
WO2018137671A1 - Authentication method, base station, user equipment, core network, system, device, and data storage medium - Google Patents


Info

Publication number
WO2018137671A1
Authority
WO
WIPO (PCT)
Prior art keywords
base station
token1
information
key
algorithm information
Application number
PCT/CN2018/074053
Other languages
English (en)
Chinese (zh)
Inventor
谢振华
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/06 Authentication
    • H04W 12/08 Access security

Definitions

  • the present application relates to the field of communications, and in particular, to a connection reestablishment authentication method, a base station, a user equipment (UE), a core network and system, a communication device, and a storage medium.
  • the 3rd Generation Partnership Project (3GPP) proposes an authentication scheme for mobile network connection reestablishment, which includes: first, the UE sends an attach request to a core network element (such as the mobile network entity MME); the core network element then authenticates the UE, negotiates a key and a security algorithm during the authentication process, and generates a Key based on that key; the core network element calculates a token (Token1) using the negotiated key and the security algorithm and carries Token1 in the connection establishment indication sent to the source base station;
  • the source base station transmits a downlink data message to the UE based on Token1; when the UE needs to establish a connection with a target base station, it sends a re-establishment request carrying Token1 to the target base station;
  • the target base station and the source base station verify Token1, and receive from the core network a handover instruction that includes a recalculated Token2.
  • the main object of the present invention is to provide a connection re-establishment authentication method, a base station, a user equipment, a core network and system, a communication device, and a storage medium, which are intended to solve the above problems in the prior art.
  • an embodiment of the present invention provides a connection reestablishment authentication method, which is applied to a first base station, and the method includes:
  • the first base station receives algorithm information and a key for the terminal UE from the core network element;
  • or: the first base station receives a request from the second base station for the UE, and sends a second token Token2 and the algorithm information to the second base station, where Token2 is generated based on the algorithm information and the key and is used by the second base station to verify the Token1 sent by the UE.
  • the method further includes: the first base station generates a second token Token2 based on the algorithm information and the key, and compares the generated Token2 with Token1.
  • the method further includes: when the first base station successfully verifies Token1, it sends the algorithm information to the second base station.
  • the method further includes: the first base station sends the algorithm information to the UE.
  • the method further includes: the first base station transmits its security capability information to the core network element, where the core network element uses the security capability information to select the algorithm information.
  • the embodiment of the present invention further provides an authentication method for connection reestablishment, which is applied to a second base station, where the method includes:
  • the second base station receives the first token Token1 from the terminal UE;
  • or: the second base station requests the first base station to send a second token Token2, and Token2 is used on the second base station side to verify Token1.
  • the embodiment of the present invention further provides an authentication method for connection reestablishment, which is applied to a terminal UE, and the method includes:
  • the terminal UE receives algorithm information and key generation information from a core network element;
  • the UE sends a first token Token1 to the second base station, where Token1 is generated based on the algorithm information and a key generated from the key generation information.
  • the embodiment of the present invention further provides an authentication method for connection reestablishment, which is applied to a core network, and the method includes:
  • the core network element negotiates key generation information and algorithm information with the terminal UE;
  • the algorithm information and a key generated based on the key generation information are transmitted to the first base station.
  • the core network element receives security capability information from the first base station and uses it to select the algorithm information.
  • the embodiment of the present invention further provides a first base station, where the first base station includes:
  • a first receiving unit configured to receive algorithm information and a key from a core network element;
  • a second receiving unit configured to receive a first token Token1 from the second base station, where Token1 is received by the second base station from the UE and is verified by the first base station based on the algorithm information and the key;
  • or: the second receiving unit is configured to receive a request from the second base station;
  • and the sending unit is configured to send the second token Token2 and the algorithm information to the second base station, where Token2 is generated based on the algorithm information and the key and is used on the second base station side to verify the Token1 sent by the UE.
  • the first base station further includes: a processing unit configured to generate a second token Token2 based on the algorithm information and the key, and to compare the generated Token2 with Token1.
  • the sending unit is configured to: when the first base station successfully verifies Token1, send the algorithm information to the second base station.
  • the sending unit is configured to send the algorithm information to the UE.
  • the sending unit is configured to send the security capability information of the first base station to the core network element, where the core network element uses the security capability information to select the algorithm information.
  • the embodiment of the present invention further provides a second base station, where the second base station includes:
  • a receiving unit configured to receive a first token Token1 from the UE;
  • a sending unit configured to forward Token1 to the first base station;
  • or: the sending unit is configured to request that the first base station send a second token Token2.
  • An embodiment of the present invention further provides a UE, where the UE includes:
  • an information receiving unit configured to receive algorithm information and key generation information from a core network element;
  • an information sending unit configured to send a first token Token1 to the second base station, where Token1 is generated based on the algorithm information and a key generated from the key generation information.
  • the embodiment of the invention further provides a core network, where the core network includes:
  • a negotiating unit configured to negotiate key generation information and algorithm information with the UE;
  • a communication unit configured to send the algorithm information and a key generated based on the key generation information to the first base station.
  • the communication unit is configured to receive security capability information from the first base station, where the security capability information is used by the core network element to select the algorithm information.
  • the embodiment of the invention further provides a connection reestablishment authentication system, the system comprising:
  • a first base station configured to receive algorithm information and a key from a core network element; to receive a first token Token1 for the UE from the second base station, where Token1 is received by the second base station from the UE, and to verify it based on the algorithm information and the key; or to receive a request from the second base station for the UE and send a second token Token2 and the algorithm information to the second base station,
  • where Token2 is generated based on the algorithm information and the key, and is used on the second base station side to verify the Token1 sent by the UE;
  • the second base station is configured to receive the first token Token1 from the UE and to forward Token1 to the first base station, or to request that the first base station send a second token Token2;
  • the UE is configured to receive the algorithm information and the key generation information from the core network element, and to send the first token Token1 to the second base station, where Token1 is generated based on the algorithm information and a key generated from the key generation information;
  • the core network is configured to negotiate key generation information and algorithm information with the terminal UE, and to send the algorithm information and a key generated from the key generation information to the first base station.
  • the embodiment of the present invention further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the foregoing method.
  • the embodiment of the present invention further provides a communication device comprising a processor and a memory configured to store a computer program executable on the processor, where the processor is configured to perform the steps of the foregoing method when the computer program is run.
  • the network side sends the slice security parameter of the selected slice network to the terminal, so that the network side and the terminal can each generate dedicated keys for the different slice networks; each slice network thus has its own dedicated security protection, which realizes security isolation between slice networks and improves the security of slice network communication.
  • FIG. 1 is a schematic flowchart of a connection reestablishment authentication method according to an embodiment of the present invention.
  • FIG. 2 is schematic flowchart 1 of a connection reestablishment authentication method according to Embodiment 1 of the present invention.
  • FIG. 3 is schematic flowchart 2 of a connection reestablishment authentication method according to Embodiment 1 of the present invention.
  • FIG. 4 is a schematic flowchart of a connection reestablishment authentication method according to an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a connection reestablishment authentication method according to an embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of a connection reestablishment authentication method according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a first base station according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of a second base station according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a UE according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of a core network according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of a connection reestablishment authentication system according to an embodiment of the present invention.
  • An embodiment of the present invention provides a connection reestablishment authentication method, which is applied to a first base station, as shown in FIG. 1 , and includes:
  • Step 101: the first base station receives algorithm information and a key for the terminal UE from the core network element, where the first base station is the source base station of the UE it manages;
  • Step 102: the first base station receives a first token Token1 for the UE from a second base station, where Token1 is received by the second base station from the UE, and the first base station verifies it based on the algorithm information and the key;
  • or: the first base station receives a request from the second base station for the UE and sends a second token Token2 and the algorithm information to the second base station, where Token2 is generated based on the algorithm information and the key and is used by the second base station to verify the Token1 sent by the UE;
  • the second base station is a target base station to be handed over by the UE.
  • the first base station and the second base station may be the same base station or different base stations.
  • before step 101 is performed, the UE also needs to send an attach request to the core network element.
  • the first base station (that is, the source base station) then sends security capability information to the core network element, which may include the algorithm information it supports.
  • the first base station sends its security capability information to the core network element, where the core network element uses the security capability information to select the algorithm information.
  • the first base station receives the algorithm information and the key from the core network.
  • the first base station and the UE can authenticate each other by generating an initial token from the algorithm information and the key, after which the first base station and the UE transmit information.
  • specifically, this can include:
  • the core network element and the UE perform an authentication process, through which the key generation information and the security algorithm to be used (Algorithm) are negotiated with the UE, and a Key is generated based on the key generation information; the core network element can select a security algorithm supported by the source base station system according to policy, or select it according to the received security capability information of the source base station system;
  • the core network element sends a connection establishment indication to the source base station system (such as an eNB), for example a Connection Establishment Indication message, which carries the Key and the negotiated Algorithm;
  • the source base station system stores the Algorithm and the Key, and sends a downlink data message to the UE, for example an RRC DL Information Transfer message.
  • when the UE needs to connect to a target base station, it generates the Key from the negotiated key generation information and calculates the first token Token1 using the negotiated Algorithm and related parameters (such as the source or target base station system identifier, or the user identifier assigned by the source base station system), then sends a connection reestablishment request to the target base station, for example an RRC Connection Re-establishment Request message carrying Token1.
  • verifying Token1 based on the algorithm information and the key may include:
  • the first base station generates a second token Token2 based on the algorithm information and the key;
  • the generated Token2 is compared with Token1 to obtain a verification result.
  • the target base station requests the UE context from the source base station (the first base station), for example by sending a Retrieve UE Context Request message, which may carry the received Token1; the first base station uses the Key, the Algorithm and related parameters (such as the source or target base station system identifier, or the user identifier assigned by the source base station system) to calculate Token2. If the source base station system has received Token1, it compares the calculated Token2 with the received Token1; if they are equal, the UE is authenticated successfully, otherwise authentication fails.
  • the first base station (the source base station) returns the UE context, for example by sending a Retrieve UE Context Response message; if the source base station system did not receive Token1, the response carries the calculated Token2;
  • or: the first base station receives a request from the second base station, generates a second token Token2 based on the algorithm information and the key, and sends Token2 to the second base station, so that the second base station verifies, using Token2, the Token1 included in the connection re-establishment request sent by the UE; specifically, the target base station system receives Token2 from the source base station system and compares it with the Token1 received from the UE; if they are equal, the UE is authenticated successfully, otherwise authentication fails.
  • the target base station system then sends a connection reestablishment response to the UE, for example an RRC Connection Re-establishment message.
  • FIG. 2 is a schematic flowchart 1 of a connection reestablishment authentication method according to Embodiment 1 of the present invention, where the process includes:
  • Step 201: the UE sends an attach request to the core network element (such as the mobile network entity MME), for example an Attach Request message; the message passes through the source base station system (such as an eNB);
  • Step 202: the source base station system forwards the attach request to the core network element, and may carry its own security capability information, such as the supported security algorithm information;
  • Step 203: the core network element and the UE perform an authentication process, through which the key generation information and the security algorithm to be used (Algorithm) are negotiated with the UE, and a Key is generated based on the key generation information; the core network element can select a security algorithm supported by the source base station system according to policy, or select it according to the received security capability information of the source base station system;
  • Step 204: the core network element sends a connection establishment indication to the source base station system (such as an eNB), for example a Connection Establishment Indication message, which carries the Key and the negotiated Algorithm;
  • Step 205: the source base station system stores the Algorithm and the Key, and sends a downlink data message to the UE, for example an RRC DL Information Transfer message;
  • Step 206: when the UE wants, at some point, to establish a connection with another base station system (the target base station system), it generates the Key from the negotiated key generation information, calculates a Token using the negotiated Algorithm and related parameters (such as the source or target base station system identifier, or the user identifier assigned by the source base station system), and then sends a connection reestablishment request to the target base station, for example an RRC Connection Re-establishment Request message carrying the Token;
  • Step 207: the target base station system requests the UE context from the source base station system, for example by sending a Retrieve UE Context Request message, which may carry the received Token;
  • Step 208: the source base station system calculates the Token using the Key, the Algorithm and related parameters (such as the source or target base station system identifier, or the user identifier allocated by the source base station system). If the source base station system has received the Token, it compares the calculated Token with the received Token; if they are equal, the UE is authenticated successfully, otherwise authentication fails. If authentication succeeds, or if the source base station system did not receive the Token, the source base station returns the UE context, for example by sending a Retrieve UE Context Response message, which carries the calculated Token when the source base station system did not receive the Token;
  • Step 209: the target base station system receives the Token from the source base station system and compares it with the Token from the UE; if they are equal, the UE is authenticated successfully, otherwise authentication fails. If authentication succeeds, or if the target base station did not receive a Token from the source base station system, the target base station system sends a connection reestablishment response to the UE, for example an RRC Connection Re-establishment message;
  • Step 210: the target base station system sends a path switch request to the core network element, for example a Path Switch message;
  • Step 211: the core network element sends a path switch response to the target base station system, for example a Path Switch ACK message.
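The FIG. 2 flow above, steps 203 to 209, in both verification modes (source-side when the Token is forwarded in the Retrieve UE Context Request, target-side when the source returns its calculated Token), as an added Python simulation that is not part of the patent. The HMAC token construction, the derivation of the Key from the key generation information, the algorithm names and every identifier are assumptions, since the page does not fix them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: the page names the token inputs (Key, Algorithm,
# source/target base station system identifiers, UE identifier) but not the
# concrete construction. Assumed here: the negotiated "Algorithm" selects an
# HMAC hash and Token = HMAC(Key, source_id | target_id | ue_id).
ALGORITHMS = {"HMAC-SHA256": hashlib.sha256, "HMAC-SHA1": hashlib.sha1}
PREFERENCE = ["HMAC-SHA256", "HMAC-SHA1"]  # assumed core network policy


def derive_key(key_generation_info: bytes) -> bytes:
    """Assumed KDF: core network and UE both derive the Key from the
    negotiated key generation information, so the Key itself is never sent
    to the UE over the air (step 205 carries only a downlink message)."""
    return hashlib.sha256(b"token-key|" + key_generation_info).digest()


def compute_token(key: bytes, algorithm: str, source_id: str,
                  target_id: str, ue_id: str) -> bytes:
    """Token over the related parameters the page lists, so a token is bound
    to one source/target pair and one UE and is rejected anywhere else."""
    msg = "|".join([source_id, target_id, ue_id]).encode()
    return hmac.new(key, msg, ALGORITHMS[algorithm]).digest()


@dataclass
class UE:
    ue_id: str
    kgi: bytes = b""        # negotiated key generation information
    algorithm: str = ""     # negotiated Algorithm

    def reestablishment_request(self, source_id: str, target_id: str) -> bytes:
        """Step 206: regenerate the Key and compute the Token for the target."""
        key = derive_key(self.kgi)
        return compute_token(key, self.algorithm, source_id, target_id, self.ue_id)


@dataclass
class SourceBaseStation:
    bs_id: str
    security_capability: list
    contexts: dict = field(default_factory=dict)  # ue_id -> (Key, Algorithm)

    def connection_establishment_indication(self, ue_id, key, algorithm):
        """Steps 204-205: store the Key and Algorithm for this UE."""
        self.contexts[ue_id] = (key, algorithm)

    def retrieve_ue_context(self, ue_id, target_id, token1=None):
        """Step 208: calculate the Token; verify it here if the target forwarded
        the UE's Token, otherwise return it so the target can verify."""
        key, algorithm = self.contexts[ue_id]
        token2 = compute_token(key, algorithm, self.bs_id, target_id, ue_id)
        if token1 is not None:
            if not hmac.compare_digest(token1, token2):
                return None  # authentication failed: no UE context released
            return {"ue_id": ue_id, "algorithm": algorithm}
        return {"ue_id": ue_id, "algorithm": algorithm, "token2": token2}


@dataclass
class TargetBaseStation:
    bs_id: str

    def reestablish(self, ue_id, token1, source, forward_token1: bool) -> bool:
        """Steps 207-209: request the UE context; accept the UE only if the
        source verified the Token or the returned Token matches the UE's."""
        ctx = source.retrieve_ue_context(
            ue_id, self.bs_id, token1 if forward_token1 else None)
        if ctx is None:
            return False
        if "token2" in ctx:
            return hmac.compare_digest(ctx["token2"], token1)
        return True


class CoreNetwork:
    def attach(self, ue: UE, source: SourceBaseStation) -> None:
        """Steps 202-204: pick an Algorithm the source supports, negotiate key
        generation information with the UE, push Key and Algorithm to source."""
        algorithm = next(a for a in PREFERENCE if a in source.security_capability)
        kgi = secrets.token_bytes(16)
        ue.kgi, ue.algorithm = kgi, algorithm
        source.connection_establishment_indication(ue.ue_id, derive_key(kgi), algorithm)


def run_scenario(forward_token1: bool, stale_ue: bool = False,
                 wrong_target: bool = False) -> bool:
    """Returns True when the target accepts the re-establishment request."""
    ue = UE("ue-0001")  # constructed identifiers
    source = SourceBaseStation("enb-src", ["HMAC-SHA1"])
    target = TargetBaseStation("enb-tgt")
    CoreNetwork().attach(ue, source)
    if stale_ue:
        ue.kgi = b"stale-key-generation-info"  # UE no longer holds the value
    tgt = "enb-other" if wrong_target else target.bs_id
    token1 = ue.reestablishment_request(source.bs_id, tgt)
    return target.reestablish(ue.ue_id, token1, source, forward_token1)
```

Because the token covers the target identifier, a Token computed for one target base station is rejected by another, which the `wrong_target` scenario checks; in the target-side mode the source never learns whether verification passed, so any logging of failures has to live at the target.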
  • the embodiment further provides a processing manner different from the foregoing: before the first base station receives the first token Token1 from the second base station, the method further includes:
  • receiving second algorithm information sent by the core network element;
  • when the first base station successfully verifies Token1, sending the second algorithm information to the second base station;
  • the second token may be calculated based on the second algorithm information and compared with the first token to obtain a verification result;
  • FIG. 3 is a schematic flowchart 2 of a connection reestablishment authentication method according to Embodiment 1 of the present invention, where the process includes:
  • Step 301: the UE sends an attach request to the core network element (such as the mobile network entity MME), for example an Attach Request message; the message passes through the source base station system (such as an eNB);
  • Step 302: the source base station system forwards the attach request to the core network element, and may carry its own security capability information, such as the supported security algorithm information;
  • Step 303: the core network element and the UE perform an authentication process, through which the key generation information and the security algorithm to be used (Algorithm1) are negotiated with the UE, and a Key is generated based on the key generation information; the core network element can select a security algorithm supported by the source base station system according to policy, or select it according to the received security capability information of the source base station system;
  • Step 304: the core network element sends a connection establishment indication to the source base station system (such as an eNB), for example a Connection Establishment Indication message, which carries the Key and an Algorithm2;
  • Step 305: the source base station system stores the Key and Algorithm2, and sends a downlink data message to the UE, for example an RRC DL Information Transfer message, which carries Algorithm2;
  • Step 306: when the UE wants, at some point, to establish a connection with another base station system (the target base station system), it generates the Key from the negotiated key generation information, calculates the Token using Algorithm2 and related parameters (such as the source or target base station system identifier, or the user identifier assigned by the source base station system), and then sends a connection reestablishment request to the target base station system, for example an RRC Connection Re-establishment Request message carrying the Token;
  • Step 307: the target base station system requests the UE context from the source base station system, for example by sending a Retrieve UE Context Request message, which may carry the received Token;
  • Step 308: the source base station system calculates the Token (Token2) using the Key, Algorithm2 and related parameters (such as the source or target base station system identifier, or the user identifier allocated by the source base station system). If the source base station system has received the Token, it compares the calculated Token2 with the received Token; if they are equal, the UE is authenticated successfully, otherwise authentication fails. If authentication succeeds, or if the source base station system did not receive the Token, the source base station system returns the UE context, for example by sending a Retrieve UE Context Response message, which carries the calculated Token when the source base station system did not receive the Token;
  • Step 309: the target base station system receives the Token from the source base station system and compares it with the Token from the UE; if they are equal, the UE is authenticated successfully, otherwise authentication fails. If authentication succeeds, or if the target base station system did not receive a Token from the source base station system, the target base station system sends a connection reestablishment response to the UE, for example an RRC Connection Re-establishment message;
  • Step 310: the target base station system sends a path switch request to the core network element, for example a Path Switch message;
  • Step 311: the core network element sends a path switch response to the target base station system, for example a Path Switch ACK message.
  • that is, the second base station system (the target) sends a path switch request to the core network element, for example a Path Switch message, and the core network element sends a path switch response to the target base station system, for example a Path Switch ACK message.
  • the present embodiment describes an authentication method for a connection re-establishment from the second base station, the UE, and the core network side, respectively.
  • when applied to the second base station, referring to FIG. 4, the method includes:
  • Step 401: the second base station receives the first token Token1 from the UE;
  • Step 402: the second base station forwards Token1 to the first base station;
  • or: the second base station requests the first base station to send the second token Token2.
  • in that case the method further includes: after receiving Token2, the second base station compares Token1 with Token2 to obtain a verification result.
  • a connection re-establishment authentication method is applied to the UE. As shown in FIG. 5, the method includes:
  • Step 501: the UE receives algorithm information and key generation information from the core network element, either via the first base station or directly;
  • Step 502: the UE sends a first token Token1 to the second base station, where Token1 is generated based on the algorithm information and a key generated from the key generation information.
  • the first base station is the source base station of the UE, and the second base station is the target base station of the UE.
  • the connection reestablishment authentication method provided in this embodiment, when applied to a core network, includes:
  • Step 601: the core network element negotiates key generation information and algorithm information with the UE;
  • Step 602: the core network element sends the algorithm information and the key generated from the key generation information to the first base station, where the first base station is the source base station of the UE it manages.
  • the core network element also receives security capability information from the first base station and uses it to select the algorithm information.
  • in this way the token is verified on the base station side when reconnection is performed; repeated generation of the token on the core network side is avoided, and the load on the core network element is reduced.
  • An embodiment of the present invention provides a first base station, where the first base station includes:
  • a first receiving unit configured to receive algorithm information and a key from a core network element;
  • a second receiving unit configured to receive a first token Token1 from the second base station, where Token1 was received by the second base station from the UE and is verified based on the algorithm information and the key; or
  • the second receiving unit is configured to receive a request from the second base station, and
  • the sending unit is configured to send the second token Token2 and the algorithm information to the second base station, where Token2 is generated based on the algorithm information and the key and is used for verification on the second base station side.
  • the first base station includes: a first receiving unit 71 configured to receive algorithm information and a key from a core network element; where the first base station is the source base station of the user equipment UE managed by that core network element;
  • the second receiving unit 72 is configured to receive the first token Token1 from the second base station; correspondingly, the processing unit 73 is configured to check the Token1 based on the algorithm information and the key;
  • the second receiving unit 72 is configured to receive a request from the second base station
  • the processing unit 73 is configured to generate a second token Token2 based on the algorithm information and the key;
  • the sending unit 74 is configured to send the Token2 to the second base station
  • the second base station is a target base station to be handed over by the UE.
  • the first base station and the second base station may be the same base station or different base stations.
  • the UE also needs to send an attach request to the core network element, through the first base station,
  • that is, the source base station;
  • the first base station then sends security capability information to the core network element, which may include the algorithm information it can support;
  • the first base station receives the algorithm information and the key from the core network element;
  • the first base station and the UE can authenticate each other by using the algorithm information and the key to generate an initial token, after which the first base station and the UE transfer information.
  • specifically, the procedure can include:
  • the core network element and the UE perform an authentication process, through which the key generation information and the security algorithm Algorithm to be used are negotiated with the UE, and a Key is generated based on the key generation information; the core network element can select a security algorithm supported by the source base station system according to policy,
  • or may select the supported security algorithm according to the received security capability information of the source base station system;
  • the core network element sends a connection establishment indication to the source base station system (such as an eNB), for example a Connection Establishment Indication message, which carries the Key and the negotiated Algorithm;
  • the source base station system (such as an eNB)
  • stores the Algorithm and the Key, and sends a downlink data message to the UE, for example an RRC DL Information Transfer message;
  • when connection re-establishment is needed, the UE generates the Key from the negotiated key generation information, calculates the first token Token1 with the negotiated Algorithm over the related parameters (such as the source or target base station system identifier, or the user identifier assigned by the source base station system), and then sends a connection reestablishment request to the target base station, for example an RRC Connection Re-establishment Request message, carrying Token1.
  • correspondingly, the processing unit of the first base station is configured to generate a second token Token2 based on the algorithm information and the key;
  • the generated Token2 is compared with Token1 to obtain a verification result.
  • the target base station (the second base station) requests the UE context from the source base station (the first base station), for example by sending a Retrieve UE Context Request message, which may carry the received Token1; the first base station system calculates Token2 using the Key, the Algorithm and the related parameters (such as the source or target
  • base station system identifier, or the user identifier assigned by the source base station system). If the source base station system received Token1, it compares the calculated Token2 with the received Token1; if they are equal, the UE is authenticated successfully, otherwise authentication fails;
  • the first base station (the source base station) returns the UE context, for example by sending a Retrieve UE Context Response message; if the source base station system did not receive Token1, the response carries the calculated Token2;
  • in that case the first base station receives the request from the second base station, generates the second token Token2 based on the algorithm information and the key, and sends Token2 to the second base station, so that the second base station verifies, using Token2, the Token1 included in the connection re-establishment request sent by the UE; specifically, the target base station system receives Token2 from the source base station system and compares it with the Token1 received from the UE; if they are equal, the UE is authenticated successfully, otherwise authentication fails;
  • the target base station system sends a connection reestablishment response to the UE, for example an RRC Connection Re-establishment message.
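The exchange described in the steps above, written out as an added example that is not part of the patent and not ZTE's code. Everything concrete here is an assumption: HMAC-SHA256 truncated to 32 bits stands in for the negotiated Algorithm, an HMAC-based derivation stands in for the key generation step, and the method names (`retrieve_ue_context`, `reestablishment_request`) and identifiers (`eNB-src`, `eNB-tgt`, UE id `0x1234`) are chosen only to mirror the message flow on the page. The block runs both verification modes (the source base station compares Token1 with its own Token2, or the target fetches Token2 and compares) and the failure cases a practitioner would check: a Token1 replayed towards a different target base station, a UE with no context at the source, and a tampered token.

```python
import hashlib
import hmac
import secrets

# Assumption: the page only says "the negotiated Algorithm"; a 32-bit truncated
# HMAC-SHA256 stands in for the algorithm information in this example.
ALGORITHMS = {
    "hmac-sha256-32": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest()[:4],
}


def derive_key(shared_secret: bytes, key_generation_info: bytes) -> bytes:
    """Key derived by both the core network element and the UE from the negotiated
    key generation information (the KDF itself is an assumption)."""
    return hmac.new(shared_secret, b"reestablishment-key|" + key_generation_info,
                    hashlib.sha256).digest()


def compute_token(algorithm: str, key: bytes, source_id: str, target_id: str,
                  ue_id: int) -> bytes:
    """Token over the related parameters the page names: source and target base
    station identifiers and the UE identifier assigned by the source base station.
    Fixed-width fields keep the encoding unambiguous."""
    msg = (source_id.encode().ljust(16, b"\0") + target_id.encode().ljust(16, b"\0")
           + ue_id.to_bytes(4, "big"))
    return ALGORITHMS[algorithm](key, msg)


class SourceBaseStation:
    """First base station: stores Algorithm and Key per UE after the Connection
    Establishment Indication and answers Retrieve UE Context Requests."""

    def __init__(self, bs_id: str, capabilities: list):
        self.bs_id, self.capabilities, self.contexts = bs_id, capabilities, {}

    def connection_establishment_indication(self, ue_id: int, algorithm: str, key: bytes):
        self.contexts[ue_id] = (algorithm, key)

    def retrieve_ue_context(self, ue_id: int, target_id: str, token1: bytes = None) -> dict:
        # If Token1 is carried, verify here; otherwise hand Token2 to the target.
        if ue_id not in self.contexts:
            return {"token2": None, "verified": False}
        algorithm, key = self.contexts[ue_id]
        token2 = compute_token(algorithm, key, self.bs_id, target_id, ue_id)
        if token1 is not None:
            return {"token2": None, "verified": hmac.compare_digest(token1, token2)}
        return {"token2": token2, "verified": None}


class TargetBaseStation:
    """Second base station: receives Token1 in the RRC Connection Re-establishment
    Request and either forwards it or asks the source base station for Token2."""

    def __init__(self, bs_id: str, source: SourceBaseStation):
        self.bs_id, self.source = bs_id, source

    def reestablishment_request(self, ue_id: int, token1: bytes, verify_at_source: bool) -> bool:
        if verify_at_source:
            return self.source.retrieve_ue_context(ue_id, self.bs_id, token1=token1)["verified"]
        token2 = self.source.retrieve_ue_context(ue_id, self.bs_id)["token2"]
        return token2 is not None and hmac.compare_digest(token1, token2)


class UE:
    def __init__(self, ue_id: int, shared_secret: bytes):
        self.ue_id, self.shared_secret = ue_id, shared_secret

    def negotiated(self, key_generation_info: bytes, algorithm: str, source_id: str):
        self.key = derive_key(self.shared_secret, key_generation_info)
        self.algorithm, self.source_id = algorithm, source_id

    def token1_for(self, target_id: str) -> bytes:
        return compute_token(self.algorithm, self.key, self.source_id, target_id, self.ue_id)


class CoreNetworkElement:
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # ue_id -> long-term shared secret (constructed)

    def attach(self, ue: UE, source: SourceBaseStation):
        # Authentication/negotiation with the UE, algorithm chosen from the source's
        # security capabilities, then the Connection Establishment Indication.
        key_generation_info = secrets.token_bytes(16)
        algorithm = next(a for a in source.capabilities if a in ALGORITHMS)
        key = derive_key(self.subscribers[ue.ue_id], key_generation_info)
        ue.negotiated(key_generation_info, algorithm, source.bs_id)
        source.connection_establishment_indication(ue.ue_id, algorithm, key)


def run_scenario() -> dict:
    secret = bytes(range(32))  # constructed long-term secret shared by UE and core
    ue = UE(ue_id=0x1234, shared_secret=secret)
    core = CoreNetworkElement({ue.ue_id: secret})
    source = SourceBaseStation("eNB-src", ["hmac-sha256-32"])
    target = TargetBaseStation("eNB-tgt", source)
    other = TargetBaseStation("eNB-other", source)
    core.attach(ue, source)
    token1 = ue.token1_for(target.bs_id)
    return {
        "verify_at_source": target.reestablishment_request(ue.ue_id, token1, True),
        "verify_at_target": target.reestablishment_request(ue.ue_id, token1, False),
        # Token1 is bound to eNB-tgt; replaying it towards another target must fail
        "replayed_elsewhere": other.reestablishment_request(ue.ue_id, token1, True),
        "unknown_ue": target.reestablishment_request(0x9999, token1, True),
        "tampered": target.reestablishment_request(ue.ue_id, bytes(b ^ 0xFF for b in token1), False),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two design points matter more than the choice of MAC: the target base station identifier goes into the token, so a Token1 captured in one cell cannot be replayed into another, and both comparisons use `hmac.compare_digest` rather than `==`, since the token is the only thing the target has to decide whether to hand back a UE context.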
  • this embodiment further provides a processing manner different from the foregoing: before the first base station receives the first token Token1 from the second base station, the method further includes:
  • the processing unit is configured to send first algorithm information to the UE according to the first algorithm information sent by the core network element, determine an initial token with the UE by using the first algorithm information, and interact with the UE based on the initial token;
  • the first receiving unit is configured to receive second algorithm information sent by the core network element;
  • the sending unit is configured to send the second algorithm information to the second base station when the first base station verifies Token1 successfully;
  • the second token may then be calculated based on the second algorithm information, and the second token is compared with the first token to obtain a verification result.
  • the present embodiment describes the authentication method for connection re-establishment from the second base station side, the UE side and the core network side, respectively.
  • When applied to the second base station, referring to FIG. 8, the second base station includes:
  • the receiving unit 81 is configured to receive the first token Token1 from the UE;
  • the sending unit 82 is configured to forward Token1 to the first base station;
  • or the sending unit 82 is configured to request the first base station to send the second token Token2;
  • in that case,
  • the second base station further includes:
  • a processing unit configured to compare Token1 and Token2 after receiving Token2, to obtain a verification result.
  • a UE includes:
  • the information receiving unit 91 is configured to receive algorithm information and key generation information from the core network element, through the first base station or directly;
  • the information sending unit 92 is configured to send a first token Token1 to the second base station, where the Token1 is generated based on the algorithm information and a key generated based on the key generation information;
  • the first base station is a source base station of the user equipment UE
  • the second base station is a target base station of the UE.
  • a core network element provided in this embodiment, see FIG. 10, includes:
  • the negotiating unit 1001 is configured to negotiate key generation information and algorithm information with the UE;
  • the communication unit 1002 is configured to send the algorithm information and a key generated based on the key generation information to the first base station, where the first base station is the source base station of the user equipment UE managed by that core network element.
  • the core network element receives security capability information from the first base station, and the security capability information is used by the core network element to select the algorithm information.
  • the embodiment provides an authentication system for connection reestablishment, and the system includes:
  • the first base station 1101 is configured to receive the algorithm information and the key from the core network element, where the first base station is the source base station of the user equipment UE managed by that core network element; and to receive the first token Token1 from the second base station and verify Token1 based on the algorithm information and the key;
  • or to receive a request from the second base station and send the second token Token2 and the algorithm information to the second base station, where Token2 is generated based on the algorithm information and the key and is used to verify the Token1 included in the connection re-establishment request sent by the UE; wherein the second base station is the target base station to be handed over by the UE;
  • the second base station 1102 is configured to receive the first token Token1 from the UE, and to forward Token1 to the first base station or to request the first base station to send the second token Token2;
  • the UE 1103 is configured to receive algorithm information and key generation information from the core network element, through the first base station or directly, and to send a first token Token1 to the second base station, where Token1 is generated based on the algorithm information and on a key derived from the key generation information;
  • the core network element 1104 is configured to negotiate key generation information and algorithm information with the UE, and to send the algorithm information and a key generated based on the key generation information to the first base station, where the first base station is the source base station of the user equipment UE managed by that core network element.
  • the embodiment further provides a computer readable storage medium storing computer executable instructions that, when executed, implement the following processing:
  • the second base station is a target base station to be handed over by the UE.
  • the token can be verified on the base station side when reconnection is performed; this avoids generating the token repeatedly on the core network side and reduces the load of the core network element.
  • Embodiments of the present invention also provide a communication apparatus including: a processor and a memory configured to store a computer program executable on the processor,
  • processor is configured to perform the steps of the method in the foregoing embodiments when the computer program is run.
  • each module/unit in the above embodiments may be implemented in hardware, for example by an integrated circuit implementing its function, or as a software function module, for example by a processor executing a program or instructions stored in the memory.
  • This application is not limited to any combination of the specified forms of hardware and software.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to an authentication method, a base station, user equipment, a core network, a system, a device and a data storage medium. The method includes the following steps: a first base station receives algorithm information and a key provided by a core network element and relating to user equipment (UE); the first base station receives a first token Token1 provided by a second base station and relating to the UE, where Token1 was first received by the second base station from the UE and is verified based on the algorithm information and the key; or the first base station receives a request provided by the second base station and relating to the UE, and sends a second token Token2 and the algorithm information to the second base station, where Token2 is generated based on the algorithm information and the key and is used to verify, at the second base station, the first token Token1 sent by the UE.
PCT/CN2018/074053 2017-01-24 2018-01-24 Procédé d'authentification, station de base, équipement d'utilisateur, réseau fédérateur, système, dispositif, et support de stockage de données WO2018137671A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710060338.X 2017-01-24
CN201710060338.XA CN108616881A (zh) 2017-01-24 2017-01-24 连接重建的认证方法、基站、用户设备、核心网及系统

Publications (1)

Publication Number Publication Date
WO2018137671A1 true WO2018137671A1 (fr) 2018-08-02

Family

ID=62978094

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/074053 WO2018137671A1 (fr) 2017-01-24 2018-01-24 Procédé d'authentification, station de base, équipement d'utilisateur, réseau fédérateur, système, dispositif, et support de stockage de données

Country Status (2)

Country Link
CN (1) CN108616881A (fr)
WO (1) WO2018137671A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080181411A1 (en) * 2007-01-26 2008-07-31 Karl Norrman Method and system for protecting signaling information
CN101378591A (zh) * 2007-08-31 2009-03-04 华为技术有限公司 终端移动时安全能力协商的方法、系统及装置
US20090258631A1 (en) * 2008-04-14 2009-10-15 Nokia Corporation Mobility related control signalling authentication in mobile communications system
CN102067642A (zh) * 2008-06-13 2011-05-18 诺基亚公司 用于在系统间移动性期间提供新的安全性上下文的方法、设备和计算机程序产品
CN105027626A (zh) * 2013-02-18 2015-11-04 Lg电子株式会社 在无线通信系统中执行数据传输的方法和设备

Also Published As

Publication number Publication date
CN108616881A (zh) 2018-10-02

Similar Documents

Publication Publication Date Title
KR102354626B1 (ko) 연결 재개 요청 방법 및 장치
US11496320B2 (en) Registration method and apparatus based on service-based architecture
KR101167781B1 (ko) 콘텍스트 전달을 인증하는 시스템 및 방법
CN101772021A (zh) 无线通讯系统处理保密设定的方法及其相关通讯装置
US11689922B2 (en) Re-establishing a radio resource control connection
US20230370292A1 (en) Session establishment method and apparatus, access network device and storage medium
CN110192399B (zh) 重新建立无线电资源控制连接
CN115396892A (zh) 一种通信方法及装置
US20230232228A1 (en) Method and apparatus for establishing secure communication
CN109891921B (zh) 下一代系统的认证的方法、装置和计算机可读存储介质
CN109819439B (zh) 密钥更新的方法及相关实体
CN107820242A (zh) 一种认证机制的协商方法及装置
CN113395238B (zh) 一种认证授权方法及对应装置
EP3547787B1 (fr) Procédés, dispositif, et système de rétablissement de liaison
CN112400335A (zh) 用于执行数据完整性保护的方法和计算设备
CN110830996B (zh) 一种密钥更新方法、网络设备及终端
CN113840283A (zh) 引导认证方法、系统、电子设备和可读存储介质
WO2018137671A1 (fr) Procédé d'authentification, station de base, équipement d'utilisateur, réseau fédérateur, système, dispositif, et support de stockage de données
WO2019192275A1 (fr) Procédé d'authentification et élément de réseau
KR20060131169A (ko) 통신 시스템에서 인증 수행 시스템 및 방법
CN115996377A (zh) 切片认证和授权方法、装置、终端及网络设备
CN113810903A (zh) 一种通信方法及装置

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18744638

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18744638

Country of ref document: EP

Kind code of ref document: A1
