WO2018103655A1 - Method of accessing network apparatus, terminal apparatus thereof, and network apparatus - Google Patents
- Publication number: WO2018103655A1 (PCT/CN2017/114765)
- Authority: WO (WIPO, PCT)
- Prior art keywords: authentication, cell, terminal device, request message, network
Classifications
- H: Electricity > H04: Electric communication technique > H04W: Wireless communication networks > H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06: Authentication
- H04W12/08: Access security
Definitions
- the present application relates to the field of communications, and in particular, to a method for accessing a network device, a terminal device thereof, and a network device.
- GSM Global System for Mobile Communication
- In the GSM network, the terminal device does not authenticate the network side (authentication is one-way: only the network authenticates the subscriber). A pseudo base station can therefore exist in the GSM network. A pseudo base station is a base station masquerading as an operator's base station; it can spoof another person's mobile phone number as the sender and forcibly push short messages such as fraud and advertising to the user's mobile phone.
- GSM pseudo base stations are hard to detect, and a fraud industry chain with the pseudo base station as its source has formed, causing users to be deceived and to suffer heavy losses.
- Pseudo base station technology keeps being upgraded: even if the terminal device and the network have been upgraded to 3G/4G, as long as the terminal device still supports GSM, the pseudo base station can jam the 3G/4G signal across the whole frequency band so that the terminal device falls back to the 2G network, after which it can continue to send spam messages to the terminal device.
- the embodiment of the present application provides a method for accessing a network device and a network device thereof, which can minimize the impact of the pseudo base station on the network.
- In a first aspect, a terminal device receives a system message sent by a base station controller, determines according to the system message that the terminal device is allowed to access a first cell, and performs network authentication when accessing the first cell.
- The first cell is a cell that supports two-way authentication; the terminal device sends an uplink authentication request message to the core network device, where the uplink authentication request message is used to notify the core network device to authenticate the terminal device; when the terminal device receives the downlink authentication request message sent by the core network device, it performs network authentication on the target cell among the first cells to determine whether to access the target cell.
- The embodiment of the present application can thus restrict the terminal device to cells supporting two-way authentication and make it perform network authentication on the target cell before accessing it, so that network attacks caused by a pseudo base station are avoided.
- Optionally, the first cell is a cell identified as an R99+ (Release 99 or later) version in the system message.
- The embodiment of the present application thus only allows the terminal device to access cells identified as R99+, because a cell of the R99+ version supports two-way authentication. The terminal device then determines whether the R99+ target cell may be accessed by performing network authentication on it, so that network attacks caused by a pseudo base station are avoided as far as possible.
- Performing network authentication on the target cell among the first cells to determine whether to access the target cell includes: when the terminal device passes network authentication of the target cell, determining to access the target cell; when the terminal device fails network authentication of the target cell, determining not to access the target cell.
- A pseudo cell cannot pass the terminal device's authentication, so the terminal device does not access the pseudo cell; the terminal device is thereby prevented from accessing the pseudo cell, and the network is protected from the pseudo base station's attack.
- Optionally, the method further includes: returning an authentication response message to the core network device, where the authentication response message indicates that the terminal device has successfully authenticated the target cell.
- By returning the authentication response message to the core network device, the terminal device notifies the core network device that it has authenticated the target cell.
- Optionally, the uplink authentication request message is an access request message, where the access request message includes a ciphering key sequence number (CKSN) field that is used to trigger the network device's authentication procedure for the terminal device.
- By means of the CKSN field, the core network device can be instructed to trigger authentication of the terminal device, so the information exchange between the network device and the terminal device is implemented without increasing signalling overhead.
- Optionally, the access request message is one of: a location update request message, a connection management (CM) service request message, or a paging response message.
- Optionally, the system message carries identifier information, where the identifier information indicates that the first cell is a cell identified as an R99+ version.
- The terminal device can thereby be notified that it is allowed to access the first cell of the R99+ version.
- In a second aspect, a method for accessing a network device is provided, where the core network device receives an uplink authentication request message sent by the terminal device, the uplink authentication request message being a request message sent by the terminal device after receiving the system message sent by the base station controller; the system message is used by the terminal device to determine that it is allowed to access the first cell and instructs the terminal device to perform network authentication when accessing the first cell, where the first cell is a cell that supports bidirectional authentication; the core network authenticates the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on the target cell among the first cells and determines whether to access the target cell.
- The embodiment of the present application can thus restrict the terminal device to cells supporting two-way authentication and make it perform network authentication on the target cell before accessing it, so that network attacks caused by a pseudo base station are avoided.
- Optionally, after the core network device receives the uplink authentication request message sent by the terminal device, authenticating the terminal device according to the uplink authentication request message further includes: sending a downlink authentication request message to the terminal device, where the downlink authentication request message is used to instruct the terminal device to perform network authentication on the target cell, and where the downlink authentication request message carries the identifier of the target cell.
- Optionally, the network covered by the core network device is a network supporting two-way authentication; further, the network covered by the core network device is of the R99+ version.
- In a third aspect, a method for accessing a network device is provided, where the base station controller sends a system message to the terminal device, the system message being used to indicate that the terminal device is allowed to access the first cell and that the terminal device performs network authentication when accessing the first cell, where the first cell is a cell that supports bidirectional authentication;
- the base station controller receives an uplink authentication request message sent by the terminal device, where the uplink authentication request message is used to indicate that the terminal device needs to perform network authentication on the first cell;
- the base station controller sends the uplink authentication request message to the core network device to notify the core network device to authenticate the terminal device, so that the terminal device accesses a cell that it has authenticated.
- Optionally, the method further includes: receiving a downlink authentication request message sent by the core network device, where the downlink authentication request message is used to notify the terminal device to perform network authentication on the target cell among the first cells and carries the identifier of the target cell, and sending the downlink authentication request message to the terminal device.
- Optionally, the system message carries identifier information, where the identifier information indicates that the first cell is a cell identified as an R99+ version.
- Optionally, the system message is one of the following: base station subsystem (BSS) system information message 2, BSS system information message 3, BSS system information message 4.
- Optionally, before the base station controller sends the system message to the terminal device, the method further includes: determining that the network covered by the core network device is of the R99+ version.
- a terminal device for performing the method of any of the above first aspect or any of the possible implementations of the first aspect.
- the terminal device comprises means for performing the method of any of the above-described first aspect or any of the possible implementations of the first aspect.
- a network device for performing the method of any of the foregoing second aspect or any of the possible implementations of the second aspect.
- the apparatus comprises means for performing the method of any of the above-described second aspect or any of the possible implementations of the second aspect.
- the apparatus comprises means for performing the method of any of the possible implementations of the third aspect or the third aspect described above.
- A terminal device is provided, comprising: a transceiver, a memory, a processor, and a bus system.
- The transceiver, the memory and the processor are connected by the bus system; the memory stores instructions, and the processor executes the instructions stored in the memory to control the transceiver to receive and/or transmit signals.
- When the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the first aspect or any of the possible implementations of the first aspect.
- A network device is provided, comprising: a transceiver, a memory, a processor, and a bus system.
- The transceiver, the memory and the processor are coupled by the bus system; the memory stores instructions, and the processor executes the instructions stored in the memory to control the transceiver to receive and/or transmit signals; when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the second aspect or any of the possible implementations of the second aspect.
- A further network device is provided, comprising: a transceiver, a memory, a processor, and a bus system.
- The transceiver, the memory and the processor are connected by the bus system; the memory stores instructions, and the processor executes the instructions stored in the memory to control the transceiver to receive and/or transmit signals.
- When the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the third aspect or any of the possible implementations of the third aspect.
- In a tenth aspect, a computer readable medium is provided for storing a computer program, the computer program comprising instructions for performing the method of the first aspect or any of the possible implementations of the first aspect.
- a computer readable medium for storing a computer program comprising instructions for performing the method of any of the second aspect or any of the possible implementations of the second aspect.
- a computer readable medium for storing a computer program comprising instructions for performing the method of any of the third aspect or any of the possible implementations of the third aspect.
- FIG. 1 is a schematic diagram of an authentication scenario applied in an embodiment of the present application.
- FIG. 2 shows a schematic flow chart of a method of an embodiment of the present application.
- Figure 3 shows a schematic diagram of a method of one embodiment of the present application.
- Figure 4 shows a schematic diagram of a method of one embodiment of the present application.
- FIG. 5 shows a schematic flow chart of a method of an embodiment of the present application.
- FIG. 6 shows a schematic block diagram of a terminal device of one embodiment of the present application.
- FIG. 7 shows a schematic block diagram of a network device according to an embodiment of the present application.
- FIG. 8 shows a schematic block diagram of a network device of another embodiment of the present application.
- FIG. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
- FIG. 10 is a schematic block diagram of a network device according to an embodiment of the present application.
- FIG. 11 is a schematic block diagram of a network device of another embodiment of the present application.
- FIG. 1 is a schematic diagram of an authentication scenario applied in an embodiment of the present application.
- a user, i.e., a subscriber using a USIM card
- UMTS Universal Mobile Telecommunications System
- the terminal device 110 communicates with the core network 130 through a Global System for Mobile Communication (GSM) radio access network 120, where the GSM radio access network 120 includes a Base Station Controller (BSC).
- GSM Global System for Mobile Communication
- BSC Base Station Controller
- the terminal device 110 is a terminal device with UMTS authentication and encryption capability, and has a Universal Subscriber Identity Module (USIM) with UMTS security.
- The core network supports Release 99 (R99) and later, that is, the core network supports two-way authentication between the network side and the terminal device side.
- Terminal devices that support 3G/4G networks, use a Universal Subscriber Identity Module (USIM) and support UMTS authentication have already been defined.
- When such a terminal device camps on the GSM radio access network (GRAN, 2G) and the core network is of the R99+ version, the two-way authentication procedure is performed, that is, the terminal device also authenticates the network. In other words, as long as the core network initiates the authentication procedure, the terminal device authenticates the network.
- GRAN GSM radio access network
- USIM Universal Subscriber Identity Module
- The pseudo base station bypasses this procedure: it never initiates authentication towards the mobile phone, so the mobile phone never gets the opportunity to authenticate the pseudo base station.
- FIG. 2 is a schematic flowchart of a method of an embodiment of the present application, where an execution entity of the method is a terminal device, where the terminal device can communicate with a core network via a Radio Access Network (RAN).
- a terminal may refer to a User Equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user device.
- The access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, or a Personal Digital Assistant (PDA) with wireless communication capability.
- the base station may be a network device used for communication with the terminal device, for example, may be a base station (Base Transceiver Station, BTS) in the GSM system or CDMA, or a base station (NodeB, NB) in the WCDMA system. It may be an evolved base station (Evolutional Node B, eNB or eNodeB) in the LTE system, or the base station may be a relay station, an access point, an in-vehicle device, a wearable device, and a network side device in a future 5G network.
- BTS: Base Transceiver Station
- NodeB (NB): the base station in the WCDMA system
- eNB / eNodeB: evolved NodeB, the base station in the LTE system
- the core network device is composed of a series of devices that complete the user location management, the network function, and the service control function, and is not limited in this embodiment.
- the method includes the following steps.
- Step 210 The terminal device receives the system message sent by the base station controller, determines according to the system message that the terminal device is allowed to access the first cell, and performs network authentication when accessing the first cell, where the first cell is a cell that supports two-way authentication.
- Step 220 The terminal device sends an uplink authentication request message to the core network device, where the uplink authentication request message is used to notify the core network device to perform authentication on the terminal device.
- Step 230 When the terminal device receives the downlink authentication request message sent by the core network device, perform network authentication on the target cell in the first cell to determine whether to access the target cell.
- The first cell is a cell supporting bidirectional authentication, that is, a cell supporting UMTS Terrestrial Radio Access Network (UTRAN) or Long Term Evolution (LTE) style authentication.
- UTRAN: UMTS Terrestrial Radio Access Network
- LTE Long Term Evolution
- Optionally, the first cell is a cell identified as an R99+ version in the system message; that is, the first cell refers to the type of cell identified as R99+ in the system message.
- the base station controller refers to a communication device that manages the terminal device.
- The terminal device determines that only the first cell of the R99+ version can be accessed and that other types of cells cannot be accessed; furthermore, in a cell of the R99+ version, two-way authentication between the network side and the terminal device is supported.
- Besides being authenticated by the network, the terminal device also needs to authenticate the network to decide whether it can access it.
- The base station controller sends a system message to the terminal device, where the system message is used to indicate that the terminal device is allowed to access the first cell and that the terminal device performs network authentication on the first cell when accessing it, the first cell being a cell identified as an R99+ version in the system message.
- the system message carries the identifier information, where the identifier information is used to indicate that the first cell is a cell identified as an R99+ version.
- Optionally, the system message is one of the following: base station subsystem (BSS) system information message 2, BSS system information message 3, BSS system information message 4. That is, the system message can use a vacant (spare) field in one of the above messages to carry the identifier information identifying the R99+ version.
- BSS: base station subsystem
- The system message may be a newly defined message or an existing system message carrying the identifier information; this is not limited in the embodiment of the present application, and any system message capable of carrying the identifier information falls within its scope.
- the uplink authentication request message is used to notify the core network device to perform authentication on the terminal device.
- The uplink authentication request message may be any of the following three cases:
- the core network device learns that the terminal device is performing cross-location-area reselection, and the terminal device further sends the uplink authentication request message to the core network device to notify the core network device to authenticate the terminal device and determine whether the terminal device may access the network covered by the core network device;
- the uplink authentication request message may be a newly defined message, which can be used not only to notify the core network device to authenticate the terminal device but also to indicate that the terminal device is about to perform cross-location-area reselection;
- the uplink authentication request message is an access request message,
- where the access request message includes a Ciphering Key Sequence Number (CKSN) field set to "key not available", so as to trigger the network device's authentication procedure for the terminal device; optionally, the access request message is one of the following: a location update request message, a connection management (CM) service request message, or a paging response message.
- CKSN Ciphering Key Sequence Number
- CM connection management
- The base station controller receives the uplink authentication request message sent by the terminal device, where the uplink authentication request message is used to indicate that the terminal device needs to perform network authentication on the first cell; the base station controller then sends the uplink authentication request message to the core network device to notify the core network device to authenticate the terminal device, so that the terminal device accesses a cell that it has authenticated.
- In step 230, after the core network device receives the uplink authentication request message of step 220, the authentication procedure for the terminal device is triggered and a downlink authentication request message is sent to the terminal device, where the downlink authentication request message is used to instruct the terminal device to perform network authentication on the target cell among the first cells.
- The downlink authentication request message sent by the core network device to the terminal device indicates that the terminal device is to perform network authentication on the target cell, and carries an identifier of the target cell.
- Performing network authentication on the target cell among the first cells to determine whether to access the target cell includes:
- when the terminal device passes network authentication of the target cell, determining to access the target cell;
- when the terminal device fails network authentication of the target cell, determining not to access the target cell.
- The location update request message, the access request message, the uplink authentication request message and the downlink authentication request message are all forwarded by the base station controller: the location update request message, access request message and uplink authentication request message sent by the terminal device are forwarded to the core network device by the base station controller, and the downlink authentication request message sent by the core network device is likewise delivered to the terminal device through the base station controller.
- the target cell is one of the cells in the first cell and belongs to the base station controller.
- The uplink authentication request message is sent through the target cell to the base station controller, and the base station controller forwards it to the core network device, thereby triggering the core network device to authenticate the terminal device: the core network device sends a downlink authentication request message to the terminal device through the base station controller, and the terminal device determines according to the downlink authentication request message whether the target cell passes the terminal device's authentication. Only if the target cell passes the terminal device's authentication does the terminal device access it; otherwise the terminal device does not access the target cell.
- A pseudo cell generated by a pseudo base station cannot pass the terminal device's authentication, so the terminal device does not access the pseudo cell and is not affected by the pseudo base station, and the influence of the pseudo base station on the network is avoided.
- The embodiment of the present application can thus restrict the terminal device to cells identified as R99+ and make it perform network authentication on the target cell before accessing it, so that network attacks by a pseudo base station are avoided.
- Optionally, the method further includes: returning an authentication response message to the core network device, where the authentication response message indicates that the terminal device has successfully authenticated the target cell.
- By returning the authentication response message to the core network device, the terminal device notifies the core network device that it has authenticated the target cell and is accessing it.
- FIG. 3 is a schematic diagram of a method of an embodiment of the present application.
- the execution body of the method may be a core network device. As shown in FIG. 3, the method 300 includes the following steps.
- Step 310 The core network device receives an uplink authentication request message sent by the terminal device, where the uplink authentication request message is a request message sent by the terminal device after receiving the system message sent by the base station controller; the system message is used by the terminal device to determine that it is allowed to access the first cell and instructs the terminal device to perform network authentication when accessing the first cell, where the first cell is a cell identified as an R99+ version in the system message.
- Step 320 The core network authenticates the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on the target cell in the first cell to determine whether to access the target cell.
- Optionally, after the core network device receives the uplink authentication request message sent by the terminal device, authenticating the terminal device according to the uplink authentication request message further includes: sending a downlink authentication request message to the terminal device, where the downlink authentication request message is used to indicate that the terminal device performs network authentication on the target cell, and where the downlink authentication request message carries the identifier of the target cell.
- the network covered by the core network device is an R99+ version.
- In the method of FIG. 4, the execution body is a base station controller. As shown in FIG. 4, the method 400 includes the following steps.
- Step 410 The base station controller sends a system message to the terminal device, where the system message is used to indicate that the terminal device is allowed to access the first cell and that the terminal device performs network authentication on the first cell when accessing it, where the first cell is a cell that supports bidirectional authentication.
- Step 420 The base station controller receives an uplink authentication request message sent by the terminal device, where the uplink authentication request message is used to indicate that the terminal device needs to perform network authentication on the first cell.
- Step 430 The base station controller sends the uplink authentication request message to the core network device and notifies the core network device to authenticate the terminal device, so that the terminal device accesses a cell that has passed its network authentication.
- the method further includes: receiving a downlink authentication request message sent by the core network device, where the downlink authentication request message is used to notify the terminal device to the first The target cell in the cell performs network authentication, where the downlink authentication request message carries the identifier of the target cell, and the downlink authentication request message is sent to the terminal device.
- Optionally, the system message carries identifier information, where the identifier information indicates that the first cell is a cell identified as an R99+ version, and the system message is one of the following: BSS system information message 2, 2bis, 3 or 4.
- FIG. 5 shows a schematic flow chart of a method of an embodiment of the present application. As shown in FIG. 5, the method includes the following steps.
- Step 501 The base station controller sends a system message to the terminal device, where the system message is used to indicate that the UE may only access the first cell and that the terminal device performs network authentication when accessing the first cell, the first cell being a cell identified by the system message as the R99+ version.
- The system message may be a newly defined system message, or an existing system message indicating that the first cell is of the R99+ version, for example BSS system information message 2, 2bis, 3 or 4, carrying in a spare field the identifier information indicating the first cell type, so that the UE is only allowed to access the identified first cell.
- Step 502 The terminal device sends an uplink authentication request to the core network device.
- The uplink authentication request is used to notify the core network device to authenticate the terminal device.
- The uplink authentication request message is sent by the terminal device to the base station controller and forwarded by the base station controller to the core network device.
- For example, the terminal device sends an access request message to the core network device, where the access request message notifies the core network device that the terminal device is about to perform cross-location-area reselection.
- Optionally, the uplink authentication request message is an access request message whose CKSN field is set to "key not available", for example a CKSN field set to "111", so as to trigger the network device's authentication procedure for the terminal device.
- The access request message is one of the following: a location update request message, a CM service request message, or a paging response message.
- Step 503 The core network device sends a downlink authentication request message to the UE, that is, when the core network device receives the uplink authentication request message in step 502, the network side authenticates the UE.
- the core network device sends a downlink authentication request message to the UE through the base station controller, and notifies the UE to perform network authentication on the target cell in the first cell to determine whether to access the target cell.
- the target cell is one of the first cells that the UE desires to access.
- Step 504 The UE authenticates the network, that is, the UE performs network authentication on the target cell to determine whether to access the target cell.
- when the terminal device passes the network authentication of the target cell, it determines to access the target cell; when the terminal device fails the network authentication of the target cell, it determines not to access the target cell.
- Step 506 The UE returns an authentication response message to the core network device, where the authentication response message is used to indicate that the terminal device has passed authentication of the target cell.
- Step 507 The network authenticates the terminal, that is, the core network device determines whether the UE can access the target cell. If the target cell can be accessed, step 508 is performed.
- Step 508 The core network device sends a location update success notification message to the UE, where the UE has completed cross-location area reselection and accesses the target cell.
- step 501 is performed when it is determined that the network covered by the current core network device is the R99+ version; that is, a control switch is added to the base station controller to ensure that the foregoing process is performed under an R99+ network.
- the embodiment of the present application instructs the terminal device to access only cells identified as the R99+ version and to perform network authentication on the target cell to be accessed to determine whether the network can be accessed, thereby avoiding as far as possible a network attack by a pseudo base station.
- FIG. 6 shows a schematic block diagram of a terminal device of one embodiment of the present application. It should be understood that the terminal device 600 can perform the various steps performed by the UE in FIG. 2 and FIG. 5, and is not detailed herein to avoid repetition.
- the terminal device 600 includes the following units.
- a receiving unit 610 configured to receive a system message sent by the base station controller, determine, according to the system message, that the terminal device is allowed to access the first cell, and perform network authentication when the terminal device accesses the first cell, where the first cell is a cell that supports two-way authentication.
- the sending unit 620 is configured to send an uplink authentication request message to the core network device, where the uplink authentication request message is used to notify the core network device to perform authentication on the terminal device.
- the authentication unit 630 is configured to: when receiving the downlink authentication request message sent by the core network device, perform network authentication on the target cell in the first cell, and determine whether to access the target cell.
- FIG. 7 shows a schematic block diagram of a network device according to an embodiment of the present application. It should be understood that the network device 700 can perform the various steps performed by the core network device in FIG. 3 and FIG. 5, and is not detailed herein to avoid repetition.
- network device 700 includes the following units.
- the receiving unit 710 is configured to receive an uplink authentication request message sent by the terminal device, where the uplink authentication request message is a request message sent by the terminal device after receiving the system message sent by the base station controller, The system message is used by the terminal device to determine that the first cell is allowed to access, and the terminal device is instructed to perform network authentication when accessing the first cell, where the first cell is a cell that supports two-way authentication;
- the authentication unit 720 is configured to perform authentication on the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on the target cell in the first cell and determines whether to access the target cell.
- FIG. 8 shows a schematic block diagram of a network device of another embodiment of the present application. It should be understood that the network device 800 is capable of performing the various steps performed by the base station controller device of FIGS. 4 and 5, and to avoid repetition, it will not be described in detail herein.
- the network device 800 includes the following units.
- a sending unit 810 configured to send a system message to the terminal device, where the system message is used to indicate that the terminal device is allowed to access the first cell and that network authentication of the first cell is performed when the terminal device accesses the first cell, and the first cell is a cell that supports bidirectional authentication.
- the receiving unit 820 is configured to receive an uplink authentication request message sent by the terminal device, where the uplink authentication request message is used to indicate that the terminal device needs to perform network authentication on the first cell.
- the sending unit 810 is further configured to send the uplink authentication request message to the core network device, to notify the core network device to perform authentication on the terminal device, so that the terminal device accesses a cell that has passed network authentication.
- FIG. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application. It should be understood that the terminal device 900 can perform the various steps performed by the UE in FIG. 2 and FIG. 5, and is not detailed herein to avoid repetition.
- Device 900 includes the following components.
- the memory 910 is configured to store a program.
- the transceiver 920 is configured to communicate with other devices.
- the processor 930 is configured to execute a program in the memory 910; the processor 930 is connected to the memory 910 and the transceiver 920, respectively, and is configured to execute the instructions stored by the memory 910, and when executing the instructions performs the following steps:
- the processor 930 is configured to receive, by using the transceiver 920, a system message sent by the base station controller, determine, according to the system message, that the terminal device is allowed to access the first cell, and perform network authentication when the terminal device accesses the first cell, where the first cell is a cell that supports bidirectional authentication; send an uplink authentication request message to the core network device, where the uplink authentication request message is used to notify the core network device to perform authentication on the terminal device; and, when the terminal device receives the downlink authentication request message sent by the core network device, perform network authentication on the target cell in the first cell to determine whether to access the target cell.
- terminal device 900 may be specifically the terminal device in the foregoing embodiment, and may be used to perform various steps and/or processes corresponding to the terminal device in the foregoing method embodiments.
- FIG. 10 is a schematic block diagram of a network device according to an embodiment of the present application. It should be understood that the terminal device 1000 can perform the various steps performed by the core network device in FIG. 3 and FIG. 5, and is not detailed herein to avoid repetition.
- Device 1000 includes the following components.
- the memory 1010 is configured to store a program.
- the transceiver 1020 is configured to communicate with other devices.
- a processor 1030 configured to execute a program in the memory 1010; the processor 1030 is coupled to the memory 1010 and the transceiver 1020, respectively, is configured to execute the instructions stored by the memory 1010, and when executing the instructions performs the following steps: receiving an uplink authentication request message sent by the terminal device, where the uplink authentication request message is a request message sent by the terminal device after receiving a system message sent by the base station controller, the system message is used by the terminal device to determine that access to the first cell is allowed and instructs the terminal device to perform network authentication when accessing the first cell, and the first cell is a cell supporting two-way authentication; and authenticating the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on the target cell in the first cell to determine whether to access the target cell.
- the network device 1000 may be specifically the terminal device in the foregoing embodiment, and may be used to perform various steps and/or processes corresponding to the core network device in the foregoing method embodiments.
- FIG. 11 is a schematic block diagram of a network device of another embodiment of the present application.
- terminal device 1100 can perform the various steps performed by the base station controller in FIGS. 3 and 5, and in order to avoid repetition, it will not be described in detail herein.
- Device 1100 includes the following components.
- the memory 1110 is configured to store a program.
- the transceiver 1120 is configured to communicate with other devices.
- the processor 1130 is configured to execute a program in the memory 1110; the processor 1130 is connected to the memory 1110 and the transceiver 1120, respectively, and is configured to execute the instructions stored by the memory 1110, and when executing the instructions performs the following steps: sending a system message to the terminal device, where the system message is used to indicate that the terminal device is allowed to access the first cell and that network authentication of the first cell is performed when the terminal device accesses the first cell, and the first cell is a cell that supports bidirectional authentication; and receiving the uplink authentication request message sent by the terminal device, where the uplink authentication request message is used to indicate that the terminal device needs to perform network authentication on the first cell.
- the network device 1100 may be specifically the base station controller in the foregoing embodiment, and may be used to perform various steps and/or processes corresponding to the base station controller in the foregoing method embodiments.
- RAM: random access memory
- ROM: read only memory
- EEPROM: electrically erasable programmable ROM
- registers, hard disk, removable disk, CD-ROM: computer-readable media
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The embodiment of the invention provides a terminal apparatus. The terminal apparatus receives a system message transmitted from a base station controller, determines according to the system message that the terminal apparatus has permission to access a first cell, and performs, when accessing the first cell, network authentication, wherein the first cell is a cell supporting bidirectional authentication. The terminal apparatus further transmits an uplink authentication request message to a core network apparatus, wherein the uplink authentication request message is used to notify the core network apparatus of performing authentication on the terminal apparatus. Upon receiving a downlink authentication request message transmitted from the core network apparatus, the terminal apparatus further performs network authentication on a target cell in the first cell to determine whether to access the target cell. In the embodiment of the invention, the terminal apparatus is instructed to only access a cell supporting the bidirectional authentication, and to perform the network authentication on the target cell to be accessed to determine whether the network is accessible, thereby preventing a fake base station from performing a network attack on the network.
Description
This application claims priority to Chinese patent application No. 201611124220.0, filed with the Chinese Patent Office on December 8, 2016 and entitled "Method of accessing network device, terminal device thereof, and network device", the entire contents of which are incorporated herein by reference.
The present application relates to the field of communications, and in particular to a method for accessing a network device, and to a terminal device and a network device therefor.
In the Global System for Mobile Communication (GSM), only the procedure by which the network side authenticates the terminal device is defined; there is no procedure by which the terminal device authenticates the network side. As a result, pseudo base stations exist in GSM networks. A pseudo base station is a base station that masquerades as an operator's base station and can, using another person's mobile phone number, forcibly send short messages such as fraud and advertising to users' mobile phones. GSM pseudo base stations are highly concealed and have formed a fraud industry chain with pseudo base stations as its source, causing users to be deceived and suffer heavy losses.
Further, as pseudo base station technology keeps being upgraded, even if the terminal device and the network are upgraded to 3G/4G, as long as the terminal device still supports GSM, a pseudo base station can jam the 3G/4G signal across the full frequency band and force the terminal device to fall back to the 2G network, so that it can continue to send spam messages to the terminal device.
Therefore, a technical means is urgently needed that can avoid, as far as possible, the impact of pseudo base stations on the network.
Summary of the invention
Embodiments of the present application provide a method for accessing a network device and a network device therefor, which can minimize the impact of pseudo base stations on the network.
In a first aspect, a method is provided in which a terminal device receives a system message sent by a base station controller, determines according to the system message that the terminal device is allowed to access a first cell, and performs network authentication when accessing the first cell, where the first cell is a cell that supports two-way authentication; the terminal device sends an uplink authentication request message to a core network device, where the uplink authentication request message is used to notify the core network device to authenticate the terminal device; and when the terminal device receives a downlink authentication request message sent by the core network device, it performs network authentication on a target cell among the first cells to determine whether to access the target cell.
Therefore, by instructing the terminal device to access only cells that support two-way authentication, and by performing network authentication on the target cell to be accessed to determine whether the network can be accessed, embodiments of the present application can avoid, as far as possible, network attacks on the network by pseudo base stations.
With reference to the first aspect, in a first possible implementation of the first aspect, the first cell is a cell identified in the system message as an R99+ version cell.
Therefore, embodiments of the present application instruct the terminal device to access only cells identified as the R99+ version; because R99+ version cells support two-way authentication, the terminal device performs network authentication on the target cell to be accessed to determine whether it can access the R99+ target cell, so that network attacks on the network by pseudo base stations can be avoided as far as possible.
With reference to the first aspect and the foregoing implementation, in a second possible implementation of the first aspect, performing network authentication on the target cell among the first cells to determine whether to access the target cell includes: when the terminal device's network authentication of the target cell passes, determining to access the target cell; and when the terminal device's network authentication of the target cell fails, determining not to access the target cell.
That is, when a pseudo base station simulates a pseudo cell of the R99+ version, the terminal device's authentication of that pseudo cell fails and the terminal device does not access it, which prevents the terminal device from accessing a pseudo cell and suffering a network attack from the pseudo base station.
With reference to the first aspect and the foregoing implementations, in a third possible implementation of the first aspect, after performing network authentication on the target cell among the first cells, the method further includes: returning an authentication response message to the core network device, where the authentication response message is used to indicate that the terminal device has passed authentication of the target cell.
Therefore, by returning an authentication response to the core network device, the terminal device can inform the core network device that the terminal device's authentication of the target cell has passed.
With reference to the first aspect and the foregoing implementations, in a fourth possible implementation of the first aspect, the uplink authentication request message is an access request message, and the access request message includes a key sequence number (CKSN) field set to indicate that the key is not available, so as to trigger the network device's authentication procedure for the terminal device.
Therefore, by setting the CKSN field in the access request message to an invalid value, the core network device can be instructed to trigger authentication of the terminal device, so that the information exchange between the network device and the terminal device is achieved with as little additional signaling overhead as possible.
With reference to the first aspect and the foregoing implementations, in a fifth possible implementation of the first aspect, the access request message is one of: a location update request message, a connection management (CM) service request message, and a paging response message.
With reference to the first aspect and the foregoing implementations, in a sixth possible implementation of the first aspect, the system message carries identifier information, where the identifier information is used to indicate that the first cell is a cell identified as the R99+ version.
That is, by carrying the identifier information in the system message, the terminal device can be notified that it is allowed to access a first cell whose version is 99+.
In a second aspect, a method for accessing a network device is provided, including: a core network device receives an uplink authentication request message sent by a terminal device, where the uplink authentication request message is a request message sent by the terminal device after receiving a system message sent by a base station controller, the system message is used by the terminal device to determine that access to a first cell is allowed and instructs the terminal device to perform network authentication when accessing the first cell, and the first cell is a cell that supports two-way authentication; and the core network authenticates the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on a target cell among the first cells to determine whether to access the target cell.
Therefore, by instructing the terminal device to access only cells that support two-way authentication, and by performing network authentication on the target cell to be accessed to determine whether the network can be accessed, embodiments of the present application can avoid, as far as possible, network attacks on the network by pseudo base stations.
With reference to the second aspect, in a first possible implementation of the second aspect, after the core network device receives the uplink authentication request message sent by the terminal device, the core network's authentication of the terminal device according to the uplink authentication request message further includes: sending a downlink authentication request message to the terminal device, where the downlink authentication request message is used to instruct the terminal device to perform network authentication on the target cell, and the downlink authentication request message carries the identifier of the target cell.
With reference to the second aspect and the foregoing implementation, in a second possible implementation of the second aspect, the network covered by the core network device is a network that supports two-way authentication; further, the network covered by the core network device is of the R99+ version.
In a third aspect, a method for accessing a network device is provided, including: a base station controller sends a system message to a terminal device, where the system message is used to indicate that the terminal device is allowed to access a first cell and that network authentication of the first cell is performed when the terminal device accesses the first cell, and the first cell is a cell that supports two-way authentication; the base station controller receives an uplink authentication request message sent by the terminal device, where the uplink authentication request message is used to indicate that the terminal device needs to perform network authentication on the first cell; and the base station controller sends the uplink authentication request message to the core network device to notify the core network device to authenticate the terminal device, so that the terminal device accesses a cell that has passed network authentication.
With reference to the third aspect, in a first possible implementation of the third aspect, the method further includes: receiving a downlink authentication request message sent by the core network device, where the downlink authentication request message is used to notify the terminal device to perform network authentication on a target cell among the first cells, and the downlink authentication request message carries the identifier of the target cell; and sending the downlink authentication request message to the terminal device.
With reference to the third aspect and the foregoing implementation, in a second possible implementation of the third aspect, the system message carries identifier information used to indicate that the first cell is a cell identified as the R99+ version, and the system message is one of the following: base station subsystem (BSS) system message 2, BSS system message 3, BSS system message 4.
With reference to the third aspect and the foregoing implementations, in a third possible implementation of the third aspect, before the base station controller sends the system message to the terminal device, the method further includes: determining that the network covered by the core network device is of the R99+ version.
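The exchange of the first to third aspects above (steps 501 to 508 of FIG. 5), as an added simulation that is not code from the patent: the base station controller's system message carries the R99+ identifier, the UE sends its access request with CKSN set to "111" so that the core network must run authentication, verifies the network's challenge for the target cell before accepting it, and the core network then verifies the UE. HMAC-SHA256 stands in for the 3GPP f1/f2 functions, the subscriber key, IMSI and cell identifiers are constructed, and a pseudo base station is modelled as a core network that never held the subscriber key.

```python
"""Simulation of the access procedure of the first to third aspects (FIG. 5).
Stand-ins, all constructed for this example: HMAC-SHA256 replaces the 3GPP
f1/f2 functions; the subscriber key, IMSI and cell ids are made up."""
import hashlib
import hmac
import os
from dataclasses import dataclass

CKSN_NO_KEY = 0b111  # CKSN "111": no key available, so the network must authenticate
IMSI_DEMO = "IMSI-DEMO-001"                                  # constructed
KI_DEMO = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed Ki

@dataclass(frozen=True)
class SystemMessage:
    """BSS system information (SI 2/2bis/3/4) broadcast by a cell."""
    cell_id: str
    r99_plus: bool  # identifier information: cell supports two-way authentication

@dataclass(frozen=True)
class AccessRequest:
    """Location update request / CM service request / paging response."""
    imsi: str
    cksn: int
    target_cell: str

@dataclass(frozen=True)
class DownlinkAuthRequest:
    """Network challenge carrying the target cell identity, RAND and a token."""
    target_cell: str
    rand: bytes
    autn: bytes  # keyed MAC over RAND || target_cell, stand-in for f1

class CoreNetwork:
    """Core network holding subscriber keys. A pseudo base station is the same
    class holding a guessed key, because it never had the real Ki."""

    def __init__(self, subscribers):
        self._keys = dict(subscribers)
        self._pending = {}

    def on_access_request(self, req):
        # Step 503: CKSN 111 means no usable key, so run authentication.
        if req.cksn != CKSN_NO_KEY or req.imsi not in self._keys:
            return None
        rand = os.urandom(16)
        autn = hmac.new(self._keys[req.imsi], rand + req.target_cell.encode(),
                        hashlib.sha256).digest()
        self._pending[req.imsi] = rand
        return DownlinkAuthRequest(req.target_cell, rand, autn)

    def on_auth_response(self, imsi, res):
        # Step 507: the network authenticates the terminal.
        rand = self._pending.pop(imsi, None)
        if rand is None:
            return False
        expected = hmac.new(self._keys[imsi], b"RES" + rand, hashlib.sha256).digest()
        return hmac.compare_digest(expected, res)

class UE:
    def __init__(self, imsi, key):
        self.imsi, self._key = imsi, key

    def cell_allowed(self, si):
        # Step 501: camp only on cells the system message identifies as R99+.
        return si.r99_plus

    def access_request(self, target_cell):
        # Step 502: access request with CKSN set to "111" to force authentication.
        return AccessRequest(self.imsi, CKSN_NO_KEY, target_cell)

    def authenticate_network(self, auth_req, target_cell):
        # Step 504: verify the network's token; None means "do not access".
        if auth_req.target_cell != target_cell:
            return None
        expected = hmac.new(self._key, auth_req.rand + target_cell.encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, auth_req.autn):
            return None
        return hmac.new(self._key, b"RES" + auth_req.rand, hashlib.sha256).digest()

def run_access(ue, si, cn, target_cell):
    """Drive steps 501 to 508 end to end and report the outcome."""
    if not ue.cell_allowed(si):
        return "rejected: cell not identified as R99+"
    auth_req = cn.on_access_request(ue.access_request(target_cell))
    if auth_req is None:
        return "rejected: network did not start authentication"
    res = ue.authenticate_network(auth_req, target_cell)
    if res is None:
        return "rejected: network authentication of target cell failed"
    if not cn.on_auth_response(ue.imsi, res):
        return "rejected: terminal authentication failed"
    return "location update success"

if __name__ == "__main__":
    ue, genuine = UE(IMSI_DEMO, KI_DEMO), CoreNetwork({IMSI_DEMO: KI_DEMO})
    pseudo = CoreNetwork({IMSI_DEMO: os.urandom(16)})  # never had the real Ki
    print(run_access(ue, SystemMessage("cell-A", True), genuine, "cell-A"))
    print(run_access(ue, SystemMessage("cell-P", True), pseudo, "cell-P"))
```

The pseudo base station run fails at step 504 even though it advertises itself as R99+, which is the check the legacy GSM procedure lacks.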
In a fourth aspect, a terminal device is provided for performing the method of the first aspect or any possible implementation of the first aspect. Specifically, the terminal device includes units for performing the method of the first aspect or any possible implementation of the first aspect.
In a fifth aspect, a network device is provided for performing the method of the second aspect or any possible implementation of the second aspect. Specifically, the device includes units for performing the method of the second aspect or any possible implementation of the second aspect.
In a sixth aspect, another network device is provided for performing the method of the third aspect or any possible implementation of the third aspect. Specifically, the device includes units for performing the method of the third aspect or any possible implementation of the third aspect.
In a seventh aspect, a terminal device is provided, the device including a transceiver, a memory, a processor and a bus system. The transceiver, the memory and the processor are connected through the bus system; the memory is configured to store instructions; the processor is configured to execute the instructions stored in the memory so as to control the transceiver to receive and/or send signals; and when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the first aspect or any possible implementation of the first aspect.
In an eighth aspect, a network device is provided, the network device including a transceiver, a memory, a processor and a bus system. The transceiver, the memory and the processor are connected through the bus system; the memory is configured to store instructions; the processor is configured to execute the instructions stored in the memory so as to control the transceiver to receive and/or send signals; and when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the second aspect or any possible implementation of the second aspect.
In a ninth aspect, a network device is provided, the network device including a transceiver, a memory, a processor and a bus system. The transceiver, the memory and the processor are connected through the bus system; the memory is configured to store instructions; the processor is configured to execute the instructions stored in the memory so as to control the transceiver to receive and/or send signals; and when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the third aspect or any possible implementation of the third aspect.
In a tenth aspect, a computer readable medium is provided for storing a computer program, the computer program including instructions for performing the method of the first aspect or any possible implementation of the first aspect.
In an eleventh aspect, a computer readable medium is provided for storing a computer program, the computer program including instructions for performing the method of the second aspect or any possible implementation of the second aspect.
In a twelfth aspect, a computer readable medium is provided for storing a computer program, the computer program including instructions for performing the method of the third aspect or any possible implementation of the third aspect.
FIG. 1 is a schematic diagram of an authentication scenario to which an embodiment of the present application is applied.
FIG. 2 is a schematic flowchart of a method according to an embodiment of the present application.
FIG. 3 is a schematic diagram of a method according to an embodiment of the present application.
FIG. 4 is a schematic diagram of a method according to an embodiment of the present application.
FIG. 5 is a schematic flowchart of a method according to an embodiment of the present application.
FIG. 6 is a schematic block diagram of a terminal device according to an embodiment of the present application.
FIG. 7 is a schematic block diagram of a network device according to an embodiment of the present application.
FIG. 8 is a schematic block diagram of a network device according to another embodiment of the present application.
FIG. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
FIG. 10 is a schematic block diagram of a network device according to an embodiment of the present application.
FIG. 11 is a schematic block diagram of a network device according to another embodiment of the present application.
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present application.
FIG. 1 is a schematic diagram of an authentication scenario to which an embodiment of the present application is applied.
As shown in FIG. 1, a user authentication scenario (that is, for a user with a USIM card) under the Universal Mobile Telecommunications System (UMTS) is illustrated.
Specifically, the terminal device 110 communicates with the core network 130 through a Global System for Mobile Communication (GSM) radio access network 120, where the GSM radio access network 120 includes a Base Station Controller (BSC). The terminal device 110 is a terminal device with UMTS authentication and encryption capability and is equipped with a Universal Subscriber Identity Module (USIM) with UMTS security. The core network supports Release 99+ and later versions, that is, the core network supports two-way authentication between the network side and the terminal device side.
In the current 3rd Generation Partnership Project (3GPP) protocols it is already defined that, when a "terminal device that supports 3/4G networks, uses a Universal Subscriber Identity Module (USIM) and supports UMTS authentication" camps in a GSM radio access network (GRAN) (2G) and the core network is of version R99+, a two-way authentication procedure is performed; that is, the terminal device will also authenticate the cell. In other words, as long as the core network initiates the authentication procedure, the terminal device authenticates the network.
However, since authentication is not mandatory, a pseudo base station bypasses this procedure and does not initiate authentication towards the mobile phone, so the mobile phone has no opportunity to authenticate the pseudo base station.
FIG. 2 is a schematic flowchart of a method according to an embodiment of the present application. The method is performed by a terminal device, where the terminal device may communicate with a core network via a Radio Access Network (RAN). A terminal may refer to User Equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a mobile terminal, a remote station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user apparatus. The access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a future 5G network, or the like.
The base station may be a network device used for communicating with the terminal device; for example, it may be a Base Transceiver Station (BTS) in a GSM or CDMA system, a NodeB (NB) in a WCDMA system, or an evolved NodeB (eNB or eNodeB) in an LTE system, or the base station may be a relay station, an access point, an in-vehicle device, a wearable device, a network-side device in a future 5G network, or the like.
The core network device is composed of a series of devices that perform user location management, network functions, service control functions and the like, which is not limited in the embodiments of the present application.
As shown in FIG. 2, the method includes the following steps.
Step 210: The terminal device receives a system message sent by the base station controller, determines according to the system message that the terminal device is allowed to access a first cell, and performs network authentication when accessing the first cell, where the first cell is a cell that supports two-way authentication.
Step 220: The terminal device sends an uplink authentication request message to the core network device, where the uplink authentication request message is used to notify the core network device to authenticate the terminal device.
Step 230: When the terminal device receives a downlink authentication request message sent by the core network device, it performs network authentication on a target cell in the first cell and determines whether to access the target cell.
It should be understood that in step 210 the first cell is a cell that supports two-way authentication, that is, a cell that supports Terrestrial Radio Access Network (UTRAN) or Long Term Evolution (LTE) authentication.
Optionally, the first cell is a cell identified as version R99+ in the system message.
Specifically, in step 210, the first cell refers to a class of cells identified as version R99+ in the system message, and the base station controller refers to the communication device that manages the terminal device. After receiving the system message, the terminal device determines that it may access only a first cell of version R99+ and may not access any other type of cell. Further, an R99+ cell supports two-way authentication between the network side and the terminal device: not only does the network device authenticate the terminal device, the terminal device also authenticates whether it may access the network.
Before step 210, the base station controller sends the system message to the terminal device, where the system message is used to indicate that the terminal device is allowed to access the first cell and is to perform network authentication on the first cell when accessing the first cell, the first cell being a cell identified as version R99+ in the system message.
Optionally, the system message carries identification information, where the identification information is used to indicate that the first cell is a cell identified as version R99+.
Optionally, the system message is one of the following: Base Station Subsystem (BSS) system message 2, BSS system message 3, BSS system message 4. That is, the system message may carry the identification information in a spare field of one of the above messages, to identify the R99+ version.
It should be understood that the system message may be a newly defined message or an existing system message carrying the identification information; this is not limited in the embodiments of the present application, and any system message capable of carrying the identification information falls within the scope of the embodiments of the present application.
In step 220, the uplink authentication request message is used to notify the core network device to authenticate the terminal device. Specifically, the uplink authentication request message may be one of the following three cases:
In a first embodiment, after the terminal device sends a location update request message to the core network device, the core network device learns that the terminal device is performing cross-location-area reselection, and the terminal device further sends the uplink authentication request message to the core network device to notify the core network device to authenticate the terminal device and determine whether the terminal device may access the network covered by the core network device;
In a second embodiment, the uplink authentication request message may be a newly defined message; the newly defined uplink authentication request message not only notifies the core network device to authenticate the terminal device but also indicates that the terminal device is about to perform cross-location-area reselection;
In a third embodiment, the uplink authentication request message is an access request message, and the access request message includes a Ciphering Key Sequence Number (CKSN) field set to "key not available", so as to trigger the authentication procedure of the network device towards the terminal device. Optionally, the access request message is one of the following: a location update request message, a Connection Management (CM) service request message, a paging response message.
After step 220, the base station controller receives the uplink authentication request message sent by the terminal device, where the uplink authentication request message indicates that the terminal device needs to perform network authentication on the first cell; the base station controller then sends the uplink authentication request message to the core network device, notifying the core network device to authenticate the terminal device, so that the terminal device accesses a cell that has passed terminal authentication.
In step 230, after the core network device receives the uplink authentication request message of step 220, the authentication procedure for the terminal device is triggered, that is, the core network device sends a downlink authentication request message to the terminal device, where the downlink authentication request message is used to instruct the terminal device to perform network authentication on the target cell in the first cell.
Specifically, the core network device sends the downlink authentication request message to the terminal device, where the downlink authentication request message is used to instruct the terminal device to perform network authentication on the target cell, and the downlink authentication request message carries the identifier of the target cell.
Optionally, as an embodiment of the present application, performing network authentication on the target cell in the first cell to determine whether to access the target cell includes:
when the network authentication of the target cell by the terminal device passes, determining to access the target cell;
when the network authentication of the target cell by the terminal device fails, determining not to access the target cell.
It should be understood that the location update request message, the access request message, the uplink authentication request message and the downlink authentication request message are all forwarded by the base station controller: the location update request message, access request message and uplink authentication request message sent by the terminal device are forwarded by the base station controller to the core network device, and the downlink authentication request message sent by the core network device is likewise delivered to the terminal device by the base station controller.
It should also be understood that the target cell is one cell among the first cells and belongs to the base station controller. Specifically, when the terminal device wishes to access the target cell, it sends the uplink authentication request message to the base station controller through the target cell, and the base station controller forwards the uplink authentication request message to the core network device, which triggers the authentication procedure of the core network device for the terminal device: the core network device sends the downlink authentication request message to the terminal device through the base station controller, and the terminal device determines from the downlink authentication request message whether the target cell passes the terminal device's authentication. Only if the target cell passes the terminal device's authentication does the terminal device access the target cell; otherwise the terminal device does not access the target cell.
In other words, if the target cell is a non-R99+ cell produced by a pseudo base station, the terminal device will not access the pseudo cell produced by the pseudo base station and is therefore not affected by the pseudo base station, which avoids the impact of the pseudo base station on the network.
If the pseudo base station simulates a pseudo cell of version R99+, the terminal device's authentication of that pseudo cell fails, so the terminal device does not access the pseudo cell either.
Therefore, by instructing the terminal device that it may access only cells identified as version R99+, and by performing network authentication on the target cell to be accessed to determine whether the network may be accessed, the embodiments of the present application can largely avoid network attacks on the network by pseudo base stations.
Optionally, as an embodiment of the present application, after performing network authentication on the target cell in the first cell, the method further includes: returning an authentication response message to the core network device, where the authentication response message indicates that the terminal device has passed its authentication of the target cell.
That is, by returning the authentication response message to the core network device, the terminal device notifies the core network device that the terminal device will access the target cell.
FIG. 3 is a schematic diagram of a method according to an embodiment of the present application. The method may be performed by a core network device. As shown in FIG. 3, the method 300 includes the following steps.
Step 310: The core network device receives an uplink authentication request message sent by the terminal device, where the uplink authentication request message is a request message sent by the terminal device after receiving a system message sent by the base station controller, the system message is used by the terminal device to determine that it is allowed to access a first cell and instructs the terminal device to perform network authentication when accessing the first cell, and the first cell is a cell identified as version R99+ in the system message.
Step 320: The core network authenticates the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on a target cell in the first cell and determines whether to access the target cell.
Optionally, as an embodiment of the present application, after the core network device receives the uplink authentication request message sent by the terminal device, authenticating the terminal device by the core network according to the uplink authentication request message further includes: sending a downlink authentication request message to the terminal device, where the downlink authentication request message is used to instruct the terminal device to perform network authentication on the target cell, and the downlink authentication request message carries the identifier of the target cell.
Optionally, as an embodiment of the present application, the network covered by the core network device is of version R99+.
FIG. 4 is a schematic diagram of a method according to an embodiment of the present application. The method is performed by a base station controller. As shown in FIG. 4, the method 400 includes the following steps.
Step 410: The base station controller sends a system message to the terminal device, where the system message is used to indicate that the terminal device is allowed to access a first cell and is to perform network authentication on the first cell when accessing the first cell, the first cell being a cell that supports two-way authentication.
Step 420: The base station controller receives an uplink authentication request message sent by the terminal device, where the uplink authentication request message indicates that the terminal device needs to perform network authentication on the first cell.
Step 430: The base station controller sends the uplink authentication request message to the core network device, notifying the core network device to authenticate the terminal device, so that the terminal device accesses a cell that has passed network authentication.
Optionally, as an embodiment of the present application, the method further includes: receiving a downlink authentication request message sent by the core network device, where the downlink authentication request message is used to notify the terminal device to perform network authentication on a target cell in the first cell and carries the identifier of the target cell; and sending the downlink authentication request message to the terminal device.
Optionally, as an embodiment of the present application, the system message carries identification information used to indicate that the first cell is a cell identified as version R99+, and the system message is one of the following: BSS system message 2, 2BIS, BSS system message 3, BSS system message 4.
FIG. 5 is a schematic flowchart of a method according to an embodiment of the present application. As shown in FIG. 5, the method includes the following steps.
Step 501: The base station controller sends a system message to the terminal device (UE), where the system message is used to indicate that the UE is allowed to access only a first cell and that the terminal device performs network authentication when accessing the first cell, the first cell being a cell identified as version R99+ by the system message.
It should be understood that the system message may be a newly defined system message or an existing system message capable of indicating that the first cell is of version R99+, for example BSS system message 2, 2BIS, BSS system message 3 or BSS system message 4, where a spare field of the system message carries identification information indicating the type of the first cell, instructing the UE that it may access only the identified first cell.
Step 502: The terminal device sends an uplink authentication request to the core network device, where the uplink authentication request is used to notify the core network device to authenticate the terminal device.
Specifically, the uplink authentication message is sent by the terminal device to the base station controller and forwarded by the base station controller to the core network device.
It should be understood that, optionally, before step 502 the terminal device has sent an access request message to the core network device, where the access request message is used to notify the core network device that the terminal device is about to perform cross-location-area reselection.
Optionally, the uplink authentication request message is an access request message, and the access request message includes a CKSN field set to "key not available", for example a CKSN field set to "111", so as to trigger the authentication procedure of the network device towards the terminal device.
Optionally, the above access request message is one of the following: a location update request message, a CM service request message, a paging response message.
Step 503: The core network device sends a downlink authentication request message to the UE; that is, once the core network device has received the uplink authentication request message in step 502, it starts the network-side authentication procedure for the UE.
Specifically, the core network device sends the downlink authentication request message to the UE through the base station controller, notifying the UE to perform network authentication on a target cell in the first cell and determine whether to access the target cell.
The target cell is one cell among the first cells that the UE wishes to access.
Step 504: The UE authenticates the network, that is, the UE performs network authentication on the target cell and determines whether to access the target cell.
Specifically, when the terminal device's network authentication of the target cell passes, it determines to access the target cell; when the terminal device's network authentication of the target cell fails, it determines not to access the target cell.
Step 506: The UE returns an authentication response message to the core network device, where the authentication response message indicates that the terminal device has passed its authentication of the target cell.
Step 507: The network authenticates the terminal, that is, the core network device determines whether the UE may access the target cell; if the target cell may be accessed, step 508 is performed.
Step 508: The core network device sends a location update success notification message to the UE, indicating that the UE has completed cross-location-area reselection and accessed the target cell.
Optionally, before step 501, it is determined that the network currently covered by the core network device is of version R99+; that is, a control switch is added on the base station controller to ensure that the above procedure is performed under an R99+ network.
Therefore, by instructing the terminal device that it may access only cells identified as version R99+, and by performing network authentication on the target cell to be accessed to determine whether the network may be accessed, the embodiments of the present application can largely avoid network attacks on the network by pseudo base stations.
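The camping rule and the network-authentication decision of steps 210 to 230 (FIG. 2) and 501 to 504 (FIG. 5), as an added simulation that is not part of the patent: a strict terminal refuses a cell not flagged R99+, refuses an R99+-flagged cell that never answers with a downlink authentication request, and refuses an R99+-flagged pseudo cell whose challenge fails verification, while a legacy terminal still camps on the silent pseudo cell. All class and function names are assumptions; f1 is an HMAC stand-in for the 3GPP network-authentication function (not Milenage), and the key and cell identities are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# CKSN value "key not available" (the "111" named in the text) that forces the
# network to run a fresh authentication instead of reusing a stored key.
CKSN_KEY_NOT_AVAILABLE = 0b111


@dataclass
class SystemMessage:
    """Constructed BSS system message 2/2bis/3/4 with an R99+ flag in a spare field."""
    cell_id: str
    r99_plus: bool


def f1(k: bytes, rand: bytes, sqn: int) -> bytes:
    """Stand-in for the 3GPP f1 network-authentication function.
    Assumption: HMAC-SHA256 truncated to 64 bits instead of Milenage."""
    return hmac.new(k, rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]


class CoreNetwork:
    """Genuine R99+ core network sharing the long-term key K with the USIM."""

    def __init__(self, k: bytes) -> None:
        self._k = k
        self._sqn = 0

    def access_request(self, cksn: int) -> Optional[Dict[str, object]]:
        # Only CKSN "key not available" triggers a downlink authentication request
        # (step 220/502); any other CKSN lets the network skip the challenge.
        if cksn != CKSN_KEY_NOT_AVAILABLE:
            return None
        self._sqn += 1
        rand = os.urandom(16)
        return {"RAND": rand, "SQN": self._sqn, "MAC": f1(self._k, rand, self._sqn)}


class PseudoBaseStation:
    """Fake base station without K: it either skips authentication altogether
    or forges a challenge whose MAC cannot verify against the USIM key."""

    def __init__(self, forge_challenge: bool) -> None:
        self._forge = forge_challenge

    def access_request(self, cksn: int) -> Optional[Dict[str, object]]:
        if not self._forge:
            return None
        return {"RAND": os.urandom(16), "SQN": 1, "MAC": os.urandom(8)}


@dataclass
class Cell:
    system_message: SystemMessage
    responder: object  # CoreNetwork or PseudoBaseStation reachable through this cell


class Terminal:
    """Terminal with a USIM. enforce=True applies the page's rule: camp only on
    R99+-flagged cells and require a passing network authentication before access."""

    def __init__(self, k: bytes, enforce: bool = True) -> None:
        self._k = k
        self._enforce = enforce

    def try_access(self, cell: Cell) -> bool:
        # Step 210/501: the system message decides whether camping is allowed at all.
        if self._enforce and not cell.system_message.r99_plus:
            return False
        # Step 220/502: uplink authentication request (access request with CKSN = 111).
        challenge = cell.responder.access_request(CKSN_KEY_NOT_AVAILABLE)
        if challenge is None:
            # No downlink authentication request arrived. A legacy terminal proceeds
            # anyway, which is exactly what a pseudo base station relies on.
            return not self._enforce
        # Step 230/504: network authentication of the target cell. Real UMTS AKA also
        # checks SQN freshness; this simulation checks only the MAC.
        expected = f1(self._k, challenge["RAND"], challenge["SQN"])
        return hmac.compare_digest(expected, challenge["MAC"])


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios: which terminal/cell pairings end in access."""
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed USIM key
    genuine = Cell(SystemMessage("cell-A", r99_plus=True), CoreNetwork(k))
    fake_2g = Cell(SystemMessage("cell-X", r99_plus=False), PseudoBaseStation(False))
    fake_r99_silent = Cell(SystemMessage("cell-Y", r99_plus=True), PseudoBaseStation(False))
    fake_r99_forged = Cell(SystemMessage("cell-Z", r99_plus=True), PseudoBaseStation(True))
    strict, legacy = Terminal(k), Terminal(k, enforce=False)
    return {
        "strict_genuine": strict.try_access(genuine),
        "strict_fake_2g": strict.try_access(fake_2g),
        "strict_fake_r99_silent": strict.try_access(fake_r99_silent),
        "strict_fake_r99_forged": strict.try_access(fake_r99_forged),
        "legacy_fake_2g": legacy.try_access(fake_2g),
    }


if __name__ == "__main__":
    for name, accessed in run_scenarios().items():
        print(f"{name}: {'access' if accessed else 'refuse'}")
```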
上文结合图1至图5详细描述了本申请实施例的接入网络设备的方法的流程,下面结合图6至图11详细描述本申请实施例的终端设备和网络设备。The flow of the method for accessing the network device in the embodiment of the present application is described in detail above with reference to FIG. 1 to FIG. 5. The terminal device and the network device in the embodiments of the present application are described in detail below with reference to FIG.
图6示出了本申请一个实施例的终端设备的示意性框图。应理解,终端设备600能够执行图2和图5中UE执行的各个步骤,为了避免重复,此处不再详述。FIG. 6 shows a schematic block diagram of a terminal device of one embodiment of the present application. It should be understood that the terminal device 600 can perform the various steps performed by the UE in FIG. 2 and FIG. 5, and is not detailed herein to avoid repetition.
如图6所示,终端设备600包括以下单元。As shown in FIG. 6, the terminal device 600 includes the following units.
接收单元610,所述接收单元610用于接收基站控制器发送的系统消息,根据所述系统消息确定所述终端设备允许接入第一小区,并且所述终端设备在接入第一小区时进行网络鉴权,其中,所述第一小区为支持双向鉴权的小区。a receiving unit 610, configured to receive a system message sent by the base station controller, determine, according to the system message, that the terminal device allows access to the first cell, and the terminal device performs access to the first cell. Network authentication, where the first cell is a cell that supports two-way authentication.
发送单元620,所述发送单元620用于向核心网设备发送上行鉴权请求消息,所述上行鉴权请求消息用于通知所述核心网设备对所述终端设备进行鉴权。The sending unit 620 is configured to send an uplink authentication request message to the core network device, where the uplink authentication request message is used to notify the core network device to perform authentication on the terminal device.
鉴权单元630,所述鉴权单元630用于当接收核心网设备发送的下行鉴权请求消息时,对所述第一小区中的目标小区进行网络鉴权,确定是否接入所述目标小区。The authentication unit 630 is configured to: when receiving the downlink authentication request message sent by the core network device, perform network authentication on the target cell in the first cell, and determine whether to access the target cell. .
因此,本申请实施例通过指示终端设备仅仅能够接入标识为R99+版本的小区,并且对将要接入的目标小区进行网络鉴权,确定是否能够接入网络,从而能够尽量避免伪基站对网络造成的网络攻击。Therefore, the embodiment of the present application can indicate that the terminal device can only access the cell identified as the R99+ version, and perform network authentication on the target cell to be accessed to determine whether the network can be accessed. Cyber attack.
FIG. 7 shows a schematic block diagram of a network device according to an embodiment of the present application. It should be understood that the network device 700 can perform the steps performed by the core network device in FIG. 3 and FIG. 5; to avoid repetition, they are not detailed here.
As shown in FIG. 7, the network device 700 includes the following units.
The receiving unit 710 is configured to receive an uplink authentication request message sent by the terminal device, where the uplink authentication request message is a request message sent by the terminal device after receiving a system message sent by the base station controller, the system message being used by the terminal device to determine that it is allowed to access the first cell and instructing the terminal device to perform network authentication when accessing the first cell, and the first cell being a cell that supports two-way authentication;
The authentication unit 720 is configured to authenticate the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on the target cell in the first cell and determines whether to access the target cell.
Therefore, in this embodiment of the present application, the terminal device is instructed that it may only access cells identified as R99+ version, and network authentication is performed on the target cell to be accessed to determine whether the network may be accessed, so that network attacks mounted through pseudo base stations are avoided as far as possible.
FIG. 8 shows a schematic block diagram of a network device according to another embodiment of the present application. It should be understood that the network device 800 can perform the steps performed by the base station controller in FIG. 4 and FIG. 5; to avoid repetition, they are not detailed here.
As shown in FIG. 8, the network device 800 includes the following units.
The sending unit 810 is configured to send a system message to the terminal device, where the system message is used to indicate that the terminal device is allowed to access the first cell and that the terminal device performs network authentication on the first cell when accessing it, the first cell being a cell that supports two-way authentication.
The receiving unit 820 is configured to receive an uplink authentication request message sent by the terminal device, where the uplink authentication request message indicates that the terminal device needs to perform network authentication on the first cell.
The sending unit 810 is further configured to send the uplink authentication request message to the core network device to notify the core network device to authenticate the terminal device, so that the terminal device accesses a cell that has passed network authentication.
Therefore, in this embodiment of the present application, the terminal device is instructed that it may only access cells identified as R99+ version, and network authentication is performed on the target cell to be accessed to determine whether the network may be accessed, so that network attacks mounted through pseudo base stations are avoided as far as possible.
FIG. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application. It should be understood that the terminal device 900 can perform the steps performed by the UE in FIG. 2 and FIG. 5; to avoid repetition, they are not detailed here.
The device 900 includes the following components.
A memory 910, configured to store a program.
A transceiver 920, configured to communicate with other devices.
A processor 930, configured to execute the program in the memory 910. The processor 930 is connected to the memory 910 and to the transceiver 920, and is configured to execute the instructions stored in the memory 910 so as to perform the following steps when executing the instructions:
The processor 930 is configured to receive, through the transceiver 920, a system message sent by the base station controller, and to determine from the system message that the terminal device is allowed to access the first cell and that the terminal device performs network authentication when accessing the first cell, where the first cell is a cell that supports two-way authentication; to send an uplink authentication request message to the core network device, where the uplink authentication request message is used to notify the core network device to authenticate the terminal device; and, when the terminal device receives a downlink authentication request message sent by the core network device, to perform network authentication on the target cell in the first cell and determine whether to access the target cell.
It should be understood that the terminal device 900 may specifically be the terminal device in the foregoing embodiments, and may be used to perform the steps and/or procedures corresponding to the terminal device in the foregoing method embodiments.
FIG. 10 is a schematic block diagram of a network device according to an embodiment of the present application. It should be understood that the terminal device 1000 can perform the steps performed by the core network device in FIG. 3 and FIG. 5; to avoid repetition, they are not detailed here.
The device 1000 includes the following components.
A memory 1010, configured to store a program.
A transceiver 1020, configured to communicate with other devices.
A processor 1030, configured to execute the program in the memory 1010. The processor 1030 is connected to the memory 1010 and to the transceiver 1020, and is configured to execute the instructions stored in the memory 1010 so as to perform the following steps when executing the instructions: receiving an uplink authentication request message sent by the terminal device, where the uplink authentication request message is a request message sent by the terminal device after receiving a system message sent by the base station controller, the system message being used by the terminal device to determine that it is allowed to access the first cell and instructing the terminal device to perform network authentication when accessing the first cell, and the first cell being a cell that supports two-way authentication; and authenticating the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on the target cell in the first cell and determines whether to access the target cell.
It should be understood that the network device 1000 may specifically be the terminal device in the foregoing embodiments, and may be used to perform the steps and/or procedures corresponding to the core network device in the foregoing method embodiments.
FIG. 11 is a schematic block diagram of a network device according to another embodiment of the present application.
It should be understood that the terminal device 1100 can perform the steps performed by the base station controller in FIG. 3 and FIG. 5; to avoid repetition, they are not detailed here.
The device 1100 includes the following components.
A memory 1110, configured to store a program.
A transceiver 1120, configured to communicate with other devices.
A processor 1130, configured to execute the program in the memory 1110. The processor 1130 is connected to the memory 1110 and to the transceiver 1120, and is configured to execute the instructions stored in the memory 1110 so as to perform the following steps when executing the instructions: sending a system message to the terminal device, where the system message is used to indicate that the terminal device is allowed to access the first cell and that the terminal device performs network authentication on the first cell when accessing it, the first cell being a cell that supports two-way authentication; receiving an uplink authentication request message sent by the terminal device, where the uplink authentication request message indicates that the terminal device needs to perform network authentication on the first cell; and sending the uplink authentication request message to the core network device to notify the core network device to authenticate the terminal device, so that the terminal device accesses a cell that has passed network authentication.
It should be understood that the network device 1100 may specifically be the base station controller in the foregoing embodiments, and may be used to perform the steps and/or procedures corresponding to the base station controller in the foregoing method embodiments.
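The attach flow that the device embodiments above describe (system message with the R99+ indication, uplink authentication request with the key sequence number set to "no key available", downlink authentication request carrying the target cell, network authentication by the terminal, then the authentication response) as an added simulation. This is example code, not code from the patent or its applicant. The patent fixes neither the authentication algorithm nor the message encodings, so the HMAC-SHA256 challenge/response over a shared subscriber key, the message dataclasses, the IMSI/Ki sample values and the cell identifiers are all assumptions of this example; CKSN value 7 is the 3GPP TS 24.008 encoding of "no key is available". The third scenario shows why the R99+ flag alone is not the defence: a pseudo base station can copy the flag, but without the subscriber key it cannot produce a network token the terminal will accept.

```python
"""Simulation of the two-way cell authentication flow. Added example; the
crypto (HMAC-SHA256 challenge/response) and all message layouts are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# 3GPP TS 24.008: key sequence number 7 means "no key is available"; sending it
# in the access request forces the network to run its authentication procedure.
CKSN_NO_KEY = 7


@dataclass
class SystemMessage:
    cell_id: str
    msg_type: int      # BSS system information type 2, 3 or 4
    r99_plus: bool     # identification information: cell supports two-way auth


@dataclass
class AccessRequest:
    """Uplink authentication request (location update / CM service / paging response)."""
    imsi: str
    kind: str
    cksn: int
    cell_id: str


@dataclass
class DownlinkAuthRequest:
    target_cell: str
    rand: bytes
    network_token: bytes   # proof of key knowledge, bound to the target cell


@dataclass
class AuthResponse:
    imsi: str
    res: bytes


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class CoreNetwork:
    def __init__(self, subscriber_keys: Dict[str, bytes]) -> None:
        self.keys = subscriber_keys
        self.pending: Dict[str, bytes] = {}   # imsi -> RAND of the open challenge

    def on_access_request(self, req: AccessRequest) -> Optional[DownlinkAuthRequest]:
        key = self.keys.get(req.imsi)
        if key is None or req.cksn != CKSN_NO_KEY:
            return None   # unknown subscriber, or no authentication requested
        rand = os.urandom(16)
        self.pending[req.imsi] = rand
        # Token binds the challenge to the cell named in the downlink request.
        token = _mac(key, b"NET", rand, req.cell_id.encode())
        return DownlinkAuthRequest(req.cell_id, rand, token)

    def on_auth_response(self, resp: AuthResponse) -> bool:
        key = self.keys.get(resp.imsi)
        rand = self.pending.pop(resp.imsi, None)   # one response per challenge
        if key is None or rand is None:
            return False
        return hmac.compare_digest(resp.res, _mac(key, b"UE", rand))


class Terminal:
    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self.ki = ki

    def accepts_cell(self, msg: SystemMessage) -> bool:
        # Only cells advertised as R99+ (two-way authentication) may be accessed.
        return msg.msg_type in (2, 3, 4) and msg.r99_plus

    def access_request(self, msg: SystemMessage, kind: str = "LOCATION_UPDATE") -> AccessRequest:
        return AccessRequest(self.imsi, kind, CKSN_NO_KEY, msg.cell_id)

    def authenticate_network(self, dl: DownlinkAuthRequest) -> Optional[AuthResponse]:
        expected = _mac(self.ki, b"NET", dl.rand, dl.target_cell.encode())
        if not hmac.compare_digest(dl.network_token, expected):
            return None   # target cell failed network authentication: do not attach
        return AuthResponse(self.imsi, _mac(self.ki, b"UE", dl.rand))


def attach(ue: Terminal, msg: SystemMessage, core: CoreNetwork) -> str:
    if not ue.accepts_cell(msg):
        return "REJECTED_NOT_R99_PLUS"
    dl = core.on_access_request(ue.access_request(msg))
    if dl is None:
        return "REJECTED_NO_CHALLENGE"
    resp = ue.authenticate_network(dl)
    if resp is None:
        return "REJECTED_NETWORK_AUTH_FAILED"
    if not core.on_auth_response(resp):
        return "REJECTED_TERMINAL_AUTH_FAILED"
    return "ATTACHED:" + dl.target_cell


IMSI = "460001234567890"            # constructed sample subscriber
KI = bytes.fromhex("0f" * 16)       # constructed sample key


def demo() -> Dict[str, str]:
    ue = Terminal(IMSI, KI)
    operator = CoreNetwork({IMSI: KI})
    pseudo = CoreNetwork({IMSI: bytes.fromhex("aa" * 16)})   # copies the flag, lacks Ki
    return {
        "genuine": attach(ue, SystemMessage("cell-A", 3, True), operator),
        "legacy": attach(ue, SystemMessage("cell-B", 3, False), operator),
        "pseudo": attach(ue, SystemMessage("cell-X", 3, True), pseudo),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:8s} -> {outcome}")
```

Because the network token covers the target cell identifier, a downlink authentication request whose cell identifier is altered in transit also fails verification at the terminal, and because the core network discards the challenge after one response, a captured authentication response cannot be replayed.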
Those of ordinary skill in the art will appreciate that the method steps and units described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the steps and composition of the embodiments have been described above generally in terms of their function. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical solution. Those of ordinary skill in the art may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of the present application.
The methods or steps described in connection with the embodiments disclosed herein may be implemented in hardware, in a software program executed by a processor, or in a combination of the two. The software program may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
Although the present application has been described in detail with reference to the accompanying drawings and in conjunction with the preferred embodiments, the present application is not limited thereto. Those of ordinary skill in the art may make various equivalent modifications or substitutions to the embodiments of the present application without departing from the present application, and such modifications or substitutions fall within the scope of the present application.
Claims (22)
1. A method for accessing a network device, characterized in that it comprises:
   receiving, by a terminal device, a system message sent by a base station controller, and determining from the system message that the terminal device is allowed to access a first cell and that the terminal device performs network authentication when accessing the first cell, where the first cell is a cell that supports two-way authentication;
   sending, by the terminal device, an uplink authentication request message to a core network device, where the uplink authentication request message is used to notify the core network device to authenticate the terminal device; and
   when the terminal device receives a downlink authentication request message sent by the core network device, performing network authentication on a target cell in the first cell and determining whether to access the target cell.
2. The method according to claim 1, characterized in that, after performing network authentication on the target cell in the first cell, the method further comprises:
   returning an authentication response message to the core network device, where the authentication response message indicates that the terminal device has passed authentication of the target cell.
3. The method according to claim 1 or 2, characterized in that the uplink authentication request message is an access request message, and the access request message includes a key sequence number (CKSN) field set to "key not available", so as to trigger the authentication procedure of the network device for the terminal device.
4. The method according to claim 3, characterized in that the access request message is one of the following:
   a location update request message, a connection management (CM) service request message, and a paging response message.
5. The method according to any one of claims 1 to 4, characterized in that the system message carries identification information, and the identification information is used to indicate that the first cell is a cell identified as R99+ version.
6. A method for accessing a network device, characterized in that it comprises:
   receiving, by a core network device, an uplink authentication request message sent by a terminal device, where the uplink authentication request message is a request message sent by the terminal device after receiving a system message sent by a base station controller, the system message being used by the terminal device to determine that it is allowed to access a first cell and instructing the terminal device to perform network authentication when accessing the first cell, and the first cell being a cell that supports two-way authentication; and
   authenticating, by the core network, the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on a target cell in the first cell and determines whether to access the target cell.
7. The method according to claim 6, characterized in that, after the core network device receives the uplink authentication request message sent by the terminal device, the authenticating of the terminal device by the core network according to the uplink authentication request message further comprises:
   sending a downlink authentication request message to the terminal device, where the downlink authentication request message is used to instruct the terminal device to perform network authentication on the target cell, and the downlink authentication request message carries an identifier of the target cell.
8. A method for accessing a network device, characterized in that it comprises:
   sending, by a base station controller, a system message to a terminal device, where the system message is used to indicate that the terminal device is allowed to access a first cell and that the terminal device performs network authentication on the first cell when accessing it, the first cell being a cell that supports two-way authentication;
   receiving, by the base station controller, an uplink authentication request message sent by the terminal device, where the uplink authentication request message indicates that the terminal device needs to perform network authentication on the first cell; and
   sending, by the base station controller, the uplink authentication request message to the core network device to notify the core network device to authenticate the terminal device, so that the terminal device accesses a cell that has passed network authentication.
9. The method according to claim 8, characterized in that the method further comprises:
   receiving a downlink authentication request message sent by the core network device, where the downlink authentication request message is used to notify the terminal device to perform network authentication on a target cell in the first cell, and the downlink authentication request message carries an identifier of the target cell; and
   sending the downlink authentication request message to the terminal device.
10. The method according to claim 8 or 9, characterized in that the system message carries identification information, the identification information is used to indicate that the first cell is a cell identified as R99+ version, and the system message is one of the following:
   base station subsystem (BSS) system message 2, BSS system message 3, and BSS system message 4.
11. A terminal device, characterized in that it comprises:
   a receiving unit, configured to receive a system message sent by a base station controller and to determine from the system message that the terminal device is allowed to access a first cell and that the terminal device performs network authentication when accessing the first cell, where the first cell is a cell that supports two-way authentication;
   a sending unit, configured to send an uplink authentication request message to a core network device, where the uplink authentication request message is used to notify the core network device to authenticate the terminal device; and
   an authentication unit, configured to, when a downlink authentication request message sent by the core network device is received, perform network authentication on a target cell in the first cell and determine whether to access the target cell.
12. The terminal device according to claim 11, characterized in that the sending unit is further configured to:
   return an authentication response message to the core network device, where the authentication response message indicates that the terminal device has passed authentication of the target cell.
13. The terminal device according to claim 11 or 12, characterized in that the uplink authentication request message is an access request message, and the access request message includes a key sequence number (CKSN) field set to "key not available", so as to trigger the authentication procedure of the network device for the terminal device.
14. The terminal device according to claim 12, characterized in that the access request message is one of the following:
   a location update request message, a connection management (CM) service request message, and a paging response message.
15. The terminal device according to any one of claims 11 to 14, characterized in that the system message carries identification information, and the identification information is used to indicate that the first cell is a cell identified as R99+ version.
16. A network device, characterized in that it comprises:
   a receiving unit, configured to receive an uplink authentication request message sent by a terminal device, where the uplink authentication request message is a request message sent by the terminal device after receiving a system message sent by a base station controller, the system message being used by the terminal device to determine that it is allowed to access a first cell and instructing the terminal device to perform network authentication when accessing the first cell, and the first cell being a cell that supports two-way authentication; and
   an authentication unit, configured to authenticate the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on a target cell in the first cell and determines whether to access the target cell.
17. The network device according to claim 16, characterized in that the network device further comprises:
   a sending unit, configured to send a downlink authentication request message to the terminal device, where the downlink authentication request message is used to instruct the terminal device to perform network authentication on the target cell, and the downlink authentication request message carries an identifier of the target cell.
18. A network device, characterized in that it comprises:
   a sending unit, configured to send a system message to a terminal device, where the system message is used to indicate that the terminal device is allowed to access a first cell and that the terminal device performs network authentication on the first cell when accessing it, the first cell being a cell that supports two-way authentication; and
   a receiving unit, configured to receive an uplink authentication request message sent by the terminal device, where the uplink authentication request message indicates that the terminal device needs to perform network authentication on the first cell;
   the sending unit being further configured to send the uplink authentication request message to the core network device to notify the core network device to authenticate the terminal device, so that the terminal device accesses a cell that has passed network authentication.
19. The network device according to claim 18, characterized in that the receiving unit is further configured to:
   receive a downlink authentication request message sent by the core network device, where the downlink authentication request message is used to notify the terminal device to perform network authentication on a target cell in the first cell, and the downlink authentication request message carries an identifier of the target cell;
   and the sending unit is further configured to: send the downlink authentication request message to the terminal device.
20. The network device according to claim 18 or 19, characterized in that the system message carries identification information, the identification information is used to indicate that the first cell is a cell identified as R99+ version, and the system message is one of the following:
   base station subsystem (BSS) system message 2, BSS system message 3, and BSS system message 4.
21. A computer-readable medium, characterized in that the computer-readable medium is used to store a computer program, and the computer program includes instructions for performing the method according to any one of claims 1 to 10.
22. A computer program product, characterized in that, when the computer program product is executed by a computer, the method according to any one of claims 1 to 10 is implemented.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611124220.0 | 2016-12-08 | | |
| CN201611124220.0A CN108174380A (en) | 2016-12-08 | 2016-12-08 | Method for accessing network equipment, terminal equipment, and network equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2018103655A1 true WO2018103655A1 (en) | 2018-06-14 |
Family
ID=62491720
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2017/114765 WO2018103655A1 (en) | Method of accessing network apparatus, terminal apparatus thereof, and network apparatus | 2016-12-08 | 2017-12-06 |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN108174380A (en) |
| WO (1) | WO2018103655A1 (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110912661A (en) * | 2018-09-14 | 2020-03-24 | 华为技术有限公司 | Capability information receiving and sending method and device |
| CN112312389B (en) * | 2019-07-29 | 2022-05-06 | 中国移动通信集团广东有限公司 | Communication information transmission method, device, storage medium, and electronic device |
| CN113132334B (en) * | 2019-12-31 | 2022-12-27 | 华为技术有限公司 | Authorization result determination method and device |
| CN111479270B (en) * | 2020-04-15 | 2021-10-12 | 青岛交互物联科技有限公司 | Network access bidirectional authentication method and device |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090029677A1 (en) * | 2007-07-26 | 2009-01-29 | Sungkyunkwan University Foundation For Corporate Collaboration | Mobile authentication through strengthened mutual authentication and handover security |
| CN104168568A (en) * | 2014-08-28 | 2014-11-26 | 中国联合网络通信集团有限公司 | Mobile terminal and method for cell identity authentication through same |
| CN106028331A (en) * | 2016-07-11 | 2016-10-12 | 华为技术有限公司 | Pseudo base station identifying method and device |
- 2016-12-08 CN CN201611124220.0A patent/CN108174380A/en not_active Withdrawn
- 2017-12-06 WO PCT/CN2017/114765 patent/WO2018103655A1/en active Application Filing
Non-Patent Citations (1)
| Title |
|---|
| CHOUDHARY, ANILMIT: "Analysis of UMTS (3G) Authentication and Key Agreement Protocol (AKA) for LTE (4G) Network", INTERNATIONAL JOURNAL ON RECENT AND INNOVATION TRENDS IN COMPUTING AND COMMUNICATION, vol. 3, no. 4, 30 April 2015 (2015-04-30), pages 2146-2149, XP055606720, ISSN: 2321-8169 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108174380A (en) | 2018-06-15 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17879165; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 17879165; Country of ref document: EP; Kind code of ref document: A1 |