UE of an NHN network moves from NHN1 to NHN2, that is, performs an inter-network handover, NHN2 must authenticate the UE again. The authentication process is complex and cumbersome, which hinders overall communication efficiency.
How to complete the inter-network handover of user equipment conveniently, and reduce the time cost of re-authentication, has therefore become a technical problem in urgent need of a solution.
【Summary of the invention】
Embodiments of the present invention provide a rapid authentication method, a server and user equipment, intended to solve the technical problem in the related art that user equipment must be re-authenticated when performing an inter-network handover. They can improve the efficiency of inter-network handover and reduce the time cost of re-authentication.
In a first aspect, an embodiment of the present invention provides a rapid authentication method, including: receiving authentication response information that carries a first identifier; determining, according to the first identifier, whether a first key corresponding to the first identifier is stored; and, when it is determined that the first key corresponding to the first identifier is stored, sending the first key, or a second key generated from the first key, to a mobile management entity, so that the mobile management entity generates a third key according to the first key or the second key; wherein the first identifier is an identifier related to the user equipment that provides the authentication response information, or an identifier related to the first key.
In the above embodiment of the present invention, optionally, the authentication response information carries a key string identifier, and the first identifier includes the key string identifier.
In the above embodiment of the present invention, optionally, when it is determined that no first key corresponding to the first identifier is stored, the method further includes: sending an authentication failure message to the user equipment, or initiating a complete authentication method exchange procedure.
In the above embodiment of the present invention, optionally, the method further includes: completing the authentication method exchange procedure and, after the user equipment is successfully authenticated, generating the first key; and storing the first key in association with the first identifier.
In the above embodiment of the present invention, optionally, when it is determined that no first key corresponding to the first identifier is stored, the method further includes: sending an authentication failure message to the user equipment.
In the above embodiment of the present invention, optionally, the method further includes: setting a lifetime for the first key.
In the above embodiment of the present invention, optionally, the method further includes: restarting the timing of the lifetime after the user equipment is authenticated; or restarting the timing of the lifetime after a message from the user equipment is received.
In the above embodiment of the present invention, optionally, the method further includes: deleting the first key after the lifetime expires; or deleting the first key according to a received first notification, wherein the first notification includes a notification that the user equipment has left the network or a deletion notification.
In a second aspect, an embodiment of the present invention provides a server, including: a receiving module that receives authentication response information carrying a first identifier; a key determining module that determines, according to the first identifier, whether a first key corresponding to the first identifier is stored; and a key sending module that, when it is determined that the first key corresponding to the first identifier is stored, sends the first key, or a second key generated from the first key, to a mobile management entity, so that the mobile management entity generates a third key according to the first key or the second key; wherein the first identifier is an identifier related to the user equipment that provides the authentication response information, or an identifier related to the first key.
In the above embodiment of the present invention, optionally, the authentication response information carries a key string identifier, and the first identifier includes the key string identifier.
In the above embodiment of the present invention, optionally, the server further includes: an authentication initiation module that, when it is determined that no first key corresponding to the first identifier is stored, initiates an authentication method exchange procedure with the user equipment.
In the above embodiment of the present invention, optionally, the server further includes: a first key generation module that completes the authentication method exchange procedure and, after the user equipment is successfully authenticated, generates the first key; and an associated storage module that stores the first key in association with the first identifier.
In the above embodiment of the present invention, optionally, the server further includes: an information sending module that, when it is determined that no first key corresponding to the first identifier is stored, sends an authentication failure message to the user equipment.
In the above embodiment of the present invention, optionally, the server further includes: a setting module that sets a lifetime for the first key.
In the above embodiment of the present invention, optionally, the server further includes: a timing module that restarts the timing of the lifetime after the user equipment is authenticated, or restarts the timing of the lifetime after a message from the user equipment is received.
In the above embodiment of the present invention, optionally, the server further includes: a deletion module that deletes the first key after the lifetime expires, or deletes the first key according to a received first notification, wherein the first notification includes a notification that the user equipment has left the network or a deletion notification.
In a third aspect, an embodiment of the present invention provides a server, including at least one processor, and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are configured to perform the method of any one of the embodiments of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a rapid authentication method, including: receiving an authentication request message, and sending authentication response information to a server, wherein the authentication response information carries a first identifier, so that the server determines whether a first key corresponding to the first identifier is stored; wherein the first identifier is an identifier related to the user equipment that provides the authentication response information, or an identifier related to the first key.
In the above embodiment of the present invention, optionally, before the step of sending the authentication response information to the server, the method further includes: generating the identifier related to the first key.
In the above embodiment of the present invention, optionally, the authentication response information also carries a key string identifier.
In the above embodiment of the present invention, optionally, where the first identifier is an identifier related to the first key and the server does not store the first key, the method further includes: receiving an authentication failure message.
In the above embodiment of the present invention, optionally, after the step of receiving the authentication failure message, the method further includes: receiving an authentication request message; and sending authentication response information carrying a first identifier, wherein the first identifier is an identifier related to the user equipment.
In the above embodiment of the present invention, optionally, after the step of receiving the authentication failure message, the method further includes: sending authentication response information carrying a first identifier, wherein the first identifier is an identifier related to the user equipment.
In a fifth aspect, an embodiment of the present invention provides user equipment, including: an authentication communication unit that receives an authentication request message and sends authentication response information to a server, wherein the authentication response information carries a first identifier, so that the server determines whether a first key corresponding to the first identifier is stored; wherein the first identifier is an identifier related to the user equipment that provides the authentication response information, or an identifier related to the first key.
In the above embodiment of the present invention, optionally, the user equipment further includes: a related identifier generation unit that generates the identifier related to the first key before the authentication communication unit sends the authentication response information to the server.
In the above embodiment of the present invention, optionally, the authentication response information also carries a key string identifier.
In the above embodiment of the present invention, optionally, the authentication communication unit is further configured to: receive an authentication failure message where the first identifier is an identifier related to the first key and the server does not store the first key.
In the above embodiment of the present invention, optionally, the authentication communication unit is further configured to: after receiving the authentication failure message, receive an authentication request message and send authentication response information carrying a first identifier, wherein the first identifier is an identifier related to the user equipment.
In the above embodiment of the present invention, optionally, the authentication communication unit is further configured to: after receiving the authentication failure message, send authentication response information carrying a first identifier, wherein the first identifier is an identifier related to the user equipment.
In a sixth aspect, an embodiment of the present invention provides user equipment, including at least one processor, and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are configured to perform the method of any one of the embodiments of the fourth aspect.
The above technical solution addresses the technical problem in the related art that user equipment performing an inter-network handover needs a complex and time-consuming re-authentication, and simplifies the authentication process. Specifically, authentication response information carrying a first identifier can be received from the user equipment, and it is then determined whether a first key corresponding to the first identifier is stored in the server. The first identifier is an identifier related to the user equipment that provides the authentication response information, such as the identity information of the user equipment, or the first identifier may be an identifier related to the first key, such as an EMSK key name.
When it is determined that the first key corresponding to the first identifier is stored, this shows that the server previously stored the first identifier in association with the first key. It means that the previous network accessed by the user equipment and the network the user equipment is currently requesting to access use services provided by the same PSP, that is, have contracted with the same PSP, so the server holds the first key that was stored after this user equipment was authenticated through the previous network.
Therefore, the first key, or a second key generated from the first key, can be sent to the mobile management entity. The mobile management entity, which includes but is not limited to a network, generates from the first key, or from the second key generated from the first key, a third key used to authenticate the user equipment.
The above technical solution achieves rapid authentication during inter-network handover, simplifies the authentication procedure when moving between networks, shortens the handover time, and improves communication efficiency.
【Brief description of the drawings】
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly described below. The drawings described below are evidently only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 shows a flow chart of the rapid authentication method of one embodiment of the present invention;
Fig. 2 shows a flow chart of the rapid authentication method of another embodiment of the present invention;
Fig. 3 shows a flow chart of the rapid authentication method of yet another embodiment of the present invention;
Fig. 4 shows a flow chart of a UE of one embodiment of the present invention attaching to a first NHN network and being authenticated;
Fig. 5 shows a flow chart of the rapid authentication method of yet another embodiment of the present invention;
Fig. 6 shows a block diagram of the server of one embodiment of the present invention;
Fig. 7 shows a block diagram of the server of another embodiment of the present invention;
Fig. 8 shows a flow chart of the rapid authentication method of yet another embodiment of the present invention;
Fig. 9 shows a block diagram of the user equipment of one embodiment of the present invention;
Fig. 10 shows a block diagram of the user equipment of another embodiment of the present invention.
【Detailed description】
For a better understanding of the technical solution of the present invention, the embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The terms used in the embodiments of the present invention serve only to describe particular embodiments and are not intended to limit the present invention. The singular forms "a", "said" and "the" used in the embodiments of the present invention and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise.
Fig. 1 shows a flow chart of the rapid authentication method of one embodiment of the present invention.
As shown in Fig. 1, the rapid authentication method of one embodiment of the present invention is applied to the authentication process in which user equipment switches from one mobile management entity to another mobile management entity, and includes:
Step 102: receive authentication response information, the authentication response information carrying a first identifier.
Step 104: according to the first identifier, determine whether a first key corresponding to the first identifier is stored.
Step 106: when it is determined that the first key corresponding to the first identifier is stored, send the first key, or a second key generated from the first key, to a mobile management entity, so that the mobile management entity generates a third key according to the first key or the second key.
The first identifier is an identifier related to the user equipment that provides the authentication response information, or an identifier related to the first key.
Specifically, authentication response information carrying a first identifier can be received from the user equipment, and it is then determined whether a first key corresponding to the first identifier is stored in the server. The first identifier is an identifier related to the user equipment that provides the authentication response information, such as the identity information of the user equipment, or the first identifier is an identifier related to the first key; for example, if the first key is an EMSK key, the identifier contains the EMSK key name.
When it is determined that the first key corresponding to the first identifier is stored, this shows that the server previously stored the first identifier in association with the first key. It means that the previous network accessed by the user equipment and the network the user equipment is currently requesting to access use services provided by the same PSP, that is, have contracted with the same PSP, so the server holds the first key that was stored after this user equipment was authenticated through the previous network.
Therefore, the first key, or a second key generated from the first key, can be sent to the mobile management entity. The mobile management entity, which includes but is not limited to a network, generates from the first key, or from the second key generated from the first key, a third key used to authenticate the user equipment.
The above technical solution achieves rapid authentication during inter-network handover, simplifies the authentication procedure when moving between networks, shortens the handover time, and improves communication efficiency.
In the above embodiment of the present invention, optionally, the authentication response information carries a key string identifier, and the first identifier includes the key string identifier. The key string identifier may be stored together with the first identifier in association with the first key, and the server can determine the corresponding first key from the received first identifier and/or key string identifier. This improves the confidentiality of the step of obtaining the first key and improves the security of the server and the user equipment.
In the above embodiment of the present invention, optionally, when it is determined that no first key corresponding to the first identifier is stored, the method further includes: initiating an authentication method exchange procedure with the user equipment. That is, where no first key corresponding to the first identifier is stored, an authentication failure message is sent to the user equipment, or a complete authentication method exchange procedure is initiated.
In the above embodiment of the present invention, optionally, the method further includes: completing the authentication method exchange procedure and, after the user equipment is successfully authenticated, generating the first key; and storing the first key in association with the first identifier. That is, the first key and the first identifier are stored in association in advance, so that when the user equipment needs to switch mobile management entity, the server can send the first key, or the second key generated from the first key, to the mobile management entity according to the stored content.
In the above embodiment of the present invention, optionally, when it is determined that no first key corresponding to the first identifier is stored, the method further includes: sending an authentication failure message to the user equipment. At this point authentication has failed, and if the user equipment wants to switch to the new mobile management entity it must be verified step by step following the normal procedure.
In the above embodiment of the present invention, optionally, the method further includes: setting a lifetime for the first key. The lifetime is used as a countdown and amounts to setting a validity period for the first key. Within the lifetime the first key can be used for authentication in inter-network handover; after the lifetime has elapsed the first key is deemed invalid, and the user equipment cannot be successfully authenticated using the first key.
In the above embodiment of the present invention, optionally, the method further includes: restarting the timing of the lifetime after the user equipment is authenticated; or restarting the timing of the lifetime after a message from the user equipment is received. As in the preceding paragraph, after authentication for an inter-network handover is completed, or according to a message from the user equipment, the lifetime can be reset, that is, the countdown restarts, so that within the lifetime the first key can again be used by other mobile management entities to authenticate the user equipment.
In the above embodiment of the present invention, optionally, the method further includes: deleting the first key after the lifetime expires. This prevents leakage of the first key and protects both the server and the user equipment. Alternatively, the first key may be deleted according to a received first notification, wherein the first notification includes a notification that the user equipment has left the network or a deletion notification. Deleting the first key when the user equipment leaves the network or actively requests deletion fits the actual needs of the user equipment, prevents leakage of the first key, and protects both the server and the user equipment.
Two kinds of rapid authentication methods of Fig. 2 and Fig. 3 are described below, wherein the rapid authentication method be happened at user equipment from During first NHN network switchings to the 2nd NHN networks, certainly, mobile management entity includes but not limited to the first NHN networks With the 2nd NHN networks.
Fig. 2 shows the flow charts of the rapid authentication method of another embodiment of the present invention.
As shown in Fig. 2, the rapid authentication method of an alternative embodiment of the invention, including:
Step 202, when user equipment is from the first NHN Network Mobilities being authenticated to the user equipment to not to institute When stating the 2nd NHN networks that user equipment is authenticated, the identity information of the user equipment is obtained.
In the present embodiment and following embodiments, executive agent is server.Wherein, the first NHN networks and institute The business that the same PSP of the 2nd NHN Web vector graphics is provided is stated, i.e., is contracted with the same PSP, so server is chosen as PSP Aaa server.
Step 204, according to the identity information of the user equipment, it is determined whether be stored with the identity information corresponding One key, wherein the first key is created on during the first NHN networks are authenticated the user equipment.
Step 206, when determine be stored with the identity information corresponding first key when, the first key is sent to The 2nd NHN networks, so that the 2nd NHN networks generate user equipment described in third key pair according to the first key It is authenticated.
Specifically, after authentication by the first NHN network, the user equipment first reports its own identity information to the first NHN network according to the first NHN network's identity information request, the first NHN network generates the first key, and the server can store the identity information of the user equipment in association with the first key. That is, before step 202, the first key is generated while the first NHN network is authenticating the user equipment, and the first key is stored in association with the identity information of the user equipment.
In this way, when the user equipment moves from a first NHN network that has authenticated it to a second NHN network that has not, the server only needs to obtain the identity information of the user equipment and determine whether the first key corresponding to that identity information is stored. If it is not stored, the second NHN network authenticates the user equipment again; if it is stored, the server sends the stored first key directly to the second NHN network and the verification can be completed.
This greatly simplifies the second NHN network's verification of the user equipment: no complicated verification process is needed, as long as the second NHN network can obtain from the server the first key associated with the identity information of the user equipment. The second NHN network can then generate the third key from the first key and complete the verification of the user equipment.
The above technical solution achieves rapid authentication during handover between NHN networks. Because the user equipment uses services provided by the same PSP in both NHN networks, that is, is subscribed with the same PSP, the PSP AAA server can hold the security information corresponding to the user equipment, so that the user equipment can be authenticated rapidly, which reduces the inter-network mobility authentication flow, shortens handover time and improves communication efficiency.
In one implementation of the present invention, optionally, the method further includes: setting a first lifetime for the first key. The lifetime is used as a countdown, which is equivalent to setting a validity period for the first key. Within the validity period the first key can be used by the second NHN network to verify the user equipment; after the validity period the first key is deemed invalid, and the second NHN network cannot successfully authenticate the user equipment with it.
In one implementation of the present invention, optionally, the method further includes: restarting the timing of the first lifetime after the second NHN network has authenticated the user equipment. As in the preceding paragraph, after the second NHN network completes authentication of the user equipment, the validity period can be reset and the lifetime countdown restarted; within the validity period the first key can be used by other NHN networks to verify the user equipment again.
In one implementation of the present invention, optionally, the method further includes: deleting the first key after the first lifetime timer expires. Once the validity period of the lifetime is exceeded, the first key is deemed invalid and the second NHN network cannot successfully authenticate the user equipment with it; the first key can then be deleted, which saves storage space, avoids exposure of the first key and improves security.
The technical solution of the present invention is further described below through a specific implementation, in which the user equipment moves between two NHN networks and uses the service provided by the same PSP AAA server. The inter-network authentication process includes the following steps:
1. After authentication in NHN1 (i.e. the first NHN network), the PSP AAA server and the UE each generate an MSK. While issuing the MSK to the Local AAA server, the PSP AAA server saves the MSK and associates it with the Identity corresponding to the UE, for example as an {Identity, MSK} pair.
If, after authentication, the PSP AAA server and the UE also generate an EMSK, the EMSK is saved, and an EMSKname is additionally generated and saved. The EMSK can be used to generate a root key and/or an integrity verification key, which are saved; the EMSK and/or the EMSK and its related keys are associated with the EMSKname.
2. The PSP AAA server sets a lifetime for this MSK or EMSK.
3. After the lifetime expires, the MSK or EMSK corresponding to the Identity, and its derived keys, are deleted.
4. When the UE moves to NHN2 (i.e. the second NHN network), it initiates a NAS message such as Attach or TAU, and the new MME (Mobility Management Entity, a network node) triggers the EAP authentication flow, that is, obtains the Identity required for EAP authentication of the UE.
5. The UE reports the Identity. This Identity can be the Identity subscribed with the PSP, or a new Identity composed of EMSKname@PSP domain name. The MME forwards it to the PSP Server.
6. After receiving the Identity, the PSP AAA server looks up the corresponding MSK or EMSK related keys. If the MSK exists, it is sent directly to the new MME, i.e. the MME of NHN2, omitting the method exchange flow, and the validity period is updated. If no corresponding MSK exists, the authentication flow is executed.
Alternatively, if the EMSK exists, MSK2 is generated using the EMSK or the root key generated from the EMSK and is sent to the new MME. Before MSK2 is generated, if the integrity key exists, the PSP AAA server can use the integrity verification key to verify the integrity of the message; if verification succeeds, MSK2 is then generated; if it fails, a failure is returned.
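The server-side lookup in steps 1 to 6 above, sketched as an added Python example (not code from the patent or from any PSP AAA product). The HMAC-SHA256 derivations, the labels, the EMSKname construction, the NHN identifier fed into MSK2, and all class and function names are assumptions, since the page names no KDF or message format.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


def kdf(key: bytes, label: bytes) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA256 keyed with `key` over `label`."""
    return hmac.new(key, label, hashlib.sha256).digest()


def ue_integrity_tag(emsk: bytes, identity: str) -> bytes:
    """UE side: MAC over the Identity, keyed with the integrity key derived from EMSK."""
    return hmac.new(kdf(emsk, b"integrity"), identity.encode(), hashlib.sha256).digest()


@dataclass
class Entry:
    msk: bytes
    root_key: bytes        # derived from EMSK, used to generate MSK2
    integrity_key: bytes   # derived from EMSK, used to check the UE's message
    expires_at: float


class PspAaaCache:
    """Key store of a PSP AAA server with a per-entry lifetime (hypothetical class)."""

    def __init__(self, domain: str, lifetime_s: float,
                 now: Callable[[], float] = time.monotonic) -> None:
        self._domain = domain
        self._lifetime = lifetime_s
        self._now = now
        self._by_identity: Dict[str, Entry] = {}
        self._by_emskname: Dict[str, Entry] = {}

    def store_after_full_auth(self, identity: str, msk: bytes, emsk: bytes) -> str:
        """Steps 1-2: save the keys, associate them, start the lifetime. Returns EMSKname."""
        emskname = kdf(emsk, b"EMSKname")[:8].hex()  # constructed naming scheme
        entry = Entry(msk, kdf(emsk, b"root"), kdf(emsk, b"integrity"),
                      self._now() + self._lifetime)
        self._by_identity[identity] = entry
        self._by_emskname[f"{emskname}@{self._domain}"] = entry
        return emskname

    def _purge_expired(self) -> None:
        """Step 3: delete keys whose lifetime has run out."""
        now = self._now()
        for table in (self._by_identity, self._by_emskname):
            for key in [k for k, e in table.items() if e.expires_at <= now]:
                del table[key]

    def fast_auth(self, identity: str, nhn_id: bytes,
                  tag: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """Step 6: returns ("MSK", key), ("MSK2", key), ("FULL_AUTH", None) or ("FAIL", None)."""
        self._purge_expired()
        entry = self._by_identity.get(identity)
        if entry is not None:
            # Subscribed Identity: hand over the stored MSK and refresh the lifetime.
            entry.expires_at = self._now() + self._lifetime
            return ("MSK", entry.msk)
        entry = self._by_emskname.get(identity)
        if entry is None:
            return ("FULL_AUTH", None)  # nothing cached: run the normal EAP method
        expected = hmac.new(entry.integrity_key, identity.encode(),
                            hashlib.sha256).digest()
        if tag is None or not hmac.compare_digest(expected, tag):
            return ("FAIL", None)       # integrity check failed: no MSK2 is generated
        entry.expires_at = self._now() + self._lifetime
        return ("MSK2", kdf(entry.root_key, b"MSK2|" + nhn_id))
```

In this sketch the MSK branch returns the same key to every network that asks, while the MSK2 branch derives a different key per NHN identifier; that separation comes from the assumed label, not from the page.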
Fig. 3 shows a flow chart of the rapid authentication method of yet another embodiment of the present invention.
As shown in Fig. 3, the rapid authentication method of yet another embodiment of the present invention includes:
Step 302: when the user equipment moves from a first NHN network that has authenticated the user equipment to a second NHN network that has not authenticated the user equipment, receive an authentication response message carrying the related identifier of the first key. Here the first key is the EMSK key, and the related identifier of the first key includes the EMSK key name.
Step 304: according to the related identifier of the first key, judge whether an associated first key is stored; if so, go to step 306; otherwise, go to step 308.
That is, after the first NHN network previously authenticated the user equipment, the server and the user equipment both generated the EMSK, saved it, and additionally generated and saved the EMSK key name; the EMSK can be used to generate a root key and/or an integrity verification key, which are saved, and the EMSK and/or the EMSK and its related keys are associated with the EMSK key name.
Thus, in step 304, it can be judged whether the related identifier of the first key corresponds to a first key in the existing association. If so, the corresponding first key can be obtained directly for simplified authentication, as in step 306; if not, the necessary condition for simplified authentication is missing, and step 308 is entered for full authentication.
Step 306: send the second key generated from the first key to the second NHN network, so that the second NHN network generates the third key from the second key. The second key includes the root key and/or integrity verification key generated using the EMSK.
Step 308: send a verification failure message to the user equipment to notify it that this related identifier is invalid, and the user equipment performs full authentication using its subscribed identity.
That is, when verification fails, the user equipment needs to be informed that this related identifier is invalid, i.e. authentication cannot be completed with it, so that the user equipment performs full authentication using the subscribed identity. Further, the user equipment can send the subscribed identity to the server, so that the user equipment is verified through the complete verification flow.
Fig. 4 shows a flow chart of a UE attaching to the first NHN network and being authenticated, according to one embodiment of the present invention.
As shown in Fig. 4, when the UE attaches to the first NHN network for authentication, the MME triggers the authentication flow:
(1) The MME sends an EAP request to obtain the Identity that the UE uses for authentication, and carries KSI1 (Key Set Identifier);
(2) The UE sends an EAP response carrying the Identity of the UE;
(3) The MME forwards the EAP response sent by the UE to the PSP AAA server; the message can carry KSI1;
(4) The UE, the MME and the PSP AAA server start the EAP method exchange.
(5) The PSP AAA server and the UE generate an MSK, or generate an MSK and an EMSK (if an EMSK is generated, an EMSKname, and/or a root key and/or integrity verification key derived from the EMSK, are generated at the same time). A lifetime corresponding to this MSK or EMSK is also generated, and the lifetime timer is either started or not started. If the lifetime expires, i.e. the life cycle has passed, the MSK is deleted.
In one implementation of the present invention, the PSP AAA server and the UE store this MSK and the correspondence between this MSK and the corresponding Identity and KSI, for example as an {Identity, MSK} pair. Alternatively, the PSP AAA server and the UE store the EMSK, or the EMSK and its corresponding keys, together with the EMSKname, and save the relationship between the EMSKname and the EMSK related keys, or save the relationship between the EMSK related keys and the Identity.
In another implementation of the present invention, if KSI1 was carried in the earlier messages, the PSP AAA server stores the correspondence between this MSK, the Identity and KSI1, for example as an {Identity, MSK, KSI1} tuple. Alternatively, the PSP AAA server stores the EMSK and its corresponding keys together with the EMSKname and KSI1, and saves the relationship among the EMSKname, the EMSK related keys and KSI1, or saves the relationship among the EMSK related keys, the Identity and KSI1.
(6) The PSP AAA server sends the MSK to the MME.
(7) The MME receives the MSK and generates the corresponding keys.
(8) The MME sends an authentication success message to the UE, which completes the authentication.
(9) The UE receives the authentication success message.
The ways of updating the lifetime in the PSP AAA server are described below.
In one implementation of the present invention, the PSP AAA server itself updates the lifetime. Specifically, the PSP AAA server monitors the activity of the UE; if it observes the UE interacting with the PSP AAA server while the lifetime has not expired, it updates the lifetime; otherwise it deletes the corresponding key.
In another implementation of the present invention, the MME assists in updating the lifetime. Specifically, the MME uses a lifetime to update the lifetime of the PSP AAA server: the MME generates a second lifetime corresponding to this key and starts the second lifetime.
When the lifetime expires and the UE is still camped on this network, the UE state is reported directly or indirectly, or a lifetime update message is sent, to the PSP AAA server; on receiving the message, the PSP AAA server updates the lifetime to the second lifetime.
If, when the lifetime expires, it is detected that the UE has detached, or after the UE detaches, this lifetime is deleted.
In another implementation of the present invention, the MME updates the lifetime according to the UE state. Specifically, the lifetime in the PSP AAA server is not started; after the MME finds that the UE has detached, it directly or indirectly notifies the PSP AAA server; once notified, the PSP AAA server starts the lifetime. If information about UE activity, including an authentication flow, is received before the lifetime expires, the lifetime is stopped.
In addition, it is also possible not to update the lifetime and to delete the related keys only when the lifetime expires; however, if the UE is found to be active when the lifetime expires, termination waits until the UE's current activity has ended.
Building on the technical solution shown in Fig. 4, in which the UE attaches to the first NHN network and is authenticated, Fig. 5 shows a flow chart of the rapid authentication method of yet another embodiment of the present invention. The user equipment moves between two NHN networks and uses the service provided by the same PSP AAA server. As shown in Fig. 5, the method includes:
1. The UE initiates a NAS message, which can be Attach or TAU.
2. The new MME (i.e. the MME of NHN2) initiates the authentication flow:
(1) The new MME sends an EAP request to the UE to obtain the Identity that the UE uses for authentication, and carries KSI2 (Key Set Identifier);
(2) The UE sends an EAP response to the new MME carrying the Identity. This Identity can be the original Identity or an Identity composed from the EMSKname, such as EMSKname@PSPDomainName. The EAP response can carry the old KSI1.
3. The new MME sends an EAP Response message to the PSP AAA server, carrying the Identity of the UE. KSI1 can also be carried.
4. The PSP AAA server looks up the corresponding MSK or EMSK related keys by the Identity of the UE. If they exist, it updates the lifetime, stops the lifetime, or leaves the lifetime unchanged. If they do not exist, the normal authentication flow is completed.
If the integrity verification key exists, the integrity of the received information is verified before MSK2 is generated. If verification succeeds, MSK2 is generated using the EMSK or the root key generated from the EMSK; if the key does not exist or verification is unsuccessful, a failure message is returned, re-initiating the normal authentication flow.
KSI1 alone, or KSI1 together with the Identity, can also be used to look up the corresponding key.
5. The PSP AAA server sends an authentication success message to the new MME, carrying MSK or MSK2. KSI1 can also be carried.
6. The MME generates the corresponding keys from the received MSK or MSK2. If the MME receives MSK or MSK2 directly, i.e. without a method exchange flow, or the PSP AAA server indicates to the new MME that this is a rapid authentication flow, the new MME uses the KSI1 sent by the UE, in place of KSI2, to associate with this MSK or MSK2 and the other keys. Alternatively, KSI1 can serve as the indication of the rapid authentication flow, and the new MME uses KSI1 in place of KSI2 to associate with this MSK or MSK2 and the other keys.
7. The new MME sends an authentication success message to the UE, which can carry an indication that the UE can use the previous keys.
8. The UE receives the authentication success message and continues to use the existing MSK corresponding to this PSP and the keys generated from it. If EMSK related keys are used, the EMSK or the root key generated from the EMSK (if present) is used to generate MSK2 and the other keys derived from MSK2.
If the indication is carried and the UE did not previously send KSI1 to the new MME, the association between KSI2 and the keys is updated, i.e. the new KSI2 is associated with the original keys. If the UE did previously send KSI1 to the new MME, KSI2 is deleted.
If no indication is carried, the UE judges for itself: if the method exchange flow was not executed during the preceding authentication, i.e. the authentication success message was received directly after the EAP response carrying the Identity was sent, then, if the UE did not previously send KSI1 to the new MME, the original keys are associated with the new KSI2; if the UE did previously send KSI1 to the new MME, KSI2 is deleted.
Fig. 6 shows a block diagram of the server of one embodiment of the present invention.
As shown in Fig. 6, the server 600 includes: a receiving module 602, which receives an authentication response message carrying a first identifier; a key determining module 604, which determines, according to the first identifier, whether a first key corresponding to the first identifier is stored; and a key sending module 606, which, when it is determined that the first key corresponding to the first identifier is stored, sends the first key or a second key generated from the first key to the mobility management entity, so that the mobility management entity generates a third key from the first key or the second key. The first identifier is the related identifier of the user equipment that provides the authentication response message, or the related identifier of the first key.
The server 600 uses the scheme of any of the above embodiments and therefore has all of the technical effects described above, which are not repeated here. The server 600 also has the following technical features:
In the above embodiment of the present invention, optionally, the authentication response message carries a key set identifier, and the first identifier includes the key set identifier.
In the above embodiment of the present invention, optionally, the server further includes: a verification initiating module, which, when it is determined that the first key corresponding to the first identifier is stored, sends a verification failure message to the user equipment or initiates the full authentication method exchange flow.
In the above embodiment of the present invention, optionally, the server further includes: a first key generation module, which generates the first key after the authentication method exchange flow is completed and the user equipment is successfully verified; and an associated storage module, which stores the first key in association with the first identifier.
In the above embodiment of the present invention, optionally, the server further includes: an information sending module, which, when it is determined that no first key corresponding to the first identifier is stored, sends a verification failure message to the user equipment or initiates the full authentication method exchange flow.
In the above embodiment of the present invention, optionally, the server further includes: a setting module, which sets a lifetime for the first key.
In the above embodiment of the present invention, optionally, the server further includes: a timing module, which restarts the timing of the lifetime after the user equipment is authenticated, or restarts the timing of the lifetime after a message from the user equipment is received.
In the above embodiment of the present invention, optionally, the server further includes: a deleting module, which deletes the first key after the lifetime expires, or deletes the first key according to a received first notification, where the first notification includes a user equipment off-network notification or a deletion notification.
Fig. 7 shows a block diagram of the server of another embodiment of the present invention.
As shown in Fig. 7, an embodiment of the present invention provides a server 700 including at least one processor 702 and a memory 704 communicatively connected to the at least one processor 702. The memory 704 stores instructions executable by the at least one processor 702, and the instructions are configured to execute the method of any of the above embodiments. The server 700 includes, but is not limited to, a PSP AAA server.
Fig. 8 shows a flow chart of the rapid authentication method of yet another embodiment of the present invention.
As shown in Fig. 8, the method includes:
Step 802: receive an authentication request message and send an authentication response message to the server, where the authentication response message carries a first identifier so that the server can judge whether a first key corresponding to the first identifier is stored. The first identifier is the related identifier of the user equipment that provides the authentication response message, or the related identifier of the first key.
Before the step of sending the authentication response message to the server in step 802, the method further includes: generating the related identifier of the first key.
That is, when the user equipment switches from a first mobility management entity to a second mobility management entity that uses the same PSP service, the second mobility management entity can send an authentication request message to the user equipment, and the server verifies whether the user equipment has the first identifier generated when it was verified via the first mobility management entity. If it does, then when the user equipment was verified via the first mobility management entity, the user equipment and the server both generated the first identifier; an authentication response message carrying the first identifier can then be sent to the server, so that the server can look up whether it stores the first key corresponding to that first identifier, after which the server can execute the technical solutions described for Fig. 1 to Fig. 7. Of course, if the user equipment does not have the first identifier generated during verification via the first mobility management entity, it cannot pass verification by the second mobility management entity in this simplified way.
In the above embodiment of the present invention, optionally, the authentication response message also carries a key set identifier. If so, the server can also verify whether a first key associated with the key set identifier is stored, or verify a first key associated with both the key set identifier and the related identifier, which further increases the reliability and security of the verification.
In addition, when the first identifier is the related identifier of the first key and the server does not store the first key, the method further includes: receiving a verification failure message. That is, when the server cannot find the first key corresponding to the related identifier, it can send a verification failure message to the user equipment.
After the step of receiving the verification failure message, the user equipment can directly treat the authentication as failed, or it can receive an authentication request message again and send an authentication response message carrying a first identifier, where the first identifier is the related identifier of the user equipment, so that the server again verifies whether a first key associated with the related identifier of the user equipment is stored, or the full authentication flow is completed with the server.
Fig. 9 shows a block diagram of the user equipment of one embodiment of the present invention.
As shown in Fig. 9, the user equipment 900 includes: an authentication communication unit 900, which receives an authentication request message and sends an authentication response message to the server, where the authentication response message carries a first identifier so that the server can judge whether a first key corresponding to the first identifier is stored. The first identifier is the related identifier of the user equipment that provides the authentication response message, or the related identifier of the first key.
In the above embodiment of the present invention, optionally, the user equipment further includes: a related identifier generation unit, which generates the related identifier of the first key before the authentication communication unit 900 sends the authentication response message to the server.
In the above embodiment of the present invention, optionally, the authentication response message also carries a key set identifier.
In the above embodiment of the present invention, optionally, the authentication communication unit 900 is further configured to: receive a verification failure message when the first identifier is the related identifier of the first key and the server does not store the first key.
In the above embodiment of the present invention, optionally, the authentication communication unit 900 is further configured to: after receiving the verification failure message, receive an authentication request message and send an authentication response message carrying a first identifier, where the first identifier is the related identifier of the user equipment.
In the above embodiment of the present invention, optionally, the authentication communication unit 900 is further configured to: after receiving the verification failure message, send an authentication response message carrying a first identifier, where the first identifier is the related identifier of the user equipment.
Fig. 10 shows a block diagram of the user equipment of another embodiment of the present invention.
As shown in Fig. 10, an embodiment of the present invention provides a user equipment 1000 including at least one processor 1002 and a memory 1004 communicatively connected to the at least one processor 1002. The memory 1004 stores instructions executable by the at least one processor 1002, and the instructions are configured to execute the method described in the Fig. 8 embodiment above.
The technical solution of the present invention has been described in detail above with reference to the drawings. It provides a method for rapidly authenticating user equipment, which reduces the inter-network mobility authentication flow and shortens the inter-network handover time.
It should be understood that the term "and/or" used herein only describes an association between associated objects and indicates that three relationships are possible. For example, "A and/or B" can mean: A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the objects before and after it.
Depending on the context, the word "if" as used here can be interpreted as "at the time of ..." or "when ..." or "in response to determining" or "in response to detecting". Similarly, depending on the context, the phrase "if it is determined" or "if (a stated condition or event) is detected" can be interpreted as "when it is determined" or "in response to determining" or "when (a stated condition or event) is detected" or "in response to detecting (a stated condition or event)".
It should be noted that the terminals involved in the embodiments of the present invention can include, but are not limited to, a personal computer (PC), a personal digital assistant (PDA), a wireless handheld device, a tablet computer, a mobile phone, an MP3 player, an MP4 player, and the like.
In the several embodiments provided by the present invention, it should be understood that the disclosed systems, devices and methods can be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed can be indirect coupling or communication connection through some interfaces, devices or units, and can be electrical, mechanical or in other forms.
In addition, the functional units in the embodiments of the present invention can be integrated in one processing unit, each unit can exist physically on its own, or two or more units can be integrated in one unit. The integrated unit can be implemented in the form of hardware, or in the form of hardware plus software functional units.
The above integrated unit, when implemented in the form of a software functional unit, can be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes a number of instructions that cause a computer device (which can be a personal computer, a server, a network device, etc.) or a processor to execute some of the steps of the methods of the embodiments of the present invention. The storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit the invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principle of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. a kind of rapid authentication method, which is characterized in that including:
Authentication response information is received, first identifier is carried in the authentication response information;
According to the first identifier, it is determined whether be stored with the corresponding first key of the first identifier;
When determine be stored with the first identifier corresponding first key when, the first key or the first key are generated The second key be sent to mobile management entity, so that the mobile management entity is according to the first key or the second key Generate third key;
Wherein, the first identifier is the correlated identities for the user equipment for providing the authentication response information or the phase of first key Close mark.
2. according to the method described in claim 1, it is characterized in that, carrying key string mark in the authentication response information Symbol, the first identifier includes the key string identifier.
3. method according to claim 1 or 2, which is characterized in that when determining that not to be stored with the first identifier corresponding When first key, further include:
Authentication failed message, which is sent, to user equipment or initiates integrity authentication method exchanges flow.
4. a kind of server, which is characterized in that including:
a receiving module, configured to receive authentication response information, wherein the authentication response information carries a first identifier;
a key determining module, configured to determine, according to the first identifier, whether a first key corresponding to the first identifier is stored;
a key sending module, configured to, when it is determined that the first key corresponding to the first identifier is stored, send the first key, or a second key generated from the first key, to a mobility management entity, so that the mobility management entity generates a third key according to the first key or the second key;
wherein the first identifier is an identifier associated with the user equipment that provides the authentication response information, or an identifier associated with the first key.
5. A server, characterized by comprising at least one processor, and a memory communicatively connected to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the instructions are arranged to perform the method of any one of claims 1 to 3.
6. A rapid authentication method, characterized by comprising:
receiving a verification request message, and sending authentication response information to a server, wherein the authentication response information carries a first identifier, so that the server determines whether a first key corresponding to the first identifier is stored;
wherein the first identifier is an identifier associated with the user equipment that provides the authentication response information, or an identifier associated with the first key.
7. The method according to claim 6, characterized in that, before the step of sending the authentication response information to the server, the method further comprises:
generating the identifier associated with the first key.
8. The method according to claim 6, characterized in that the authentication response information also carries a key string identifier.
9. A user equipment, characterized by comprising:
a verification communication unit, configured to receive a verification request message and send authentication response information to a server, wherein the authentication response information carries a first identifier, so that the server determines whether a first key corresponding to the first identifier is stored;
wherein the first identifier is an identifier associated with the user equipment that provides the authentication response information, or an identifier associated with the first key.
10. A user equipment, characterized by comprising at least one processor, and a memory communicatively connected to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the instructions are arranged to perform the method of any one of claims 6 to 8.
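The server-side lookup of claim 4 and the user-equipment message of claims 6 to 9 can be traced end to end in a short sketch. This is an added example, not code from the patent: the HMAC-SHA256 derivation, the labels, the class, field and status names, and the user equipment deriving the third key locally are all assumptions.

```python
import hashlib
import hmac
import secrets

def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    # Assumed KDF (HMAC-SHA256); the claims do not name a derivation function.
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self._first_keys = {}  # first identifier -> first key

    def full_authentication(self, first_id: str) -> bytes:
        # Stand-in for the slow path that establishes and stores a first key.
        self._first_keys[first_id] = secrets.token_bytes(32)
        return self._first_keys[first_id]

    def handle_auth_response(self, msg: dict):
        first_id = msg.get("first_identifier")
        first_key = self._first_keys.get(first_id) if isinstance(first_id, str) else None
        if first_key is None:
            return "FULL_AUTH_REQUIRED", None  # no stored key: no fast path
        # Forward a derived second key so the first key never leaves the server.
        return "FAST_AUTH", kdf(first_key, b"second-key", first_id.encode())

class MME:
    def third_key(self, key_from_server: bytes, network_id: bytes) -> bytes:
        return kdf(key_from_server, b"third-key", network_id)

class UserEquipment:
    def __init__(self, first_id: str, first_key: bytes):
        self.first_id, self._first_key = first_id, first_key

    def on_verification_request(self) -> dict:
        return {"first_identifier": self.first_id}

    def third_key(self, network_id: bytes) -> bytes:
        # Assumption: the UE repeats the same derivation chain locally.
        second = kdf(self._first_key, b"second-key", self.first_id.encode())
        return kdf(second, b"third-key", network_id)

def run_exchange(server: Server, ue: UserEquipment, network_id: bytes):
    status, key = server.handle_auth_response(ue.on_verification_request())
    if status != "FAST_AUTH":
        return status, None, None
    return status, MME().third_key(key, network_id), ue.third_key(network_id)

if __name__ == "__main__":
    srv = Server()
    ue = UserEquipment("ue-0001", srv.full_authentication("ue-0001"))  # constructed id
    print(run_exchange(srv, ue, b"net-A")[0])
```

A cache hit only selects a key; this sketch does not model any integrity check on the response, so possession of the first key is shown only when both ends arrive at the same third key.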
CN201810326912.6A 2018-04-12 2018-04-12 Rapid authentication method, server and user equipment Pending CN108513295A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810326912.6A CN108513295A (en) 2018-04-12 2018-04-12 Rapid authentication method, server and user equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810326912.6A CN108513295A (en) 2018-04-12 2018-04-12 Rapid authentication method, server and user equipment

Publications (1)

Publication Number Publication Date
CN108513295A true CN108513295A (en) 2018-09-07

Family

ID=63381978

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810326912.6A Pending CN108513295A (en) 2018-04-12 2018-04-12 Rapid authentication method, server and user equipment

Country Status (1)

Country Link
CN (1) CN108513295A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110351725A (en) * 2018-04-08 2019-10-18 华为技术有限公司 Communication means and device
CN112242995A (en) * 2020-09-10 2021-01-19 西安电子科技大学 One-way safety authentication method and system in digital content protection system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007102702A2 (en) * 2006-03-07 2007-09-13 Electronics And Telecommunications Research Institute Fast re-authentication method in umts
CN101983517A (en) * 2008-04-02 2011-03-02 诺基亚西门子通信公司 Security for a non-3gpp access to an evolved packet system
WO2013181847A1 (en) * 2012-06-08 2013-12-12 华为技术有限公司 Method, apparatus and system for wlan access authentication

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ORANGE: "Add ERP support for TWAN Interworking", 《3GPP TSG CT4 MEETING #75,C4-166077》 *
Z. CAO et al.: "EAP Extensions for the EAP Re-authentication Protocol(ERP)", 《INTERNET ENGINEERING TASK FORCE (IETF),6696》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110351725A (en) * 2018-04-08 2019-10-18 华为技术有限公司 Communication means and device
CN110351725B (en) * 2018-04-08 2022-08-09 华为技术有限公司 Communication method and device
CN112242995A (en) * 2020-09-10 2021-01-19 西安电子科技大学 One-way safety authentication method and system in digital content protection system
CN112242995B (en) * 2020-09-10 2021-12-21 西安电子科技大学 One-way safety authentication method and system in digital content protection system

Similar Documents

Publication Publication Date Title
Hussain et al. LTEInspector: A systematic approach for adversarial testing of 4G LTE
EP2293515B1 (en) Method, network element, and mobile station for negotiating encryption algorithms
CN101536463B (en) Generating keys for protection in next generation mobile networks
CN100583767C (en) Key updating method and device
CN110476447A (en) The registration process of enhancing in the mobile system for supporting network slice
EP2790429B1 (en) Hnb or henb security access method and system, and core network element
CN102484790B (en) Pre-registration security support in multi-technology interworking
CN103781069B (en) Bidirectional-authentication method, device and system
CN103430582B (en) Prevention of eavesdropping type of attack in hybrid communication system
US8407474B2 (en) Pre-authentication method, authentication system and authentication apparatus
Hwang et al. Provably secure mutual authentication and key exchange scheme for expeditious mobile communication through synchronously one-time secrets
CN110121196A (en) A kind of security identifier management method and device
Huang et al. A fast authentication scheme for WiMAX–WLAN vertical handover
CN108513295A (en) Rapid authentication method, server and user equipment
CN106304056A (en) The inspection method of a kind of device identification and system, equipment
Lee et al. Secure handover for Proxy Mobile IPv6 in next‐generation communications: scenarios and performance
CN102970678B (en) Cryptographic algorithm negotiating method, network element and mobile station
Abdel-Malek et al. Enabling second factor authentication for drones in 5G using network slicing
CN108540493B (en) Authentication method, user equipment, network entity and service side server
Bohák et al. An authentication scheme for fast handover between WiFi access points
Raja et al. Reduced overhead frequent user authentication in EAP-dependent broadband wireless networks
Lopez et al. Network-layer assisted mechanism to optimize authentication delay during handoff in 802.11 networks
Haddar et al. Securing fast pmipv6 protocol in case of vertical handover in 5g network
CN105848249A (en) Access point name (APN) processing method, device and system
CN113950051B (en) Authentication deduction method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180907