
CN114554489A - An authentication method and related equipment - Google Patents


Info

Publication number: CN114554489A
Authority: CN (China)
Prior art keywords: authentication, terminal device, network device, request, session
Legal status: Pending
Application number: CN202011354045.0A
Other languages: Chinese (zh)
Inventors: 邱建军, 李友国
Current assignee: Shanghai Huawei Technologies Co Ltd
Original assignee: Shanghai Huawei Technologies Co Ltd
Application filed by Shanghai Huawei Technologies Co Ltd
Priority to CN202011354045.0A (published as CN114554489A)
Priority to PCT/CN2021/130786 (published as WO2022111328A1)
Publication of CN114554489A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W12/0433 Key management protocols
    • H04W12/08 Access security
    • H04W12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The application provides an authentication method and related devices. First, the network device receives, on an uplink common channel, a session request sent by the terminal device, and the network device can confirm, according to the session request, that the terminal device has passed authentication. Then, the network device sends a session response to the terminal device on a downlink common channel, the session response instructing the terminal device to authenticate the network device. In a scenario where no RRC connection is established between the terminal device and the network device, the information required for authentication can be transferred between them over a common channel, so that authentication between the terminal device and the network device is achieved.

Description

An authentication method and related equipment

Technical field

The embodiments of the present application relate to the field of communications, and in particular to an authentication method and related devices.

Background

The third generation partnership project (3GPP) standards organization has defined the protocol standard for the fifth-generation cellular mobile communication system. Compared with the long term evolution (LTE) system, the new radio (NR) system supports a larger transmission bandwidth, more transmit and receive antenna arrays, higher transmission rates and a more flexible, finer-grained scheduling mechanism; these characteristics give the NR system a wider range of applications.

Network security is an important function of fifth generation (5G) mobile communication technology. For the 2C scenario, in which a radio resource control (RRC) connection is established, 5G defines its own authentication and key agreement (AKA) protocol, 5G AKA, through which two-way authentication and data encryption are performed. Two-way authentication means that the network device authenticates the terminal device and the terminal device also authenticates the network device.

However, in some scenarios, such as the 2B scenario, an RRC connection is usually not established between the terminal device and the network device in order to reduce power consumption on the terminal device side. In a scenario without an RRC connection, authentication between the terminal device and the network device cannot be performed.

Summary of the invention

The present application provides an authentication method and related devices. In a scenario where no RRC connection is established between the terminal device and the network device, the information required for authentication can be transferred between them over a common channel, so that authentication between the terminal device and the network device is achieved.

A first aspect of the present application provides an authentication method in which: a network device receives, on an uplink common channel, a session request sent by a terminal device, the session request requesting the network device to authenticate the terminal device; the network device confirms, according to the session request, that the terminal device has passed authentication; and the network device sends a session response to the terminal device on a downlink common channel, the session response instructing the terminal device to authenticate the network device.

The present application provides an authentication method. First, the network device receives, on the uplink common channel, the session request sent by the terminal device, and the network device can confirm, according to the session request, that the terminal device has passed authentication. Then, the network device sends a session response to the terminal device on the downlink common channel, the session response instructing the terminal device to authenticate the network device. In a scenario where no RRC connection is established between the terminal device and the network device, the information required for authentication can be transferred between them over a common channel, so that authentication between the terminal device and the network device is achieved.

In a possible implementation of the first aspect, the session request includes a subscription concealed identifier (SUCI) and a first response parameter.

This possible implementation specifies the types of parameter that the session request may include, which improves the implementability of the solution.

In a possible implementation of the first aspect, the network device includes an access and mobility management function (AMF) and an authentication server function (AUSF), and the network device confirming, according to the session request, that the terminal device has passed authentication includes: the AMF sends a first authentication request to the AUSF, the first authentication request including the SUCI, the first response parameter and a first random parameter received by the terminal device; the AUSF confirms, according to the first authentication request, that the terminal device has passed authentication; the AUSF sends a first authentication response to the AMF, the first authentication response including a second random parameter, a second response parameter, an authentication token (AUTN) and a security anchor function key (Kseaf); and the AMF confirms, according to the first authentication response, that the terminal device has passed authentication.

In this possible implementation, the network device authenticates the terminal device in a two-step manner: the authentication procedure is embedded in the session establishment procedure, and authentication is completed with the pair of messages that session establishment already uses on the air interface. There are few message exchanges and the authentication procedure is simple, which helps the terminal device save power.

In a possible implementation of the first aspect, the network device includes a unified data management function (UDM), and the AUSF confirming, according to the first authentication request, that the terminal device has passed authentication includes: the AUSF sends first request information to the UDM according to the first authentication request, the first request information including the first random parameter and the SUCI and instructing the UDM to send an authentication vector to the AUSF; the AUSF receives the authentication vector sent by the UDM, the authentication vector including the second random parameter, a third response parameter, a cipher key (CK), an integrity key (IK) and the AUTN; and the AUSF determines, according to the authentication vector, that the terminal device has passed authentication.

In this possible implementation, the network device authenticates the terminal device in a two-step manner: the authentication procedure is embedded in the session establishment procedure, and authentication is completed with the pair of messages that session establishment already uses on the air interface. There are few message exchanges and the authentication procedure is simple, which helps the terminal device save power.

In a possible implementation of the first aspect, the session response includes the second random parameter, the AUTN and configuration information, the configuration information instructing the terminal device to configure the session between the terminal device and the network device.

This possible implementation specifies the types of parameter that the session response may include, which improves the implementability of the solution.

In a possible implementation of the first aspect, the session request includes the SUCI.

This possible implementation specifies the types of parameter that the session request may include, which improves the implementability of the solution.

In a possible implementation of the first aspect, the network device confirming, according to the session request, that the terminal device has passed authentication includes: the network device sends a second authentication request to the terminal device according to the session request, the second authentication request instructing the terminal device to authenticate the network device; the network device receives a second authentication response sent by the terminal device; and the network device confirms, according to the second authentication response, that the terminal device has passed authentication.

In this possible implementation, the authentication procedure between the terminal device and the network device can be implemented with only minor or no modification of the algorithms or procedures of the existing UDM and AUSF. The changes to existing network devices are small, and the impact on the 2C network is small.

A second aspect of the present application provides an authentication method in which: a terminal device sends a session request to a network device on an uplink common channel, the session request requesting the network device to authenticate the terminal device; and the terminal device receives, on a downlink common channel, a session response sent by the network device, the session response instructing the terminal device to authenticate the network device.

The present application provides an authentication method. In a scenario where no RRC connection is established between the terminal device and the network device, the information required for authentication can be transferred between them over a common channel, so that authentication between the terminal device and the network device is achieved.

In a possible implementation of the second aspect, the session response includes configuration information, the configuration information instructing the terminal device to configure the session between the terminal device and the network device.

In a possible implementation of the second aspect, the session response further includes an authentication parameter, and the method further includes: the terminal device authenticates the network device according to the authentication parameter.

A third aspect of the present application provides a network device. The network device includes a processor coupled to a memory; the memory stores a computer program or instructions, and the processor executes the computer program or instructions in the memory so that the method of the first aspect or of any possible implementation of the first aspect is performed.

A fourth aspect of the present application provides a terminal device. The terminal device includes a processor coupled to a memory; the memory stores a computer program or instructions, and the processor executes the computer program or instructions in the memory so that the method of the second aspect or of any possible implementation of the second aspect is performed.

A fifth aspect of the present application provides a computer-readable storage medium. The computer-readable storage medium stores a program that causes the method of the first aspect or of any possible implementation of the first aspect to be performed.

A sixth aspect of the present application provides a computer-readable storage medium. The computer-readable storage medium stores a program that causes the method of the second aspect or of any possible implementation of the second aspect to be performed.

A seventh aspect of the present application provides a computer program product storing one or more computer-executable instructions which, when executed by a processor, cause the method of the first aspect or of any possible implementation of the first aspect to be performed.

An eighth aspect of the present application provides a computer program product storing one or more computer-executable instructions which, when executed by a processor, cause the method of the second aspect or of any possible implementation of the second aspect to be performed.

A ninth aspect of the present application provides a chip system. The chip system includes a processor for supporting a terminal device or a network device in implementing the functions involved in the above aspects, for example sending or processing the data and/or information involved in the above methods. In a possible design, the chip system further includes a memory for storing the necessary program instructions and data. The chip system may consist of chips, or may include chips and other discrete devices.

It can be seen from the above technical solutions that the embodiments of the present application have the following advantages:

The present application provides an authentication method and related devices. First, the network device receives, on the uplink common channel, the session request sent by the terminal device, and the network device can confirm, according to the session request, that the terminal device has passed authentication. Then, the network device sends a session response to the terminal device on the downlink common channel, the session response instructing the terminal device to authenticate the network device. In a scenario where no RRC connection is established between the terminal device and the network device, the information required for authentication can be transferred between them over a common channel, so that authentication between the terminal device and the network device is achieved.

Brief description of the drawings

FIG. 1 is a schematic diagram of an embodiment of an authentication method based on an RRC connection provided by the present application;

FIG. 2 is a schematic diagram of an application scenario of the authentication system provided by the present application;

FIG. 3 is a schematic diagram of an embodiment of the authentication method provided by the present application;

FIG. 4 is a schematic diagram of another embodiment of the authentication method provided by the present application;

FIG. 5 is a schematic diagram of another embodiment of the authentication method provided by the present application;

FIG. 6 is a schematic structural diagram of a network device provided by the present application;

FIG. 7 is a schematic structural diagram of a terminal device provided by the present application;

FIG. 8 is a schematic structural diagram of a communication device provided by the present application;

FIG. 9 is another schematic structural diagram of a communication device provided by the present application.

Detailed description of embodiments

The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by persons skilled in the art on the basis of the embodiments of the present invention fall within the protection scope of the present invention.

The terms "first", "second", "third", "fourth" and so on (if present) in the description, the claims and the above drawings of the present invention are used to distinguish similar objects and need not describe a specific order or sequence. It should be understood that data so labelled may be interchanged where appropriate, so that the embodiments described here can be practised in orders other than those illustrated or described here.

In the embodiments of the present application, words such as "exemplary" or "for example" are used to mean serving as an example, instance or illustration. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present application should not be construed as preferred over, or more advantageous than, other embodiments or designs. Rather, the words "exemplary" and "for example" are intended to present the relevant concepts in a concrete manner to aid understanding.

In the present application, "and/or" merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist together, or that B exists alone, where A and B may be singular or plural. In the description of the present application, unless stated otherwise, "a plurality of" means two or more. "At least one of the following items" or a similar expression means any combination of these items, including any combination of a single item or of plural items. For example, "at least one of a, b or c" may mean a, b, c, a-b, a-c, b-c or a-b-c, where each of a, b and c may be single or multiple.

The technical solutions of the embodiments of the present application can be applied to various communication systems, for example the long term evolution (LTE) system, the LTE frequency division duplex (FDD) system, LTE time division duplex (TDD), the fifth generation (5G) system, that is, new radio (NR), and future mobile communication systems.

The third generation partnership project (3GPP) standards organization has defined the protocol standard for the fifth-generation cellular mobile communication system. Compared with the long term evolution (LTE) system, the new radio (NR) system supports a larger transmission bandwidth, more transmit and receive antenna arrays, higher transmission rates and a more flexible, finer-grained scheduling mechanism; these characteristics give the NR system a wider range of applications.

Network security is an important function of 5G. For the 2C scenario, in which a radio resource control (RRC) connection is established, 5G defines its own authentication and key agreement (AKA) protocol, 5G AKA, through which two-way authentication and data encryption are performed. Two-way authentication means that the network device authenticates the terminal device and the terminal device also authenticates the network device.

FIG. 1 is a schematic diagram of an embodiment of an authentication method based on an RRC connection provided by the present application.

In the embodiment of the present application, the procedure for establishing communication between the terminal device and the network device consists of three parts: the RACH access procedure, the RRC establishment procedure and the 5G AKA authentication procedure. First, the terminal device initiates a random access request to the access network device and receives a random access response sent by the access network device. After the terminal device confirms from the random access response that random access has succeeded, the terminal device sends an RRC establishment request to the access network device. The terminal device receives the RRC establishment response sent by the access network device and, after confirming from the RRC establishment response that RRC establishment has succeeded, starts the 5G AKA authentication procedure. The 5G AKA authentication procedure is described in detail below.

In the present application, after the RRC connection is established between the terminal device and the access network device, all subsequent air-interface information is carried on the physical uplink shared channel (PUSCH) in the uplink and on the physical downlink shared channel (PDSCH) in the downlink. Only the authentication procedure is described here.

In the present application, the network device may be a core network device and may include an access and mobility management function (AMF), an authentication server function (AUSF) and a unified data management function (UDM). The terminal device initiates a registration request to the AMF through the access network device; the registration request includes a subscription concealed identifier (SUCI). When the AMF finds that the registration request is an initial registration request, the AMF requests authentication from the AUSF. After receiving the authentication request, the AUSF requests an authentication vector from the UDM; the UDM generates the authentication vector and returns it to the AUSF. The AUSF converts the 5-tuple authentication vector into a 4-tuple authentication vector and sends it to the AMF. The AMF generates a random number (RAND) and an authentication token (AUTN) according to the 4-tuple authentication vector and sends the generated RAND and AUTN to the terminal device; the AUTN includes MAC data. The terminal device obtains the MAC data from the AUTN and checks whether the XMAC data it computes is consistent with the MAC data: if they are consistent, the network device is considered to have passed authentication; if not, the network device is considered to have failed authentication. After the authentication passes, the terminal device computes the response parameter (RES*) and sends RES* to the AMF in an authentication response. The AMF computes the hash response parameter (HRES*) from RES* and authenticates the terminal device by checking whether HRES* is consistent with the expected hash response parameter (HXRES*): if they are consistent, authentication passes; otherwise it fails. After the AMF has authenticated the terminal device, the AMF sends authentication information including RES* to the AUSF for a second authentication. The AUSF authenticates the terminal device a second time by checking whether RES* is consistent with the expected response (XRES*): if they are consistent, authentication passes; otherwise it fails. After the AUSF has authenticated the terminal device, the AUSF returns an authentication success message to the AMF.

However, in some scenarios, such as the 2B scenario, an RRC connection is usually not established between the terminal device and the network device in order to reduce power consumption on the terminal device side. In a scenario without an RRC connection, authentication between the terminal device and the network device cannot be performed.

For the scenario in which there is no RRC connection between the terminal device and the network device, the present application provides an authentication method and related devices. First, the network device receives, on the uplink common channel, the session request sent by the terminal device, and the network device can confirm, according to the session request, that the terminal device has passed authentication. Then, the network device sends a session response to the terminal device on the downlink common channel, the session response instructing the terminal device to authenticate the network device. In a scenario where no RRC connection is established between the terminal device and the network device, the information required for authentication can be transferred between them over a common channel, so that authentication between the terminal device and the network device is achieved.
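The checks that the FIG. 1 procedure describes (MAC against XMAC at the terminal, HRES* against HXRES* at the AMF, RES* against XRES* at the AUSF), folded into the single session request / session response exchange of the first aspect, as an added toy model that is not the patent's own code nor any 3GPP implementation. It assumes that the first random parameter is handed to the terminal by the network before the request, replaces the Milenage f1/f2 functions and the RES* derivation with HMAC-SHA256 stand-ins, carries SQN in clear inside AUTN, omits CK/IK, and uses constructed sample values for K, SQN, the SUCI and the serving-network name.

```python
"""Toy model of the authentication checks described above (added example; not the
patent's code). Milenage f1/f2 and the RES* derivation are HMAC-SHA256 stand-ins,
SQN is carried in clear inside AUTN, CK/IK are omitted, and K, SQN, the SUCI and
the serving-network name are constructed sample values."""
import hashlib
import hmac
import os

K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed long-term key (USIM and UDM)
SQN = (42).to_bytes(6, "big")                          # constructed sequence number
AMF_FIELD = b"\x80\x00"                                # 16-bit AMF field carried in AUTN
SN_NAME = b"5G:mnc001.mcc001.3gppnetwork.org"          # assumed serving network name
SUCI = "suci-0-001-01-0000-0-0-1234567890"             # constructed subscriber identifier


def f1_mac(rand, sqn, amf):
    """Stand-in for Milenage f1: the 64-bit MAC the network puts into AUTN."""
    return hmac.new(K, b"f1" + rand + sqn + amf, hashlib.sha256).digest()[:8]


def f2_res(rand):
    """Stand-in for Milenage f2: the 64-bit subscriber response RES."""
    return hmac.new(K, b"f2" + rand, hashlib.sha256).digest()[:8]


def res_star(rand, res):
    """Stand-in for the RES*/XRES* derivation: binds RES to RAND and the SN name."""
    return hmac.new(K, b"res*" + SN_NAME + rand + res, hashlib.sha256).digest()[:16]


def hres_star(rand, res_s):
    """HRES*/HXRES*: the 128 least significant bits of SHA-256(RAND || RES*)."""
    return hashlib.sha256(rand + res_s).digest()[16:]


# ---- network side: UDM, AUSF and AMF collapsed into one process ----
def udm_authentication_vector(rand):
    """UDM: authentication vector for RAND -> (AUTN, XRES*, HXRES*)."""
    autn = SQN + AMF_FIELD + f1_mac(rand, SQN, AMF_FIELD)
    xres_s = res_star(rand, f2_res(rand))
    return autn, xres_s, hres_star(rand, xres_s)


def network_first_random_parameter():
    """The first random parameter the terminal receives before it sends the
    session request (assumed here to be handed out by the network)."""
    return os.urandom(16)


def network_handle_session_request(req, rand1):
    """AMF/AUSF: authenticate the terminal from the session request alone.
    Returns the session response (RAND2, AUTN, config) or None on failure."""
    if req["suci"] != SUCI:                 # toy: SUCI lookup is an equality test
        return None
    _, xres1_s, hxres1_s = udm_authentication_vector(rand1)
    # AMF check: HRES* computed from the received RES* must equal HXRES*.
    if not hmac.compare_digest(hres_star(rand1, req["res_star"]), hxres1_s):
        return None
    # AUSF second check: the received RES* must equal XRES*.
    if not hmac.compare_digest(req["res_star"], xres1_s):
        return None
    rand2 = os.urandom(16)                  # second random parameter
    autn2, _, _ = udm_authentication_vector(rand2)
    return {"rand": rand2, "autn": autn2, "config": {"session_id": 7}}


# ---- terminal side ----
def ue_build_session_request(rand1):
    """Session request on the uplink common channel: SUCI plus RES* over RAND1."""
    return {"suci": SUCI, "res_star": res_star(rand1, f2_res(rand1))}


def ue_authenticate_network(resp):
    """Terminal: recompute XMAC from RAND2 and compare it with the MAC in AUTN."""
    autn = resp["autn"]
    sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
    return hmac.compare_digest(mac, f1_mac(resp["rand"], sqn, amf))


def run_exchange(forge_request=False, forge_response=False):
    """One request/response exchange; the flags model a party that lacks K."""
    rand1 = network_first_random_parameter()
    req = ue_build_session_request(rand1)
    if forge_request:                       # RES* not derived from K
        req["res_star"] = os.urandom(16)
    resp = network_handle_session_request(req, rand1)
    if resp is None:
        return "network_rejects_terminal"
    if forge_response:                      # AUTN with a MAC not derived from K
        resp = {**resp, "autn": SQN + AMF_FIELD + os.urandom(8)}
    if not ue_authenticate_network(resp):
        return "terminal_rejects_network"
    return "mutual_auth_ok"


if __name__ == "__main__":
    for flags in ({}, {"forge_request": True}, {"forge_response": True}):
        print(flags or "honest", "->", run_exchange(**flags))
```

Both directions of the two-way authentication are decided by the two over-the-air messages alone: a request whose RES* was not derived from K never yields a session response, and a response whose AUTN was not derived from K is rejected by the terminal.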

图2为本申请提供的鉴权系统的应用场景示意图。FIG. 2 is a schematic diagram of an application scenario of the authentication system provided by the present application.

请参阅图2,本申请实施例中,网络设备、无线接入网络以及终端设备组成鉴权系统。Referring to FIG. 2 , in this embodiment of the present application, a network device, a wireless access network, and a terminal device constitute an authentication system.

本申请提供的鉴权系统包括:网络设备101,无线接入网络(radio accessnetwork,RAN)102、RAN103和RAN104以及终端设备105、终端设备106、终端设备107和终端设备108。其中,网络设备101包括AMF109、AUSF110以及UDM111,The authentication system provided by this application includes: a network device 101 , a radio access network (RAN) 102 , RAN 103 and RAN 104 , and a terminal device 105 , a terminal device 106 , a terminal device 107 and a terminal device 108 . Wherein, the network device 101 includes AMF109, AUSF110 and UDM111,

其中,终端设备105和终端设备106通过RAN102与网络设备101中包括的AMF109进行数据交互,终端设备107通过RAN103与网络设备101中包括的AMF109进行数据交互,终端设备108通过RAN104与网络设备101中包括的AMF109进行数据交互,AMF109与AUSF110进行数据交互,AUSF110与UDM111进行数据交互。The terminal device 105 and the terminal device 106 conduct data interaction with the AMF 109 included in the network device 101 through the RAN 102 , the terminal device 107 conducts data interaction with the AMF 109 included in the network device 101 through the RAN 103 , and the terminal device 108 communicates with the network device 101 through the RAN 104 . The included AMF109 performs data interaction, AMF109 performs data interaction with AUSF110, and AUSF110 performs data interaction with UDM111.

本申请实施例中,仅以一个网络设备、三个RAN和四个终端设备为例进行示意性说明。实际应用中,可选的,本申请实施例的应用场景中可以包括比图2所示实施例中所提供的更多或者更少的RAN和终端设备。本申请实施例对网络设备、RAN以及终端设备的数目不进行限定。In the embodiments of the present application, only one network device, three RANs, and four terminal devices are used as examples for schematic illustration. In practical applications, optionally, the application scenarios of the embodiments of the present application may include more or less RANs and terminal devices than those provided in the embodiment shown in FIG. 2 . The embodiments of the present application do not limit the number of network devices, RANs, and terminal devices.

本申请实施例中的网络设备101可以是核心网设备,可选的,AMF、AUSF以及UDM可以集成于同一设备上,AMF、AUSF以及UDM可以集成于不同设备上,具体此处不做限定。The network device 101 in this embodiment of the present application may be a core network device. Optionally, AMF, AUSF, and UDM may be integrated on the same device, and AMF, AUSF, and UDM may be integrated on different devices, which are not specifically limited here.

本申请中,RAN用于传递网络设备与终端设备之间交互的信息,鉴权流程中的作用基本是透传信息。In this application, the RAN is used to transmit the information exchanged between the network device and the terminal device, and the role in the authentication process is basically to transmit the information transparently.

本申请中,AMF用于发起网络设备内部的鉴权流程,处理终端设备的鉴权消息,从AUSF获得鉴权向量,对终端设备进行鉴权,生成加密密钥。In this application, the AMF is used to initiate the authentication process inside the network device, process the authentication message of the terminal device, obtain the authentication vector from the AUSF, authenticate the terminal device, and generate an encryption key.

本申请中,AUSF用于与UDM进行通信,从UDM获得鉴权向量,将鉴权向量处理后传递给AMF,对终端设备进行鉴权。In this application, the AUSF is used to communicate with the UDM, obtain the authentication vector from the UDM, process the authentication vector and transfer it to the AMF, and authenticate the terminal device.

本申请中,UDM用于保存开户信息和用户密钥,并且生成鉴权向量。In this application, UDM is used to store account opening information and user key, and to generate an authentication vector.

本申请实施例中的终端设备可以是指向用户提供语音和/或数据连通性的设备,具有无线连接功能的手持式设备、或连接到无线调制解调器的其他处理设备。终端设备可以是移动终端,如移动电话(或称为“蜂窝”电话)和具有移动终端的计算机,例如,可以是便携式、袖珍式、手持式、计算机内置的或者车载的移动装置,它们与网络设备交换语言和/或数据。例如,个人通信业务(personal communication service,PCS)电话、无绳电话、会话发起协议(SIP)话机、无线本地环路(wireless local loop,WLL)站、个人数字助理(personal digital assistant,PDA)等设备。终端设备也可以称为系统、订户单元(subscriber unit)、订户站(subscriber station),移动站(mobile station)、移动台(mobile)、远程站(remote station)、接入点(access point)、远程终端(remoteterminal)、接入终端(access terminal)、用户代理(user agent)、用户设备(userdevice)、或用户装备(user equipment)、用户站、远方站、用户终端(terminal equipment,TE)、终端、无线通信设备以及用户代理或用户装置。另外,终端设备也可以是用于实现UE功能的芯片系统。具体此处不做限定。The terminal device in this embodiment of the present application may be a device that provides voice and/or data connectivity to a user, a handheld device with a wireless connection function, or other processing device connected to a wireless modem. Terminal devices may be mobile terminals, such as mobile phones (or "cellular" phones) and computers with mobile terminals, for example, may be portable, pocket-sized, hand-held, computer-built, or vehicle-mounted mobile devices, which are connected to a network Devices exchange language and/or data. For example, personal communication service (PCS) phones, cordless phones, Session Initiation Protocol (SIP) phones, wireless local loop (WLL) stations, personal digital assistants (PDAs) and other devices . A terminal device may also be referred to as a system, subscriber unit, subscriber station, mobile station, mobile station, remote station, access point, Remote terminal (remote terminal), access terminal (access terminal), user agent (user agent), user equipment (user device), or user equipment (user equipment), user station, remote station, user terminal (terminal equipment, TE), Terminals, wireless communication devices, and user agents or user equipment. In addition, the terminal device may also be a chip system for implementing UE functions. There is no specific limitation here.

基于图2所描述的鉴权系统,对本申请提供的鉴权方法进行描述。Based on the authentication system described in FIG. 2 , the authentication method provided by this application is described.

图3为本申请提供的鉴权方法的一实施例示意图。请参阅图3,该鉴权方法包括步骤201至步骤203。FIG. 3 is a schematic diagram of an embodiment of an authentication method provided by the present application. Please refer to FIG. 3 , the authentication method includes steps 201 to 203 .

201、网络设备在上行公共信道上接收终端设备发送的会话请求,相应的,终端设备在上行公共信道上向网络设备发送会话请求。201. The network device receives the session request sent by the terminal device on the uplink common channel, and correspondingly, the terminal device sends the session request to the network device on the uplink common channel.

本申请中,终端设备与网络设备之间没有建立RRC连接,终端设备与网络设备之间无法通过专有信道实现信息交互。因此,终端设备通过上行公共信道向网络设备发送会话请求,会话请求用于请求网络设备对终端设备鉴权。In this application, no RRC connection is established between the terminal device and the network device, and information exchange between the terminal device and the network device cannot be achieved through a dedicated channel. Therefore, the terminal device sends a session request to the network device through the uplink common channel, and the session request is used to request the network device to authenticate the terminal device.

202、网络设备根据会话请求确认终端设备通过鉴权。202. The network device confirms that the terminal device has passed the authentication according to the session request.

本申请中,会话请求中包括鉴权参数,网络设备可以根据会话请求中包括的鉴权参数对终端设备鉴权。In this application, the session request includes authentication parameters, and the network device can authenticate the terminal device according to the authentication parameters included in the session request.

203、网络设备在下行公共信道上向终端设备发送会话响应,相应的,终端设备在下行公共信道上接收网络设备发送的会话响应。203. The network device sends a session response to the terminal device on the downlink common channel, and correspondingly, the terminal device receives the session response sent by the network device on the downlink common channel.

本申请中,终端设备与网络设备之间没有建立RRC连接,终端设备与网络设备之间无法通过专有信道实现信息交互。因此,网络设备通过下行公共信道向终端设备发送会话响应,会话响应用于指示终端设备对网络设备鉴权。In this application, no RRC connection is established between the terminal device and the network device, and information exchange between the terminal device and the network device cannot be achieved through a dedicated channel. Therefore, the network device sends a session response to the terminal device through the downlink common channel, and the session response is used to instruct the terminal device to authenticate the network device.

本申请中,上述图3所示的实施例中步骤202有具体的实现方式,该种具体的实现方式将在下面进行详细说明。In the present application, step 202 in the embodiment shown in FIG. 3 has a specific implementation manner, and the specific implementation manner will be described in detail below.

方式1:两步鉴权法Method 1: Two-step authentication method

图4为本申请提供的鉴权方法的另一实施例示意图。请参阅图4,本实施例中,网络设备可以是核心网设备,网络设备包括AMF、AUSF和UDM,会话请求包括SUCI和第一响应参数(RES*)。FIG. 4 is a schematic diagram of another embodiment of the authentication method provided by the present application. Referring to FIG. 4 , in this embodiment, the network device may be a core network device, the network device includes AMF, AUSF, and UDM, and the session request includes SUCI and a first response parameter (RES*).

AMF将第一鉴权请求发送至AUSF。The AMF sends the first authentication request to the AUSF.

本实施例中,第一鉴权请求包括SUCI、RES*以及终端设备接收到的R0。R0由网络设备生成,且网络设备会周期性更新R0。终端设备接收到R0后,终端设备可以根据R0和开户密钥计算RES*,进而将RES*与SUCI包含于会话请求中通过RAN发送至AMF。In this embodiment, the first authentication request includes SUCI, RES*, and R0 received by the terminal device. R0 is generated by a network device, and the network device periodically updates R0. After the terminal device receives the R0, the terminal device can calculate the RES* according to the R0 and the account opening key, and then include the RES* and the SUCI in the session request and send it to the AMF through the RAN.

AUSF根据第一鉴权请求向UDM发送第一请求信息。The AUSF sends the first request information to the UDM according to the first authentication request.

本实施例中,第一请求信息包括R0以及SUCI,第一请求信息用于指示UDM向AUSF发送鉴权向量。In this embodiment, the first request information includes R0 and SUCI, and the first request information is used to instruct the UDM to send an authentication vector to the AUSF.

AUSF接收UDM发送的鉴权向量。The AUSF receives the authentication vector sent by the UDM.

本申请中,鉴权向量包括第二随机参数(R1)、期望响应(eXpected RESponse,XRES)、加密密钥(encryption key,CK)、完整性密钥(integrity key,IK)和鉴权令牌(aUthentication TokeN,AUTN)。UDM收到第一请求信息,第一请求信息中包括R0和SUCI,UDM根据R0、R1和终端开户的密钥等数据生成鉴权向量,并将鉴权向量发送至AUSF。算法与5G AKA相类似。终端设备计算RES*等相关参数时是通过R0来进行计算的,UDM计算XRES时采用的是R0,计算CK、IK、AUTN是使用的R1。In this application, the authentication vector includes a second random parameter (R1), an expected response (eXspected RESponse, XRES), an encryption key (encryption key, CK), an integrity key (integrity key, IK) and an authentication token (aUthentication TokeN, AUTN). The UDM receives the first request information, and the first request information includes R0 and SUCI. The UDM generates an authentication vector according to data such as R0, R1 and the key for opening an account of the terminal, and sends the authentication vector to the AUSF. The algorithm is similar to 5G AKA. When the terminal device calculates RES* and other related parameters, it uses R0 to calculate it. When UDM calculates XRES, it uses R0, and it calculates CK, IK, and AUTN. It uses R1.

AUSF根据鉴权向量确定终端设备通过鉴权。The AUSF determines that the terminal device has passed the authentication according to the authentication vector.

本申请中,AUSF判断RES*和XRES的一致性对终端设备鉴权,若RES*和XRES一致,则AUSF确认终端设备通过鉴权,若RES*和XRES不一致,则确认终端设备未通过鉴权。AUSF确认终端设备通过鉴权后向AMF发送第一鉴权响应。In this application, the AUSF determines the consistency of RES* and XRES to authenticate the terminal device. If RES* and XRES are consistent, the AUSF confirms that the terminal device has passed the authentication. If the RES* and XRES are inconsistent, it confirms that the terminal device has not passed the authentication. . The AUSF confirms that the terminal device sends a first authentication response to the AMF after passing the authentication.

AUSF向AMF发送第一鉴权响应。The AUSF sends the first authentication response to the AMF.

本申请中,第一鉴权响应包括第二随机参数(R1)、哈希期望响应(hash eXpectedRESponse,HXRES*)、AUTN和安全锚点功能密钥(key for SEAF,Kseaf)。In this application, the first authentication response includes a second random parameter (R1), a hash expected response (hash eXpectedRESponse, HXRES*), AUTN and a security anchor function key (key for SEAF, Kseaf).

AMF根据第一鉴权响应确认终端设备通过鉴权。The AMF confirms that the terminal device has passed the authentication according to the first authentication response.

本申请中,AMF通过RES*计算HRES*,判断HRES*与HXRES*是否一致从而对终端设备鉴权。若AMF确认HRES*与HXRES*一致,则AMF确认终端设备通过鉴权。若AMF确认HRES*与HXRES*不一致,则AMF确认终端设备未通过鉴权。鉴权通过后,AMF分配会话ID,分配上行业务信道资源,计算NAS加密密钥(key for NAS encryption,Knasenc)和NAS完整性密钥(keyfor NAS integrity,Knasint)。使用密钥对分配的会话ID和上行业务信道资源数据进行加密和完整性保护,并且将加密数据(会话ID和业务信道资源)和R1,AUTN通过RAN发送给终端设备。In this application, AMF calculates HRES* through RES*, determines whether HRES* and HXRES* are consistent, and authenticates the terminal device. If the AMF confirms that HRES* is consistent with HXRES*, the AMF confirms that the terminal device has passed the authentication. If the AMF confirms that HRES* and HXRES* are inconsistent, the AMF confirms that the terminal device has not passed the authentication. After passing the authentication, the AMF allocates a session ID, allocates uplink traffic channel resources, and calculates a NAS encryption key (key for NAS encryption, Knasenc) and a NAS integrity key (key for NAS integrity, Knasint). The assigned session ID and uplink traffic channel resource data are encrypted and integrity protected using the key, and the encrypted data (session ID and traffic channel resource) and R1, AUTN are sent to the terminal device through the RAN.

本申请中,网络设备确认终端设备通过鉴权后,网络设备与终端设备开展业务的过程中,使用会话ID(Session Id)标识用户,而非采用用户永久标识(SubscriptionPermanent Identifier,SUPI)。In this application, after the network device confirms that the terminal device has passed the authentication, in the process of conducting business between the network device and the terminal device, the session ID (Session Id) is used to identify the user instead of using the Subscription Permanent Identifier (SUPI).

本申请中,业务的加密数据中包含消息序号,AMF需要判断消息序号是否递增,以防止业务数据重放攻击。为防止会话请求重放攻击,除了R0可周期更新外,AMF也需要保存分配的Session Id和SUCI,以及对应的RES*和密钥等信息,如果该SUCI已经分配了SessionId,不会再次触发向UDM请求鉴权向量的流程,而直接将之前分配的数据加密后发送给终端。In this application, the encrypted data of the service includes a message sequence number, and the AMF needs to determine whether the message sequence number is incremented to prevent service data replay attacks. In order to prevent session request replay attacks, in addition to the periodic update of R0, AMF also needs to save the assigned Session Id and SUCI, as well as the corresponding RES* and key information. The UDM requests the authentication vector process, and directly encrypts the previously allocated data and sends it to the terminal.

本申请中,为避免Session Id长期不更新,而降低系统安全性,广播的系统消息中可以增加字段,指示终端是否重新进行鉴权和建立会话。In this application, in order to prevent the Session Id from not being updated for a long time and thus reducing the security of the system, a field may be added to the broadcast system message to indicate whether the terminal performs authentication again and establishes a session.

本申请中,网络设备在鉴权过程中若出现失败,则终止后续流程,网络设备中包括的网元间可以发送失败通知消息,空口不发送消息,不通知终端。同样终端设备如果出现鉴权失败,也不通知核心网。In this application, if the network device fails in the authentication process, the subsequent process is terminated, and the network elements included in the network device may send a failure notification message, but the air interface does not send a message and does not notify the terminal. Likewise, if the terminal device fails to authenticate, it will not notify the core network.
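The two-step method above, simulated end to end as an added example (not the patent's or any vendor's code). HMAC-SHA256 stands in for the 3GPP f-functions and for NAS encryption/integrity, SUCI is mapped directly to the subscriber key, and all names and the "UL-TCH:7" resource string are constructed for illustration; the point is the flow: RES* from the broadcast R0, XRES/HXRES* checks at AUSF and AMF, the Session Id cache that suppresses repeated vector requests, and the sequence-number check on service data.

```python
import hashlib
import hmac
import secrets

def f(key, label, *parts):
    # Stand-in for the Milenage/TUAK f-functions (assumption, illustration only)
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:16]

def hres(r, res_star):
    # HRES*/HXRES* = SHA-256(R || RES*) truncated, as in the 5G AKA hash step
    return hashlib.sha256(r + res_star).digest()[:16]

def xor_ks(kenc, nonce, data):
    # Toy NAS encryption: one keystream block XORed over a short payload (assumption)
    return bytes(a ^ b for a, b in zip(data, hmac.new(kenc, nonce, hashlib.sha256).digest()))

def mac(kint, *parts):
    # Toy NAS integrity tag (assumption)
    return hmac.new(kint, b"".join(parts), hashlib.sha256).digest()[:8]

class UDM:
    def __init__(self, subscribers):
        self.subscribers = subscribers  # SUCI -> K (toy: SUCI maps directly to the key)

    def auth_vector(self, suci, r0):
        k, r1 = self.subscribers[suci], secrets.token_bytes(16)
        # XRES is computed from the broadcast R0; CK, IK and AUTN from the fresh R1
        return {"R1": r1, "XRES": f(k, b"RES", r0), "CK": f(k, b"CK", r1),
                "IK": f(k, b"IK", r1), "AUTN": f(k, b"AUTN", r1)}

class AUSF:
    def __init__(self, udm):
        self.udm = udm

    def authenticate(self, suci, res_star, r0):
        av = self.udm.auth_vector(suci, r0)
        if not hmac.compare_digest(av["XRES"], res_star):
            return None  # failure is signalled only between network elements
        kseaf = f(av["CK"] + av["IK"], b"Kseaf", suci.encode())
        return {"R1": av["R1"], "HXRES*": hres(r0, av["XRES"]), "AUTN": av["AUTN"], "Kseaf": kseaf}

class AMF:
    def __init__(self, ausf):
        self.ausf = ausf
        self.r0 = secrets.token_bytes(16)   # broadcast to terminals, refreshed periodically
        self.by_suci, self.by_sid = {}, {}  # replay cache and Session Id lookup
        self.next_id = 1

    def rotate_r0(self):
        self.r0 = secrets.token_bytes(16)
        self.by_suci.clear()  # RES* values derived from the old R0 no longer verify

    def session_request(self, suci, res_star):
        cached = self.by_suci.get(suci)
        if cached is not None:
            # A Session Id already exists for this SUCI: re-send the earlier allocation
            # instead of requesting a new authentication vector (replay protection)
            return cached["response"] if hmac.compare_digest(cached["RES*"], res_star) else None
        resp = self.ausf.authenticate(suci, res_star, self.r0)
        if resp is None or not hmac.compare_digest(hres(self.r0, res_star), resp["HXRES*"]):
            return None
        sid, self.next_id = self.next_id, self.next_id + 1
        kenc, kint = f(resp["Kseaf"], b"Knasenc"), f(resp["Kseaf"], b"Knasint")
        payload = sid.to_bytes(4, "big") + b"UL-TCH:7"  # Session Id + uplink channel (constructed)
        ct = xor_ks(kenc, resp["R1"], payload)
        response = {"R1": resp["R1"], "AUTN": resp["AUTN"], "enc": ct, "tag": mac(kint, resp["R1"], ct)}
        session = {"RES*": res_star, "response": response, "Kint": kint, "last_seq": 0}
        self.by_suci[suci] = self.by_sid[sid] = session
        return response

    def uplink_data(self, sid, seq, body, tag):
        # Service data is addressed by Session Id, not SUPI; the message sequence
        # number must strictly increase, which rejects replayed service data
        s = self.by_sid[sid]
        expected = mac(s["Kint"], seq.to_bytes(4, "big"), body)
        if seq <= s["last_seq"] or not hmac.compare_digest(expected, tag):
            return False
        s["last_seq"] = seq
        return True

def terminal_session(amf, suci, k):
    """Terminal: RES* from the broadcast R0, then authenticate the network via AUTN
    and recover the Session Id from the protected session response."""
    resp = amf.session_request(suci, f(k, b"RES", amf.r0))
    if resp is None or not hmac.compare_digest(f(k, b"AUTN", resp["R1"]), resp["AUTN"]):
        return None  # rejected, or network failed authentication; terminal stays silent
    kseaf = f(f(k, b"CK", resp["R1"]) + f(k, b"IK", resp["R1"]), b"Kseaf", suci.encode())
    kenc, kint = f(kseaf, b"Knasenc"), f(kseaf, b"Knasint")
    if not hmac.compare_digest(mac(kint, resp["R1"], resp["enc"]), resp["tag"]):
        return None
    pt = xor_ks(kenc, resp["R1"], resp["enc"])
    return {"sid": int.from_bytes(pt[:4], "big"), "ul": pt[4:], "Kint": kint}
```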

Method 2: Four-step authentication method

FIG. 5 is a schematic diagram of another embodiment of the authentication method provided by the present application. Referring to FIG. 5, in this embodiment the session request includes the SUCI, and the network device includes an AMF, an AUSF and a UDM.

The network device sends a second authentication request to the terminal device according to the session request.

In the present application, after the AMF included in the network device receives the session request, the AMF requests authentication from the AUSF. On receiving the authentication request, the AUSF requests an authentication vector from the UDM; the UDM generates the authentication vector and returns it to the AUSF. The AMF generates a random number (RANDom number, RAND) and an authentication token (AUthentication TokeN, AUTN) from the 4-tuple authentication vector, and sends the generated RAND and AUTN to the terminal device in the second authentication request. The second authentication request is used to instruct the terminal device to authenticate the network device.

The network device receives a second authentication response sent by the terminal device.

In the present application, the terminal device obtains the AUTN from the second authentication request; the AUTN includes MAC data. The terminal device extracts the MAC data from the AUTN and checks whether its computed XMAC data matches the MAC data: if they match, the network device is regarded as having passed authentication; if they do not match, the network device is regarded as having failed authentication. After authentication passes, the terminal device computes the response parameter (RES*) and sends it to the AMF in the second authentication response.

The network device confirms, from the second authentication response, that the terminal device has passed authentication.

In the present application, the network device obtains the response parameter (RES*) from the second authentication response. The AMF computes the hash response parameter (HRES*) from RES* and authenticates the terminal device by checking whether HRES* matches the expected hash response parameter (HXRES*): if they match, authentication passes; if they do not match, authentication fails. After the AMF has authenticated the terminal device, the AMF sends authentication information including RES* to the AUSF for a second authentication. The AUSF compares RES* with the expected response (XRES*) to authenticate the terminal device a second time: if they match, authentication passes; if they do not match, authentication fails. After the AUSF has authenticated the terminal device, the AUSF returns an authentication success message to the AMF.
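The four-step method above as an added example (not the patent's or any vendor's code): the terminal authenticates the network by recomputing XMAC from the AUTN fields and comparing it with the MAC, then returns RES*, which the AMF checks against HXRES* and the AUSF checks against XRES*. HMAC-SHA256 stands in for the Milenage f1-f5 functions, the AUTN layout (SQN xor AK) || AMF || MAC follows 3GPP, and the class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def prf(key, label, *parts):
    # Stand-in for the Milenage f1-f5 functions (assumption, illustration only)
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def make_autn(k, rand, sqn, amf_field):
    # 3GPP layout AUTN = (SQN xor AK) || AMF || MAC; f1 gives the MAC, f5 gives AK
    mac = prf(k, b"f1", rand, sqn, amf_field)[:8]
    ak = prf(k, b"f5", rand)[:6]
    return bytes(a ^ b for a, b in zip(sqn, ak)) + amf_field + mac

def res_star(k, rand):
    return prf(k, b"f2", rand)[:16]

def hres_star(rand, res):
    # HRES*/HXRES* = SHA-256(RAND || RES*) truncated
    return hashlib.sha256(rand + res).digest()[:16]

class UDM:
    def __init__(self, subscribers):
        self.subscribers = subscribers  # SUCI -> (K, next SQN); toy mapping, no SUCI decryption

    def auth_vector(self, suci):
        k, sqn = self.subscribers[suci]
        self.subscribers[suci] = (k, (int.from_bytes(sqn, "big") + 1).to_bytes(6, "big"))
        rand = secrets.token_bytes(16)
        return {"RAND": rand, "AUTN": make_autn(k, rand, sqn, b"\x80\x00"),
                "XRES*": res_star(k, rand), "Kseaf": prf(k, b"Kseaf", rand)[:16]}

class AUSF:
    def __init__(self, udm):
        self.udm, self.pending = udm, {}

    def request_auth(self, suci):
        av = self.udm.auth_vector(suci)
        self.pending[suci] = av["XRES*"]  # kept for the second (full RES*) check
        return {"RAND": av["RAND"], "AUTN": av["AUTN"],
                "HXRES*": hres_star(av["RAND"], av["XRES*"]), "Kseaf": av["Kseaf"]}

    def confirm(self, suci, res):
        # Second authentication of the terminal: RES* against XRES*
        xres = self.pending.pop(suci, None)
        return xres is not None and hmac.compare_digest(xres, res)

class AMF:
    def __init__(self, ausf):
        self.ausf, self.pending = ausf, {}

    def session_request(self, suci):
        # Session request received: fetch the vector and build the second authentication
        # request (RAND, AUTN) that asks the terminal to authenticate the network
        av = self.ausf.request_auth(suci)
        self.pending[suci] = (av["RAND"], av["HXRES*"])
        return {"RAND": av["RAND"], "AUTN": av["AUTN"]}

    def auth_response(self, suci, res):
        # Second authentication response: local HRES*/HXRES* check, then AUSF confirmation
        rand, hxres = self.pending.pop(suci)
        if not hmac.compare_digest(hres_star(rand, res), hxres):
            return False  # failure: nothing is sent over the air interface
        return self.ausf.confirm(suci, res)

def terminal_auth_response(k, last_sqn, req):
    """Terminal: recompute XMAC from the AUTN fields and compare it with the MAC (this
    authenticates the network), reject a reused SQN, then compute RES*."""
    rand, autn = req["RAND"], req["AUTN"]
    conc, amf_field, mac = autn[:6], autn[6:8], autn[8:]
    sqn = bytes(a ^ b for a, b in zip(conc, prf(k, b"f5", rand)[:6]))
    xmac = prf(k, b"f1", rand, sqn, amf_field)[:8]
    if not hmac.compare_digest(xmac, mac) or sqn <= last_sqn:
        return None  # network failed authentication or vector replayed; terminal stays silent
    return sqn, res_star(k, rand)

def run(amf, suci, k, last_sqn=b"\x00" * 6):
    """Drive the four steps end to end; True only if both AMF and AUSF accept RES*."""
    out = terminal_auth_response(k, last_sqn, amf.session_request(suci))
    if out is None:
        amf.pending.pop(suci, None)
        return False
    return amf.auth_response(suci, out[1])
```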

In this embodiment, in the scenario without an RRC connection between the terminal device and the network device, the information exchanged between them is not carried on the physical uplink shared channel (PUSCH) and the physical downlink shared channel (PDSCH), but on the uplink access channel and the downlink common control channel.

The present application provides an authentication method and related devices. First, the network device receives, on an uplink common channel, a session request sent by the terminal device, and the network device can confirm from the session request that the terminal device has passed authentication. Then, the network device sends a session response to the terminal device on a downlink common channel, where the session response is used to instruct the terminal device to authenticate the network device. In a scenario where no RRC connection is established between the terminal device and the network device, the information required for authentication can be carried over common channels, so that authentication between the terminal device and the network device is still achieved.

The foregoing embodiments provide different implementations of the authentication method. A network device 30 is provided below, as shown in FIG. 6. The network device 30 is configured to perform the steps performed by the network device in the foregoing embodiments; those steps and their corresponding beneficial effects can be understood with reference to the corresponding embodiments above and are not repeated here. The network device 30 includes:

a receiving unit 301, configured to receive, on an uplink common channel, a session request sent by a terminal device, where the session request is used to request the network device to authenticate the terminal device;

a processing unit 302, configured to confirm, from the session request, that the terminal device has passed authentication; and

a sending unit 303, configured to send a session response to the terminal device on a downlink common channel, where the session response is used to instruct the terminal device to authenticate the network device.

In a possible implementation, the session request includes a subscription concealed identifier (SUCI) and a first response parameter.

In a possible implementation, the network device includes an access and mobility management function (AMF) and an authentication service function (AUSF);

the AMF sends a first authentication request to the AUSF, where the first authentication request includes the SUCI, the first response parameter and the first random parameter received by the terminal device;

the AUSF confirms, from the first authentication request, that the terminal device has passed authentication;

the AUSF sends a first authentication response to the AMF, where the first authentication response includes a second random parameter, a second response parameter, an authentication token AUTN and a security anchor function key Kseaf; and

the AMF confirms, from the first authentication response, that the terminal device has passed authentication.

In a possible implementation, the network device includes a unified data management function (UDM);

the AUSF sends first request information to the UDM according to the first authentication request, where the first request information includes the first random parameter and the SUCI and is used to instruct the UDM to send an authentication vector to the AUSF;

the AUSF receives the authentication vector sent by the UDM, where the authentication vector includes the second random parameter, a third response parameter, an encryption key CK, an integrity key IK and the AUTN; and

the AUSF determines, from the authentication vector, that the terminal device has passed authentication.

In a possible implementation, the session response includes the second random parameter, the AUTN and configuration information, where the configuration information is used to instruct the terminal device to configure the session between the terminal device and the network device.

In a possible implementation, the session request includes the SUCI.

In a possible implementation,

the sending unit 303 is further configured to send a second authentication request to the terminal device according to the session request, where the second authentication request is used to instruct the terminal device to authenticate the network device;

the receiving unit 301 is further configured to receive a second authentication response sent by the terminal device; and

the processing unit 302 is further configured to confirm, from the second authentication response, that the terminal device has passed authentication.

It should be noted that the information exchange between the modules of the network device 30, their execution procedure and related details are based on the same concept as the method embodiments of the present application and bring the same technical effects as the method embodiments; for the specific content, refer to the description in the method embodiments given above, which is not repeated here.

The foregoing embodiments provide different implementations of the network device 30. A terminal device 40 is provided below, as shown in FIG. 7. The terminal device 40 is configured to perform the steps performed by the terminal device in the foregoing embodiments; those steps and their corresponding beneficial effects can be understood with reference to the corresponding embodiments above and are not repeated here. The terminal device 40 includes:

a sending unit 401, configured to send a session request to a network device on an uplink common channel, where the session request is used to request the network device to authenticate the terminal device; and

a receiving unit 402, configured to receive, on a downlink common channel, a session response sent by the network device, where the session response is used to instruct the terminal device to authenticate the network device.

In a possible implementation, the session response includes configuration information, where the configuration information is used to instruct the terminal device to configure the session between the terminal device and the network device.

In a possible implementation, the session response further includes an authentication parameter, and the terminal device further includes a processing unit configured to authenticate the network device according to the authentication parameter.

It should be noted that the information exchange between the modules of the terminal device 40, their execution procedure and related details are based on the same concept as the method embodiments of the present application and bring the same technical effects as the method embodiments; for the specific content, refer to the description in the method embodiments given above, which is not repeated here.

Referring to FIG. 8, a schematic structural diagram of a communication device 50 is provided according to an embodiment of the present application. The communication device 50 includes a processor 502, a communication interface 503, a memory 501 and a bus 504. The communication interface 503, the processor 502 and the memory 501 are connected to one another through the bus 504; the bus 504 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration, only one thick line is drawn in FIG. 8, which does not mean that there is only one bus or only one type of bus. The communication device 50 can implement the functions of the network device in the embodiment shown in FIG. 6 or the functions of the terminal device in the embodiment shown in FIG. 7. The communication interface 503 can perform the functions corresponding to the receiving unit and the sending unit of the network device or terminal device in the foregoing method examples, and the processor 502 can perform the functions of the processing unit included in the network device or terminal device in the foregoing method embodiments.

The components of the communication device 50 are described in detail below with reference to FIG. 7:

The processor 502 is the control center of the controller and may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application, for example one or more digital signal processors (DSP) or one or more field programmable gate arrays (FPGA).

The communication interface 503 is used to communicate with other devices.

The processor 502 can perform the operations performed by the network device 30 in the embodiment shown in FIG. 6, and the processor 502 can perform the operations performed by the terminal device 40 in the embodiment shown in FIG. 7; details are not repeated here.

An embodiment of the present application further provides a communication apparatus 60, which may be a terminal device or a chip. The communication apparatus 60 may be configured to perform the operations performed by the terminal device in the foregoing method embodiments. When the communication apparatus 60 is a terminal device, FIG. 9 shows a simplified schematic structural diagram of the terminal device. For ease of understanding and illustration, FIG. 9 takes a mobile phone as the example of the terminal device. As shown in FIG. 9, the terminal device includes a processor, a memory, a radio frequency circuit, an antenna and an input/output apparatus. The processor is mainly used to process communication protocols and communication data, control the terminal device, execute software programs and process the data of the software programs. The memory is mainly used to store software programs and data. The radio frequency circuit is mainly used to convert between baseband signals and radio frequency signals and to process radio frequency signals. The antenna is mainly used to transmit and receive radio frequency signals in the form of electromagnetic waves. The input/output apparatus, such as a touch screen, a display or a keyboard, is mainly used to receive data input by the user and to output data to the user. It should be noted that some types of terminal device may have no input/output apparatus.

When data needs to be sent, the processor performs baseband processing on the data to be sent and outputs the baseband signal to the radio frequency circuit; the radio frequency circuit performs radio frequency processing on the baseband signal and then transmits the radio frequency signal through the antenna in the form of electromagnetic waves. When data is sent to the terminal device, the radio frequency circuit receives the radio frequency signal through the antenna, converts it into a baseband signal and outputs the baseband signal to the processor, which converts the baseband signal into data and processes the data. For ease of description, only one memory and one processor are shown in FIG. 9; an actual terminal device product may have one or more processors and one or more memories. The memory may also be called a storage medium, a storage device or the like. The memory may be provided independently of the processor or integrated with the processor; this is not limited in the embodiments of the present application.

In the embodiments of the present application, the antenna and the radio frequency circuit, which have a transceiver function, may be regarded as the transceiver unit of the terminal device, and the processor, which has a processing function, may be regarded as the processing unit of the terminal device.

The terminal device includes a transceiver unit 601 and a processing unit 602. The transceiver unit 601 may also be called a transceiver, a transceiver machine, a transceiver apparatus or the like. The processing unit 602 may also be called a processor, a processing board, a processing module, a processing apparatus or the like.

可选地,可以将收发单元601中用于实现接收功能的器件视为接收单元,将收发单元601中用于实现发送功能的器件视为发送单元,即收发单元601包括接收单元和发送单元。收发单元有时也可以称为收发机、收发器、或收发电路等。接收单元有时也可以称为接收机、接收器、或接收电路等。发送单元有时也可以称为发射机、发射器或者发射电路等。Optionally, the device for implementing the receiving function in the transceiver unit 601 may be regarded as a receiving unit, and the device for implementing the transmitting function in the transceiver unit 601 may be regarded as a transmitting unit, that is, the transceiver unit 601 includes a receiving unit and a transmitting unit. The transceiver unit may also sometimes be referred to as a transceiver, a transceiver, or a transceiver circuit. The receiving unit may also sometimes be referred to as a receiver, receiver, or receiving circuit, or the like. The transmitting unit may also sometimes be referred to as a transmitter, a transmitter, or a transmitting circuit, or the like.

例如,在一种实现方式中,收发单元601用于执行终端设备的接收操作。处理单元602用于执行终端设备侧的处理动作。For example, in an implementation manner, the transceiver unit 601 is configured to perform a receiving operation of a terminal device. The processing unit 602 is configured to perform processing actions on the terminal device side.

应理解,图9仅为示例而非限定,上述包括收发单元和处理单元的终端设备可以不依赖于图9所示的结构。It should be understood that FIG. 9 is only an example and not a limitation, and the above-mentioned terminal device including a transceiver unit and a processing unit may not depend on the structure shown in FIG. 9 .

当该通信装置60为芯片时,该芯片包括收发单元和处理单元。其中,收发单元可以是输入/输出电路或通信接口;处理单元可以为该芯片上集成的处理器或者微处理器或者集成电路。输入电路可以为输入管脚,输出电路可以为输出管脚,处理电路可以为晶体管、门电路、触发器和各种逻辑电路等。输入电路所接收的输入的信号可以是由例如但不限于接收器接收并输入的,输出电路所输出的信号可以是例如但不限于输出给发射器并由发射器发射的,且输入电路和输出电路可以是不同的电路,也可以是同一电路,这种情况下该电路在不同的时刻分别用作输入电路和输出电路。When the communication device 60 is a chip, the chip includes a transceiver unit and a processing unit. Wherein, the transceiver unit may be an input/output circuit or a communication interface; the processing unit may be a processor or a microprocessor or an integrated circuit integrated on the chip. The input circuit can be an input pin, the output circuit can be an output pin, and the processing circuit can be a transistor, a gate circuit, a flip-flop, and various logic circuits. The input signal received by the input circuit may be received and input by, for example, but not limited to, a receiver, the signal output by the output circuit may be, for example, but not limited to, output to and transmitted by a transmitter, and the input circuit and output The circuits can be different circuits or the same circuit, in which case the circuit is used as an input circuit and an output circuit respectively at different times.

需要说明的是,上述实施例提供的设备60的各模块之间的信息交互、执行过程等内容,由于与本申请方法实施例基于同一构思,其带来的技术效果与本发明方法实施例相同,具体内容可参见本申请前述所示的方法实施例中的叙述,此处不再赘述。It should be noted that the information exchange, execution process and other contents between the modules of the device 60 provided in the above embodiments are based on the same concept as the method embodiments of the present application, and the technical effects brought by them are the same as those of the method embodiments of the present invention. , and the specific content may refer to the description in the method embodiments shown in the foregoing application, and details are not repeated here.

所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统,装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that, for the convenience and brevity of description, the specific working process of the system, device and unit described above may refer to the corresponding process in the foregoing method embodiments, which will not be repeated here.

在本申请所提供的几个实施例中,应该理解到,所揭露的系统,装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored, or not implemented. On the other hand, the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.

所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.

另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The above-mentioned integrated units may be implemented in the form of hardware, or may be implemented in the form of software functional units.

所述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,read-onlymemory)、随机存取存储器(RAM,random access memory)、磁碟或者光盘等各种可以存储程序代码的介质。The integrated unit, if implemented in the form of a software functional unit and sold or used as an independent product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the present application can be embodied in the form of software products in essence, or the parts that contribute to the prior art, or all or part of the technical solutions, and the computer software products are stored in a storage medium , including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application. The aforementioned storage medium includes: U disk, removable hard disk, read-only memory (ROM, read-only memory), random access memory (RAM, random access memory), magnetic disk or optical disk and other media that can store program codes.

Claims (22)

1. An authentication method, comprising:
receiving, by a network device on an uplink common channel, a session request sent by a terminal device, wherein the session request is used to request the network device to authenticate the terminal device;
confirming, by the network device according to the session request, that the terminal device passes authentication; and
sending, by the network device on a downlink common channel, a session response to the terminal device, wherein the session response is used to instruct the terminal device to authenticate the network device.
2. The authentication method according to claim 1, wherein the session request comprises a user hidden identity (SUCI) and a first response parameter.
3. The authentication method according to claim 2, wherein the network device comprises an access and mobility management function (AMF) and an authentication service function (AUSF), and the confirming, by the network device according to the session request, that the terminal device passes authentication comprises:
sending, by the AMF, a first authentication request to the AUSF, wherein the first authentication request comprises the SUCI, the first response parameter, and a first random parameter received by the terminal device;
confirming, by the AUSF according to the first authentication request, that the terminal device passes authentication;
sending, by the AUSF, a first authentication response to the AMF, wherein the first authentication response comprises a second random parameter, a second response parameter, an authentication token (AUTN), and a security anchor function key (Kseaf); and
confirming, by the AMF according to the first authentication response, that the terminal device passes authentication.
4. The authentication method according to claim 3, wherein the network device further comprises a unified data management function (UDM), and the confirming, by the AUSF according to the first authentication request, that the terminal device passes authentication comprises:
sending, by the AUSF according to the first authentication request, first request information to the UDM, wherein the first request information comprises the first random parameter and the SUCI, and the first request information is used to instruct the UDM to send an authentication vector to the AUSF;
receiving, by the AUSF, the authentication vector sent by the UDM, wherein the authentication vector comprises the second random parameter, a third response parameter, an encryption key (CK), an integrity key (IK), and the AUTN; and
determining, by the AUSF according to the authentication vector, that the terminal device passes authentication.
5. The authentication method according to any one of claims 2 to 4, wherein the session response comprises the second random parameter, the AUTN, and configuration information, and the configuration information is used to instruct the terminal device to configure a session with the network device.
6. The authentication method according to claim 1, wherein the session request comprises the SUCI.
7. The authentication method according to claim 6, wherein the confirming, by the network device according to the session request, that the terminal device passes authentication comprises:
sending, by the network device according to the session request, a second authentication request to the terminal device, wherein the second authentication request is used to instruct the terminal device to authenticate the network device;
receiving, by the network device, a second authentication response sent by the terminal device; and
confirming, by the network device according to the second authentication response, that the terminal device passes authentication.
8. An authentication method, comprising:
sending, by a terminal device on an uplink common channel, a session request to a network device, wherein the session request is used to request the network device to authenticate the terminal device; and
receiving, by the terminal device on a downlink common channel, a session response sent by the network device, wherein the session response is used to instruct the terminal device to authenticate the network device.
9. The authentication method according to claim 8, wherein the session response comprises configuration information, and the configuration information is used to instruct the terminal device to configure a session with the network device.
10. The authentication method according to claim 8 or 9, wherein the session response further comprises authentication parameters, and the method further comprises:
authenticating, by the terminal device, the network device according to the authentication parameters.
11. A network device, comprising:
a receiving unit, configured to receive, on an uplink common channel, a session request sent by a terminal device, wherein the session request is used to request the network device to authenticate the terminal device;
a processing unit, configured to confirm, according to the session request, that the terminal device passes authentication; and
a sending unit, configured to send a session response to the terminal device on a downlink common channel, wherein the session response is used to instruct the terminal device to authenticate the network device.
12. The network device according to claim 11, wherein the session request comprises a user hidden identity (SUCI) and a first response parameter.
13. The network device according to claim 12, wherein the network device comprises an access and mobility management function (AMF) and an authentication service function (AUSF), wherein:
the AMF is configured to send a first authentication request to the AUSF, wherein the first authentication request comprises the SUCI, the first response parameter, and a first random parameter received by the terminal device;
the AUSF is configured to confirm, according to the first authentication request, that the terminal device passes authentication;
the AUSF is further configured to send a first authentication response to the AMF, wherein the first authentication response comprises a second random parameter, a second response parameter, an authentication token (AUTN), and a security anchor function key (Kseaf); and
the AMF is further configured to confirm, according to the first authentication response, that the terminal device passes authentication.
14. The network device according to claim 13, wherein the network device further comprises a unified data management function (UDM), wherein:
the AUSF is configured to send, according to the first authentication request, first request information to the UDM, wherein the first request information comprises the first random parameter and the SUCI, and the first request information is used to instruct the UDM to send an authentication vector to the AUSF;
the AUSF is further configured to receive the authentication vector sent by the UDM, wherein the authentication vector comprises the second random parameter, a third response parameter, an encryption key (CK), an integrity key (IK), and the AUTN; and
the AUSF is further configured to determine, according to the authentication vector, that the terminal device passes authentication.
15. The network device according to any one of claims 12 to 14, wherein the session response comprises the second random parameter, the AUTN, and configuration information, and the configuration information is used to instruct the terminal device to configure a session with the network device.
16. The network device according to claim 11, wherein the session request comprises the SUCI.
17. The network device according to claim 16, wherein:
the sending unit is further configured to send a second authentication request to the terminal device according to the session request, wherein the second authentication request is used to instruct the terminal device to authenticate the network device;
the receiving unit is further configured to receive a second authentication response sent by the terminal device; and
the processing unit is further configured to confirm, according to the second authentication response, that the terminal device passes authentication.
18. A terminal device, comprising:
a sending unit, configured to send a session request to a network device on an uplink common channel, wherein the session request is used to request the network device to authenticate the terminal device; and
a receiving unit, configured to receive, on a downlink common channel, a session response sent by the network device, wherein the session response is used to instruct the terminal device to authenticate the network device.
19. The terminal device according to claim 18, wherein the session response comprises configuration information, and the configuration information is used to instruct the terminal device to configure a session with the network device.
20. The terminal device according to claim 18 or 19, wherein the session response further comprises authentication parameters; and
the processing unit is configured to authenticate the network device according to the authentication parameters.
21. A communications apparatus, comprising a processor coupled to a memory, wherein the memory is configured to store a computer program or instructions, and the processor is configured to execute the computer program or instructions in the memory such that:
the method according to any one of claims 1 to 7 is performed; or
the method according to any one of claims 8 to 10 is performed.
22. A computer-readable storage medium storing instructions that, when executed on a computer, cause:
the method according to any one of claims 1 to 7 to be performed; or
the method according to any one of claims 8 to 10 to be performed.
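The single-round-trip exchange of claims 1 to 10, modelled end to end as an added example (constructed here, not the patent's or any vendor's code): the UE answers a first random parameter with a first response parameter inside its session request, the AMF forwards the SUCI, RES1 and RAND1 to the AUSF, the AUSF obtains an authentication vector from the UDM and checks RES1, and the session response carries RAND2 and AUTN so the UE can authenticate the network. Assumptions: HMAC-SHA256 stands in for the 3GPP f1..f5 and key-derivation functions, SUCI de-concealment is a lookup table, the second response parameter is omitted, and all keys, identifiers and configuration values are constructed.

```python
import hashlib, hmac, os

def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in (assumption) for the 3GPP f1..f5 and key-derivation functions."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def xor6(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a[:6], b[:6]))

class UDM:
    """Unified data management: holds long-term keys and de-conceals SUCI to SUPI."""
    def __init__(self):
        self.subs = {}      # supi -> {"k": long-term key, "sqn": sequence number}
        self.suci_map = {}  # stands in for SUCI de-concealment (real SUCI is ECIES-encrypted)
    def provision(self, supi: str, k: bytes) -> str:
        self.subs[supi] = {"k": k, "sqn": 0}
        suci = "suci-" + hashlib.sha256(supi.encode()).hexdigest()[:16]  # constructed
        self.suci_map[suci] = supi
        return suci
    def authentication_vector(self, suci: str, rand1: bytes):
        """First request information (SUCI, RAND1) -> authentication vector, or None if unknown."""
        sub = self.subs.get(self.suci_map.get(suci, ""))
        if sub is None:
            return None
        sub["sqn"] += 1
        sqn, rand2, k = sub["sqn"].to_bytes(6, "big"), os.urandom(16), sub["k"]
        xres1 = prf(k, b"res", rand1)                  # third response parameter (expected RES1)
        mac = prf(k, b"mac", rand2, sqn)[:8]           # f1: network MAC over RAND2 || SQN
        autn = xor6(sqn, prf(k, b"ak", rand2)) + mac   # AUTN = (SQN xor AK) || MAC
        return {"rand2": rand2, "xres1": xres1, "autn": autn,
                "ck": prf(k, b"ck", rand2), "ik": prf(k, b"ik", rand2)}

class AUSF:
    def __init__(self, udm: UDM):
        self.udm = udm
    def first_authentication(self, suci: str, res1: bytes, rand1: bytes):
        av = self.udm.authentication_vector(suci, rand1)
        if av is None or not hmac.compare_digest(res1, av["xres1"]):
            return None                                # terminal fails authentication
        kseaf = prf(av["ck"] + av["ik"], b"kseaf", suci.encode())  # security anchor key
        return {"rand2": av["rand2"], "autn": av["autn"], "kseaf": kseaf}

class AMF:
    def __init__(self, ausf: AUSF):
        self.ausf, self.rand1 = ausf, os.urandom(16)  # RAND1: first random parameter the UE received
    def session_request(self, req: dict) -> dict:
        """Session request on the uplink common channel -> session response on the downlink one."""
        resp = self.ausf.first_authentication(req["suci"], req["res1"], self.rand1)
        if resp is None:
            return {"status": "reject"}
        return {"status": "accept", "rand2": resp["rand2"], "autn": resp["autn"],
                "config": {"session_id": 1}}          # configuration information (constructed)

class UE:
    def __init__(self, suci: str, k: bytes):
        self.suci, self.k, self.sqn = suci, k, 0
    def session_request(self, rand1: bytes) -> dict:
        return {"suci": self.suci, "res1": prf(self.k, b"res", rand1)}  # first response parameter
    def verify_session_response(self, resp: dict) -> bool:
        """Authenticate the network: check AUTN's MAC and that SQN is fresh (replay check)."""
        if resp.get("status") != "accept":
            return False
        sqn = xor6(resp["autn"][:6], prf(self.k, b"ak", resp["rand2"]))
        expected = prf(self.k, b"mac", resp["rand2"], sqn)[:8]
        if not hmac.compare_digest(resp["autn"][6:], expected):
            return False
        if int.from_bytes(sqn, "big") <= self.sqn:
            return False
        self.sqn = int.from_bytes(sqn, "big")
        return True

def run_exchange(ue_key_matches=True, tamper_autn=False):
    udm = UDM(); amf = AMF(AUSF(udm)); k = os.urandom(32)
    suci = udm.provision("imsi-001010123456789", k)  # constructed subscriber
    ue = UE(suci, k if ue_key_matches else os.urandom(32))
    resp = amf.session_request(ue.session_request(amf.rand1))
    if tamper_autn and resp["status"] == "accept":
        resp["autn"] = resp["autn"][:-1] + bytes([resp["autn"][-1] ^ 1])
    return resp["status"] == "accept", ue.verify_session_response(resp)
```

run_exchange returns (network accepted the terminal, terminal accepted the network): a wrong subscriber key fails at the AUSF before any session response is issued, while a tampered AUTN passes the network side but is rejected by the UE, and a replayed session response is rejected by the SQN check.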
CN202011354045.0A 2020-11-26 2020-11-26 An authentication method and related equipment Pending CN114554489A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202011354045.0A CN114554489A (en) 2020-11-26 2020-11-26 An authentication method and related equipment
PCT/CN2021/130786 WO2022111328A1 (en) 2020-11-26 2021-11-16 Authentication method and related device

Publications (1)

Publication Number Publication Date
CN114554489A true CN114554489A (en) 2022-05-27

Family

ID=81667759

Country Status (2)

Country Link
CN (1) CN114554489A (en)
WO (1) WO2022111328A1 (en)

Also Published As

Publication number Publication date
WO2022111328A1 (en) 2022-06-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination