CN1941990A - Method for verifying between user terminal apparatus and network in wireless telecommunication system - Google Patents
- Publication number
- CN1941990A
- Authority
- CN
- China
- Prior art keywords
- network
- authentication
- message
- algorithm
- user equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
According to the present invention, a method is proposed for performing authentication between a user terminal device and a network in a wireless communication system. The method includes the following steps: the UE transmits an authentication request message to the network, the authentication request message including an authentication reference value; the network determines whether the authentication value it generates itself is consistent with the authentication reference value and, if so, network-side authentication has succeeded and the network sends the UE an authentication response message containing another authentication reference value; and the UE receives the authentication response message transmitted from the network and verifies whether the other authentication reference value contained in it is consistent with the authentication value the UE generates itself and, if so, authentication on the user terminal device side has succeeded.
Description
Technical field
The present invention relates to wireless communication systems, and in particular to a method for mutual authentication between the network and user terminal equipment in a wireless communication system, used to speed up call establishment.
Background art
The main purpose of the third-generation mobile communication system is to provide seamless services to end users anywhere in the world and at any time. The Universal Mobile Telecommunications System (hereinafter UMTS), as one network platform for third-generation mobile communication, has been deployed in the networks of many operators. Fig. 1 is a structural diagram of the UMTS system.
User equipment 101 (hereinafter UE) is a device that receives services or calls as the called party and originates services or calls as the calling party. Base station 102 (hereinafter Node B) is a device that communicates with user equipment over radio signals by means of its transceiver. The air interface between the UE and the Node B involves the physical layer and the medium access layer (hereinafter the MAC layer). The physical layer handles operations related to transmitting and receiving radio signals, and the MAC layer maps the different services onto the physical layer. The controlling radio network controller (hereinafter CRNC) controls the management, allocation and use of radio resources in each cell of the base station and is responsible for allocating the radio resources of each cell to the user equipment UE. With respect to a UE, a radio network controller (RNC) can act as the serving radio network controller (hereinafter SRNC) or as a drift radio network controller (hereinafter DRNC). The SRNC is the entity that provides the user equipment with its radio resource control (hereinafter RRC) connection; only through it can the user equipment send control signaling to the network and receive control signaling from the network. The SRNC obtains from the CRNC the network resources allocated to the user and sends the resource configuration parameters to the user equipment through RRC signaling, so that the user equipment can communicate with the network. The interface between the SRNC and the user equipment is the Uu interface. Serving GPRS support node 105 (hereinafter SGSN) is the entity responsible for managing the mobility management state and session management state of the user equipment; mobility management of the user equipment and negotiation of session-related quality of service also take place between the UE and the SGSN. The interface between the SGSN and the SRNC of the user equipment is Iu, which is responsible for establishing the user-plane transport channel for user data and the signaling connection that carries signaling. Gateway GPRS support node 106 (hereinafter GGSN) acts as a gateway for data transfer between the user equipment and the packet data network (hereinafter PDN). The GGSN allocates an Internet Protocol (hereinafter IP) address to the user equipment, and data sent by the user and data sent to the user are both identified by that address. The interface between the GGSN and the SGSN is called Gn; it is responsible for negotiating quality of service for services between the SGSN and the GGSN and for establishing the user-plane GPRS tunnel (hereinafter GTP-U) for data transfer. The interface between the GGSN and the PDN is Gi; its functions are broad and include allocating IP addresses to users and authentication, authorization and billing. The main function of the GGSN is to receive and analyze incoming data and then pass the data belonging to a given user equipment onto the corresponding GTP-U tunnel.
UTRAN can be connected to both of these domains at the same time, or to only one of them. The goal of UTRAN is to provide a unified set of radio bearers that can be used for bursty packet services as well as for traditional telephony. Each UTRAN provides radio coverage and services within a certain area, which is defined as the UTRAN Registration Area (hereinafter URA). To provide this coverage, each UTRAN includes a radio network controller (hereinafter RNC) and at least one base station (hereinafter NodeB) under its control. Logically, each NodeB may in turn contain at least one cell (hereinafter Cell). An RNC can be connected to other RNCs to support the handover and mobility management required by movement of the user terminal equipment (hereinafter UE). The CN connects to other types of networks so as to provide seamless service to end users.
Radio resource handling is an internal function of UTRAN, and the CN does not define the type of radio resource allocated. A radio resource control (hereinafter RRC) connection normally has to be established between the UE and the RNC in order to carry large volumes of user data and signaling between UTRAN and the UE. RRC has two modes: RRC connected mode and RRC idle mode. The RRC mode determines how the UE is identified. In RRC idle mode, the UE is identified by a CN-related identity. In RRC connected mode, the UE is identified by the Radio Network Temporary Identity (hereinafter RNTI) assigned to it on the common transport channels.
Referring to Fig. 2, four different area concepts are used in the UMTS system for UE mobility. The location area (hereinafter LA) and the routing area (hereinafter RA) are used by the core network; the URA and the Cell area are used by UTRAN. The location area LA relates to CS services and the routing area RA to PS services. One LA is handled by one CN node; a UE registered in an LA is therefore registered in the CN node that handles that LA. One RA is handled by one CN node; a UE registered in an RA is therefore registered in the CN node that handles that RA. In the UMTS system, the MSC/VLR uses the LA to page the UE and the SGSN uses the RA to page the UE. The URA and Cell areas are visible only within UTRAN and are used in RRC connected mode.
Combined MSC/VLR+SGSN
For CS/PS services, the CN uses the location area LA/routing area RA. The CN uses the LA/RA when it starts paging a UE for CS/PS services. The MSC/VLR and the SGSN can assign the UE a temporary identity related to the CS/PS service, the TMSI/P-TMSI. This temporary identity is unique within one LA/RA.
When the terminal is in RRC connected mode, the UTRAN-internal areas are used. These areas are used when UTRAN initiates paging. A UTRAN-internal area update is a radio network procedure, and the UTRAN-internal area structure should not be visible outside UTRAN. In RRC connected mode the main states are the cell-connected state and the URA-connected state, in which the UE's location is known at cell level or at URA level. Within UTRAN the Radio Network Temporary Identifier (hereinafter RNTI) is used as the temporary UE identity; it is assigned to the UE when the RRC connection is established. In this mode only one RNC acts as the serving RNC, and the RRC connection is established between the UE and this SRNC.
An RA consists of a number of cells belonging to RNCs that are connected to the same CN node; the mapping between the RA and the RNCs is handled by the SGSN that owns the RA. An LA consists of a number of cells belonging to RNCs that are connected to the same CN node; the mapping between the LA and the RNCs is handled by the MSC/VLR that owns the LA. One RA/LA is handled by only one CN serving node, that is, one SGSN or one MSC/VLR. Some operators may adopt the following arrangement: an RA is either equal to an LA or is a subset of one, and only one, LA, so an RA never spans more than one LA. The mapping between LA and Cell and between RA and Cell is handled in the RNC.
The UE first registers for service in the respective service domains of the CN. When a UE moves from one URA (hereinafter the old URA) to a new URA, the RNC to which the new URA belongs performs a URA update procedure so that the UE can be found when needed. The network operator must therefore use some verification procedure to be sure that the UE initiating the URA update is the legitimate UE. This verification involves the RNC performing an integrity check on the data transmitted between the RNC and the UE.
Referring to Fig. 3, each UE contains a Subscriber Identity Module (hereinafter SIM) card, which holds user-specific information and is used for user identification, and a mobile equipment (hereinafter ME) that handles other functions, in particular support for user mobility. Various data and executable files are recorded on the SIM card. The data includes the International Mobile Subscriber Identity (hereinafter IMSI), which uniquely and permanently identifies the user, the UE's current location information, the integrity key (hereinafter IK), and other security and management information. The location information is updated each time a call ends, when the handset completely terminates service, or when the terminal moves from one URA to another. The location information includes an anonymous identifier used temporarily to identify the user, which is used within each URA. Depending on the RRC mode in use and on the CS/PS service domain, this anonymous identifier may be the Temporary Subscriber Identity (hereinafter TMSI), the Packet Temporary Mobile Subscriber Identity (hereinafter P-TMSI) or the Radio Network Temporary Identifier (hereinafter RNTI).
The TMSI or another temporary identifier is used instead of the IMSI to identify a UE anonymously for security reasons. User identity is important and sensitive information, and its confidentiality must be ensured in communication. The purpose of identity confidentiality is to protect the user's privacy and to avoid leaking the permanent user identity, the IMSI.
The TMSI/P-TMSI is local in nature and is valid only within the home area MSC/VLR or the routing area RA in which the user is registered. Outside this area, a location area identifier (hereinafter LAI) or routing area identifier (hereinafter RAI) should be appended to avoid confusion. The relationship between the temporary user identity and the permanent user identity is stored in the MSC/VLR or SGSN with which the user is registered.
To avoid user traceability, the same TMSI/P-TMSI should generally not be used for a long time to identify a user. Referring to Fig. 4 and taking the PS domain as an example, P-TMSI update is initiated by the SGSN after the security mode has been established. The reallocation procedure is as follows. First, the SGSN generates a new P-TMSIn, stores the mapping between P-TMSIn and the IMSI in its database, and sends P-TMSIn and a new routing area identifier RAIn to the user. On receiving them, the user stores P-TMSIn, automatically deletes the association with the previous P-TMSIo, and sends an acknowledgement to the SGSN. Finally, on receiving the acknowledgement, the SGSN deletes the association with the old P-TMSIo from its database, and P-TMSIn is used in subsequent identification procedures.
In the UMTS system, when a user cannot be identified through the P-TMSI, the IMSI can be used to identify the user. This procedure is mainly used when the user registers with a serving network for the first time or when the SGSN cannot derive the IMSI from the P-TMSI. In this case the SGSN sends an IMSI request to the user, and the user's reply contains the IMSI in plain text.
Also for security reasons, communication between the UE and UTRAN is encrypted with a cipher key. The cipher key is normally the cipher key CK held in the authentication center (hereinafter AuC) or home location register (hereinafter HLR) in the UE's home environment (hereinafter HE). The CS domain and the PS domain usually have different CKs. To keep this description from becoming too long, the following explanation uses only PS-domain operation as the example and omits the detailed description of the analogous CS-domain operation.
The CK is obtained through the authentication and key agreement (hereinafter AKA) procedure. The procedure is based on a key K shared only by the SIM and the HLR; the UE and the network each prove that they know this key and thereby authenticate each other. In addition, to support network authentication, the SIM and the user's home environment each keep a sequence number, SQN_MS and SQN_HE respectively. There is a separate sequence number SQN_HE for each user, and SQN_MS indicates the highest sequence number the SIM has accepted. The UE sends a process access request message to the relevant SGSN so that the SGSN can obtain the mobile station's parameters. The network issues an authentication request that includes a random number; the UE processes this random number with a given algorithm and sends an authentication response to the network, and the network judges the legitimacy of the user.
Referring to Fig. 5, the AKA procedure is as follows. First, the UE sends the SGSN an identifier that indicates its identity. From this identifier the SGSN can obtain, either directly or indirectly through the stored P-TMSI-to-IMSI mapping, the IMSI that uniquely and permanently identifies the user together with the information about the user's home HLR. The SGSN then sends an "authentication data request" to that HLR to obtain the authentication data corresponding to the IMSI. The "authentication data request" contains the user's IMSI and the type of domain requested (PS or CS). On receiving the SGSN's "authentication data request", the HLR generates n authentication vectors (hereinafter AVs), or takes the required number from a database of precomputed AVs, orders them by sequence number and sends them to the VLR. Fig. 17 describes how an AV is generated. The AMF and the f1, f2, f3, f4 and f5 algorithms mentioned there are outside the scope of the present invention, so their detailed description is omitted. Each AV contains the following information: a random number RAND, an expected response XRES, a cipher key CK, an integrity key IK, and an authentication token AUTN. Each AV can be used for one authentication and key agreement between the SGSN and the SIM.
Thereafter, when the SGSN initiates an authentication and key agreement, it selects the next AV from the ordered AV array and sends its random number RAND and authentication token AUTN to the UE, requesting the user to generate authentication data. Each node processes AVs on a first-in, first-out basis.
Next, on receiving the authentication request, the SIM first computes XMAC and compares it with the MAC in AUTN. If they differ, it sends an authentication reject message to the VLR and abandons the procedure. It also verifies that the received sequence number SQN is within the valid range; if it is not, the MS sends a synchronization failure message to the VLR and abandons the procedure. Once both checks have passed, the UE computes RES with f2, CK with f3 and IK with f4, and sends RES to the SGSN.
Finally, on receiving RES from the UE, the SGSN compares it with the XRES in the AV. If they are the same, authentication succeeds; otherwise it fails. Because the MS and the HLR both use the same algorithm f3 to compute CK and the same algorithm f4 to compute IK, the resulting CK and IK are necessarily identical. After mutual authentication and key agreement, the SIM and the SGSN pass the CK and IK from this procedure to the ME and the RNC respectively, which actually perform encryption and integrity protection, for use in subsequent confidential communication between the UE and the RNC.
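The AKA exchange described above (XMAC/MAC check, SQN range check, RES/XRES comparison), as an added example that is not part of the patent text. HMAC-SHA-256 stands in for f1 to f5, which the page leaves out of scope; the key K, the AMF value, the SQN window of 32 and all class and function names are assumptions, and the AUTN layout follows 3GPP TS 33.102.

```python
import hashlib
import hmac
import os

AMF = b"\x80\x00"   # constructed sample value
SQN_WINDOW = 32     # assumed width of the "valid range" check on SQN


def _f(k, label, data, n):
    """Stand-in for f1..f5 (assumption): HMAC-SHA-256 under K, truncated to n bytes."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hlr_generate_av(k, sqn_he):
    """HLR/AuC side: build one AV (RAND, XRES, CK, IK, AUTN) for sequence number sqn_he."""
    rand = os.urandom(16)
    sqn = sqn_he.to_bytes(6, "big")
    mac = _f(k, b"f1", sqn + rand + AMF, 8)
    ak = _f(k, b"f5", rand, 6)
    return {
        "RAND": rand,
        "XRES": _f(k, b"f2", rand, 8),
        "CK": _f(k, b"f3", rand, 16),
        "IK": _f(k, b"f4", rand, 16),
        "AUTN": _xor(sqn, ak) + AMF + mac,   # (SQN xor AK) || AMF || MAC
    }


class Sim:
    """SIM side: authenticates the network before answering the challenge."""

    def __init__(self, k, sqn_ms=0):
        self.k, self.sqn_ms = k, sqn_ms
        self.ck = self.ik = None

    def authenticate(self, rand, autn):
        ak = _f(self.k, b"f5", rand, 6)
        sqn, amf, mac = _xor(autn[:6], ak), autn[6:8], autn[8:16]
        xmac = _f(self.k, b"f1", sqn + rand + amf, 8)
        if not hmac.compare_digest(xmac, mac):
            return "authentication_reject", None      # AUTN not made with K
        sqn_i = int.from_bytes(sqn, "big")
        if not (self.sqn_ms < sqn_i <= self.sqn_ms + SQN_WINDOW):
            return "synchronization_failure", None    # stale or replayed AV
        self.sqn_ms = sqn_i
        self.ck = _f(self.k, b"f3", rand, 16)
        self.ik = _f(self.k, b"f4", rand, 16)
        return "ok", _f(self.k, b"f2", rand, 8)       # RES


class Sgsn:
    """SGSN side: consumes AVs first-in, first-out and checks RES against XRES."""

    def __init__(self, avs):
        self.avs = list(avs)
        self.current = None

    def challenge(self):
        self.current = self.avs.pop(0)
        return self.current["RAND"], self.current["AUTN"]

    def verify(self, res):
        return res is not None and hmac.compare_digest(res, self.current["XRES"])


def run_aka_demo():
    k = bytes(range(16))                               # constructed shared key K
    sim = Sim(k)
    sgsn = Sgsn(hlr_generate_av(k, n) for n in (1, 2))
    out = {}
    rand, autn = sgsn.challenge()
    status, res = sim.authenticate(rand, autn)
    out["genuine"] = (status, sgsn.verify(res), sim.ck == sgsn.current["CK"])
    out["replayed_av"] = sim.authenticate(rand, autn)[0]
    rand2, autn2 = sgsn.challenge()
    altered = autn2[:-1] + bytes([autn2[-1] ^ 0x01])   # one MAC bit flipped
    out["altered_autn"] = sim.authenticate(rand2, altered)[0]
    out["wrong_res"] = sgsn.verify(bytes(8))
    return out


if __name__ == "__main__":
    for name, result in run_aka_demo().items():
        print(name, result)
```
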
Mutual authentication between the UE and the network comprises user authentication and network authentication. User authentication lets the serving network confirm the user's identity, while network authentication lets the user confirm that the serving network in use has been authorized by the home environment HE with which the user is registered to provide service; this also includes confirming that the authorization is current. To this end, the user and the network normally authenticate each other every time a connection is established between them. Authentication in the UMTS system comprises two mechanisms, AKA and local authentication. The AKA procedure is the one described above, which uses authentication vectors from the user's home environment HE. The serving network initiates the AKA procedure when the user registers with a serving network for the first time, or when, after the user has sent a command such as a service request (SERVICE REQUEST), location update request (LOCATION UPDATE REQUEST), routing area update request (ROUTING AREA UPDATE REQUEST), attach request (ATTACH REQUEST), detach request (DETACH REQUEST) or connection re-establishment request (CONNECTION RE-ESTABLISHMENT REQUEST) in a serving network where it is already registered, the number of local authentications that can be performed with the IK generated by the previous AKA has reached its maximum limit. The other mechanism, local authentication, uses the integrity key IK generated in the previous AKA procedure between the user and the serving network. The serving network initiates local authentication when the user has sent a command such as a service request (SERVICE REQUEST), location update request (LOCATION UPDATE REQUEST), routing area update request (ROUTING AREA UPDATE REQUEST), attach request (ATTACH REQUEST), detach request (DETACH REQUEST) or connection re-establishment request (CONNECTION RE-ESTABLISHMENT REQUEST) in a serving network where it is already registered and the number of local authentications that can be performed with the IK generated by the previous AKA has not yet reached its maximum limit. It follows that AKA procedures occur at longer intervals and local authentication procedures at shorter intervals.
Fig. 6 describes the initial procedure for local authentication and connection establishment in the UMTS system.
In step 601, during RRC connection establishment the UE sends the RNC the value of the parameter START stored on the SIM card together with the "UE security capability" information. If the UE has the capability, GSM class 2 and 3 capabilities may also be transmitted in this step. The UE security capability information lists the encryption algorithms UEA and integrity protection algorithms UIA that the UE supports. The START value and the UE security capability information are stored in the serving RNC (hereinafter SRNC). If GSM class 2 and 3 capabilities were transmitted during RRC connection establishment, the RNC needs to store the UE's GSM-domain encryption capability (see step 607).
In step 602, the UE sends an initial layer 3 message to the VLR/SGSN. Layer 3 messages of this kind include the connection management service request (CM_SERVICE_REQUEST), location update request (LOCATION UPDATE REQUEST), routing area update request (ROUTING AREA UPDATE REQUEST), attach request (ATTACH REQUEST) and paging response (PAGING RESPONSE), among other types. The message includes the user identity information and the key set identifier (hereinafter KSI). The KSI is the identifier that the CS or PS domain assigned to the CK/IK set when authentication was last performed in that domain.
In step 603, if necessary, certain interactions take place within the network and between the network and the UE to confirm the user's identity, the IMSI. Depending on the maximum limit allowed for the IK, an AKA procedure may be run to authenticate the user and generate new keys IK and CK. The network also assigns a KSI to this IK/CK set. The AKA procedure is described in Figure 4.
In step 604, the SGSN decides which UIA and UEA algorithms are permitted and orders them by priority.
In step 605, the SGSN initiates integrity protection and encryption by sending the RANAP message "security mode command (Security_mode_command)" to the RNC. The parameters carried in the "security mode command" message include the list of UIAs that the RNC is permitted to use, in priority order, and the IK to be used. If subsequent communication is to be encrypted, the message also includes the list of UEAs in priority order and the CK to be used. If a new AKA procedure has just been performed, the message sent to the RNC should indicate this. The indication means that the START value is reset to 0 when the new keys are taken into use. Otherwise, the RNC uses the START value obtained in step 601.
In step 606, on receiving the "security mode command (Security_mode_command)" message, the RNC compares the UIAs/UEAs supported by the UE with the UIAs/UEAs it is permitted to use, selects the highest-priority UIA/UEA from the list of algorithms the UE supports, generates the random value FRESH, and starts downlink integrity protection. If the requirements in the received "security mode command (Security_mode_command)" message cannot be met, the RNC sends a "security mode reject (SECURITY MODE REJECT)" message to the SGSN.
In step 607, the RNC generates the "security mode command (Security_mode_command)" message. The message includes the UE security capability, the optional GSM encryption capability (if the RNC received it in step 601), the UIA and FRESH parameter to be used and, if encryption is used, the UEA required. Other information, such as a start-of-encryption indicator, may also be included. Because the UE can hold two sets of encryption and integrity protection keys at the same time, one for the CS domain and one for the PS domain, the network must add a CN domain indication to show whether the CS-domain or PS-domain key set is to be used. Before sending the message, the RNC generates the message identification code MAC-I used for integrity protection and attaches it to the message.
In step 608, after receiving the Security_mode_command message sent by the RNC, the UE first confirms that the "UE security capabilities" in this message match the "UE security capabilities" of step 601. Likewise, if GSM classmark capabilities were included in step 601, they are verified in the same way. Based on the parameters in the received Security_mode_command message, the UE calculates XMAC-I using the indicated UIA, the stored START and the received FRESH parameter, and verifies whether integrity protection succeeded by comparing the received MAC-I with the generated XMAC-I.
In step 609, if integrity protection is applied successfully, the UE generates a MAC-I and sends Security_mode_complete, containing that MAC-I, to the RNC. If integrity protection is not applied successfully, the procedure ends at the UE.
In step 610, on receiving the response message "Security Mode Complete" (Security_mode_complete), the SRNC calculates the XMAC-I of the message. The SRNC verifies whether integrity protection succeeded by comparing the received MAC-I with the generated XMAC-I.
In step 611, if the verification succeeds, the RNC sends the RANAP message Security_mode_complete, including the selected algorithms, to the SGSN, which ends the local authentication procedure.
The Security_mode_command message sent to the UE starts downlink integrity protection; that is, this message and all subsequent downlink messages to the UE are protected with the new integrity protection configuration. The Security_mode_complete message sent by the UE starts uplink integrity protection; that is, this message and all subsequent uplink messages from the UE are protected with the new integrity protection configuration. When encryption is required, the RNC and the UE exchange the encryption start time during security mode establishment. The encryption start time fixes the RLC sequence number or CFN sequence number at which downlink and uplink encryption with the new encryption configuration begins.
In the UMTS system, when a UE initiates a call to another mobile station or a fixed-network user on the random access channel, the PLMN network starts a series of operations. First, when the UE initiates the call, the radio resource control (RRC) unit in the UE starts establishing a signaling link through the random access procedure. This procedure sends a channel request message and a security capability message on the random access channel to the RNC via the NodeB. If the RNC receives them successfully, the request is passed to the RRC unit in the RNC, which allocates a dedicated channel and sends an immediate assignment message on the access grant channel. When the UE starts the call origination procedure it also sets a timer and repeats the call attempt at fixed intervals. If no response is received after the predetermined number of attempts, the call is abandoned.
After receiving the immediate assignment message, the UE switches to the designated dedicated channel and thereby establishes the main signaling link with the RNC. From then until a radio traffic channel is allocated, all signaling is carried on this dedicated channel; once the traffic channel is connected, signaling during the call is carried on the associated control channel. The connection management (CM) unit in the UE then starts the data link establishment procedure with a service request message sent to the data link layer. This service request is in fact embedded in a complete layer-3 "Connection Management Service Request" (CM_SERVICE_REQUEST) message, as described in step 602, which is handed to the RNC and sent on to the SGSN.
Then, depending on the circumstances, after mutual identity authentication between the UE and the network, the UE performs an integrity check on the received message, and its mobility management layer (MM) at the same time monitors the start of integrity protection. When the SGSN receives the Security_mode_complete message from the RNC, the security control procedure has started successfully. If encryption is required, the UE and the RNC can begin encrypting service data, channel identifiers, signaling and so on at some point after activation.
The mobile-terminated call procedure is similar: the security flow after the random access procedure is the same as the one described above.
The aspects of the prior art that need improvement are described below.
The existing UMTS system architecture has many shortcomings, such as poor upgradability, long call setup time and a complex system structure. The 3rd Generation Partnership Project (3GPP), the standardization organization responsible for the UMTS standard, is currently carrying out standardization work on the long-term evolution of the UMTS system (hereinafter LTE), and one of the goals of this evolution is to speed up call establishment and reduce call setup time. In response to the various goals of UMTS long-term evolution, companies have each proposed the evolved system architecture they would like to see; one such proposed architecture is shown in Figure 7 and Figure 8.
The evolved base station in Figure 7 (hereinafter ENB) combines the functions of the base station and the RNC of the UMTS system and is mainly responsible for transmitting and receiving radio signals, the signaling connection with the user equipment, mobility management and similar functions. The evolved GGSN (hereinafter E-GGSN) combines the functions of the SGSN and the GGSN of the UMTS system and is mainly responsible for mobility management, the interface to the PDN network, quality-of-service negotiation and so on.
The base station ENB in Figure 8 differs little in function from the base station in UMTS: both are responsible for receiving and transmitting radio signals, and the ENB also has part of the MAC layer functionality. The anchor is similar in function to the RNC in UMTS and is responsible for encrypting and decrypting user data, controlling the allocation of radio resources in the ENB, the signaling connection with the user equipment, and managing user mobility in the connected state. The E-GGSN combines the functions of the SGSN and the GGSN of the UMTS system and is mainly responsible for mobility management, the interface to the PDN network, quality-of-service negotiation and so on.
For simplicity, the following description of the present invention is not tied to any one architecture. The ENB in Figure 7, and the ENB together with the anchor in Figure 8, are referred to as the E-RAN, and the E-GGSN is referred to as the E-CN.
From the point of view of connection establishment, a user who has entered the other party's number and pressed the call key wants the call to be set up as quickly as possible. As described above, however, once the main signaling link between the UE and the RRC has been established, mutual identity authentication between the UE and the network must be carried out before the call can proceed, and this mutual authentication takes a considerable amount of time. Simplifying the system composition alone is therefore not enough to meet the requirement for a sufficiently short connection setup time set by LTE.
Summary of the invention
To reduce call setup time and speed up the user's service access, the present invention proposes a new, less time-consuming method of mutual authentication between the UE and the network, thereby speeding up call establishment.
To achieve the above object, the present invention proposes a method for authentication between a user terminal device and a network in a wireless communication system, the method comprising the following steps: the UE transmits an authentication request message to the network, the authentication request message including an authentication reference value; the network determines whether the authentication value it generates itself matches the authentication reference value and, if so, network-side authentication has succeeded and the network sends the UE an authentication response message containing another authentication reference value; and the UE receives the authentication response message transmitted by the network and verifies whether the other authentication reference value contained in it matches the authentication value the UE generates itself and, if so, authentication on the user terminal device side has succeeded.
Preferably, the authentication request message contains the encryption algorithm, the integrity protection algorithm and the authentication parameter information used by the UE.
Preferably, the authentication value generated by the network itself is generated from the encryption algorithm, the integrity protection algorithm, the authentication parameter information, and key information generated by the network.
Preferably, the authentication value generated by the UE itself is generated from the encryption algorithm, the integrity protection algorithm, the authentication parameter information, and the key information stored by the UE itself.
Preferably, the authentication parameter information includes a FRESH random number and a START value.
Preferably, the key information generated by the network includes encryption key information and integrity protection key information.
Preferably, the encryption key information and the integrity protection key information are generated by the core network entity part of the network.
Preferably, the encryption algorithm and integrity protection algorithm contained in the authentication request message transmitted by the UE to the network are ones the UE can support, selected from multiple encryption algorithms and integrity protection algorithms offered by the network.
Preferably, the random number FRESH is broadcast by the network.
Preferably, the random number FRESH is inherent to the UE itself.
Preferably, the random number FRESH is updatable.
Brief description of the drawings
The above objects, advantages and features of the present invention will become apparent from the following detailed description of the preferred embodiments, read in conjunction with the accompanying drawings, in which:
Figure 1 is a diagram showing the network structure of UMTS;
Figure 2 is a diagram explaining the relationship between the different areas in the UMTS system;
Figure 3 is a diagram showing the structure of the UE;
Figure 4 is a diagram showing the temporary identity allocation procedure;
Figure 5 is a diagram showing the AKA procedure;
Figure 6 is a diagram showing the local authentication and connection establishment procedure;
Figure 7 is a diagram showing one architecture of E-UTMS;
Figure 8 is a diagram showing another architecture of E-UTMS;
Figure 9 is a diagram showing the mutual authentication procedure between the network and the device according to the present invention;
Figure 10 is a diagram explaining the calculation and verification of MAC-I;
Figure 11 is a diagram showing the mutual authentication procedure between the network and the device according to the first embodiment of the present invention;
Figure 12 is a diagram showing the mutual authentication procedure between the network and the device according to the second embodiment of the present invention;
Figure 13 is a diagram showing the message forwarding methods according to an embodiment of the present invention;
Figure 14 is a flowchart showing the operation of the UE in the mutual authentication procedure according to an embodiment of the present invention;
Figure 15 is a flowchart showing the operation of an E-RAN node in the mutual authentication procedure according to an embodiment of the present invention;
Figure 16 is a flowchart showing the operation of an E-CN node in the mutual authentication procedure according to an embodiment of the present invention; and
Figure 17 is a diagram explaining the generation of the authentication vector set.
Detailed description of the embodiments
First, it should be noted that the present invention can be based on the architecture of Figure 7 or Figure 8, but is not limited to these two architectures.
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Figure 9 is a diagram showing the mutual authentication procedure between the network and the device according to the present invention.
As described above with reference to Figure 6, when the user equipment communicates with the network it first sends a message to the network; in the UMTS system this message may be a service request, a routing area update, and so on. The present invention places no restriction on the content of this first message. For the first message, the UE calculates MAC-I from the parameters it already holds, using the method for calculating and verifying MAC-I described in Figure 10. The parameters used to calculate MAC-I are IK, COUNT-I, MESSAGE, DIRECTION and FRESH.
In certain situations, for example when the user equipment performs periodic routing area updates in the same place, the user equipment may send messages with exactly the same content in two separate procedures. It is also possible for an illegitimate user to eavesdrop on the content of a message sent to the network by a user equipment that is communicating normally, and later, at a suitable moment, to pose as that legitimate user and send a message with the same content to the network again. The network therefore needs to be able to tell whether a received message comes from a legitimate user or from an impostor. The FRESH parameter exists for this purpose. When the other parameters used to calculate MAC-I (IK, COUNT-I, MESSAGE and DIRECTION) are identical, using a different FRESH value in the two calculations still produces a different MAC-I. Only the genuinely legitimate user equipment knows IK and can therefore calculate the new MAC-I.
IK is generated during the authentication procedure; see the description of Figure 6 for details. Because the user equipment may store several IKs, in the first message it sends to the network the UE must tell the network which IK and CK it is using for encryption and integrity protection. The IK and CK are indicated by a sequence number that uniquely identifies one IK/CK combination. Once the E-CN has received this sequence number, it knows which IK and CK the user equipment is using.
COUNT-I is a parameter stored by the UE itself. It is initialized from START when the user equipment starts communicating with the network. START is also a parameter stored by the UE itself and is updated each time the user returns to the idle state: the updated value is set to the most significant 20 bits of the current COUNT-I or COUNT-C, and 2 is then added to that value.
MESSAGE is the message that is to be integrity protected.
DIRECTION identifies the direction of the message: an uplink message sent by the user equipment to the network, or a downlink message sent by the network to the user equipment.
How the FRESH value is obtained is part of the present invention and is described below.
These five parameters are fed into the algorithm f9, which computes MAC-I.
After receiving MAC-I, the receiving end calculates XMAC-I using the algorithm and input parameters shown on the right-hand side of Figure 10, and then compares the received MAC-I with the calculated XMAC-I. If the two are equal, the sender can be regarded as a legitimate user terminal or network device.
The user equipment then assembles the first message to be sent to the network, which must contain MAC-I (step 902). When the radio access network receives this message, it stores MAC-I and processes the message as necessary. For example, in step 903 it extracts MAC-I from the message and forwards the remaining content to the E-CN, or it encapsulates the message sent by the user equipment in an Iu+ interface message and sends that to the E-CN. When the E-CN receives this first message, it checks whether the user equipment has a valid identity such as a P-TMSI and which IK (for integrity protection) and CK (for encryption) sequence is in use. The E-CN then sends a security mode command to the radio access network (step 904); this message contains the encryption key CK, the integrity protection key IK, the encryption algorithm and the integrity protection algorithm. The message may also serve other functions, such as user plane establishment and quality-of-service negotiation, but these are unrelated to the present invention and are not described here. After receiving the IK used for integrity protection, the RAN verifies MAC-I1, received from the user equipment, according to the procedure in Figure 10 (step 905). If the verification passes, the RAN generates a MAC-I2 (step 906) in the same way the user equipment generates MAC-I: the five parameters are fed into the f9 algorithm to obtain the result. The RAN then includes this MAC-I in the security mode command message to be sent to the user equipment (step 907); the message also includes parameters such as the encryption algorithm and the integrity protection algorithm. If the message in step 904 also performs functions such as quality-of-service negotiation and user plane establishment, step 907 should likewise include a corresponding function such as user radio bearer establishment. When the user equipment receives the security mode command, it extracts the MAC-I from it and uses the algorithm in Figure 10 to check that this MAC-I has not been modified in any way (step 908). If so, the RAN can be trusted and is a legitimate network device.
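The exchange of Figure 9 and the MAC-I/XMAC-I comparison of Figure 10, as an added example that is not part of the patent text. It assumes HMAC-SHA256 truncated to 32 bits in place of the real f9 algorithm, a START value carried in the first message and placed in the top 20 bits of COUNT-I, and constructed keys, identifiers and message bodies; all class and function names are hypothetical.

```python
import hashlib
import hmac
import struct

UPLINK, DOWNLINK = 0, 1


def f9_standin(ik, count_i, message, direction, fresh):
    # ASSUMPTION: HMAC-SHA256 truncated to 32 bits replaces the real f9.
    header = struct.pack(">IIB", count_i, fresh, direction)
    return hmac.new(ik, header + message, hashlib.sha256).digest()[:4]


def count_i_from_start(start):
    # ASSUMPTION: START fills the top 20 bits of a 32-bit COUNT-I.
    return (start & 0xFFFFF) << 12


def next_start(count_i):
    # On return to idle: most significant 20 bits of COUNT-I, plus 2.
    return ((count_i >> 12) + 2) & 0xFFFFF


class ECN:
    """Core network: maps a key sequence number to its (CK, IK) pair."""
    def __init__(self):
        self.keys = {}  # (user_id, ksi) -> (ck, ik)

    def security_mode_command(self, user_id, ksi):
        return self.keys.get((user_id, ksi))  # None: unknown user or key set


class ERAN:
    """Access network: holds FRESH, receives IK only from the E-CN."""
    def __init__(self, ecn, fresh):
        self.ecn, self.fresh = ecn, fresh

    def handle_first_message(self, msg):
        mac_i1 = msg["mac_i"]  # step 903: set MAC-I aside, forward the rest
        keys = self.ecn.security_mode_command(msg["user_id"], msg["ksi"])
        if keys is None:
            return None
        _ck, ik = keys  # step 904: the E-CN supplies CK and IK
        count_i = count_i_from_start(msg["start"])
        xmac = f9_standin(ik, count_i, msg["body"], UPLINK, self.fresh)
        if not hmac.compare_digest(xmac, mac_i1):  # step 905
            return None
        body = b"SECURITY_MODE_COMMAND"
        mac_i2 = f9_standin(ik, count_i, body, DOWNLINK, self.fresh)  # 906
        return {"body": body, "mac_i": mac_i2}  # step 907


class UE:
    def __init__(self, user_id, ksi, ik, start):
        self.user_id, self.ksi, self.ik, self.start = user_id, ksi, ik, start
        self.fresh = None

    def first_message(self, body, fresh):  # step 902
        self.fresh = fresh
        count_i = count_i_from_start(self.start)
        mac_i = f9_standin(self.ik, count_i, body, UPLINK, fresh)
        return {"user_id": self.user_id, "ksi": self.ksi,
                "start": self.start, "body": body, "mac_i": mac_i}

    def verify_network(self, cmd):  # step 908
        if cmd is None:
            return False
        count_i = count_i_from_start(self.start)
        xmac = f9_standin(self.ik, count_i, cmd["body"], DOWNLINK, self.fresh)
        return hmac.compare_digest(xmac, cmd["mac_i"])


def demo():
    # Constructed sample values, not taken from the patent.
    ik, ck = bytes(range(16)), bytes(range(16, 32))
    ecn = ECN()
    ecn.keys[("ptmsi-0001", 3)] = (ck, ik)
    eran = ERAN(ecn, fresh=0x1A2B3C4D)
    ue = UE("ptmsi-0001", 3, ik, start=0x00010)

    msg = ue.first_message(b"ROUTING_AREA_UPDATE", eran.fresh)
    cmd = eran.handle_first_message(msg)
    out = {"mutual_auth": ue.verify_network(cmd)}

    # A network node that never received IK cannot produce a valid MAC-I2.
    bad = f9_standin(bytes(16), count_i_from_start(ue.start),
                     b"SECURITY_MODE_COMMAND", DOWNLINK, eran.fresh)
    out["unkeyed_network_accepted"] = ue.verify_network(
        {"body": b"SECURITY_MODE_COMMAND", "mac_i": bad})

    # After FRESH is updated, the stored first message no longer verifies,
    # while the genuine UE produces a new MAC-I for the same body.
    eran.fresh = 0x55667788
    out["stale_message_accepted"] = eran.handle_first_message(msg) is not None
    msg2 = ue.first_message(b"ROUTING_AREA_UPDATE", eran.fresh)
    out["same_body_new_mac"] = msg2["mac_i"] != msg["mac_i"]
    out["fresh_message_accepted"] = eran.handle_first_message(msg2) is not None
    bad_ksi = {**msg2, "ksi": 9}
    out["unknown_ksi_accepted"] = eran.handle_first_message(bad_ksi) is not None
    return out
```

Calling `demo()` returns a dictionary of the outcomes for the legitimate exchange, a network node without IK, a first message stored before a FRESH update, and an unknown key sequence number.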
The first and second embodiments of the present invention are described below.
In the present invention, the way the FRESH parameter is obtained is illustrated by different embodiments.
Figure 11 is a diagram showing the mutual authentication procedure between the network and the device according to the first embodiment of the present invention.
The E-CN (that is, the core network entity) determines the encryption algorithms and integrity protection algorithms to be used in this network; there may be one or several. If there are several, the order in which they are given expresses their priority. For example, if the E-CN wants the user equipment, capability permitting, to use algorithm 1 first, algorithm 2 second and algorithm 3 third, then the security mode broadcast message of step 1101 contains algorithm 1, algorithm 2 and algorithm 3. When the E-RAN receives this broadcast message, it broadcasts these algorithms and their priorities in all of its cells (step 1102). The security mode broadcast message contains not only the encryption algorithms and integrity protection algorithms that the network offers the user equipment to choose from, but also the FRESH value that the network wants the user equipment to use; the use of this parameter is explained in the description of Figure 10. After receiving these parameters, the user equipment stores them for use when communicating with the network.
When the user equipment wants to communicate with the network, it sends the first message to the E-RAN (step 1103). This message contains the sequence number of the encryption key and integrity protection key it intends to use, the MAC-I calculated by the steps of Figure 10, the encryption algorithm and integrity protection algorithm it has selected, the user identity and other parameters. When the E-RAN receives the first message from the user equipment, it stores the MAC-I, the encryption algorithm and the integrity protection algorithm, and forwards either the rest of the message or the whole message to the E-CN (step 1104). This process is described in detail with Figure 13. When the E-CN receives the first message sent by the user equipment, it checks whether the encryption algorithm and integrity protection algorithm selected by the user are valid. By looking at the KSI, it knows which keys the user equipment is using for encryption and for integrity protection. The message generally also includes parameters such as the user's identity, for example the P-TMSI. Once the E-CN knows that the user equipment is a legitimate user, it sends a security mode command message to the E-RAN (step 1105), which includes the algorithms the network wants the user equipment and the E-RAN to use for encryption and integrity protection. These algorithms may be the same as those the user equipment itself selected in step 1103. If this parameter is not included in the message transmitted in step 1105, both the E-RAN and the user equipment assume by default that the encryption algorithm and integrity protection algorithm selected by the user equipment may be used; otherwise the encryption algorithm and integrity protection algorithm reconfigured by the network are used. The message transmitted in step 1105 also contains the encryption key CK and the integrity protection key IK. These two parameters are passed to the E-RAN so that the E-RAN can apply integrity protection and encryption to downlink signaling and data.
When the E-RAN has received the security mode command (step 1105), it uses the IK delivered by the network and the integrity protection algorithm included in the message the user equipment transmitted in step 1103 to verify, by the method of Figure 10, whether the MAC-I received in step 1103 is correct. If it is correct, the user equipment is a legitimate UE; otherwise it is not. If the user equipment is legitimate, the E-RAN sends a security mode command message to the user equipment (step 1106). This message contains the encryption algorithm and integrity protection algorithm that the network wants to reconfigure; if no encryption algorithm and integrity protection algorithm were included in step 1105, the message transmitted in step 1106 does not include them either. At the same time the E-RAN calculates a MAC-I, includes it in the security mode command, and sends it to the UE. The integrity protection algorithm used for this MAC-I should be the one given in step 1105; otherwise it is the one the user equipment reported to the E-RAN in step 1103.
After the user equipment receives the security mode command, if the message contains no encryption algorithm and integrity protection algorithm, it uses the integrity protection algorithm it selected itself to verify, by the method of Figure 10, whether the MAC-I is correct. Otherwise it verifies using the integrity protection algorithm contained in the message. If the verification succeeds, the network is considered legitimate and the subsequent operations continue.
In a variation of this embodiment, the network does not broadcast the encryption algorithms and integrity protection algorithms; instead the user equipment selects one from its own security capabilities and likewise reports it to the E-RAN in step 1103.
Figure 12 shows the second embodiment of the present invention.
The E-GGSN (that is, the core network entity) determines the encryption algorithms and integrity protection algorithms to be used in this network; there may be one or several. If there are several, the order in which they are given expresses their priority. For example, if the E-GGSN wants the user equipment, capability permitting, to use algorithm 1 first, algorithm 2 second and algorithm 3 third, then the security mode broadcast message (step 1201) contains algorithm 1, algorithm 2 and algorithm 3. When the E-RAN receives this message, it broadcasts these algorithms and their priorities in all of its cells (step 1202). The security mode broadcast message transmitted in step 1202 contains the encryption algorithms and integrity protection algorithms that the network offers the user equipment to choose from. After receiving these parameters, the user equipment stores them for use when communicating with the network.
When the user equipment wants to communicate with the network, it sends the first message to the E-RAN (step 1203). The message contains the sequence number of the encryption key and integrity protection key it will use, the MAC-I computed by the steps of FIG. 10, the encryption algorithm and integrity protection algorithm it has selected, the user identity, the FRESH value used to generate the MAC-I, and other parameters. The FRESH value used in computing the MAC-I may be a random number, or START plus a random number, or START plus a fixed value.
When the E-RAN receives the first message from the user equipment (step 1203), it stores the MAC-I, FRESH, the encryption algorithm and the integrity protection algorithm, and forwards the rest of the message, or the whole message, to the E-GGSN (step 1203). This process is described in detail with FIG. 13. When the E-CN receives the first message sent by the user equipment (step 1204), it checks whether the encryption algorithm and integrity protection algorithm selected by the user are valid. By examining the KSI, it learns which keys the user equipment uses for encryption and for integrity protection. The message transmitted in step 1204 generally also includes parameters such as the user's identity, for example the P-TMSI. Once the E-CN knows that the user equipment is a legitimate user, it sends a security mode command message to the E-RAN (step 1205), which includes the algorithms that the network wants the user equipment and the E-RAN to use for encryption and integrity protection. These may be the same as those the user equipment selected itself in step 1203. If this parameter is not included in the message transmitted in step 1205, both the E-RAN and the user equipment take it by default that the encryption algorithm and integrity protection algorithm selected by the user equipment can be used; otherwise the algorithms reconfigured by the network are used. The message transmitted in step 1205 also contains the encryption key CK and the integrity protection key IK. These two parameters are passed to the E-RAN so that it can integrity-protect and encrypt downlink signaling and data.
After the E-RAN receives the security mode command (step 1205), it uses the IK delivered by the network, together with the integrity protection algorithm and FRESH value from the user equipment in step 1203, to verify the MAC-I received in step 1203, following the method of FIG. 10. If it is correct, the user equipment is a legitimate UE; otherwise it is not. If the user equipment is legitimate, the E-RAN sends it a security mode command message (step 1206) containing the encryption algorithm and integrity protection algorithm that the network wants to reconfigure; if step 1205 did not include an encryption algorithm and an integrity protection algorithm, step 1206 does not include them either. At the same time the E-RAN computes a MAC-I, includes it in the security mode command, and sends it to the UE. The integrity protection algorithm used for this MAC-I is the one included in step 1205; if none was included, it is the one the user equipment reported to the E-RAN in step 1203.
After receiving the security mode command, if the message does not contain an encryption algorithm and an integrity protection algorithm, the user equipment uses the integrity protection algorithm it selected itself to verify whether the MAC-I is correct, following the method of FIG. 10. Otherwise it verifies using the integrity protection algorithm contained in the message. If the verification succeeds, the network is considered legitimate and the subsequent operations continue.
In a variation of this embodiment, the security mode command message transmitted in step 1206 may carry a new FRESH value, and the message transmitted in step 1206 is integrity-protected using this new FRESH. After receiving the security mode command transmitted in step 1206, the user equipment checks the message's integrity using the FRESH contained in it. If the check passes, the network is trusted.
In a variant of this embodiment, the network need not broadcast the encryption algorithm and the integrity protection algorithm; instead, the user equipment selects one from its own security capabilities and likewise informs the E-RAN in step 1203.
In fact, the user equipment and the network may agree in advance not to use the FRESH parameter when computing the MAC-I. In that case, to ensure that two computations over the same content produce different MAC-I values, the COUNT-I used in the two computations can be made different. Since COUNT-I is initialized from START, this means making the START used in the two computations different. Therefore, as a variant of this embodiment, the network may, during the previous communication, assign the user equipment a new START value for use next time. In the next communication, the user equipment then uses this assigned START value to compute the MAC-I, and the network likewise uses its stored START value to compute the MAC-I. The START value may be passed from the user equipment to the network during the next communication, or from the network to the user equipment, or not transmitted at all. If it is transmitted, the receiver can verify whether the START value used in this communication is the same as the START value it has stored.
Likewise, as another variant of this embodiment, the user equipment uses a new START value in each communication. The user equipment and the network then use this START value to compute the MAC-I. In this case the START value must be passed from the user equipment to the network. The network can store the START value used last time and so verify whether the START value used in this communication is the same as the START value it has stored.
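The exchange of steps 1202 to 1206 in the second embodiment, using the variation in which the security mode command carries a new FRESH, as an added Python example that is not part of the patent text. The MAC-I function is a stand-in (truncated HMAC, because the FIG. 10 function is not reproduced on this page), and the algorithm names, message encoding, key and identity values are constructed assumptions.

```python
import hashlib
import hmac
import os

# Stand-in integrity algorithms (assumption): HMAC with different hashes, truncated
# to 32 bits. This is NOT the FIG. 10 function, which the page does not reproduce.
ALGS = {"alg1": hashlib.sha512, "alg2": hashlib.sha384, "alg3": hashlib.sha256}
UPLINK, DOWNLINK = 0, 1


def mac_i(ik, alg, fresh, direction, body):
    """MAC-I over FRESH || DIRECTION || message body, keyed with IK."""
    return hmac.new(ik, fresh + bytes([direction]) + body, ALGS[alg]).digest()[:4]


def ue_select(broadcast, supported):
    """Step 1202: the broadcast order is the priority order; take the first match."""
    for alg in broadcast:
        if alg in supported:
            return alg
    raise ValueError("no algorithm in common with the network")


def ue_first_message(ik, ksi, p_tmsi, alg):
    """Step 1203: first message with KSI, identity, chosen algorithm, FRESH, MAC-I."""
    fresh = os.urandom(4)  # FRESH chosen as a random number
    # Assumption: the chosen algorithm is part of the body covered by the MAC-I.
    body = b"|".join([ksi, p_tmsi, alg.encode()])
    return {"body": body, "alg": alg, "fresh": fresh,
            "mac_i": mac_i(ik, alg, fresh, UPLINK, body)}


def eran_verify_ue(ik, msg):
    """After step 1205: the E-RAN holds IK and checks the MAC-I it stored in 1203."""
    expected = mac_i(ik, msg["alg"], msg["fresh"], UPLINK, msg["body"])
    return hmac.compare_digest(expected, msg["mac_i"])


def eran_security_mode_command(ik, ue_alg, override=None):
    """Step 1206: carry an algorithm only if step 1205 had one; MAC with a new FRESH."""
    alg = override or ue_alg
    fresh = os.urandom(4)
    body = b"SMC|" + (override or "").encode()
    return {"body": body, "alg": override, "fresh": fresh,
            "mac_i": mac_i(ik, alg, fresh, DOWNLINK, body)}


def ue_verify_network(ik, own_alg, smc):
    """UE side: use the algorithm in the command if present, else its own choice."""
    alg = smc["alg"] or own_alg
    expected = mac_i(ik, alg, smc["fresh"], DOWNLINK, smc["body"])
    return hmac.compare_digest(expected, smc["mac_i"])


def run_exchange(override=None, tamper=False):
    """Run steps 1202-1206 on constructed values; return both verification results."""
    ik = bytes(range(16))  # constructed IK known to the UE and delivered by the E-CN
    alg = ue_select(["alg1", "alg2", "alg3"], supported={"alg2", "alg3"})
    msg = ue_first_message(ik, b"KSI-3", b"P-TMSI-0001", alg)
    if tamper:  # first message altered between the UE and the E-RAN
        msg["body"] = msg["body"].replace(b"0001", b"0002")
    if not eran_verify_ue(ik, msg):
        return {"alg": alg, "ue_ok": False, "network_ok": None}
    smc = eran_security_mode_command(ik, alg, override)
    return {"alg": alg, "ue_ok": True, "network_ok": ue_verify_network(ik, alg, smc)}


if __name__ == "__main__":
    print(run_exchange())                 # UE's own choice stays in force
    print(run_exchange(override="alg3"))  # network reconfigures the algorithm
    print(run_exchange(tamper=True))      # E-RAN rejects the altered first message
```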
FIG. 13 describes how the user equipment exchanges signaling with the network.
Between the user equipment and the E-RAN there is a dedicated interface, Uu+, with corresponding message names for that interface. Some of these messages are responsible for carrying signaling from the user equipment to the E-CN; this signaling may be called L3 signaling. They may be similar to INITIAL DIRECT TRANSFER, UPLINK DIRECT TRANSFER and DOWNLINK DIRECT TRANSFER in current UMTS. The L3 signaling is contained in these special Uu+ interface messages.
After receiving such a message, the E-RAN forwards the L3 signaling in it to the E-CN or to the UE. On the Iu+ interface between the E-RAN and the E-CN, the messages responsible for carrying signaling between the user equipment and the E-CN may be similar to INITIAL UE MESSAGE and DIRECT TRANSFER in UMTS. The L3 signaling is contained in these special Iu+ interface messages.
Messages 1301 and 1302 in FIG. 13 carry the signaling between the user equipment and the E-CN through this mechanism. The UE sends message 1301, signaling between the UE and the E-RAN, to the E-RAN; besides the L3 signaling, this message also contains information elements that the UE wants the E-RAN to process. Likewise, after receiving this message, the E-RAN forwards the L3 signaling to the E-CN: the E-RAN sends message 1302, signaling between the E-RAN and the E-CN, to the E-GGSN to forward the L3 signaling. This message contains not only the L3 signaling but also information elements that the E-RAN wants the E-GGSN to process.
Signaling between the user equipment and the E-CN can also be exchanged through the two steps 1311 and 1312. The two messages 1311 and 1312 may have the same name or different names, but they must correspond one-to-one across the interface between the UE and the E-RAN and the interface between the E-RAN and the E-CN. The E-RAN may extract certain information elements from message 1311 and not pass them on to the E-CN. It may also add new information elements to this message and then send it to the E-CN via 1302.
FIG. 14 describes the behavior of the UE in the present invention.
The user equipment receives the security mode broadcast message among the broadcast messages (step 1401). The message contains the encryption algorithms and integrity protection algorithms, with their priorities, that the network offers the user equipment to choose from. The user equipment stores this information for use when interacting with the network. If the broadcast message contains FRESH, the user equipment stores that parameter as well (step 1402). When the user equipment is about to send the first message to the network, it computes the MAC-I of the message to be sent according to the procedure described in FIG. 10, includes it in the first message, and sends the message to the E-RAN (step 1403). The message also includes the encryption algorithm and integrity protection algorithm that the user equipment will use. The UE receives the security mode command sent by the network, extracts the MAC-I from it, and verifies it according to the method described in FIG. 10 (step 1404). If the verification succeeds, it continues with the subsequent operations. Otherwise the UE considers the network illegitimate and exits the communication procedure with the network.
FIG. 15 describes the behavior of the E-RAN in the present invention.
The E-RAN receives the "security mode broadcast" message sent by the E-CN, which asks it to broadcast the security mode in its cells (step 1501). The message includes the encryption algorithms and integrity protection algorithms to be broadcast and their respective priorities. The E-RAN then informs the user equipment of the encryption algorithms, the integrity protection algorithms and their respective priorities by cell broadcast, in the system information broadcast of the cells it controls. If this corresponds to the first embodiment of the present invention (described in FIG. 11), the E-RAN also needs to broadcast the FRESH parameter. After the E-RAN receives the first message from the user equipment (step 1502), it uses the integrity protection algorithm contained in that message, together with the other relevant parameters, to verify whether the MAC-I in it is correct (step 1503). The E-RAN stores the encryption algorithm and integrity protection algorithm selected by the user equipment. If the E-RAN broadcast a FRESH value in step 1501, the FRESH used when checking the MAC-I in step 1503 is the one from the broadcast message; otherwise the message should contain the FRESH that the user used for integrity protection. The MAC-I is verified as described in FIG. 10 (step 1504). If the verification passes, then in step 1505 the E-RAN forwards the first message received from the user equipment to the E-CN. Otherwise the E-RAN considers the user equipment an illegitimate user and ends the procedure. In step 1506, after the E-RAN receives the security mode command sent by the E-CN, if it contains an encryption algorithm or an integrity protection algorithm, that algorithm overrides the one selected by the user equipment; otherwise the algorithm selected by the user equipment is used. The E-RAN sends the user equipment a security mode command message carrying the MAC-I computed by the E-RAN and the encryption algorithm and integrity protection algorithm changed by the E-CN.
FIG. 16 describes the behavior of the E-CN in the present invention.
The E-CN sends a security mode broadcast message to the E-RAN so that the E-RAN broadcasts, in the cells it controls, the encryption algorithms and integrity protection algorithms set by the network and their respective priorities (step 1601). The E-CN then receives the user equipment's first message forwarded by the E-RAN (step 1602); this message contains the encryption algorithm and integrity protection algorithm selected by the UE. The E-CN checks whether the user equipment identity in the message, such as the P-TMSI, identifies a legitimate user (step 1603). If so, it sends a security mode command message to the E-RAN (step 1604); the message includes the identity of the user equipment and the encryption algorithm and integrity protection algorithm that the network wants the user equipment to use. If the E-CN does not want to change the encryption algorithm and integrity protection algorithm selected by the user, the message carries no algorithm information. Finally, in step 1605, the operation ends.
With the present invention as described above, the E-UMTS call setup procedure can be made short and fast, achieving the goal of optimizing UMTS.
Although the present invention has been shown above in connection with its preferred embodiments, those skilled in the art will understand that various modifications, substitutions and changes can be made to it without departing from the spirit and scope of the invention. Accordingly, the invention should not be limited by the above embodiments, but by the appended claims and their equivalents.
Claims (16)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2005100483099A CN1941990A (en) | 2005-09-30 | 2005-12-28 | Method for verifying between user terminal apparatus and network in wireless telecommunication system |
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200510107775 | 2005-09-30 | ||
| CN200510107775.X | 2005-12-28 | ||
| CNA2005100483099A CN1941990A (en) | 2005-09-30 | 2005-12-28 | Method for verifying between user terminal apparatus and network in wireless telecommunication system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN1941990A true CN1941990A (en) | 2007-04-04 |
Family
ID=37959675
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNA2005100483099A Pending CN1941990A (en) | 2005-09-30 | 2005-12-28 | Method for verifying between user terminal apparatus and network in wireless telecommunication system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1941990A (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2010078724A1 (en) * | 2009-01-08 | 2010-07-15 | 中兴通讯股份有限公司 | Local authentication method in mobile communication system |
| US9014714B2 (en) | 2008-07-03 | 2015-04-21 | Lg Electronics Inc. | Method of providing location privacy |
| CN109428853A (en) * | 2017-08-21 | 2019-03-05 | 华为技术有限公司 | A kind of communication means and relevant device |
| CN110225490A (en) * | 2013-11-29 | 2019-09-10 | 日本电气株式会社 | Mobile communication system and its method and network node and its method |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9014714B2 (en) | 2008-07-03 | 2015-04-21 | Lg Electronics Inc. | Method of providing location privacy |
| CN102084674B (en) * | 2008-07-03 | 2016-05-04 | Lg电子株式会社 | The method of location privacy is provided |
| WO2010078724A1 (en) * | 2009-01-08 | 2010-07-15 | 中兴通讯股份有限公司 | Local authentication method in mobile communication system |
| CN110225490A (en) * | 2013-11-29 | 2019-09-10 | 日本电气株式会社 | Mobile communication system and its method and network node and its method |
| US11856074B2 (en) | 2013-11-29 | 2023-12-26 | Nec Corporation | Apparatus, system and method for MTC |
| CN109428853A (en) * | 2017-08-21 | 2019-03-05 | 华为技术有限公司 | A kind of communication means and relevant device |
| US10999736B2 (en) | 2017-08-21 | 2021-05-04 | Huawei Technologies Co., Ltd. | Communication method and related device |
| CN109428853B (en) * | 2017-08-21 | 2021-06-29 | 华为技术有限公司 | A communication method and related equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Open date: 20070404 |