CN114554489A - Authentication method and related equipment - Google Patents
- Publication number
- CN114554489A (application number CN202011354045.0A)
- Authority
- CN
- China
- Prior art keywords
- authentication
- session
- request
- response
- network device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0433—Key management protocols
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/084—Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
Abstract
The application provides an authentication method and related equipment. First, the network device receives a session request sent by the terminal device on an uplink common channel, and confirms from the session request that the terminal device has passed authentication. Then the network device sends a session response to the terminal device on the downlink common channel; the session response is used to instruct the terminal device to authenticate the network device. In a scenario where no RRC connection is established between the terminal device and the network device, the information required for authentication can thus be transmitted between them over a common channel, and mutual authentication between the terminal device and the network device is achieved.
Description
Technical Field
The embodiment of the application relates to the field of communication, in particular to an authentication method and related equipment.
Background
Compared with a Long Term Evolution (LTE) system, a New Radio (NR) system supports a larger transmission bandwidth, more transmit-receive antenna arrays, a higher transmission rate, and a more flexible and smaller-granularity scheduling mechanism, and the above characteristics of the NR system provide a wider application range.
Network security is an important function in the fifth generation mobile communication technology (5th generation, 5G). For a process of Radio Resource Control (RRC) connection in a 2C scenario, 5G defines an Authentication and Key Agreement (AKA) specific to 5G, and performs bidirectional authentication and data encryption by using a 5G AKA method. The bidirectional authentication means that the network equipment authenticates the terminal equipment, and the terminal equipment also authenticates the network equipment.
However, in some scenarios, for example, in a 2B scenario, in order to reduce power consumption on the terminal device side, the terminal device and the network device do not need to perform RRC connection, and for a scenario without RRC connection, authentication cannot be performed between the terminal device and the network device.
Disclosure of Invention
The application provides an authentication method and related equipment. In a scenario where no RRC connection is established between the terminal device and the network device, the information required for authentication can be transmitted between them over a common channel, and authentication between the terminal device and the network device is thereby achieved.
A first aspect of the present application provides an authentication method, in which: receiving a session request sent by a terminal device on an uplink common channel by a network device, wherein the session request is used for requesting the network device to authenticate the terminal device; the network equipment confirms that the terminal equipment passes authentication according to the session request; and the network equipment sends a session response to the terminal equipment on a downlink common channel, wherein the session response is used for indicating the terminal equipment to authenticate the network equipment.
In a possible implementation manner of the first aspect, the session request includes a subscription concealed identifier (SUCI) and a first response parameter.
In this possible implementation manner, the types of parameters that may be included in the session request are provided, and the implementability of the scheme is improved.
In a possible implementation manner of the first aspect, the network device includes an access and mobility management function AMF and an authentication service function AUSF; the network device confirms that the terminal device passes the authentication according to the session request, and the method comprises the following steps: the AMF sends a first authentication request to an AUSF, wherein the first authentication request comprises the SUCI, the first response parameter and a first random parameter received by the terminal equipment; the AUSF confirms that the terminal equipment passes authentication according to the first authentication request; the AUSF sends a first authentication response to the AMF, wherein the first authentication response comprises a second random parameter, a second response parameter, an authentication token AUTN and a security anchor point function key Kseaf; and the AMF confirms that the terminal equipment passes the authentication according to the first authentication response.
In the possible implementation mode, the network device authenticates the terminal device in a two-step method, the authentication flow is embedded into the session establishment flow, and the pair of messages used by the session establishment at the air interface is used to complete the authentication, so that the information interaction is less, the authentication flow is simple, and the power saving of the terminal device is facilitated.
In a possible implementation manner of the first aspect, the network device includes a unified data management function UDM, and the AUSF confirms that the terminal device passes authentication according to the first authentication request, including: the AUSF sends first request information to the UDM according to the first authentication request, wherein the first request information comprises first random parameters and SUCI, and the first request information is used for indicating the UDM to send authentication vectors to the AUSF; the AUSF receives the authentication vector sent by the UDM, wherein the authentication vector comprises the second random parameter, a third response parameter, an encryption key CK, an integrity key IK and the AUTN; and the AUSF determines that the terminal equipment passes the authentication according to the authentication vector.
In the possible implementation mode, the network device authenticates the terminal device in a two-step method, the authentication flow is embedded into the session establishment flow, and the pair of messages used by the session establishment at the air interface is used to complete the authentication, so that the information interaction is less, the authentication flow is simple, and the power saving of the terminal device is facilitated.
In a possible implementation manner of the first aspect, the session response includes the second random parameter, the AUTN, and configuration information, where the configuration information is used to indicate that the terminal device configures a session with a network device.
In this possible implementation manner, the types of parameters possibly included in the session response are provided, and the implementability of the scheme is improved.
In one possible implementation manner of the first aspect, the session request includes the SUCI.
In this possible implementation manner, the types of parameters that may be included in the session request are provided, and the implementability of the scheme is improved.
In a possible implementation manner of the first aspect, the determining, by the network device according to the session request, that the terminal device passes authentication includes: the network equipment sends a second authentication request to the terminal equipment according to the session request, wherein the second authentication request is used for indicating the terminal equipment to authenticate the network equipment; the network equipment receives a second authentication response sent by the terminal equipment; and the network equipment confirms that the terminal equipment passes the authentication according to the second authentication response.
In this possible implementation manner, the authentication process between the terminal device and the network device can be implemented with little or no modification to the existing algorithms or flows of the UDM and the AUSF. The change to existing network equipment is small, and the impact on the 2C network is small.
A second aspect of the present application provides an authentication method, in which: a terminal device sends a session request to a network device on an uplink common channel, wherein the session request is used for requesting the network device to authenticate the terminal device; and the terminal equipment receives a session response sent by the network equipment on a downlink common channel, wherein the session response is used for indicating the terminal equipment to authenticate the network equipment.
The application provides an authentication method in which, in a scenario where no RRC connection is established between the terminal device and the network device, the information required for authentication can be transmitted between them over a common channel, thereby achieving authentication between the terminal device and the network device.
In a possible implementation manner of the second aspect, the session response includes configuration information, where the configuration information is used to indicate that the terminal device configures a session with a network device.
In a possible implementation manner of the second aspect, the session response further includes an authentication parameter, and the method further includes: and the terminal equipment authenticates the network equipment according to the authentication parameters.
A third aspect of the present application provides a network device comprising a processor coupled with a memory for storing a computer program or instructions, the processor being configured to execute the computer program or instructions in the memory such that the method of the first aspect or any possible implementation manner of the first aspect is performed.
A fourth aspect of the application provides a terminal device comprising a processor coupled with a memory for storing a computer program or instructions, the processor being configured to execute the computer program or instructions in the memory such that the method of the second aspect or any possible implementation of the second aspect is performed.
A fifth aspect of the present application provides a computer-readable storage medium storing a program that causes a method in the first aspect or any possible implementation manner of the first aspect to be performed.
A sixth aspect of the present application provides a computer-readable storage medium storing a program that causes the method of the second aspect or any possible implementation manner of the second aspect to be performed.
A seventh aspect of the present application provides a computer program product storing one or more computer executable instructions that, when executed by the processor, cause the method of the first aspect or any one of the possible implementations of the first aspect to be performed.
An eighth aspect of the present application provides a computer program product storing one or more computer executable instructions that, when executed by the processor, cause the method of any one of the possible implementations of the second aspect or the second aspect described above to be performed.
A ninth aspect of the present application provides a chip system, which comprises a processor for enabling a terminal device or a network device to implement the functions referred to in the above aspects, such as sending or processing data and/or information referred to in the above methods. In one possible design, the system-on-chip further includes a memory for storing necessary program instructions and data. The chip system may be formed by a chip, or may include a chip and other discrete devices.
According to the technical scheme, the embodiment of the application has the following advantages:
The application provides an authentication method and related equipment. First, the network device receives a session request sent by the terminal device on an uplink common channel, and confirms from the session request that the terminal device has passed authentication. Then the network device sends a session response to the terminal device on the downlink common channel; the session response is used to instruct the terminal device to authenticate the network device. In a scenario where no RRC connection is established between the terminal device and the network device, the information required for authentication can thus be transmitted between them over a common channel, and mutual authentication between the terminal device and the network device is achieved.
Drawings
Fig. 1 is a schematic diagram of an embodiment of an RRC connection based authentication method provided in the present application;
Fig. 2 is a schematic view of an application scenario of the authentication system provided in the present application;
Fig. 3 is a schematic diagram of an embodiment of an authentication method provided in the present application;
Fig. 4 is a schematic diagram of another embodiment of the authentication method provided in the present application;
Fig. 5 is a schematic diagram of another embodiment of the authentication method provided in the present application;
Fig. 6 is a schematic structural diagram of a network device provided in the present application;
Fig. 7 is a schematic structural diagram of a terminal device provided in the present application;
Fig. 8 is a schematic structural diagram of a communication device provided in the present application;
Fig. 9 is another schematic structural diagram of a communication device provided in the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments that can be derived by one skilled in the art from the embodiments given herein are intended to be within the scope of the invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein.
In the embodiments of the present application, the words "exemplary" or "such as" are used herein to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present relevant concepts in a concrete fashion for ease of understanding.
In the present application, "and/or" is only an association relationship describing an associated object, and means that there may be three relationships, for example, a and/or B, and may mean: a exists alone, A and B exist simultaneously, and B exists alone, wherein A and B can be singular or plural. Also, in the description of the present application, "a plurality" means two or more than two unless otherwise specified. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or multiple.
The technical scheme of the embodiment of the application can be applied to various communication systems, for example: a Long Term Evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, an LTE Time Division Duplex (TDD) system, a fifth generation (5G) system, i.e., a New Radio (NR) system, a future mobile communication system, and the like.
Compared with a Long Term Evolution (LTE) system, a New Radio (NR) system supports a larger transmission bandwidth, more transmit-receive antenna arrays, a higher transmission rate, and a more flexible and smaller-granularity scheduling mechanism, and the above characteristics of the NR system provide a wider application range.
Network security is an important function in 5G. For a process of Radio Resource Control (RRC) connection in a 2C scenario, 5G defines an Authentication and Key Agreement (AKA) specific to 5G, and performs bidirectional authentication and data encryption by using a 5G AKA method. The bidirectional authentication means that the network equipment authenticates the terminal equipment, and the terminal equipment also authenticates the network equipment.
Fig. 1 is a schematic diagram of an embodiment of an RRC connection based authentication method provided in the present application.
In the embodiment of the application, the process of establishing communication between the terminal device and the network device is composed of three parts, which are an RACH access procedure, an RRC establishment procedure, and a 5G AKA authentication procedure, respectively. Firstly, a terminal device initiates a random access request to an access network device, and the terminal device receives a random access response sent by the access network device. And after the terminal equipment confirms that the random access is successful according to the random access response, the terminal equipment sends an RRC establishment request to the access network equipment. And the terminal equipment receives the RRC establishment response sent by the access network equipment, and starts to execute the 5G AKA authentication process after confirming that the RRC establishment is successful according to the RRC establishment response. The 5G AKA authentication procedure is described in detail below.
In this application, after RRC connection is established between the terminal device and the access network device, subsequent air interface information is transmitted through an uplink Physical Uplink Shared Channel (PUSCH) and a downlink Physical Downlink Shared Channel (PDSCH). Only the procedure of authentication will be described here.
In this application, the network device may be a core network device, and may include an access and mobility management function (AMF), an authentication service function (AUSF), and a unified data management function (UDM). The terminal device initiates a registration request to the AMF through the access network device, where the registration request includes a subscription concealed identifier (SUCI); after determining that it is an initial registration request, the AMF requests authentication from the AUSF. On receiving the authentication request, the AUSF requests an authentication vector from the UDM; the UDM generates the authentication vector and returns it to the AUSF. The AUSF converts the 5-tuple authentication vector into a 4-tuple authentication vector and sends it to the AMF. The AMF derives a random number (RAND) and an authentication token (AUTN) from the 4-tuple authentication vector and sends them to the terminal device; the AUTN carries MAC data. The terminal device extracts the MAC from the AUTN, computes its own XMAC and checks whether XMAC matches MAC: if they match, the network device is considered authenticated; if not, it is not. Once the network has been authenticated, the terminal device computes a response parameter (RES) and sends it to the AMF in an authentication response. The AMF computes a hash response parameter (HRES) from RES and checks whether HRES matches the expected hash response parameter (HXRES) in order to authenticate the terminal device: if they match, authentication passes; otherwise it fails.
After the AMF passes the authentication of the terminal equipment, the AMF sends authentication information including RES to the AUSF for secondary authentication. And AUSF compares whether RES is consistent with expected response (XRES) or not so as to carry out secondary authentication on the terminal equipment, if so, the authentication is passed, and if not, the authentication is not passed. And after the AUSF passes the authentication of the terminal equipment, the AUSF returns the information of successful authentication to the AMF.
However, in some scenarios, for example, in a 2B scenario, in order to reduce power consumption on the terminal device side, RRC connection is not generally required between the terminal device and the network device, and for a scenario without RRC connection, authentication cannot be performed between the terminal device and the network device.
For the scenario in which the terminal device and the network device have no RRC connection, the application provides an authentication method and related equipment. First, the network device receives a session request sent by the terminal device on an uplink common channel, and confirms from the session request that the terminal device has passed authentication. Then the network device sends a session response to the terminal device on the downlink common channel; the session response is used to instruct the terminal device to authenticate the network device. Thus, even though no RRC connection is established between the terminal device and the network device, the information required for authentication can be exchanged over a common channel, and authentication between the terminal device and the network device is achieved.
Fig. 2 is a schematic view of an application scenario of the authentication system provided in the present application.
Referring to fig. 2, in the embodiment of the present application, a network device, a radio access network, and a terminal device form an authentication system.
The authentication system provided by the application comprises: network device 101; Radio Access Network (RAN) 102, RAN 103 and RAN 104; and terminal device 105, terminal device 106, terminal device 107 and terminal device 108. Network device 101 comprises an AMF 109, an AUSF 110 and a UDM 111. Terminal device 105 and terminal device 106 exchange data with the AMF 109 in network device 101 through RAN 102, terminal device 107 through RAN 103, and terminal device 108 through RAN 104; the AMF 109 exchanges data with the AUSF 110, and the AUSF 110 exchanges data with the UDM 111.
In the embodiment of the present application, only one network device, three RANs, and four terminal devices are taken as an example for schematic description. In practical applications, optionally, more or fewer RANs and terminal devices than those provided in the embodiment shown in fig. 2 may be included in the application scenario of the embodiment of the present application. The embodiments of the present application do not limit the number of network devices, RANs, and terminal devices.
The network device 101 in this embodiment may be a core network device, and optionally, the AMF, the AUSF, and the UDM may be integrated on the same device, and the AMF, the AUSF, and the UDM may be integrated on different devices, which is not limited herein.
In the application, the RAN is used to transmit information exchanged between the network device and the terminal device, and the role in the authentication process is basically to transmit the information transparently.
In the application, the AMF is used to initiate an authentication procedure inside the network device, process an authentication message of the terminal device, obtain an authentication vector from the AUSF, authenticate the terminal device, and generate an encryption key.
In the application, the AUSF is used for communicating with the UDM, obtaining the authentication vector from the UDM, processing the authentication vector, transmitting the processed authentication vector to the AMF, and authenticating the terminal equipment.
In the present application, the UDM is configured to store account opening information and a user key, and generate an authentication vector.
A terminal device in embodiments of the present application may refer to a device that provides voice and/or data connectivity to a user, a handheld device with wireless connection capability, or other processing device connected to a wireless modem. The terminal devices may be mobile terminals such as mobile telephones (or "cellular" telephones) and computers with mobile terminals, such as portable, pocket, hand-held, computer-included, or vehicle-mounted mobile devices, that exchange language and/or data with the network device. Such as Personal Communication Service (PCS) phones, cordless phones, Session Initiation Protocol (SIP) phones, Wireless Local Loop (WLL) stations, Personal Digital Assistants (PDAs), and the like. A terminal device may also be referred to as a system, a subscriber unit (subscriber unit), a subscriber station (subscriber station), a mobile station (mobile), a remote station (remote station), an access point (access point), a remote terminal (remote terminal), an access terminal (access terminal), a user agent (user agent), a user device (user device), or user equipment (user equipment), a subscriber station, a remote station, a user terminal (terminal equipment, TE), a terminal, a wireless communication device, and a user agent or user equipment. In addition, the terminal device may also be a chip system for implementing the UE function. The details are not limited herein.
The authentication method provided in the present application is described based on the authentication system described in fig. 2.
Fig. 3 is a schematic diagram of an embodiment of an authentication method provided in the present application. Referring to fig. 3, the authentication method includes steps 201 to 203.
201. The network device receives the session request sent by the terminal device on the uplink common channel, and correspondingly, the terminal device sends the session request to the network device on the uplink common channel.
In the application, no RRC connection is established between the terminal device and the network device, and information interaction between the terminal device and the network device cannot be achieved through a dedicated channel. Therefore, the terminal device sends a session request to the network device through the uplink common channel, and the session request is used for requesting the network device to authenticate the terminal device.
202. And the network equipment confirms that the terminal equipment passes the authentication according to the session request.
In the application, the session request includes the authentication parameter, and the network device may authenticate the terminal device according to the authentication parameter included in the session request.
203. The network device sends a session response to the terminal device on the downlink common channel, and correspondingly, the terminal device receives the session response sent by the network device on the downlink common channel.
In the application, no RRC connection is established between the terminal device and the network device, and information interaction between the terminal device and the network device cannot be achieved through a dedicated channel. Therefore, the network device sends a session response to the terminal device through the downlink common channel, and the session response is used for indicating the terminal device to authenticate the network device.
In the present application, step 202 in the embodiment shown in fig. 3 has a specific implementation manner, and this specific implementation manner will be described in detail below.
Mode 1: two-step authentication method
Fig. 4 is a schematic diagram of another embodiment of the authentication method provided in the present application. Referring to fig. 4, in this embodiment the network device may be a core network device that includes an AMF, an AUSF and a UDM, and the session request includes a SUCI and a first response parameter (RES).
The AMF sends a first authentication request to the AUSF.
In this embodiment, the first authentication request includes the SUCI, the RES, and the R0 that the terminal device received. R0 is generated by the network device, which updates it periodically. After receiving R0, the terminal device can calculate RES from R0 and its account opening key, and then includes RES and the SUCI in the session request sent to the AMF through the RAN.
The AUSF sends first request information to the UDM according to the first authentication request.
In this embodiment, the first request information includes R0 and the SUCI, and the first request information is used to instruct the UDM to send an authentication vector to the AUSF.
And the AUSF receives the authentication vector sent by the UDM.
In the present application, the authentication vector includes a second random parameter (R1), an expected response (XRES), an encryption key (CK), an integrity key (IK), and an authentication token (AUTN). The UDM receives the first request information, which includes R0 and the SUCI, generates the authentication vector from R0, R1, the account-opening key of the terminal and other data, and sends the authentication vector to the AUSF. The algorithm is similar to 5G AKA: the terminal device calculates RES and related parameters from R0, and correspondingly the UDM calculates XRES from R0 while calculating CK, IK and AUTN from R1.
The AUSF determines, according to the authentication vector, that the terminal device passes authentication.
In the application, the AUSF authenticates the terminal device by checking whether RES is consistent with XRES: if RES is consistent with XRES, the AUSF confirms that the terminal device passes authentication; if RES is inconsistent with XRES, the AUSF confirms that the terminal device does not pass authentication. After confirming that the terminal device passes authentication, the AUSF sends a first authentication response to the AMF.
The AUSF sends a first authentication response to the AMF.
In the present application, the first authentication response includes the second random parameter (R1), the hashed expected response (HXRES), the AUTN, and the security anchor function key (key for SEAF, Kseaf).
And the AMF confirms that the terminal equipment passes the authentication according to the first authentication response.
In the application, the AMF calculates HRES from RES and determines whether HRES is consistent with HXRES, thereby authenticating the terminal device. If the AMF confirms that HRES is consistent with HXRES, the AMF confirms that the terminal device passes authentication; if HRES is inconsistent with HXRES, the AMF confirms that the terminal device is not authenticated. After authentication passes, the AMF allocates a session ID, allocates uplink service channel resources, and calculates a NAS encryption key (key for NAS encryption, Knasenc) and a NAS integrity key (key for NAS integrity, Knasint). The allocated session ID and uplink service channel resource data are encrypted and integrity protected using these keys, and the encrypted data (session ID and service channel resources) together with R1 and AUTN are sent to the terminal device through the RAN.
In this application, after the network device confirms that the terminal device passes authentication, the session ID, rather than the subscription permanent identifier (SUPI), is used to identify the user while services are carried out between the network device and the terminal device.
In the application, the encrypted service data includes a message sequence number, and the AMF needs to check that the message sequence number increases in order to prevent replay of the service data. To prevent replay of the session request, in addition to the periodic updating of R0, the AMF also stores the assigned session ID and SUCI together with the corresponding RES and key information; if a session ID has already been assigned to the SUCI, the AMF does not trigger the flow of requesting an authentication vector from the UDM again, but directly encrypts the previously assigned data and sends it to the terminal.
In the application, to avoid a session ID remaining unchanged for a long time, which would reduce system security, a field may be added to the broadcast system message to indicate whether the terminal should perform authentication again and establish a new session.
In the application, if authentication fails on the network device side, the subsequent procedure is terminated; a failure notification may be sent between the network elements included in the network device, but no message is sent over the air interface and the terminal is not notified. Similarly, if the terminal device fails to authenticate the network device, the core network is not informed.
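The two-step flow above, including the AMF-side replay protection (session cache keyed by SUCI, periodic rotation of R0, and the increasing message sequence number), as an added Python model that is not the patent's code. HMAC-SHA256 stands in for the unspecified AKA-like functions, and the Kseaf and NAS key derivations are assumptions made for the example.

```python
"""Toy model of the two-step flow (mode 1) above; an added example, not the
patent's code. HMAC-SHA256 stands in for the unspecified AKA-like functions,
and the Kseaf / NAS key derivations are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Assumed stand-in for the AKA f-functions: HMAC-SHA256 over a label."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def hres_of(r1: bytes, res: bytes) -> bytes:
    """HRES / HXRES: hash over the second random parameter and the response."""
    return hashlib.sha256(r1 + res).digest()

def terminal_response(k: bytes, r0: bytes) -> bytes:
    """RES as the terminal computes it from R0 and its account-opening key."""
    return prf(k, b"res", r0)

class Udm:
    """Holds the account-opening (subscription) key per SUCI."""

    def __init__(self, subscribers: dict):
        self.subscribers = subscribers

    def authentication_vector(self, r0: bytes, suci: str):
        """(R1, XRES, CK, IK, AUTN): XRES from R0, matching the terminal's RES;
        CK, IK and AUTN from the freshly drawn R1."""
        k = self.subscribers[suci]
        r1 = secrets.token_bytes(16)
        return (r1, prf(k, b"res", r0), prf(k, b"ck", r1),
                prf(k, b"ik", r1), prf(k, b"mac", r1))

class Ausf:
    def __init__(self, udm: Udm):
        self.udm = udm
        self.av_requests = 0  # trips to the UDM; shows the replay cache at work

    def authenticate(self, suci: str, res: bytes, r0: bytes):
        """Handle the first authentication request; return (R1, HXRES, AUTN,
        Kseaf) as the first authentication response, or None on failure."""
        if suci not in self.udm.subscribers:
            return None
        self.av_requests += 1
        r1, xres, ck, ik, autn = self.udm.authentication_vector(r0, suci)
        if not hmac.compare_digest(res, xres):
            return None  # the failure stays inside the core network
        kseaf = prf(ck + ik, b"kseaf", suci.encode())
        return r1, hres_of(r1, xres), autn, kseaf

@dataclass
class Session:
    session_id: int
    res: bytes
    r1: bytes
    autn: bytes
    k_nas_enc: bytes
    k_nas_int: bytes
    last_seq: int = -1  # highest message sequence number accepted so far

class Amf:
    def __init__(self, ausf: Ausf):
        self.ausf = ausf
        self.r0 = secrets.token_bytes(16)  # broadcast challenge, rotated periodically
        self.sessions = {}  # SUCI -> Session (assigned session ID, RES, keys)
        self.next_session_id = 1

    def rotate_r0(self) -> None:
        self.r0 = secrets.token_bytes(16)

    def handle_session_request(self, suci: str, res: bytes):
        """Return the Session whose data goes (encrypted) into the session
        response, or None when authentication fails."""
        if suci in self.sessions:
            # A session ID is already assigned to this SUCI: re-send the
            # previously assigned data instead of fetching a new vector.
            return self.sessions[suci]
        reply = self.ausf.authenticate(suci, res, self.r0)
        if reply is None:
            return None
        r1, hxres, autn, kseaf = reply
        if not hmac.compare_digest(hres_of(r1, res), hxres):
            return None
        sess = Session(self.next_session_id, res, r1, autn,
                       prf(kseaf, b"nasenc"), prf(kseaf, b"nasint"))
        self.next_session_id += 1
        self.sessions[suci] = sess
        return sess

    def accept_service_message(self, session_id: int, seq: int) -> bool:
        """Service data carries a sequence number that must strictly increase."""
        for sess in self.sessions.values():
            if sess.session_id == session_id:
                if seq <= sess.last_seq:
                    return False  # replayed or reordered service data
                sess.last_seq = seq
                return True
        return False  # unknown session ID
```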
Mode 2: four-step authentication method
Fig. 5 is a schematic diagram of another embodiment of the authentication method provided in the present application. Referring to fig. 5, in the present embodiment the session request includes a SUCI, and the network device includes an AMF, an AUSF and a UDM.
The network device sends a second authentication request to the terminal device according to the session request.
In the application, after receiving the session request, the AMF included in the network device requests authentication from the AUSF. After receiving the authentication request, the AUSF requests an authentication vector from the UDM, and the UDM generates the authentication vector and returns it to the AUSF. The AMF generates a random number (RAND) and an authentication token (AUTN) according to the 4-tuple authentication vector, and carries the generated RAND and AUTN in the second authentication request sent to the terminal device. The second authentication request is used to instruct the terminal device to authenticate the network device.
The network device receives the second authentication response sent by the terminal device.
In the application, the terminal device obtains the AUTN from the second authentication request, where the AUTN includes the MAC data. The terminal device extracts the MAC data from the AUTN, calculates XMAC, and checks whether XMAC is consistent with the MAC: if so, the network device is considered to pass authentication; if not, the network device is considered not to pass authentication. After the network device passes authentication, the terminal device calculates a response parameter (RES) and sends it to the AMF in a second authentication response.
The network device confirms, according to the second authentication response, that the terminal device passes authentication.
In the application, the network device obtains the response parameter (RES) from the second authentication response; the AMF calculates the hashed response parameter (HRES) from RES and determines whether HRES is consistent with the expected hashed response parameter (HXRES) in order to authenticate the terminal device. If they are consistent, authentication passes; if they are inconsistent, authentication fails. After the AMF has authenticated the terminal device, it sends authentication information including RES to the AUSF for secondary authentication. The AUSF compares RES with the expected response (XRES) to authenticate the terminal device a second time: if they are consistent, authentication passes; if not, it fails. After the AUSF has authenticated the terminal device, it replies to the AMF with an authentication success message.
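The four-step exchange above, as an added Python model that is not the patent's code: the terminal authenticates the network from the MAC in AUTN before it releases any RES, after which the AMF (HRES vs HXRES) and the AUSF (RES vs XRES) check the terminal in turn. HMAC-SHA256 is assumed in place of the unspecified AKA-like functions, and the AMF, AUSF and UDM are collapsed into one CoreNetwork object that keeps its pending challenge per SUCI.

```python
"""Toy model of the four-step flow (mode 2) above; an added example, not the
patent's code. HMAC-SHA256 stands in for the AKA-like functions (assumption);
MAC and XRES are both derived from RAND and the account-opening key."""
import hashlib
import hmac
import secrets

def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Assumed stand-in for the AKA f-functions: HMAC-SHA256 over a label."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def hres_of(rand: bytes, res: bytes) -> bytes:
    """HRES / HXRES: hash over RAND and the (expected) response."""
    return hashlib.sha256(rand + res).digest()

class Terminal:
    def __init__(self, suci: str, k: bytes):
        self.suci, self.k = suci, k
        self.network_authenticated = False

    def session_request(self) -> str:
        return self.suci  # in mode 2 the session request carries only the SUCI

    def handle_authentication_request(self, rand: bytes, autn: bytes):
        """Second authentication request: check MAC against XMAC first, and
        only then compute RES. Returns RES, or None when the network fails."""
        xmac = prf(self.k, b"mac", rand)
        if not hmac.compare_digest(xmac, autn):
            return None  # network not authenticated; the core network is not told
        self.network_authenticated = True
        return prf(self.k, b"res", rand)

class CoreNetwork:
    """AMF, AUSF and UDM collapsed into one object; state is kept per SUCI."""

    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # SUCI -> account-opening key (UDM)
        self.pending = {}  # SUCI -> (RAND, XRES, HXRES, AUTN) awaiting a reply

    def handle_session_request(self, suci: str):
        """UDM builds the vector; AMF returns (RAND, AUTN) for the terminal."""
        k = self.subscribers.get(suci)
        if k is None:
            return None
        rand = secrets.token_bytes(16)
        xres = prf(k, b"res", rand)
        autn = prf(k, b"mac", rand)
        self.pending[suci] = (rand, xres, hres_of(rand, xres), autn)
        return rand, autn

    def handle_authentication_response(self, suci: str, res: bytes) -> bool:
        """AMF check (HRES vs HXRES), then the AUSF secondary check (RES vs XRES).
        The pending challenge is consumed whatever the outcome."""
        entry = self.pending.pop(suci, None)
        if entry is None:
            return False  # no outstanding challenge for this SUCI
        rand, xres, hxres, _autn = entry
        if not hmac.compare_digest(hres_of(rand, res), hxres):
            return False  # rejected by the AMF
        return hmac.compare_digest(res, xres)  # AUSF secondary authentication

def run_four_step(core: CoreNetwork, ue: Terminal) -> bool:
    """Drive one complete exchange; True only if both sides authenticate."""
    challenge = core.handle_session_request(ue.session_request())
    if challenge is None:
        return False
    res = ue.handle_authentication_request(*challenge)
    if res is None:
        return False
    return core.handle_authentication_response(ue.suci, res)
```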
In this embodiment, in a scenario where there is no RRC connection between the terminal device and the network device, information exchanged between the terminal device and the network device is transmitted not through a Physical Uplink Shared Channel (PUSCH) and a Physical Downlink Shared Channel (PDSCH), but through an uplink access channel and a downlink common control channel.
The foregoing embodiments provide different implementations of the authentication method. A network device 30 is provided below, as shown in fig. 6. The network device 30 is configured to execute the steps executed by the network device in the foregoing embodiments; those steps and their corresponding beneficial effects are understood with reference to the foregoing embodiments and are not described again here. The network device 30 includes:
a receiving unit 301, configured to receive, on an uplink common channel, a session request sent by a terminal device, where the session request is used to request the network device to authenticate the terminal device;
a processing unit 302, configured to confirm that the terminal device passes authentication according to the session request;
a sending unit 303, configured to send a session response to the terminal device on a downlink common channel, where the session response is used to instruct the terminal device to authenticate the network device.
In one possible implementation, the session request includes a user hidden identity SUCI and a first response parameter.
In a possible implementation manner, the network device includes an access and mobility management function AMF and an authentication service function AUSF;
the AMF sends a first authentication request to an AUSF, wherein the first authentication request comprises the SUCI, the first response parameter and a first random parameter received by the terminal equipment;
the AUSF confirms that the terminal equipment passes authentication according to the first authentication request;
the AUSF sends a first authentication response to the AMF, wherein the first authentication response comprises a second random parameter, a second response parameter, an authentication token AUTN and a security anchor point function key Kseaf;
and the AMF confirms that the terminal equipment passes the authentication according to the first authentication response.
In a possible implementation manner, the network device includes a unified data management function UDM;
the AUSF sends first request information to the UDM according to the first authentication request, wherein the first request information comprises the first random parameter and the SUCI, and the first request information is used for instructing the UDM to send an authentication vector to the AUSF;
the AUSF receives the authentication vector sent by the UDM, wherein the authentication vector comprises the second random parameter, a third response parameter, an encryption key CK, an integrity key IK and the AUTN;
and the AUSF determines that the terminal equipment passes the authentication according to the authentication vector.
In a possible implementation manner, the session response includes the second random parameter, the AUTN, and configuration information, where the configuration information is used to indicate a session between the terminal device and a network device.
In one possible implementation, the session request includes the SUCI.
In one possible implementation,
the sending unit 303 is further configured to send a second authentication request to the terminal device according to the session request, where the second authentication request is used to instruct the terminal device to authenticate the network device;
the receiving unit 301 is further configured to receive a second authentication response sent by the terminal device;
the processing unit 302 is further configured to confirm that the terminal device passes the authentication according to the second authentication response.
It should be noted that, because the information interaction and execution process between the modules of the network device 30 are based on the same concept as the method embodiments of the present application, their technical effects are the same as those of the method embodiments; for details, refer to the description of the foregoing method embodiments, which is not repeated here.
The foregoing embodiments provide different implementations of the network device 30. A terminal device 40 is provided below, as shown in fig. 7. The terminal device 40 is configured to execute the steps executed by the terminal device in the foregoing embodiments; those steps and their corresponding beneficial effects are understood with reference to the foregoing embodiments and are not described again here. The terminal device 40 includes:
a sending unit 401, configured to send a session request to a network device on an uplink common channel, where the session request is used to request the network device to authenticate the terminal device;
a receiving unit 402, configured to receive, on a downlink common channel, a session response sent by the network device, where the session response is used to instruct the terminal device to authenticate the network device.
In a possible implementation manner, the session response includes configuration information, and the configuration information is used to indicate that the terminal device configures a session with a network device.
In a possible implementation manner, the session response further includes an authentication parameter; and the processing unit is used for authenticating the network equipment according to the authentication parameters.
It should be noted that, because the information interaction and execution process between the modules of the terminal device 40 are based on the same concept as the method embodiments of the present application, their technical effects are the same as those of the method embodiments; for details, refer to the description of the foregoing method embodiments, which is not repeated here.
Referring to fig. 8, a schematic structural diagram of a communication device 50 is provided for the embodiment of the present application, where the communication device 50 includes: a processor 502, a communication interface 503, a memory 501, and a bus 504. Wherein, the communication interface 503, the processor 502 and the memory 501 are connected to each other by a bus 504; the bus 504 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 8, but this is not intended to represent only one bus or type of bus. The communication device 50 may implement the functionality of a network device in the embodiment shown in fig. 6 or the functionality of a terminal device in the embodiment shown in fig. 7. The communication interface 503 may perform corresponding functions corresponding to the receiving unit and the sending unit in the network device or the terminal device in the above method examples, and the processor 502 may perform functions performed by a processing unit included in the network device or the terminal device in the above method examples.
The respective constituent elements of the communication device 50 will be specifically described below with reference to fig. 7:
the processor 502 is a control center of the controller, and may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application, for example: one or more Digital Signal Processors (DSPs), or one or more Field Programmable Gate Arrays (FPGAs).
The communication interface 503 is used for communication with other devices.
The processor 502 may perform the operations performed by the network device 30 in the embodiment shown in fig. 6, and the processor 502 may perform the operations performed by the terminal device 40 in the embodiment shown in fig. 7, which are not described herein again.
The embodiment of the present application further provides a communication device 60, where the communication device 60 may be a terminal device or a chip. The communication device 60 may be used to perform the operations performed by the terminal device in the above-described method embodiments. When the communication device 60 is a terminal device, fig. 9 shows a simplified structure diagram of the terminal device. For easy understanding and illustration, in fig. 9, the terminal device is exemplified by a mobile phone. As shown in fig. 9, the terminal device includes a processor, a memory, a radio frequency circuit, an antenna, and an input-output device. The processor is mainly used for processing communication protocols and communication data, controlling the terminal equipment, executing software programs, processing data of the software programs and the like. The memory is used primarily for storing software programs and data. The radio frequency circuit is mainly used for converting baseband signals and radio frequency signals and processing the radio frequency signals. The antenna is mainly used for receiving and transmitting radio frequency signals in the form of electromagnetic waves. Input and output devices, such as touch screens, display screens, keyboards, etc., are used primarily for receiving data input by a user and for outputting data to the user. It should be noted that some kinds of terminal devices may not have input/output devices.
When data needs to be sent, the processor performs baseband processing on the data to be sent and outputs baseband signals to the radio frequency circuit, and the radio frequency circuit performs radio frequency processing on the baseband signals and sends the radio frequency signals to the outside in the form of electromagnetic waves through the antenna. When data is sent to the terminal equipment, the radio frequency circuit receives radio frequency signals through the antenna, converts the radio frequency signals into baseband signals and outputs the baseband signals to the processor, and the processor converts the baseband signals into the data and processes the data. For ease of illustration, only one memory and processor are shown in FIG. 9, and one or more processors and one or more memories may be present in an actual end device product. The memory may also be referred to as a storage medium or a storage device, etc. The memory may be provided independently of the processor, or may be integrated with the processor, which is not limited in this embodiment.
In the embodiment of the present application, the antenna and the radio frequency circuit having the transceiving function may be regarded as a transceiving unit of the terminal device, and the processor having the processing function may be regarded as a processing unit of the terminal device.
The terminal device includes a transceiving unit 601 and a processing unit 602. The transceiver unit 601 may also be referred to as a transceiver, a transceiving device, etc. The processing unit 602 may also be referred to as a processor, a processing board, a processing module, a processing device, and the like.
Alternatively, a device for implementing a receiving function in the transceiver 601 may be regarded as a receiving unit, and a device for implementing a transmitting function in the transceiver 601 may be regarded as a transmitting unit, that is, the transceiver 601 includes a receiving unit and a transmitting unit. A transceiver unit may also sometimes be referred to as a transceiver, transceiving circuitry, or the like. A receiving unit may also be referred to as a receiver, a receiving circuit, or the like. A transmitting unit may also sometimes be referred to as a transmitter, or a transmitting circuit, etc.
For example, in one implementation, the transceiver 601 is configured to perform a receiving operation of the terminal device. The processing unit 602 is configured to perform a processing action on the terminal device side.
It should be understood that fig. 9 is only an example and not a limitation, and the terminal device including the transceiving unit and the processing unit may not depend on the structure shown in fig. 9.
When the communication device 60 is a chip, the chip includes a transceiving unit and a processing unit. The transceiving unit can be an input/output circuit or a communication interface; the processing unit may be a processor or a microprocessor or an integrated circuit integrated on the chip. The input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be a transistor, a gate circuit, a flip-flop, various logic circuits, and the like. The input signal received by the input circuit may be received and input by, for example and without limitation, a receiver, the signal output by the output circuit may be, for example and without limitation, output to and transmitted by a transmitter, and the input circuit and the output circuit may be different circuits or the same circuit, in which case the circuits function as the input circuit and the output circuit, respectively, at different times.
It should be noted that, because the information interaction and execution process between the modules of the communication device 60 provided in the foregoing embodiment are based on the same concept as the method embodiments of the present application, their technical effects are the same as those of the method embodiments; for details, refer to the description of the foregoing method embodiments, which is not repeated here.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and the like.
Claims (22)
1. An authentication method, comprising:
receiving a session request sent by a terminal device on an uplink common channel by a network device, wherein the session request is used for requesting the network device to authenticate the terminal device;
the network equipment confirms that the terminal equipment passes authentication according to the session request;
and the network equipment sends a session response to the terminal equipment on a downlink common channel, wherein the session response is used for indicating the terminal equipment to authenticate the network equipment.
2. The authentication method according to claim 1, wherein the session request comprises a user hidden identity, SUCI, and a first response parameter.
3. The authentication method according to claim 2, characterized in that said network equipment comprises an access and mobility management function AMF and an authentication service function AUSF;
the network device confirms that the terminal device passes the authentication according to the session request, and the method comprises the following steps:
the AMF sends a first authentication request to an AUSF, wherein the first authentication request comprises the SUCI, the first response parameter and a first random parameter received by the terminal equipment;
the AUSF confirms that the terminal equipment passes authentication according to the first authentication request;
the AUSF sends a first authentication response to the AMF, wherein the first authentication response comprises a second random parameter, a second response parameter, an authentication token AUTN and a security anchor point function key Kseaf;
and the AMF confirms that the terminal equipment passes the authentication according to the first authentication response.
4. The authentication method according to claim 3, wherein the network device comprises a unified data management function (UDM), and the AUSF confirms that the terminal device passes the authentication according to the first authentication request, comprising:
the AUSF sends first request information to the UDM according to the first authentication request, wherein the first request information comprises first random parameters and SUCI, and the first request information is used for indicating the UDM to send authentication vectors to the AUSF;
the AUSF receives the authentication vector sent by the UDM, wherein the authentication vector comprises the second random parameter, a third response parameter, an encryption key CK, an integrity key IK and the AUTN;
and the AUSF determines that the terminal equipment passes the authentication according to the authentication vector.
5. The authentication method according to claims 2 to 4, wherein the session response includes the second random parameter, AUTN, and configuration information, and the configuration information is used to indicate that the terminal device configures a session with a network device.
6. The authentication method of claim 1, wherein the session request comprises the SUCI.
7. The authentication method as claimed in claim 6, wherein the network device confirms that the terminal device passes the authentication according to the session request, comprising:
the network equipment sends a second authentication request to the terminal equipment according to the session request, wherein the second authentication request is used for indicating the terminal equipment to authenticate the network equipment;
the network equipment receives a second authentication response sent by the terminal equipment;
and the network equipment confirms that the terminal equipment passes the authentication according to the second authentication response.
8. An authentication method, comprising:
a terminal device sends a session request to a network device on an uplink common channel, wherein the session request is used for requesting the network device to authenticate the terminal device;
and the terminal equipment receives a session response sent by the network equipment on a downlink common channel, wherein the session response is used for indicating the terminal equipment to authenticate the network equipment.
9. The authentication method according to claim 8, wherein the session response comprises configuration information indicating that the terminal device configures a session with a network device.
10. The authentication method according to claim 8 or 9, wherein the session response further comprises authentication parameters, the method further comprising:
and the terminal equipment authenticates the network equipment according to the authentication parameters.
11. A network device, comprising:
a receiving unit, configured to receive, on an uplink common channel, a session request sent by a terminal device, where the session request is used to request the network device to authenticate the terminal device;
a processing unit, configured to confirm that the terminal device passes authentication according to the session request;
a sending unit, configured to send a session response to the terminal device on a downlink common channel, where the session response is used to instruct the terminal device to authenticate the network device.
12. The network device of claim 11, wherein the session request comprises a user hidden identity (SUCI) and a first response parameter.
13. Network device according to claim 12, characterized in that it comprises an access and mobility management function AMF and an authentication service function AUSF;
the AMF sends a first authentication request to an AUSF, wherein the first authentication request comprises the SUCI, the first response parameter and a first random parameter received by the terminal equipment;
the AUSF confirms that the terminal equipment passes authentication according to the first authentication request;
the AUSF sends a first authentication response to the AMF, wherein the first authentication response comprises a second random parameter, a second response parameter, an authentication token AUTN and a security anchor point function key Kseaf;
and the AMF confirms that the terminal equipment passes the authentication according to the first authentication response.
14. The network device of claim 13, wherein the network device comprises a unified data management function (UDM);
the AUSF sends first request information to the UDM according to the first authentication request, wherein the first request information comprises the first random parameter and the SUCI, and the first request information is used to instruct the UDM to send an authentication vector to the AUSF;
the AUSF receives the authentication vector sent by the UDM, wherein the authentication vector comprises the second random parameter, a third response parameter, an encryption key CK, an integrity key IK and the AUTN;
and the AUSF determines, according to the authentication vector, that the terminal device passes authentication.
15. The network device according to any one of claims 12 to 14, wherein the session response comprises the second random parameter, the AUTN and configuration information, and the configuration information is used to instruct the terminal device to configure a session with the network device.
16. The network device of claim 11, wherein the session request comprises the SUCI.
17. The network device of claim 16,
the sending unit is further configured to send a second authentication request to the terminal device according to the session request, where the second authentication request is used to instruct the terminal device to authenticate the network device;
the receiving unit is further configured to receive a second authentication response sent by the terminal device;
and the processing unit is further configured to confirm, according to the second authentication response, that the terminal device passes authentication.
18. A terminal device, comprising:
a sending unit, configured to send a session request to a network device on an uplink common channel, where the session request is used to request the network device to authenticate the terminal device;
a receiving unit, configured to receive, on a downlink common channel, a session response sent by the network device, where the session response is used to instruct the terminal device to authenticate the network device.
19. The terminal device of claim 18, wherein the session response comprises configuration information, and the configuration information is used to instruct the terminal device to configure a session with the network device.
20. The terminal device according to claim 18 or 19, wherein the session response further comprises authentication parameters;
and the processing unit is configured to authenticate the network device according to the authentication parameters.
21. A communications apparatus, comprising a processor coupled with a memory, the memory storing a computer program or instructions, and the processor executing the computer program or instructions in the memory such that:
the method of any one of claims 1 to 7 is performed; or
the method of any one of claims 8 to 10 is performed.
22. A computer-readable storage medium having stored therein instructions that, when executed on a computer, cause:
the method of any one of claims 1 to 7 to be performed; or
the method of any one of claims 8 to 10 to be performed.
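The exchange in claims 11 to 20, modelled end to end as an added example (not code from the patent): the UE sends a session request carrying the SUCI and a response parameter on the common channel, the AUSF checks that parameter against the authentication vector it obtains from the UDM, and the UE authenticates the network from the second random parameter and AUTN carried in the session response. The HMAC-based helpers, the subscriber table, the SUCI de-concealment, the source of the first random parameter, the Kseaf derivation and the configuration information are all assumptions standing in for details the claims do not specify, and the second response parameter is omitted for the same reason.

```python
import hashlib
import hmac
import os

# Constructed subscriber record: SUPI -> long-term key K shared by the UE and the UDM.
K_UE = bytes.fromhex("00112233445566778899aabbccddeeff")
SUBSCRIBERS = {"supi-001": K_UE}

def f_res(k, rand):          # stand-in for the AKA response function, RES = f(K, RAND)
    return hmac.new(k, b"RES|" + rand, hashlib.sha256).digest()[:8]
def f_autn(k, rand):         # stand-in for AUTN: a tag only a holder of K can produce
    return hmac.new(k, b"AUTN|" + rand, hashlib.sha256).digest()[:8]
def f_kdf(k, rand, label):   # stand-in derivation of CK, IK and Kseaf
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:16]

def ue_session_request(suci, k, rand1):  # claim 12: UE -> network on the uplink common channel
    return {"suci": suci, "rand1": rand1, "res1": f_res(k, rand1)}

def udm_authentication_vector(suci, rand1):
    """UDM reply to the AUSF's first request information (claim 14)."""
    k = SUBSCRIBERS[suci.replace("suci-", "supi-", 1)]   # stand-in for SUCI de-concealment
    rand2 = os.urandom(16)
    return {"rand2": rand2, "res3": f_res(k, rand1), "ck": f_kdf(k, rand2, b"CK|"),
            "ik": f_kdf(k, rand2, b"IK|"), "autn": f_autn(k, rand2)}

def ausf_first_authentication_response(req):
    """AUSF side of claims 13 and 14: RES1 from the UE must equal RES3 from the UDM."""
    av = udm_authentication_vector(req["suci"], req["rand1"])
    if not hmac.compare_digest(req["res1"], av["res3"]):
        return None                                       # terminal fails authentication
    kseaf = f_kdf(av["ck"] + av["ik"], av["rand2"], b"Kseaf|")   # assumed Kseaf derivation
    return {"rand2": av["rand2"], "autn": av["autn"], "kseaf": kseaf}

def network_session_response(req):
    """AMF side of claims 11 and 15: session response on the downlink common channel, or None."""
    auth = ausf_first_authentication_response(req)
    if auth is None:
        return None
    return {"rand2": auth["rand2"], "autn": auth["autn"], "config": b"constructed-session-config"}

def ue_authenticate_network(resp, k):  # claim 20: UE recomputes AUTN under K for RAND2
    return hmac.compare_digest(resp["autn"], f_autn(k, resp["rand2"]))

def run_exchange(k_ue=K_UE):
    """Full round trip; returns 'ok', 'ue-rejected' or 'network-rejected'."""
    rand1 = os.urandom(16)   # assumed: a random parameter the UE received earlier from the network
    req = ue_session_request("suci-001", k_ue, rand1)
    resp = network_session_response(req)
    if resp is None:
        return "ue-rejected"
    return "ok" if ue_authenticate_network(resp, k_ue) else "network-rejected"
```

A UE holding a key other than the one the UDM has on record is rejected before any session response is sent, and a response whose AUTN was not produced under K is rejected by the UE.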
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011354045.0A CN114554489A (en) | 2020-11-26 | 2020-11-26 | Authentication method and related equipment |
PCT/CN2021/130786 WO2022111328A1 (en) | 2020-11-26 | 2021-11-16 | Authentication method and related device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011354045.0A CN114554489A (en) | 2020-11-26 | 2020-11-26 | Authentication method and related equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114554489A true CN114554489A (en) | 2022-05-27 |
Family
ID=81667759
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011354045.0A Pending CN114554489A (en) | 2020-11-26 | 2020-11-26 | Authentication method and related equipment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN114554489A (en) |
WO (1) | WO2022111328A1 (en) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101964976B (en) * | 2009-07-21 | 2016-08-24 | 中兴通讯股份有限公司 | Terminal authentication method and base station |
CN109922474B (en) * | 2017-08-07 | 2020-03-20 | 华为技术有限公司 | Method for triggering network authentication and related equipment |
CN111526503B (en) * | 2020-04-29 | 2022-06-24 | 中国电子科技集团公司第五十四研究所 | Authentication method and system for GEO satellite Internet of things |
- 2020-11-26 CN CN202011354045.0A patent/CN114554489A/en active Pending
- 2021-11-16 WO PCT/CN2021/130786 patent/WO2022111328A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2022111328A1 (en) | 2022-06-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111447678B (en) | Communication method and communication device | |
US20180359633A1 (en) | Neighbor Awareness Networking Device Pairing | |
US10142840B2 (en) | Method and apparatus for operating a user client wireless communication device on a wireless wide area network | |
US11856396B2 (en) | System and method for security activation with session granularity | |
US20180095500A1 (en) | Tap-to-dock | |
WO2018166338A1 (en) | Key update method and apparatus | |
WO2023016395A1 (en) | Method and communication apparatus for secure communication | |
WO2020238957A1 (en) | Verification method and apparatus | |
US10142834B2 (en) | Method and apparatus for operating a user client wireless communication device on a wireless wide area network | |
CN110933709B (en) | Protocol data unit session management method and communication device | |
CN113873492A (en) | Communication method and related device | |
CN113453222B (en) | Communication method and device | |
WO2023273880A1 (en) | Transmission mode switching method and related apparatus | |
US20190149326A1 (en) | Key obtaining method and apparatus | |
CN114554489A (en) | Authentication method and related equipment | |
WO2022133912A1 (en) | Sidelink communication method, apparatus and system | |
CN110913507B (en) | Communication method and device | |
WO2020093860A1 (en) | Fake network device identification method and communication apparatus | |
EP4333479A1 (en) | Rrc connection maintenance method, related device, and readable storage medium | |
EP4447511A1 (en) | Method and apparatus for data processing in random access process | |
EP4231189A1 (en) | Flexible authentication | |
CN116528234B (en) | Virtual machine security and credibility verification method and device | |
US20230276231A1 (en) | Authentication Between Wireless Devices and Edge Servers | |
WO2024207784A1 (en) | Random access method and apparatus | |
WO2024092529A1 (en) | Determining authentication credentials for a device-to-device service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||