WO2009018778A1 - Method, device and system for non-card device accessing personal network - Google Patents
- Publication number
- WO2009018778A1 (PCT/CN2008/071916)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- cardless
- personal network
- access
- identifier
- management entity
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Definitions
- the present invention relates to the field of communications, and in particular, to a technology for a cardless device to access a personal network.
- PN Personal Network
- the PN is composed of a personal area network (PAN), and the PAN includes at least one user equipment (UE) with a Universal Subscriber Identity Module (USIM).
- UE User Equipment
- USIM Universal Subscriber Identity Module
- ME Mobile Equipment
- TE Terminal Equipment
- MT Mobile Termination
- Ordinary devices such as PCs.
- the UE can also be regarded as a constituent element of the PN.
- PNE Personal Network Elements
- PNM Personal Network Management
- the PNM entity manages the various services required by the subscriber by managing the PNEs belonging to the same subscriber PN.
- the PNM entity can be a Personal Network Management Application Server ("PNM AS") in the network. Its functions mainly include the establishment, configuration and management of personal networks, registration and personalization of service terminals, and secure connections between personal network elements.
- the inventors have found that at least the following problems exist in the prior art:
- the prior art only solves the problem of a terminal with a USIM accessing a PN; it merely defines the service needs of a cardless device at the PNM entity, but offers no effective solution for how a cardless device can access the PN.
- the main purpose of the embodiments of the present invention is to provide a method, device and system for a cardless device to access a personal network, so that the cardless device can be registered to the personal network.
- an embodiment of the present invention provides a method for a cardless device to access a personal network, including the following steps:
- a cardless device that allows access is assigned a personal network element identity, and the personal network element identity is sent to the cardless device that is allowed to access.
- the embodiment of the present invention further provides a personal network management entity, including: a determining unit, configured to determine whether a cardless device is allowed to access a personal network;
- an allocating unit, configured to assign a personal network element identifier to the cardless device that is allowed to access; and a sending unit, configured to send the personal network element identifier allocated by the allocating unit to the cardless device that is allowed to access.
- an embodiment of the present invention further provides an access system, including:
- the network entity is configured to connect a cardless device and a personal network management entity
- the cardless device is configured to send an identity identifier to the personal network management entity by using the network entity;
- the personal network management entity is configured to determine whether the cardless device is allowed to access the personal network, and perform a corresponding access operation on the cardless device that is allowed to access.
- the embodiment of the present invention determines whether the cardless device is allowed to access the personal network according to its identity identifier, or by running an authentication process for the cardless device; it then assigns a personal network element identifier to the cardless device that is allowed to access, and sends that identifier to the device. This solves the problem of registering a cardless device to a personal network and provides a secure registration method that allows users to access the personal network securely.
- FIG. 1 is a flowchart of a method for a cardless device to access a personal network according to an embodiment of the present invention
- FIG. 2 is a flow chart of a method for a cardless device to access a personal network according to a first embodiment of the present invention
- FIG. 3 is a flow chart of a method for a cardless device to access a personal network according to a second embodiment of the present invention
- FIG. 4 is a flow chart of a method for a cardless device to access a personal network according to a third embodiment of the present invention
- FIG. 6 is a flowchart of a method for a cardless device to access a personal network according to a fifth embodiment of the present invention
- FIG. 7 is a flowchart of a method for a cardless device to access a personal network according to a sixth embodiment of the present invention
- FIG. 8 is a flowchart of a method for a cardless device to access a personal network according to a seventh embodiment of the present invention
- FIG. 9 is a flowchart according to an eighth embodiment of the present invention.
- FIG. 10 is a flowchart of a method for a cardless device to access a personal network according to a ninth embodiment of the present invention
- FIG. 11 is a flowchart of a method for a cardless device to access a personal network according to a tenth embodiment of the present invention
- FIG. 12 is a flowchart of a method for a cardless device to access a personal network according to an eleventh embodiment of the present invention;
- FIG. 13 is a flow chart showing a method of accessing a personal network by a cardless device according to a twelfth embodiment of the present invention.
- FIG. 14 is a structural diagram of a personal network management entity according to an embodiment of the present invention.
- FIG. 15 is a block diagram of an access system in accordance with an embodiment of the present invention.
- Registration refers to the process of an entity joining a PN.
- This entity can be either a device or a group of devices.
- the registration process ensures that the device to be registered is authorized by the subscribing user, and that the device is authenticated by a secure method before it joins the subscriber's PN.
- the PNM entity assigns the device a personal network element identifier. This identifier determines the identity of the device in the PN.
- FIG. 1 is a flowchart of a method for a cardless device to access a personal network according to an embodiment of the present invention, including the following steps:
- step 101 it is determined whether the cardless device is allowed to access the personal network
- the network side obtains the identity identifier of the cardless device and determines, according to that identifier, whether the cardless device is allowed to access the personal network; or the network side authenticates the cardless device and determines from the result whether to allow the cardless device to access the personal network;
- the identity identifier is generally a device identification code of the cardless device. It should be pointed out that the device identification code is used to correspond to the personal network element identifier that the personal network management entity will later issue, so that the PNM AS can store and manage the correspondence. Therefore the device identification code is not limited here: any identifier that uniquely distinguishes the cardless device within a personal network can serve as the identity identifier of the cardless device;
- the cardless device that is allowed to access is assigned a personal network element identifier; wherein the personal network element identifier is an identification number that identifies the cardless device in the personal network.
- the PNE identifier may be a unique number in the entire PN.
- alternatively, the PNE identifier may be the same number in different PANs, and becomes the unique identification number in the entire PN once the respective PAN identifier is added to it.
- a personal network element identification is sent to the cardless device that is allowed to access.
- the personal network management entity notifies the personal network element identifier to the network application function entity, and the network application function entity sends the personal network element identifier to the cardless device that is allowed to access;
- the embodiments of the present invention are described in detail below.
- the user side in the embodiment of the present invention includes a personal area network ("PAN") composed of devices: at least one UE with a Universal Subscriber Identity Module ("USIM"), and possibly other cardless devices such as Mobile Equipment ("ME"), Terminal Equipment ("TE"), Mobile Termination ("MT"), PCs, printers, scanners and other common equipment.
- PAN personal area network
- USIM Universal Subscriber Identity Module
- ME Mobile Equipment
- TE Terminal Equipment
- MT Mobile Termination
- PC, printer, scanner and other common equipment.
- a typical wireless local area network (WLAN) device is taken as an example of a cardless device.
- WLAN wireless local area network
- the embodiment of the present invention takes as an example a PN containing one PAN, where the PAN contains the UE and the cardless device.
- it should be noted that the embodiments of the present invention still apply where there are multiple PANs and UEs in the PN, so the technical solutions in the embodiments cannot be considered inapplicable to such systems.
- the network side of the first embodiment of the present invention includes a personal network management entity (Personal Network Management, "PNM"), a network application function entity (Network Application Function, "NAF"), a bootstrapping server function entity (Bootstrapping Server Function, "BSF") and a Home Subscriber Server ("HSS"), where the PNM entity can be a Personal Network Management Application Server (PNM AS) in the network, or another entity that performs this function.
- PNM Personal Network Management
- NAF Network Application Function
- BSF Bootstrapping Server Function
- HSS Home Subscriber Server
- PNM AS Personal Network Management Application Server
- PNM AS, HSS, BSF, NAF, etc. in the embodiments of the present invention are merely names used for convenience of description. These names do not limit the scope of the embodiments; that is, some systems may have no entities named PNM AS, HSS, BSF or NAF, but the technical solutions in the embodiments cannot be considered inapplicable to those systems.
- when the PNM AS and the NAF are separate, that is, the PNM AS and the NAF exist in the network as two functional entities at the same time, the PNM AS performs the authentication function and the NAF performs the authorization function.
- the WLAN device registers itself, and the network side authenticates the registration request message using the Generic Bootstrapping Architecture ("GBA"), as shown in Figure 2.
- GBA Generic Bootstrapping Architecture
- step 201 the UE, the BSF, and the HSS perform a GBA process, and the UE and the BSF generate a shared key Ks.
- GBA can check and verify the identity of a user of an application service and provide a secure communication key for the user's access to that service. Since GBA is a standardized technology in the field of communication security, its details are not repeated in this embodiment;
- step 202 based on the shared key Ks of step 201, the BSF derives the key Ks_NAF; the derived key may also be Ks_int_NAF in the GBA_U case, Ks_ext_NAF in the GBA_ME case, or another such derived key.
- step 203 the BSF sends the derived key Ks_NAF to the NAF;
- step 204 the NAF receives the derived key Ks_NAF sent by the BSF and saves it;
- step 205 the UE derives the key Ks_NAF based on the shared key Ks in step 201.
- the UE sends the derived key Ks_NAF to the WLAN device in the PAN through the local interface, and optionally sends related parameters, which may be parameters for establishing the secure channel, parameters related to a specific service application, or other related parameters.
- thereafter the NAF and the WLAN device share the key Ks_NAF; in particular, the key used to establish the secure channel may be Ks_NAF itself or a key derived from Ks_NAF. It should be noted that the local interface is defined by the relevant specifications and is known in the art, so it is not described here;
- the NAF and the WLAN device establish a secure channel based on the shared key Ks_NAF, which may be pre-shared key transport layer security ("PSK TLS"), an IP security channel ("IPsec"), or another type of secure channel; establishing a secure channel is well known in the industry, so the details of the secure channel technology are not described here. After this step, communication between the NAF and the WLAN device can be performed through the secure channel;
- PSK TLS pre-shared key transport layer security
- Ipsec IP security channel
- the NAF forwards the registration request to the PNM AS.
- the request indicates that the PNM AS should allocate a PNE identifier (PEL for short) to the WLAN device, and carries the WLAN device identification code; the PNE identifier is unique in the PN and determines the identity and location of the PNE in the PN;
- PNE identifier PEL for short
- the PNE identifier in the embodiment of the present invention is merely a name adopted for convenience of description. This name is not limited to the scope of the embodiments of the present invention. For details, refer to the description of the PNE identifier, which is not described here.
- the PNM AS determines whether to allow access according to the WLAN device identification code. For example, the PNM AS decides whether the WLAN device is allowed access according to information it has saved, which may be a user blacklist or a device blacklist.
- the PNM AS may also determine, according to some other user information (such as a public identity), whether the user has the right to register the device;
- the PNM AS can also locally save the device number or public user identity available to the WLAN device.
- such an identity is carried in the GBA User Security Settings ("GBSS") sent to the NAF, and the NAF forwards it to the PNM AS.
- step 211 the NAF sends a registration response to the WLAN device through the secure channel, where the registration response can carry the PNE identifier assigned to the WLAN device;
- the NAF sends the PNE identifier to the WLAN device through the secure channel; the PNE identifier may be transmitted in an existing message, or a new message may be defined to carry it.
- the WLAN device sends a response that has been successfully registered to the UE through the local interface, and notifies the UE that it has registered to the personal network.
- the WLAN device's registration message is authenticated through GBA, and the PNE identifier is delivered through the secure channel; this prevents the PN from being maliciously intruded upon and improves security.
- the present invention provides an application scenario of the second embodiment, which differs from the first embodiment in that only the PNM AS exists in the network; the PNM AS then has not only the authentication function and the PN management function but also the function of the NAF, and takes part in the GBA process.
- the WLAN device registers itself, and the network side authenticates the registration request message using GBA, as shown in Figure 3.
- the UE, the BSF, and the HSS perform a GBA process, and the UE and the BSF generate a shared key Ks.
- GBA can check and verify the identity of a user of an application service and provide a key for the user's access to that service. Since GBA is a standardized technology in the field of communication security, its details are not described in this embodiment;
- the BSF derives the key Ks_NAF; the derived key may also be Ks_int_NAF in the GBA_U case, Ks_ext_NAF in the GBA_ME case, or another derived key;
- step 303 the BSF sends the derived key Ks_NAF to the PNMAS;
- step 304 the PNM AS receives the derived key Ks_NAF sent by the BSF and saves it;
- step 305 the UE derives the key Ks_NAF based on the shared key Ks of step 301;
- step 306 the UE sends the derived key Ks_NAF to the WLAN device in the PAN through the local interface, and optionally sends related parameters, which may be parameters for establishing the secure channel, parameters related to a specific service application, or other related parameters.
- thereafter the PNM AS (acting as the NAF) and the WLAN device share the key Ks_NAF; in particular, the key used to establish the secure channel may be Ks_NAF itself or a key derived from Ks_NAF. It should be noted that the local interface is defined by the relevant specifications and is known in the art, so it is not described here;
- step 307 the PNM AS and the WLAN device establish a secure channel based on the shared key Ks_NAF, which may be pre-shared key transport layer security ("PSK TLS"), an IP security channel ("IPsec"), or another type of secure channel; establishing a secure channel is well known in the industry, so the details of the secure channel technology are not described here. After step 307, communication between the PNM AS and the WLAN device can be performed through this secure channel;
- the WLAN device sends a registration request to the PNM AS, where the registration request may include, but is not limited to, a device identification code of the WLAN device.
- the WLAN device identification code is used to correspond to the PNE identifier that the PNM AS will later issue, so that the PNM AS can store and manage the correspondence. Therefore the WLAN device identification code is not limited here, as long as the identifier uniquely distinguishes the cardless device within one PN.
- the PNM AS determines whether to allow access according to the WLAN device identification code.
- for example, the PNM AS decides whether the WLAN device is allowed access according to information it has saved, which may be a user blacklist or a device blacklist.
- the PNE identifier is unique in the PN and determines the identity and location of the PNE in the PN. It is to be noted that the PNE identifier in the embodiment of the present invention is merely a name used for convenience of description. This name does not limit the scope of application of the embodiments; that is, some systems may have no name of PNE identifier, but the technical solutions in the embodiments cannot be considered inapplicable to those systems. The PNE identifier may be a unique number in the entire PN; alternatively, to save space, the PNE identifier may be the same number in different PANs and become the unique identification number in the entire PN once the respective PAN identifier is added to it.
- the PNM AS may also determine, according to some other user information (such as a public identity), whether the user has the right to register the device;
- the PNM AS can also locally save the device number or public user identity available to the WLAN device; such an identity is carried in the GBA User Security Settings (GBS) sent to the NAF, and the NAF forwards it to the PNM AS.
- GBS GBA User Security Settings
- the WLAN device sends a response that has been successfully registered to the UE through the local interface, and notifies the UE that it has registered to the personal network.
- the WLAN device's registration message is authenticated through GBA, and the PNE identifier is protected by sending it through the secure channel; this prevents the PN from being maliciously invaded and improves security.
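The registration flow of the first and second embodiments, together with the PNE identifier composition rule (the same local number in different PANs, made unique in the PN by the PAN identifier), as an added worked example in Python. This is not code from the patent or from any operator's implementation. Its assumptions: `derive_ks_naf` is a simplified HMAC stand-in for the GBA key derivation, not the 3GPP KDF; `Record`, `protect` and `unprotect` model the PSK TLS channel as HMAC-authenticated messages (integrity and origin only, no confidentiality); the identifier format `<PAN id>:<local number>` is one reading of the composition rule; all entity names, device identification codes and the Ks value are constructed. It goes slightly beyond the two embodiments by registering several devices under one GBA bootstrap, as the later embodiments do.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Record:
    """One message on the Ks_NAF-protected channel: payload plus an HMAC-SHA256 tag.
    Stand-in for a PSK TLS record (assumption): integrity and origin authentication
    under the shared key, no confidentiality."""
    payload: bytes
    tag: bytes


def derive_ks_naf(ks: bytes, naf_id: str) -> bytes:
    """Derive the NAF-specific key from the GBA shared key Ks (steps 202 and 205).
    Simplified stand-in for the GBA KDF (assumption): HMAC-SHA256 keyed with Ks over
    a label and the NAF identity, so BSF and UE reach the same Ks_NAF independently."""
    return hmac.new(ks, b"Ks_NAF|" + naf_id.encode(), hashlib.sha256).digest()


def protect(key: bytes, payload: bytes) -> Record:
    return Record(payload, hmac.new(key, payload, hashlib.sha256).digest())


def unprotect(key: bytes, rec: Record) -> bytes:
    """Verify the tag in constant time; a message not keyed with Ks_NAF is rejected."""
    expected = hmac.new(key, rec.payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec.tag):
        raise ValueError("message failed integrity check under Ks_NAF")
    return rec.payload


@dataclass
class PnmAs:
    """Personal Network Management AS: decides access and assigns PNE identifiers."""
    user_blacklist: set = field(default_factory=set)
    device_blacklist: set = field(default_factory=set)
    registry: dict = field(default_factory=dict)    # device id code -> PNE identifier
    next_local: dict = field(default_factory=dict)  # PAN id -> next local number

    def allow_access(self, user_id: str, device_id: str) -> bool:
        # Step 209: decided from information the PNM AS itself holds (blacklists).
        return user_id not in self.user_blacklist and device_id not in self.device_blacklist

    def assign_pne_identifier(self, pan_id: str, device_id: str) -> str:
        """Step 210: allocate a PNE identifier and save its correspondence with the
        device identification code. The local number may repeat across PANs; the
        PAN identifier prefix makes it unique in the whole PN (assumed format)."""
        if device_id in self.registry:          # re-registration keeps the identifier
            return self.registry[device_id]
        n = self.next_local.get(pan_id, 0) + 1
        self.next_local[pan_id] = n
        self.registry[device_id] = f"{pan_id}:{n}"
        return self.registry[device_id]


@dataclass
class Naf:
    """Network Application Function: terminates the secure channel, fronts the PNM AS."""
    naf_id: str
    pnm_as: PnmAs
    ks_naf: bytes = b""
    user_id: str = ""

    def receive_from_bsf(self, ks_naf: bytes, user_id: str) -> None:
        # Steps 203-204: the BSF delivers Ks_NAF together with the subscriber identity.
        self.ks_naf, self.user_id = ks_naf, user_id

    def handle_registration(self, pan_id: str, request: Record) -> Record:
        # Step 208: only a request protected with Ks_NAF reaches the PNM AS decision.
        device_id = unprotect(self.ks_naf, request).decode()
        if not self.pnm_as.allow_access(self.user_id, device_id):
            return protect(self.ks_naf, b"REFUSED")
        pne_id = self.pnm_as.assign_pne_identifier(pan_id, device_id)
        # Step 211: the PNE identifier goes back over the same protected channel.
        return protect(self.ks_naf, b"OK " + pne_id.encode())


def register_devices(ks: bytes, naf: Naf, user_id: str, pan_id: str, device_ids: list) -> dict:
    """Run the FIG. 2 flow for one or more WLAN devices under one GBA bootstrap.
    Returns device id code -> PNE identifier, or None when the PNM AS refused access."""
    naf.receive_from_bsf(derive_ks_naf(ks, naf.naf_id), user_id)  # BSF -> NAF
    device_key = derive_ks_naf(ks, naf.naf_id)  # UE derives, hands to device (step 206)
    results = {}
    for device_id in device_ids:
        request = protect(device_key, device_id.encode())       # step 208
        reply = unprotect(device_key, naf.handle_registration(pan_id, request)).decode()
        results[device_id] = reply[3:] if reply.startswith("OK ") else None
    return results


if __name__ == "__main__":
    # Constructed sample values, not from the patent.
    pnm = PnmAs(device_blacklist={"wlan-dev-stolen"})
    naf = Naf("naf.operator.example", pnm)
    ks = hashlib.sha256(b"constructed Ks from the GBA run").digest()
    print(register_devices(ks, naf, "sip:alice@operator.example", "pan-home",
                           ["wlan-printer", "wlan-dev-stolen"]))
```

The two checks worth noting are the ones the embodiments rely on: a registration request whose tag was not computed under Ks_NAF never reaches the blacklist decision, and the PNE identifier is only ever returned inside a record keyed with the same Ks_NAF, so the device identification code to PNE identifier correspondence saved in `registry` is only populated for devices that both held the GBA-derived key and passed the PNM AS's access check.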
- the application scenario of the third embodiment of the present invention is basically similar to that of the first embodiment.
- the PNM AS and the NAF are separate, so two functional entities, the PNM AS and the NAF, exist in the network, and the network side authenticates the registration request message using the Generic Bootstrapping Architecture ("GBA").
- Steps 401 to 406 are the same as steps 201 to 206 in the first embodiment, and are not described herein again.
- step 407 the UE sends a WLAN device registration request and the WLAN device identification code to the NAF through the Ua interface or another network-side interface, and the message is encrypted and protected with the GBA-derived key Ks_NAF;
- the registration request may include, but is not limited to, a device identification code of the WLAN device.
- the WLAN device identification code is used to correspond to the PNE identifier that the PNM AS will later issue, so that the PNM AS can store and manage the correspondence. Therefore the WLAN device identification code is not limited here, as long as the identifier uniquely distinguishes the cardless device within one PN;
- the NAF and the WLAN device establish a secure channel based on the shared key Ks_NAF, which may be pre-shared key transport layer security ("PSK TLS"), an IP security channel ("IPsec"), or another type of secure channel; establishing a secure channel is well known in the art, so the details of the secure channel technology are not described here. After this step, communication between the NAF and the WLAN device can be performed through the secure channel;
- Steps 409 to 412 are the same as steps 209 to 212 in the first embodiment, and are not described herein again.
- the PNE identifier is transmitted through the secure channel to prevent the PN from being maliciously infringed, and the security is improved.
- a registration mode in which the UE registers on behalf of the WLAN device is provided, and the user can select the registration mode according to preference.
- the application scenario of the fourth embodiment of the present invention is basically similar to that of the second embodiment, and the difference is that the UE is registered instead of the WLAN device, as shown in FIG. 5 .
- the steps 501 to 506 are the same as the steps 301 to 306 in the second embodiment, and are not described herein again.
- step 507 the UE sends a WLAN device registration request and the WLAN device identification code to the PNM AS through the Ut interface or another network-side interface, and the message is protected with the GBA-derived key.
- the registration request may include, but is not limited to, a device identification code of the WLAN device.
- the WLAN device identification code is used to correspond to the PNE identifier that the PNM AS will later issue, so that the PNM AS can store and manage the correspondence. Therefore the WLAN device identification code is not limited here, as long as the identifier uniquely distinguishes the cardless device within one PN;
- the PNM AS and the WLAN device establish a secure channel based on the shared key Ks_NAF, which may be pre-shared key transport layer security ("PSK TLS"), an IP security channel ("IPsec"), or another type of secure channel; establishing a secure channel is a well-known technology in the industry, so the details of the secure channel technology are not described here;
- communication between the NAF and the WLAN device can be performed through the secure channel;
- Steps 509 to 510 are the same as steps 309 to 310 in the second embodiment, and are not described herein again.
- the PNE identifier is sent through the secure channel to prevent the PN from being maliciously infringed, and the security is improved.
- a registration mode in which the UE registers on behalf of the WLAN device is provided; the registration mode may be chosen by local policy, by network-side policy, or by prior negotiation between the network side and the user.
- the application scenario of the fifth embodiment of the present invention is basically similar to that of the third embodiment. The difference is that the UE registers multiple WLAN devices at a time. In this embodiment, two WLAN devices are taken as an example, as shown in FIG. 6 .
- the steps 601 to 605 are the same as the steps 401 to 405 in the third embodiment, and are not described herein again.
- step 606 the UE sends the derived key Ks_NAF to the WLAN1 device in the PAN through the local interface.
- the NAF and the WLAN1 device then share the key Ks_NAF; in particular, the key used to establish the secure channel may be Ks_NAF itself or a key derived from Ks_NAF. It should be noted that the local interface is defined by the relevant specifications and is known in the art, so it is not described here;
- the UE sends the derived key Ks_NAF to the WLAN1 device in the PAN through the local interface, and optionally sends related parameters, which may be parameters for establishing the secure channel, parameters related to a specific service application, or other related parameters.
- the UE sends the derived key Ks_NAF to the WLAN2 device in the PAN through the local interface.
- the NAF and the WLAN2 device then share the key Ks_NAF; in particular, the key used to establish the secure channel may be Ks_NAF itself or a key derived from Ks_NAF. The local interface is defined by the relevant specifications and belongs to the known technology in the industry, so it is not repeated here;
- the UE sends the derived key Ks_NAF to the WLAN2 device in the PAN through the local interface, and optionally sends related parameters, which may be parameters for establishing the secure channel, parameters related to a specific service application, or other related parameters.
- step 608 the UE sends the WLAN device registration request and the identification codes of WLAN devices 1 and 2 to the NAF through the Ua interface or another network-side interface, and the message is encrypted with the GBA-derived key Ks_NAF.
- the registration request may include, but is not limited to, a device identification code of the WLAN device.
- the WLAN device identification code is used to correspond to the PNE identifier that the PNM AS will later issue, so that the PNM AS can store and manage the correspondence. Therefore the WLAN device identification code is not limited here, as long as the identifier uniquely distinguishes the cardless device within one PN;
- steps 609 to 613 and steps 614 to 618, the registration processes of the WLAN1 device and the WLAN2 device respectively, are each the same as steps 408 to 412 in the third embodiment, and details are not described herein again. There is no temporal order between steps 609 to 613 and steps 614 to 618; they may be performed at the same time. This embodiment does not limit this.
- multiple WLAN devices can be simultaneously registered to the PNM at the same time, which improves the registration efficiency.
- the PNE identifier is protected by the secure channel to prevent the PN from being maliciously invaded and the security is improved.
- the application scenario of the sixth embodiment of the present invention is basically similar to that of the fourth embodiment.
- the difference is that the UE registers multiple WLAN devices at a time.
- two WLAN devices are taken as an example, and the PNM AS sends the PNE identifier to each WLAN device separately, as shown in Figure 7.
- Steps 701 to 705 are the same as steps 501 to 505 in the fourth embodiment, and are not described herein again.
- the steps 706 to 707 are the same as the steps 606 to 607 in the fifth embodiment, and are not described herein again.
- step 708 the UE sends a WLAN device registration request and the identification codes of WLAN devices 1 and 2 to the PNM AS through the Ut interface or another network-side interface, and the message is protected with the GBA-derived key.
- the registration request may include, but is not limited to, a device identification code of the WLAN device.
- the WLAN device identification code is used to correspond to the PNE identifier that the PNM AS will later issue, so that the PNM AS can store and manage the correspondence. Therefore the WLAN device identification code is not limited here, as long as the identifier uniquely distinguishes the cardless device within one PN;
- Step 709 to step 711 and step 712 to step 714 are the same as step 508 to step 510 in the fourth embodiment, respectively, and are not further described herein.
- steps 709 to 713 and steps 614 to 618 have no fixed order in time and may be performed simultaneously; this embodiment does not limit this.
- multiple WLAN devices can be registered to the PNM at the same time, which improves registration efficiency.
- the PNE identifier is protected by the secure channel, which prevents the PN from being maliciously intruded upon and improves security.
- the application scenario of the seventh embodiment of the present invention is basically similar to that of the sixth embodiment. The difference is that all the PNE identifiers are sent to the UE by the PNM AS, and are sent by the UE to the WLAN devices. Specifically, as shown in Figure 8.
- Steps 801 to 805 are the same as steps 701 to 705 in the sixth embodiment, and are not described herein again.
- in step 806, the UE sends a WLAN device registration request and the identification codes of WLAN devices 1 and 2 to the PNM AS through the Ut interface, and the message is protected by encryption with the GBA-derived key Ks-NAF.
- the registration request may include, but is not limited to, the device identification code of each WLAN device.
- the WLAN device identification code is used to correspond to the PNE identifier issued later by the PNM AS, which makes it convenient for the PNM to store and manage the mapping. Therefore, the WLAN device identification code is not limited here; any identifier that uniquely distinguishes the cardless device within one PN may be used;
- in step 807, if the PNM AS considers the registration successful (the PNM AS may also need to judge, according to some user information, whether the user has the right to register the device), it assigns a PNE identifier to each of the WLAN devices according to the WLAN device identification codes and saves the correspondence.
- the PNM AS may locally store the device numbers or public user identities available to the user.
- the PNM AS sends the allocated PNE identifiers, encrypted with Ks-NAF, together with their correspondence to the WLAN device identification codes, to the UE.
- step 809 and step 810 the UE sends the PNE identifier to the WLAN device through the local interface according to the correspondence between the PNE identifier sent by the PNM AS and the WLAN device identification code.
- multiple WLAN devices can be registered to the PNM at the same time, which improves registration efficiency.
- the PNE identifier is protected by the secure channel, which prevents the PN from being maliciously intruded upon and improves security.
- the application scenario of the eighth embodiment of the present invention is basically similar to that of the seventh embodiment.
- the difference is that the PNM AS and the NAF function are separated.
- the PNM AS and the NAF exist in the network as separate functional entities, and the PNM AS performs the authentication function.
- the UE sends a registration request for multiple WLAN devices together with the identifiers of all the WLAN devices that need to be registered. In this embodiment two WLAN devices are taken as an example; all the PNE identifiers are sent to the UE by the NAF, and the UE notifies the WLAN devices. Specifically, as shown in Figure 9.
- Steps 901 to 905 are the same as steps 601 to 605 in the fifth embodiment, and are not described herein again.
- in step 906, the UE sends the WLAN device registration request and the identification codes of WLAN devices 1 and 2 to the NAF through the Ut interface, and the message is encrypted and protected with the GBA-derived key Ks-NAF.
- the registration request is the same as the registration request in step 806 of the seventh embodiment, described in detail above, and is not described again here;
- the key point is that, in step 907, after receiving the registration request, the NAF sends an indication to the PNM AS instructing it to assign PNE identifiers to WLAN devices 1 and 2, and transmits the identification codes of WLAN devices 1 and 2.
- in step 908, if the PNM AS considers the registration successful (the PNM AS may also need to judge, according to some user information, whether the user has the right to register the device), it assigns a PNE identifier to each of the WLAN devices according to the WLAN device identification codes and saves the correspondence.
- the PNM AS may locally store the device numbers or public user identities available to the user. This information may also be sent by the GUS to the NAF, and by the NAF to the PNM AS.
- step 909 the PNM AS sends the assigned PNE identifier to the NAF and the correspondence with all WLAN device identification codes.
- step 910 after receiving the message of the PNM AS, the NAF encrypts the PNE identifiers with the Ks-NAF and the corresponding relationship with all the WLAN device identification codes, and sends the information to the UE through the Ua interface.
- step 911 and step 912 the UE sends a PNE identifier to all WLAN devices through the local interface according to the correspondence between the PNE identifier sent by the PNM AS and all the WLAN device identification codes, indicating that the registration is successful.
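The fifth to eighth embodiments above share one pattern: the UE sends the identification codes of several WLAN devices in one request protected with the GBA-derived key Ks-NAF, the network side checks the user's right to register devices, assigns one PNE identifier per device, stores the correspondence and returns it encrypted with the same key, and the UE hands each device its own identifier over the local interface. The Python below is an added example and is not code from the patent: the Ks-NAF derivation is an HMAC-SHA256 stand-in rather than the 3GPP KDF, the encrypt-then-MAC envelope standing in for "encrypted with Ks-NAF" is constructed, and the subscriber identity, NAF name, entitlement table and device identification codes are constructed sample values. The same registration logic applies unchanged when the shared key comes from the AKA exchange of the ninth embodiment instead of GBA.

```python
import hashlib
import hmac
import json
import secrets


# Assumption: HMAC-SHA256 stand-in for the GBA Ks_NAF derivation. The real KDF
# (3GPP TS 33.220) binds Ks to the NAF identity and the bootstrapping RAND in the
# same way but with a different input encoding; only the binding is shown here.
def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_id: str) -> bytes:
    info = b"gba-me" + rand + impi.encode() + naf_id.encode()
    return hmac.new(ks, info, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (constructed, stdlib only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(ks_naf: bytes, payload: dict) -> dict:
    """Encrypt-then-MAC a message with keys derived from Ks_NAF ('encrypted with Ks-NAF')."""
    enc_key = hmac.new(ks_naf, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(ks_naf, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(payload, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unprotect(ks_naf: bytes, msg: dict) -> dict:
    """Verify the tag first: only a holder of the same Ks_NAF can have produced the message."""
    enc_key = hmac.new(ks_naf, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(ks_naf, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = (bytes.fromhex(msg[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: message was not protected with this Ks_NAF")
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)


class PnmAs:
    """PNM AS with the NAF function merged in (seventh embodiment); entitlements are constructed."""

    def __init__(self, entitlements: dict):
        self.entitlements = entitlements   # public user identity -> max devices in the PN
        self.registry = {}                 # user -> {WLAN device identification code: PNE identifier}
        self._next = 1

    def register(self, user: str, ks_naf: bytes, protected_request: dict) -> dict:
        request = unprotect(ks_naf, protected_request)   # also authenticates the UE's request
        device_ids = request["wlan_device_ids"]
        if user not in self.entitlements:
            raise PermissionError("user is not entitled to register devices")
        pn = self.registry.setdefault(user, {})
        # the device identification code only has to be unique within this user's PN
        if len(set(device_ids)) != len(device_ids) or any(d in pn for d in device_ids):
            raise ValueError("WLAN device identification code must be unique within the PN")
        if len(pn) + len(device_ids) > self.entitlements[user]:
            raise PermissionError("subscription does not allow this many devices")
        mapping = {}
        for device_id in device_ids:        # one PNE identifier per device
            pne_id = f"PNE-{self._next}"
            self._next += 1
            pn[device_id] = pne_id          # save the correspondence
            mapping[device_id] = pne_id
        return protect(ks_naf, {"pne_identifiers": mapping})   # response encrypted with Ks_NAF


def ue_register_devices(pnm: PnmAs, user: str, ks_naf: bytes, device_ids: list) -> dict:
    """UE registers several WLAN devices in one request and returns what it hands each device."""
    request = protect(ks_naf, {"wlan_device_ids": device_ids})
    mapping = unprotect(ks_naf, pnm.register(user, ks_naf, request))["pne_identifiers"]
    # over the local interface each WLAN device receives only its own PNE identifier
    return {device_id: mapping[device_id] for device_id in device_ids}


def demo():
    """Constructed run: one subscriber, Ks bootstrapped with the BSF, two WLAN devices."""
    ks, rand = secrets.token_bytes(32), secrets.token_bytes(16)
    ks_naf = derive_ks_naf(ks, rand, "subscriber@example.com", "pnm-as.example.com")
    pnm = PnmAs({"subscriber@example.com": 3})
    delivered = ue_register_devices(pnm, "subscriber@example.com", ks_naf, ["wlan1-id", "wlan2-id"])
    return delivered, pnm
```

Because the tag is checked before anything is decrypted or looked up, a request from a UE that did not complete bootstrapping (and so holds no matching Ks_NAF) is rejected without touching subscription data, which is the protection against a malicious terminal that the embodiments claim.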
- the network side uses the GBA mode to authenticate the user's registration message, that is, the legality of the registration message is authenticated using a GBA-related key or a key further derived from the GBA-related key.
- the network side may also adopt an Authentication and Key Agreement (AKA) mode: the user obtains the authentication parameter quintuple directly from the HSS and uses AKA to generate a shared key, thereby authenticating the validity of the registration message. Authentication and key agreement is shown in Figure 10.
- in step 1001, the UE sends a request to the PNM AS to generate a shared key;
- in step 1003, the UE performs an AKA process with the PNM AS, with mutual authentication, to generate a shared key K.
- the AKA algorithm can check and verify the identity of the user of the application service, and provides a key for secure communication when the user accesses the application service;
- AKA is a standardized technology in the field of communication security; therefore, the details of AKA are not described further in this embodiment;
- in step 1004, the UE sends the shared key K and the parameters related to establishing the secure channel to the WLAN device, so that the PNM AS and the WLAN device have a shared key;
- the shared key used to establish the secure channel here may be K or a key re-derived from K;
- the WLAN device sends a registration request to the PNM AS, where the registration request may include, but is not limited to, the device identification code of the WLAN device.
- the WLAN device identification code is used to correspond to the PNE identifier (PNE identifier) issued later by the PNM AS, which makes it convenient for the PNM to store and manage the mapping. Therefore, the WLAN device identification code is not limited to this; any identifier that uniquely distinguishes the cardless device within one PN may be used;
- in step 1007, after receiving the WLAN device's registration request forwarded by the NAF, the PNM AS determines that the registration is successful, assigns a PNE identifier to the WLAN device according to the WLAN device identification code, saves the correspondence, and sends the PNE identifier to the NAF;
- the PNM AS can also determine whether the user has the right to register the device according to other user information (such as a public identity);
- the PNM AS can also locally save the device number or public user identity available to the WLAN device. This information may also be sent by the GUS to the NAF, and by the NAF to the PNM AS.
- the WLAN device sends a successful registration response to the UE through the local interface, notifying the UE that it has registered to the personal network.
- the embodiment of the present invention applies not only to the case where the cardless device registers itself, but also to the case where the UE registers on behalf of the cardless device; and not only to the registration of a single cardless device, but also to the registration of multiple cardless devices. The basic principle has been explained in the foregoing embodiments, and those skilled in the art can, following the GBA-based description, derive the corresponding AKA-based solution or a solution based on another authentication algorithm. These technical solutions are not listed here one by one.
- the network side may also use the GBA mode to authenticate the registration information when the PNM AS has the NAF function.
- in that case the WLAN device registers itself and can directly perform the GBA process with the BSF to obtain a shared key. Specifically, as shown in Figure 11.
- in step 1101, the WLAN device, the BSF and the HSS perform a GBA process, and the WLAN device and the BSF generate a shared key Ks.
- in step 1102, the BSF derives the key Ks-NAF.
- in step 1103 and step 1104, the BSF sends the derived key Ks-NAF and the parameters related to establishing the secure channel to the PNM AS, and the PNM AS saves the derived key.
- in step 1105, the WLAN device generates the derived key Ks-NAF, so that the PNM AS and the WLAN device have a shared key.
- in step 1106, the PNM AS and the WLAN device establish a secure channel based on the shared key, which may be PSK TLS or IPsec. Thereafter, communication between the PNM AS and the WLAN device takes place over this secure channel.
- the WLAN device sends a registration request to the PNM AS, including the device identification code of the WLAN device.
- in step 1108 and step 1109, if the PNM AS considers the registration successful (the PNM AS may also need to determine, according to some user information or the public identity, whether the user has the right to register the device), it assigns a PNE identifier to the WLAN device according to the WLAN device identification code, saves this correspondence, and sends the PNE identifier to the WLAN device.
- the WLAN device sends a successful registration response to the UE, informing the UE that it has registered to the personal network.
- This embodiment solves the problem that a cardless device is registered to a personal network, and provides a method of secure registration so that the user's personal network is not invaded by a malicious terminal.
- the network side may also use a public key certificate to authenticate the registration information, thereby authenticating the validity of the registration message. Specifically, as shown in Figure 12.
- the WLAN device performs an authentication process with the PNM AS through a public key certificate (or a shared key, that is, a key shared in advance by the WLAN device and the network). After the PNM AS verifies the identity of the WLAN device, it determines whether to allow it to join the PN according to the user subscription information or the locally stored correspondence between the user and the device.
- the manner in which the PNM AS determines whether to allow the device to join may also be that the PNM notifies the UE of the device registration, and the device is allowed to join after the UE approves.
- the WLAN device sends the public key certificate (or the shared key, that is, the key shared in advance by the WLAN device and the network) to the UE through the local interface, and the UE and the PNM AS authenticate each other based on the public key certificate (or shared key).
- in step 1203, the UE sends a registration request to the PNM AS, including the identification code of the WLAN device.
- in step 1204, the PNM AS assigns a PNE identifier to the WLAN device according to the identification code of the WLAN device, and saves the correspondence.
- in step 1205, the PNM AS sends a registration response to the UE, including the PNE identifier assigned to the WLAN device.
- in step 1206, the UE sends the PNE identifier to the WLAN device.
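The shared-key alternative of the authentication step above, followed by the admission decision (subscription data, the locally stored user-to-device correspondence, or approval by the UE), can be sketched as follows. This Python is an added example, not the patent's or any product's code: it implements only the pre-shared-key branch, as an HMAC challenge-response in both directions (the certificate branch is omitted), and the device identification code, subscriber name, subscription table and the UE approval callback are constructed. The PNM AS consults subscription data only after the device has authenticated, and each challenge nonce is single-use so that a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Set


def _tag(key: bytes, direction: bytes, nonce: bytes) -> bytes:
    """HMAC over a direction label and the challenge nonce (constructed message format)."""
    return hmac.new(key, direction + nonce, hashlib.sha256).digest()


class WlanDevice:
    """Cardless device holding a key shared in advance with the network (constructed)."""

    def __init__(self, device_id: str, psk: bytes):
        self.device_id, self.psk = device_id, psk

    def respond(self, nonce: bytes) -> bytes:
        return _tag(self.psk, b"device->network", nonce)

    def verify_network(self, nonce: bytes, network_tag: bytes) -> bool:
        return hmac.compare_digest(_tag(self.psk, b"network->device", nonce), network_tag)


class PnmAs:
    def __init__(self, device_keys: Dict[str, bytes], subscriptions: Dict[str, Set[str]],
                 ask_ue: Callable[[str, str], bool]):
        self.device_keys = device_keys        # device identification code -> pre-shared key
        self.subscriptions = subscriptions    # user -> device ids recorded in subscription data
        self.ask_ue = ask_ue                  # approval via the UE (constructed callback)
        self.pending: Dict[str, bytes] = {}   # outstanding challenge per device
        self.authenticated: Set[str] = set()
        self.pne_ids: Dict[tuple, str] = {}   # (user, device id) -> PNE identifier
        self._next = 1

    def challenge(self, device_id: str) -> bytes:
        if device_id not in self.device_keys:
            raise KeyError("no key shared in advance with this device")
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def authenticate(self, device_id: str, response: bytes) -> Optional[bytes]:
        """Verify the device's response; return the network's tag for mutual authentication."""
        nonce = self.pending.pop(device_id, None)   # single use: an old response cannot be replayed
        if nonce is None:
            return None
        key = self.device_keys[device_id]
        if not hmac.compare_digest(_tag(key, b"device->network", nonce), response):
            return None
        self.authenticated.add(device_id)
        return _tag(key, b"network->device", nonce)

    def register(self, user: str, device_id: str) -> Optional[str]:
        """Admission happens only after authentication succeeded."""
        if device_id not in self.authenticated:
            return None
        in_subscription = device_id in self.subscriptions.get(user, set())
        if not (in_subscription or self.ask_ue(user, device_id)):
            return None
        key = (user, device_id)
        if key not in self.pne_ids:                 # assign and save the correspondence
            self.pne_ids[key] = f"PNE-{self._next}"
            self._next += 1
        return self.pne_ids[key]


def run_registration(pnm: PnmAs, device: WlanDevice, user: str) -> Optional[str]:
    """Full exchange: challenge, device response, network tag, then registration."""
    nonce = pnm.challenge(device.device_id)
    network_tag = pnm.authenticate(device.device_id, device.respond(nonce))
    if network_tag is None or not device.verify_network(nonce, network_tag):
        return None
    return pnm.register(user, device.device_id)


def demo(ue_approves: bool) -> Optional[str]:
    """Constructed run: device not in subscription data, so admission depends on the UE."""
    psk = secrets.token_bytes(32)
    pnm = PnmAs({"wlan-dev-1": psk}, {"alice": set()}, lambda user, dev: ue_approves)
    return run_registration(pnm, WlanDevice("wlan-dev-1", psk), "alice")
```

The two direction labels keep a device response from being reflected back as a network tag, and `compare_digest` keeps the tag comparison constant-time; both are standard precautions for any challenge-response built on a shared key.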
- the difference from the above embodiments is that different UEs are used to register multiple WLAN devices, and the multiple WLAN devices do not belong to the same PAN.
- two WLAN devices (WLAN1, WLAN2) are taken as an example; they belong to different PANs and correspond to different UEs (UE1, UE2), BSFs (BSF1, BSF2) and HSSs (HSS1, HSS2).
- there is only one PNM AS in the network.
- the PNM AS also has the function of NAF to participate in the GBA process.
- the UE registers on behalf of the WLAN device, and the network side uses the GBA authentication registration request message. Specifically, as shown in FIG.
- steps 1301 to 1305 and steps 1306 to 1310 are each a process for generating a shared key.
- the foregoing embodiments have described this flow in detail, so it is not described again here; steps 1301 to 1305 and steps 1306 to 1310 have no fixed order in time;
- in step 1311 and step 1312, the UE sends the derived key Ks-NAF, together with the parameters related to establishing the secure channel, to the WLAN device through the local interface.
- the PNM AS and the WLAN device then have a shared key Ks-NAF;
- the shared key used to establish the secure channel may be Ks-NAF or a key derived from Ks-NAF.
- the local interface has been defined by the relevant specifications and is a technique known in the art, so it is not described here;
- the UE can only send the shared key to the WLAN device after the shared key has been generated.
- steps 1313 to 1316 and steps 1317 to 1320 are each a process for registering a WLAN device to the PNM AS.
- the foregoing embodiments have described this flow in detail, so it is not repeated here; steps 1313 to 1316 and steps 1317 to 1320 have no fixed order in time and may be performed at the same time.
- the embodiments of the present invention do not limit whether the PNM AS and the NAF are merged or separated.
- the PNM AS and the NAF are combined in some embodiments, but this does not affect the flow between the PNM AS and the NAF; when they are separated, there is additional signaling between these entities besides the flow of the invention between the PNM AS and the NAF.
- the embodiments of the present invention apply not only to the case where the cardless device registers itself, but also to the case where the UE registers on behalf of the cardless device; not only to the case where the PNM AS is separated from the NAF, but also to the case where the PNM AS is integrated with the NAF; and not only to the GBA-based authentication process, but also to solutions based on other authentication algorithms in the prior art. The basic principle has been explained in the foregoing embodiments, and those skilled in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of the invention. These technical solutions are not listed here one by one.
- the WLAN device is chosen as the cardless device, but the embodiments of the present invention are not limited to WLAN devices; the method for another cardless device to access the personal network can be derived from the foregoing embodiments, the difference being that some simple substitutions may be made in some concepts.
- the identity identifier of the WLAN device is the WLAN device identification code. For another cardless device it may not be a device identification code; any identity that can uniquely distinguish this cardless device within a PN can be used as its identification identifier.
- the personal network management entity 1400 in the embodiment of the present invention includes:
- a determining unit 1410, configured to determine whether the cardless device is allowed to access the personal network;
- an allocating unit 1420, configured to allocate a personal network element identifier to the cardless device that the determining unit 1410 has determined is allowed to access;
- a sending unit 1430, configured to send the personal network element identifier allocated by the allocating unit to the cardless device that is allowed to access.
- the determining unit 1410 includes:
- an acquiring unit, configured to acquire the identity identifier of the cardless device;
- a determining unit, configured to determine, according to the identity identifier acquired by the acquiring unit, whether the cardless device is allowed to access the personal network.
- the acquiring unit includes:
- a secure channel establishing unit, configured to establish a secure channel;
- an information acquiring unit, configured to obtain the identity identifier of the cardless device through the secure channel established by the secure channel establishing unit.
- the determining unit 1410 may also include:
- an authentication unit, configured to authenticate the cardless device;
- a determining unit, configured to determine, according to the authentication result of the authentication unit, whether the cardless device is allowed to access the personal network.
- the acquiring unit in the personal network management entity may include: a shared key generating unit, a secure channel establishing unit and an information acquiring unit.
- the shared key generating unit is configured to determine a shared key between the user equipment and the personal network management entity; the secure channel establishing unit is configured to establish a secure channel using the shared key; and the information acquiring unit is configured to obtain the identity identifier of the cardless device through the secure channel established by the secure channel establishing unit.
- alternatively, the acquiring unit may include: a shared key generating unit and an information acquiring unit, where the shared key generating unit is configured to determine a shared key between the user equipment and the personal network management entity, and the information acquiring unit is configured to acquire from the user equipment a registration request encrypted with the shared key, where the registration request carries the identity identifier of the cardless device.
- the shared key generating unit includes an authentication and key agreement unit, configured to obtain the shared key between the user equipment and the personal network management entity using authentication and key agreement technology.
- the authentication unit in the personal network management entity may include a public key certificate unit and a shared key unit, where the public key certificate unit is configured to authenticate the cardless device through a public key certificate, and the shared key unit is configured to generate a shared key with which to authenticate the cardless device.
- the allocating unit in the personal network management entity may include: an acquiring unit, configured to acquire the identification identifier of the cardless device that is allowed to access when allocating the network element identifier; and an identifier assigning unit, configured to assign a personal network element identifier to the cardless device that is allowed to access according to the identification identifier acquired by the acquiring unit.
- the method includes the following steps: obtaining the identity identifier of the cardless device in the personal network, determining according to the acquired identity identifier whether the cardless device is allowed to access the personal network, and performing the corresponding access operation for the cardless device that is allowed to access.
- the access operation includes: assigning a corresponding personal network element identifier to the cardless device that is allowed to access, and sending the personal network element identifier to the user side.
- the above-mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
- the personal network management entity 1503 is configured to determine whether the cardless device is allowed to access the personal network, and perform a corresponding access operation on the cardless device that is allowed to access.
- the personal network management entity 1503 includes:
- the determining unit 1510 configured to determine whether the cardless device is allowed to access the personal network
- an allocating unit 1520, configured to allocate a personal network element identifier to the cardless device that is allowed to access; and a sending unit 1530, configured to send the personal network element identifier allocated by the allocating unit to the cardless device that is allowed to access.
- the embodiments of the present invention obtain the identity identifier of the cardless device and determine, according to that identifier, whether the cardless device is allowed to access the personal network, or determine, through an authentication process of the cardless device, whether it is allowed to access the personal network; they then assign a personal network element identifier to the cardless device that is allowed to access and send the personal network element identifier to that device. This solves the problem of registering a cardless device to a personal network and provides a secure registration method that allows users to securely access the personal network.
Description
Method, device and system for a cardless device to access a personal network
This application claims priority to Chinese patent application No. 200710075709.8, filed with the Chinese Patent Office on August 7, 2007 and entitled "Method, device and system for a cardless device to access a personal network", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communications, and in particular to a technology for a cardless device to access a personal network.
Background
With the development of communication technology, many subscribers now own more than one device for mobile communication services, and a subscriber can connect all the devices he or she owns into a personal network (PN).
A PN is composed of personal area networks (PANs). A PAN includes at least one user equipment (UE) with an activated Universal Subscriber Identity Module (USIM), and may also include other cardless devices, such as Mobile Equipment (ME), Terminal Equipment (TE), Mobile Termination (MT) and ordinary devices such as PCs. When there is only one active UE in a PAN, that UE can also be regarded as a constituent element of the PN.
In a PN, the various terminal devices (such as TE, ME, etc.) are called Personal Network Elements (PNEs), and the PN also includes a Personal Network Management (PNM) entity. The PNM entity satisfies the various services required by the subscriber by managing the PNEs belonging to the same subscriber's PN. In the network, the PNM entity may be a Personal Network Management Application Server (PNM AS), whose functions mainly include the establishment, configuration and management of the personal network, the registration and personalization of service terminals, and secure connections between personal network elements.
In implementing the present invention, the inventors found that the prior art has at least the following problem: the prior art only solves the problem of a terminal with a USIM accessing a PN. It merely defines the requirement that a cardless device carries out services through the PNM entity, but there is still no effective solution for how a cardless device accesses the PN.
Summary of the invention
In view of this, the main purpose of the embodiments of the present invention is to provide a method, device and system for a cardless device to access a personal network, so that a cardless device can be registered to the personal network.
To achieve the above objective, in one aspect, an embodiment of the present invention provides a method for a cardless device to access a personal network, including the following steps:
determining whether the cardless device is allowed to access the personal network;
assigning a personal network element identifier to the cardless device that is allowed to access, and sending the personal network element identifier to the cardless device that is allowed to access.
In another aspect, an embodiment of the present invention further provides a personal network management entity, including: a determining unit, configured to determine whether a cardless device is allowed to access the personal network;
an allocating unit, configured to assign a personal network element identifier to the cardless device that is allowed to access; and a sending unit, configured to send the personal network element identifier allocated by the allocating unit to the cardless device that is allowed to access.
In yet another aspect, an embodiment of the present invention further provides an access system, including:
a network entity, configured to connect a cardless device and a personal network management entity;
the cardless device, configured to send an identity identifier to the personal network management entity through the network entity;
the personal network management entity, configured to determine whether the cardless device is allowed to access the personal network, and to perform the corresponding access operation for the cardless device that is allowed to access.
By comparison, it can be seen that one of the above technical solutions has the following advantages or beneficial effects compared with the prior art:
The embodiments of the present invention obtain the identity identifier of the cardless device and determine, according to that identifier, whether the cardless device is allowed to access the personal network, or determine, through an authentication process of the cardless device, whether the cardless device is allowed to access the personal network; they then assign a personal network element identifier to the cardless device that is allowed to access and send the personal network element identifier to that device. This solves the problem of registering a cardless device to a personal network and provides a secure registration method, so that the user can securely access the personal network.
Brief description of the drawings
Figure 1 is a flowchart of a method for a cardless device to access a personal network according to an embodiment of the present invention;
Figure 2 is a flowchart of a method for a cardless device to access a personal network according to a first embodiment of the present invention;
Figure 3 is a flowchart of a method for a cardless device to access a personal network according to a second embodiment of the present invention;
Figure 4 is a flowchart of a method for a cardless device to access a personal network according to a third embodiment of the present invention;
Figure 5 is a flowchart of a method for a cardless device to access a personal network according to a fourth embodiment of the present invention;
Figure 6 is a flowchart of a method for a cardless device to access a personal network according to a fifth embodiment of the present invention;
Figure 7 is a flowchart of a method for a cardless device to access a personal network according to a sixth embodiment of the present invention;
Figure 8 is a flowchart of a method for a cardless device to access a personal network according to a seventh embodiment of the present invention;
Figure 9 is a flowchart of a method for a cardless device to access a personal network according to an eighth embodiment of the present invention;
Figure 10 is a flowchart of a method for a cardless device to access a personal network according to a ninth embodiment of the present invention;
Figure 11 is a flowchart of a method for a cardless device to access a personal network according to a tenth embodiment of the present invention;
Figure 12 is a flowchart of a method for a cardless device to access a personal network according to an eleventh embodiment of the present invention;
Figure 13 is a flowchart of a method for a cardless device to access a personal network according to a twelfth embodiment of the present invention;
Figure 14 is a structural diagram of a personal network management entity according to an embodiment of the present invention;
Figure 15 is a structural diagram of an access system according to an embodiment of the present invention.
具体实施方式 detailed description
为使本发明实施例的目的、技术方案和优点更加清楚, 下面将结合附图对 本发明实施例作进一步地详细描述。 The embodiments of the present invention will be further described in detail below with reference to the accompanying drawings.
在无卡设备接入个人网络的过程中,无卡设备需要进行注册过程。 注册是 指某一实体加入 PN的过程, 此实体可以是一个设备, 也可以是一组设备。 注 册过程要保证需要注册的设备得到签约用户的许可,并且通过安全方法对该设 备进行认证以加入签约用户的 PN,每个设备一旦注册成功以后, PNM实体会 给该设备分配个人网络元素标识, 该标识确定了该设备在 PN中的身份。 In the process of a cardless device accessing a personal network, a cardless device needs to perform a registration process. Registration refers to the process of an entity joining a PN. This entity can be either a device or a group of devices. The registration process ensures that the device to be registered is licensed by the signing user, and the device is authenticated by a secure method to join the PN of the signing user. Once each device is successfully registered, the PNM entity assigns the device a personal network element identifier. This identity determines the identity of the device in the PN.
本发明实施例提供了一种无卡设备接入个人网络的方法,如图 1所示, 图 1 为本发明实施例一种无卡设备接入个人网络的方法的流程图, 包括以下步 骤: An embodiment of the present invention provides a method for a cardless device to access a personal network. As shown in FIG. 1 , FIG. 1 is a flowchart of a method for a cardless device to access a personal network according to an embodiment of the present invention, including the following steps:
In step 101, it is determined whether the cardless device is allowed to access the personal network.
The network side obtains the identity identifier of the cardless device and determines from that identifier whether the cardless device is allowed to access the personal network; alternatively, the network side authenticates the cardless device and determines from the result whether the cardless device is allowed to access the personal network.
The identity identifier is generally the device identification code of the cardless device. It should be pointed out in particular that this device identification code is used to correspond to the personal network element identifier later issued by the personal network management entity, so that the PNM AS can store and manage the mapping. The identifier is therefore not limited to the device identification code: any identifier that uniquely distinguishes this cardless device within a personal network can serve as its identity identifier.
In step 102, a personal network element identifier is assigned to the cardless device that is allowed to access. The personal network element identifier is the identification number that identifies the cardless device within the personal network. In the embodiments of the present invention it may be a PNE identifier, but this is merely a name adopted for convenience of description. The name does not limit the scope of application of the embodiments: some systems may have no "PNE identifier" by that name, yet it cannot be concluded that the technical solutions of the embodiments are inapplicable to such systems. The PNE identifier may be a number that is unique throughout the PN. Alternatively, to save information element space, the PNE identifier may be the same number in different PANs and become unique within the whole PN only once the respective PAN identifier is added to it.
In step 103, the personal network element identifier is sent to the cardless device that is allowed to access. The personal network element identifier is sent to the cardless device in one of the following ways:
the personal network management entity sends the personal network element identifier directly to the cardless device that is allowed to access;
the personal network management entity notifies the network application function entity of the personal network element identifier, and the network application function entity sends it to the cardless device that is allowed to access;
the personal network management entity sends the personal network element identifier to the user equipment, and the user equipment sends it to the cardless device that is allowed to access;
the personal network management entity notifies the network application function entity of the personal network element identifier, the network application function entity sends it to the user equipment, and the user equipment sends it to the cardless device that is allowed to access.
The embodiments of the present invention are now described in detail. The user side in the embodiments comprises a Personal Area Network ("PAN") composed of devices, which includes at least one UE with an activated Universal Subscriber Identity Module ("USIM") and may also include other cardless devices, such as Mobile Equipment ("ME"), Terminal Equipment ("TE"), Mobile Termination ("MT"), and ordinary devices such as PCs, printers and scanners. In this embodiment a typical Wireless Local Area Network ("WLAN") device is taken as the example of a cardless device.
It should of course be noted that more than one PAN may exist in a PN. For clarity of presentation, and without affecting the normal implementation of the embodiments, the embodiments take the case in which the PN includes one PAN and the PAN includes a UE and several cardless devices. It should be specifically noted that the embodiments still apply to the case of multiple PANs and UEs in a PN, so it cannot be concluded that the technical solutions of the embodiments are inapplicable to such systems.
The network side in the first embodiment of the present invention includes a Personal Network Management ("PNM") entity, a Network Application Function ("NAF") entity, a Bootstrapping Server Function ("BSF") entity and a Home Subscriber Server ("HSS"). The PNM entity in the network may be a Personal Network Management Application Server ("PNM AS") or another entity that performs personal network management functions.
It should be specifically noted that the PNM AS, HSS, BSF, NAF and similar terms in the embodiments are merely names adopted for convenience of description. These names do not limit the scope of application of the embodiments: some systems may have no entities by the names PNM AS, HSS, BSF or NAF, yet it cannot be concluded that the technical solutions of the embodiments are inapplicable to such systems.
In this embodiment the PNM AS and NAF functions are separated, that is, both the PNM AS and the NAF exist in the network as functional entities: the PNM AS performs the authentication function and the NAF performs the authorization function. The WLAN device registers itself, and the network side authenticates the registration request message using Generic Bootstrapping Architecture ("GBA") technology. The procedure is shown in Figure 2.
In step 201, the UE, the BSF and the HSS perform the GBA procedure, and the UE and the BSF generate a shared key Ks. GBA can check and verify the identity of users of an application service and provide users with keys for secure communication when accessing the application service; since GBA is a standardized technology in the field of communication security, its details are not repeated in this embodiment.
In step 202, based on the shared key Ks from step 201, the BSF derives the key Ks_NAF. The derived key may also be Ks_int_NAF in the GBA_U case, Ks_ext_NAF in the GBA_ME case, or another such key.
In step 203, the BSF sends the derived key Ks_NAF to the NAF.
In step 204, the NAF receives the derived key Ks_NAF sent by the BSF and stores it.
In step 205, the UE derives the key Ks_NAF based on the shared key Ks from step 201. In step 206, the UE sends the derived key Ks_NAF to the WLAN device in the PAN over the local interface. After this step, the NAF and the WLAN device share the key Ks_NAF. It should be pointed out in particular that the shared key used here to establish the secure channel may be Ks_NAF itself or a key further derived from Ks_NAF; it should also be pointed out that this local interface is already defined by the relevant specifications and is known in the art, so it is not described further here.
In this step, when the UE sends the derived key Ks_NAF to the WLAN device in the PAN over the local interface, it may optionally also send related parameters; these may be parameters for establishing the secure channel, parameters related to a specific service application, or other related parameters.
In step 207, the NAF and the WLAN device establish a secure channel based on the shared key Ks_NAF. The secure channel may be a pre-shared key transport layer security ("PSK TLS") channel, an IP security ("IPsec") channel, or another type of secure channel. It should be pointed out in particular that the techniques for establishing a secure channel are well known in the art, so their details are not repeated here. After step 207, communication between the NAF and the WLAN device can take place over this secure channel.
In step 208, the WLAN device sends a registration request to the NAF. The registration request may include, but is not limited to, the identification identifier of the WLAN device, which in this embodiment is the device identification code of the WLAN device. It should be pointed out in particular that this WLAN device identification code is used to correspond to the PNE identifier later issued by the PNM AS, so that the PNM can store and manage the mapping; the identifier is therefore not limited to the WLAN device identification code, and any identifier that uniquely distinguishes this cardless device within a PN can serve as the identity identifier of the WLAN device.
In step 209, after receiving the registration request from the WLAN device, the NAF sends an indication to the PNM AS instructing it to assign a PNE identifier to the WLAN device, and sends the WLAN device identification code along with it. The PNE identifier is unique within the PN and thus determines the identity and position of the PNE in the PN.
It should be specifically noted that the PNE identifier in the embodiments is merely a name adopted for convenience of description. The name does not limit the scope of application of the embodiments; see the description of the PNE identifier above, which is not repeated here.
In step 210, after receiving the registration request from the WLAN device forwarded by the NAF, the PNM AS determines from the WLAN device identification code whether access is allowed. For example, the PNM AS determines whether the WLAN device is allowed to access according to information it holds, such as a user blacklist or a device blacklist.
It assigns a PNE identifier to the WLAN device that is allowed to access, stores this correspondence, and sends the PNE identifier to the NAF.
In this step, the PNM AS may also determine from other user information (such as a public identity) whether the user is entitled to register this device.
Also in this step, the PNM AS may locally store the device number or public user identity available to the WLAN device. This information is carried in the GBA User Security Settings ("GUSS") delivered to the NAF, and the NAF forwards it to the PNM AS.
In step 211, the NAF sends a registration response to the WLAN device over the secure channel; the registration response may carry the PNE identifier assigned to the WLAN device.
It should be specifically noted that in this embodiment, after the PNM AS has assigned the PNE identifier to the WLAN device, the NAF sends that PNE identifier to the WLAN device over the secure channel; the PNE identifier may be carried in an existing message, or a new message may be defined to carry it.
In step 212, the WLAN device sends a registration success response to the UE over the local interface, notifying the UE that it has registered into the personal network.
In this embodiment, where the PNM AS and NAF functions are separated and both exist in the network as functional entities, the WLAN device authenticates the registration message by means of GBA, and the issuing of the PNE identifier is protected by the secure channel, which prevents malicious intrusion into the PN and improves security.

The present invention provides an application scenario of a second embodiment, which differs from the first embodiment in that only the PNM AS exists in the network: in addition to the authentication function and the PN management functions, the PNM AS also has the NAF function and takes part in the GBA procedure. The WLAN device registers itself, and the network side authenticates the registration request message using GBA. The procedure is shown in Figure 3.
In step 301, the UE, the BSF and the HSS perform the GBA procedure, and the UE and the BSF generate a shared key Ks. GBA can check and verify the identity of users of an application service and provide users with keys for secure communication when accessing the application service; since GBA is a standardized technology in the field of communication security, its details are not repeated in this embodiment.
In step 302, based on the shared key Ks from step 301, the BSF derives the key Ks_NAF. The derived key may also be Ks_int_NAF in the GBA_U case, Ks_ext_NAF in the GBA_ME case, or another derived key.
In step 303, the BSF sends the derived key Ks_NAF to the PNM AS.
In step 304, the PNM AS receives the derived key Ks_NAF sent by the BSF and stores it.
In step 305, the UE derives the key Ks_NAF based on the shared key Ks from step 301. In step 306, the UE sends the derived key Ks_NAF to the WLAN device in the PAN over the local interface. After this step, the NAF and the WLAN device share the key Ks_NAF. It should be pointed out in particular that the shared key used here to establish the secure channel may be Ks_NAF itself or a key further derived from Ks_NAF; it should also be pointed out that this local interface is already defined by the relevant specifications and is known in the art, so it is not described further here.
In this step, when the UE sends the derived key Ks_NAF to the WLAN device in the PAN over the local interface, it may optionally also send related parameters; these may be parameters for establishing the secure channel, parameters related to a specific service application, or other related parameters.
In step 307, the PNM AS and the WLAN device establish a secure channel based on the shared key Ks_NAF. The secure channel may be a pre-shared key transport layer security ("PSK TLS") channel, an IP security ("IPsec") channel, or another type of secure channel. It should be pointed out in particular that the techniques for establishing a secure channel are well known in the art, so their details are not repeated here. After step 307, communication between the PNM AS and the WLAN device can take place over this secure channel.
In step 308, the WLAN device sends a registration request to the PNM AS. The registration request may include, but is not limited to, the device identification code of the WLAN device. It should be pointed out in particular that this WLAN device identification code is used to correspond to the PNE identifier later issued by the PNM AS, so that the PNM can store and manage the mapping; the identifier is therefore not limited to the WLAN device identification code, and any identifier that uniquely distinguishes this cardless device within a PN will do.
In step 309, after receiving the registration request from the WLAN device sent by the NAF, the PNM AS determines from the WLAN device identification code whether access is allowed. For example, the PNM AS determines whether the WLAN device is allowed to access according to information it holds, such as a user blacklist or a device blacklist.
It assigns a PNE identifier to the WLAN device that is allowed to access, stores this correspondence, and sends the PNE identifier to the NAF.
It should be specifically noted that the PNE identifier in the embodiments is merely a name adopted for convenience of description. The name does not limit the scope of application of the embodiments: some systems may have no "PNE identifier" by that name, yet it cannot be concluded that the technical solutions of the embodiments are inapplicable to such systems. The PNE identifier may be a number that is unique throughout the PN. Alternatively, to save information element space, the PNE identifier may be the same number in different PANs and become unique within the whole PN only once the respective PAN identifier is added to it.
The PNE identifier is unique within the PN and thus determines the identity and position of the PNE in the PN.
In this step, the PNM AS may also determine from other user information (such as a public identity) whether the user is entitled to register this device.
In this step, the PNM AS may also locally store the device number or public user identity available to the WLAN device. This information is carried in the GBA User Security Settings ("GUSS") delivered to the NAF, and the NAF forwards it to the PNM AS.
In step 310, the WLAN device sends a registration success response to the UE over the local interface, notifying the UE that it has registered into the personal network.
In this embodiment, where the PNM AS and NAF functions are merged, the WLAN device authenticates the registration message by means of GBA, and the issuing of the PNE identifier is protected by the secure channel, which prevents malicious intrusion into the PN and improves security.
The application scenario of the third embodiment of the present invention is basically similar to that of the first embodiment: the PNM AS and NAF functions are separated, both the PNM AS and the NAF exist in the network as functional entities, and the network side authenticates the registration request message using Generic Bootstrapping Architecture ("GBA") technology. The difference is that the UE registers on behalf of the WLAN device, as shown in Figure 4.
Steps 401 to 406 are the same as steps 201 to 206 of the first embodiment and are not repeated here.
In step 407, the UE sends a WLAN device registration request and the WLAN device identification code to the NAF over the Ua interface, or over another network-side interface; this message is encrypted and protected with the GBA-derived key Ks_NAF.
其中该注册请求可以包括但不限于 WLAN设备的设备标识码; 需要特别 指出的是, 此 WLAN设备标识码用于与以后 PNM AS下发的 PNE标识( PNE identifier, 简称" PNE标识")相对应, 便于 PNM保存管理, 因此, 此处并不 限于是 WLAN设备标识码, 只要能够在一个 PN中唯一区分此无卡设备的标 识都可以; The registration request may include, but is not limited to, a device identification code of the WLAN device. The WLAN device identification code is used to correspond to the PNE identifier (PNE identifier) issued by the PNM AS in the future. It is convenient for the PNM to save management. Therefore, the WLAN device identification code is not limited herein, as long as the identifier of the cardless device can be uniquely distinguished in one PN;
In step 408, the NAF and the WLAN device establish a secure channel based on the shared key Ks_NAF. The secure channel may be a pre-shared key transport layer security ("PSK TLS") channel, an IP security ("IPsec") channel, or another type of secure channel. It should be pointed out in particular that the techniques for establishing a secure channel are well known in the art, so their details are not repeated here. After step 408, communication between the NAF and the WLAN device can take place over this secure channel.
Steps 409 to 412 are the same as steps 209 to 212 of the first embodiment and are not repeated here.
In this embodiment, the issuing of the PNE identifier is protected by the secure channel, which prevents malicious intrusion into the PN and improves security; at the same time, a registration mode in which the UE registers on behalf of the WLAN device is provided, so the user can choose the registration mode as preferred.
The application scenario of the fourth embodiment of the present invention is basically similar to that of the second embodiment; the difference is that the UE registers on behalf of the WLAN device, as shown in Figure 5.
Steps 501 to 506 are the same as steps 301 to 306 of the second embodiment and are not repeated here.
In step 507, the UE sends a WLAN device registration request and the WLAN device identification code to the PNM AS over the Ut interface, or over another network-side interface; this message is encrypted and protected with the GBA-derived key Ks_NAF.
其中该注册请求可以包括但不限于 WLAN设备的设备标识码; 需要特别 指出的是, 此 WLAN设备标识码用于与以后 PNM AS下发的 PNE标识( PNE identifier, 简称" PNE标识")相对应, 便于 PNM保存管理, 因此, 此处并不 限于是 WLAN设备标识码, 只要能够在一个 PN中唯一区分此无卡设备的标 识都可以; The registration request may include, but is not limited to, a device identification code of the WLAN device. The WLAN device identification code is used to correspond to the PNE identifier (PNE identifier) issued by the PNM AS in the future. It is convenient for the PNM to save management. Therefore, the WLAN device identification code is not limited herein, as long as the identifier of the cardless device can be uniquely distinguished in one PN;
In step 508, the PNM AS and the WLAN device establish a secure channel based on the shared key Ks_NAF. The secure channel may be a pre-shared key transport layer security ("PSK TLS") channel, an IP security ("IPsec") channel, or another type of secure channel. It should be pointed out in particular that the techniques for establishing a secure channel are well known in the art, so their details are not repeated here. After step 508, communication between the NAF and the WLAN device can take place over this secure channel.
Steps 509 to 510 are the same as steps 309 to 310 of the second embodiment and are not repeated here.
In this embodiment, the issuing of the PNE identifier is protected by the secure channel, which prevents malicious intrusion into the PN and improves security; at the same time, a registration mode in which the UE registers on behalf of the WLAN device is provided, and the user can choose the registration mode according to a local policy, a network-side policy, or a policy negotiated in advance between the network side and the user.

The application scenario of the fifth embodiment of the present invention is basically similar to that of the third embodiment; the difference is that the UE registers several WLAN devices at once. This embodiment takes two WLAN devices as an example, as shown in Figure 6.
Steps 601 to 605 are the same as steps 401 to 405 of the third embodiment and are not repeated here.
In step 606, the UE sends the derived key Ks_NAF to the WLAN1 device in the PAN over the local interface. After this step, the NAF and the WLAN1 device share the key Ks_NAF. It should be pointed out in particular that the shared key used here to establish the secure channel may be Ks_NAF itself or a key further derived from Ks_NAF; it should also be pointed out that this local interface is already defined by the relevant specifications and is known in the art, so it is not described further here.
In this step, when the UE sends the derived key Ks_NAF to the WLAN device in the PAN over the local interface, it may optionally also send related parameters; these may be parameters for establishing the secure channel, parameters related to a specific service application, or other related parameters.
在步骤 607中, UE通过本地接口向所述 PAN内的 WLAN2设备发送衍生 密钥 Ks—NAF, 通过本步骤, NAF和 WLAN2设备就有了共享密钥 Ks—NAF; 特别需要指出的是, 这里用来建立安全通道的共享密钥可以是 Ks—NAF, 也可 以是基于 Ks—NAF再衍生的密钥;特别需要指出的是,此本地接口已有相关规 范进行定义, 属于业内已知技术, 在此不再赘述; In step 607, the UE sends the derived key Ks_NAF to the WLAN2 device in the PAN through the local interface. Through this step, the NAF and WLAN2 devices have the shared key Ks-NAF; it is particularly pointed out that here The shared key used to establish a secure channel may be Ks-NAF or a key based on Ks-NAF redistribution; in particular, the local interface has been defined by relevant specifications and belongs to the known technology in the industry. I will not repeat them here;
本步骤中 UE通过本地接口向所述 PAN内的 WLAN2设备发送^汙生密钥 Ks—NAF, 可选的还可以发送相关参数, 这些参数可以建立安全通道的相关参 数, 或者是与具体业务应用相关的参数, 或者是其他相关参数。 In this step, the UE sends the smear key Ks-NAF to the WLAN 2 device in the PAN through the local interface, and optionally sends related parameters, which can establish related parameters of the security channel, or are related to specific service applications. Related parameters, or other related parameters.
在步骤 608中, UE通过 Ua口 , 也可以是其他网络侧的接口 , 向 NAF发 送 WLAN设备注册请求和 WLAN设备 1和 2的标识码, 这条消息用 GBA衍 生密钥 Ks—NAF加密保护。 In step 608, the UE sends the WLAN device registration request and the identification codes of the WLAN devices 1 and 2 to the NAF through the Ua port or other network-side interfaces. The message is encrypted with the GBA derived key Ks-NAF.
其中该注册请求可以包括但不限于 WLAN设备的设备标识码; 需要特别 指出的是, 此 WLAN设备标识码用于与以后 PNM AS下发的 PNE标识( PNE identifier, 简称" PNE标识")相对应, 便于 PNM保存管理, 因此, 此处并不 限于是 WLAN设备标识码, 只要能够在一个 PN中唯一区分此无卡设备的标 识都可以; 步骤 609至步骤 613 , 与步骤 614至步骤 618, 分别为 WLAN1设备和 WLAN2设备的注册过程, 分别与第三实施例中步骤 408至步骤 412相同, 在 此不再赘述。 其中, 对于步骤 609至步骤 613, 以及步骤 614至步骤 618的实 现过程,在时间上的没有先后顺序,也可以同时进行,本实施例对此不作限定。 The registration request may include, but is not limited to, a device identification code of the WLAN device. The WLAN device identification code is used to correspond to the PNE identifier (PNE identifier) issued by the PNM AS in the future. It is convenient for the PNM to save management. Therefore, the WLAN device identification code is not limited herein, as long as the identifier of the cardless device can be uniquely distinguished in one PN; Step 609 to step 613, and step 614 to step 618, respectively, the registration process of the WLAN1 device and the WLAN2 device are respectively the same as the steps 408 to 412 in the third embodiment, and details are not described herein again. For the implementation of the steps 609 to 613 and the steps 614 to 618, there is no order in time, and the method may be performed at the same time. This embodiment does not limit this.
本实施例中, 同时可以支持多个 WLAN设备同时注册到 PNM, 提高了注 册效率。 同时, 通过安全通道保护了 PNE identifier的下发, 防止 PN被恶意侵 犯, 提高了安全性。 In this embodiment, multiple WLAN devices can be simultaneously registered to the PNM at the same time, which improves the registration efficiency. At the same time, the PNE identifier is protected by the secure channel to prevent the PN from being maliciously invaded and the security is improved.
The application scenario of the sixth embodiment of the present invention is basically similar to that of the fourth embodiment. The differences are that the UE registers multiple WLAN devices at once (two WLAN devices are taken as an example in this embodiment) and that the PNM AS delivers the PNE identifier to each WLAN device separately, as shown in FIG. 7.

Steps 701 to 705 are the same as steps 501 to 505 in the fourth embodiment and are not described again here.

Steps 706 and 707 are the same as steps 606 and 607 in the fifth embodiment and are not described again here.

In step 708, the UE sends a WLAN device registration request together with the identification codes of WLAN devices 1 and 2 to the PNM AS over the Ut interface (or another network-side interface). This message is encrypted and protected with the GBA derived key Ks_NAF.

The registration request may include, but is not limited to, the device identification codes of the WLAN devices. It should be particularly noted that the WLAN device identification code is used to correspond to the PNE identifier later issued by the PNM AS, so that the PNM can store and manage the association; it is therefore not limited to a WLAN device identification code, and any identifier that uniquely distinguishes the cardless device within a PN may be used.

Steps 709 to 711 and steps 712 to 714 are each the same as steps 508 to 510 in the fourth embodiment and are not described again. Steps 709 to 711 and steps 712 to 714 have no fixed order in time and may also be performed concurrently; this embodiment does not limit this.

In this embodiment multiple WLAN devices can be registered to the PNM at the same time, which improves registration efficiency. At the same time, delivery of the PNE identifier is protected by the secure channel, preventing malicious intrusion into the PN and improving security.

The application scenario of the seventh embodiment of the present invention is basically similar to that of the sixth embodiment. The difference is that the PNM AS delivers all the PNE identifiers to the UE, and the UE delivers them to the individual WLAN devices, as shown in FIG. 8.
Steps 801 to 805 are the same as steps 701 to 705 in the sixth embodiment and are not described again here.

In step 806, the UE sends a WLAN device registration request together with the identification codes of WLAN devices 1 and 2 to the PNM AS over the Ut interface. This message is encrypted and protected with the GBA derived key Ks_NAF.

The registration request may include, but is not limited to, the device identification codes of the WLAN devices. It should be particularly noted that the WLAN device identification code is used to correspond to the PNE identifier later issued by the PNM AS, so that the PNM can store and manage the association; it is therefore not limited to a WLAN device identification code, and any identifier that uniquely distinguishes the cardless device within a PN may be used.

In step 807, if the PNM AS considers the registration successful (the PNM AS may also need to judge, on the basis of some user information, whether the user is entitled to register these devices), it assigns a PNE identifier to every WLAN device according to its WLAN device identification code and stores the correspondence.

It is worth noting that the PNM AS may locally store the device numbers or public user identities available to the user.

In step 808, the PNM AS sends the UE the assigned PNE identifiers and their correspondence to the WLAN device identification codes, encrypted with Ks_NAF.

In steps 809 and 810, the UE, according to the correspondence between PNE identifiers and WLAN device identification codes sent by the PNM AS, delivers to each WLAN device its own PNE identifier over the local interface.

In this embodiment multiple WLAN devices can be registered to the PNM at the same time, which improves registration efficiency. At the same time, delivery of the PNE identifier is protected by the secure channel, preventing malicious intrusion into the PN and improving security.
The application scenario of the eighth embodiment of the present invention is basically similar to that of the seventh embodiment. The differences are that the PNM AS and NAF functions are separated, so that two functional entities, the PNM AS and the NAF, exist in the network at the same time, with the PNM AS performing the authentication function and the NAF the authorization function. The UE sends a single request to register multiple WLAN devices together with the identification codes of all the WLAN devices to be registered; two WLAN devices are taken as an example. The NAF delivers all the PNE identifiers to the UE, and the UE notifies each WLAN device, as shown in FIG. 9.

Steps 901 to 905 are the same as steps 601 to 605 in the fifth embodiment and are not described again here.

In step 906, the UE sends a WLAN device registration request together with the identification codes of WLAN devices 1 and 2 to the NAF over the Ut interface. This message is encrypted and protected with the GBA derived key Ks_NAF. The registration request is the same as that described in step 806 of the seventh embodiment; see above, it is not repeated here.

The key point is that in step 907, after receiving the registration request, the NAF sends an indication to the PNM AS instructing it to assign PNE identifiers to WLAN devices 1 and 2, and forwards the identification codes of WLAN devices 1 and 2.

In step 908, if the PNM AS considers the registration successful (the PNM AS may also need to judge, on the basis of some user information, whether the user is entitled to register these devices), it assigns a PNE identifier to every WLAN device according to its WLAN device identification code and stores the correspondence.

It is worth noting that the PNM AS may locally store the device numbers or public user identities available to the user. This information may be placed in the GUSS, delivered to the NAF, and forwarded by the NAF to the PNM AS.

In step 909, the PNM AS sends the NAF the assigned PNE identifiers and their correspondence to all the WLAN device identification codes.

In step 910, after receiving the message from the PNM AS, the NAF encrypts the PNE identifiers and their correspondence to all the WLAN device identification codes with Ks_NAF and sends them to the UE over the Ua interface.

In steps 911 and 912, the UE, according to the correspondence between PNE identifiers and WLAN device identification codes received from the PNM AS, sends each WLAN device its own PNE identifier over the local interface, indicating that registration succeeded.
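The fifth to eighth embodiments all reduce to one exchange: the UE derives Ks_NAF, hands it to each WLAN device, sends a single Ks_NAF-protected request carrying several device identification codes, and receives the PNE identifier mapping back. The following Python block is an added example written for this page, not code from the patent; it models that exchange with a combined PNM AS/NAF. Everything concrete in it is an assumption: the HMAC-SHA256 stand-in for the TS 33.220 KDF, the encrypt-then-MAC construction used in place of a real Ua/Ut cipher suite, the JSON message layout, the per-subscriber allow-list that plays the role of the "user information" the PNM AS consults, and the IMPI, B-TID and device identification codes, which are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 KDF, a stand-in for the TS 33.220 Annex B KDF
    (assumption): Ks_NAF = kdf(Ks, b"gba-me", RAND, IMPI, NAF_Id)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream (assumption, standard library only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(ks_naf: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys split off Ks_NAF; returns nonce || ct || tag."""
    k_enc, k_mac = kdf(ks_naf, b"enc"), kdf(ks_naf, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(ks_naf: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any tampering."""
    k_enc, k_mac = kdf(ks_naf, b"enc"), kdf(ks_naf, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("registration message failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


class PnmAs:
    """PNM AS with the NAF function: keeps Ks_NAF per B-TID, judges and allocates."""

    def __init__(self, allowed_devices: dict):
        self.allowed = allowed_devices  # IMPI -> set of device identification codes (constructed)
        self.keys = {}                  # B-TID -> (IMPI, Ks_NAF), as delivered by the BSF
        self.pne_table = {}             # (IMPI, device id) -> PNE identifier
        self._next = 1

    def store_gba_key(self, btid: str, impi: str, ks_naf: bytes) -> None:
        self.keys[btid] = (impi, ks_naf)

    def register(self, btid: str, blob: bytes) -> bytes:
        """Judge each device, allocate PNE identifiers, return the protected mapping."""
        impi, ks_naf = self.keys[btid]
        req = json.loads(unprotect(ks_naf, blob))
        mapping = {}
        for dev_id in req["devices"]:
            # Judgment unit: only devices this subscriber is entitled to register get a PNE identifier.
            if dev_id not in self.allowed.get(impi, set()):
                continue
            entry = (impi, dev_id)
            if entry not in self.pne_table:  # re-registration keeps the stored identifier
                self.pne_table[entry] = f"pne-{self._next:04d}"
                self._next += 1
            mapping[dev_id] = self.pne_table[entry]
        return protect(ks_naf, json.dumps({"pne": mapping}).encode())


def ue_register_devices(pnm: PnmAs, btid: str, impi: str, ks: bytes, rand: bytes,
                        naf_id: bytes, device_ids: list) -> dict:
    """UE side of steps 606-612: derive Ks_NAF, send one protected request for all
    devices, and return the PNE identifier each device receives over the local interface."""
    ks_naf = kdf(ks, b"gba-me", rand, impi.encode(), naf_id)
    request = protect(ks_naf, json.dumps({"devices": device_ids}).encode())
    reply = json.loads(unprotect(ks_naf, pnm.register(btid, request)))
    return reply["pne"]


def demo() -> dict:
    """Constructed GBA output and subscriber data standing in for the BSF/HSS."""
    impi, btid, naf_id = "user@example.net", "btid-0001", b"pnm-as.example.net"
    ks, rand = secrets.token_bytes(32), secrets.token_bytes(16)
    wlan1, wlan2 = "wlan-00:11:22:33:44:55", "wlan-66:77:88:99:aa:bb"
    pnm = PnmAs({impi: {wlan1, wlan2}})
    pnm.store_gba_key(btid, impi, kdf(ks, b"gba-me", rand, impi.encode(), naf_id))
    return ue_register_devices(pnm, btid, impi, ks, rand, naf_id, [wlan1, wlan2, "rogue-device"])
```

Running demo() returns PNE identifiers for the two allowed devices only; the constructed "rogue-device" entry is dropped by the judgment step, and any modification of the protected request or reply, or use of the wrong Ks_NAF, makes unprotect() raise before the PNM AS acts on the message. Whether the PNM AS itself or a separate NAF holds Ks_NAF (seventh versus eighth embodiment) changes only which entity calls protect() and unprotect(), not the check.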
In the above embodiments the network side authenticates the user's registration message by means of GBA: on receiving a cardless device registration message from the user side, it verifies the legitimacy of the message using a GBA-related key or a key further derived from a GBA-related key.
In the ninth embodiment of the present invention, the network side may instead perform the registration using Authentication and Key Agreement ("AKA"). In this case the authentication parameter quintuple is obtained directly from the HSS and AKA is used to generate a shared key, which is then used to authenticate the legitimacy of the registration message, as shown in FIG. 10.

In step 1001, the UE sends a request to generate a shared key to the PNM AS.

In step 1002, the PNM AS obtains a set of authentication parameter quintuples from the HSS.

In step 1003, the UE and the PNM AS perform the AKA procedure with mutual authentication and generate a shared key K. The AKA algorithm checks and verifies the identity of the user of the application service and provides the key for secure communication when the user accesses the application service. Since AKA is a standardized technique in the field of communication security, its details are not repeated in this embodiment.

In step 1004, the UE sends the shared key K and the parameters for establishing the secure channel to the WLAN device, so that the PNM AS and the WLAN device now share a key.

The shared key used here to establish the secure channel may be K itself or a key further derived from K.

In step 1005, the PNM AS and the WLAN device establish a secure channel based on the shared key K, such as PSK TLS or IPsec. After step 1005, all communication between the PNM AS and the WLAN device passes through this secure channel.

In step 1006, the WLAN device sends a registration request to the PNM AS. The registration request may include, but is not limited to, the device identification code of the WLAN device. It should be particularly noted that the WLAN device identification code is used to correspond to the PNE identifier later issued by the PNM AS, so that the PNM can store and manage the association; it is therefore not limited to a WLAN device identification code, and any identifier that uniquely distinguishes the cardless device within a PN may be used.

In step 1007, after receiving the registration request from the WLAN device forwarded by the NAF, the PNM AS determines that registration succeeds, assigns a PNE identifier to the WLAN device according to its WLAN device identification code, stores the correspondence, and sends the PNE identifier to the NAF.

In this step the PNM AS may also judge, according to other user information (such as a public identity), whether the user is entitled to register this device.

Optionally in this step, the PNM AS may also locally store the device number or public user identity available to the WLAN device. This information may be placed in the GUSS, delivered to the NAF, and forwarded by the NAF to the PNM AS.

In step 1008, the WLAN device sends a successful registration response to the UE over the local interface, notifying the UE that it has been registered in the personal network.

It should be noted that when AKA is used to authenticate the registration message, the embodiments of the present invention apply not only to self-registration by the cardless device but also to registration by the UE on behalf of the cardless device, and not only to registration of a single cardless device but also to registration of multiple cardless devices. The basic principle has been set out in the preceding embodiments; from the GBA-based description, those skilled in the art can arrive at solutions based on AKA or on other authentication algorithms, so these are not enumerated one by one here.
In the tenth embodiment of the present invention, the network side may also authenticate the registration information by means of GBA when the PNM AS has the NAF function and the WLAN device registers itself; the WLAN device can then perform the GBA procedure directly with the BSF to obtain the shared key, as shown in FIG. 11.

In step 1101, the WLAN device, the BSF and the HSS perform the GBA procedure; the WLAN device and the BSF generate the shared key Ks.

In step 1102, the BSF derives the key Ks_NAF.

In steps 1103 and 1104, the BSF sends the derived key Ks_NAF and the parameters for establishing the secure channel to the PNM AS, and the PNM AS stores the derived key.

In step 1105, the WLAN device generates the derived key Ks_NAF, so that the PNM AS and the WLAN device now share a key.

In step 1106, the PNM AS and the WLAN device establish a secure channel based on the shared key; this secure channel may be PSK TLS, IPsec or the like. Thereafter, all communication between the PNM AS and the WLAN device passes through this secure channel.

In step 1107, the WLAN device sends a registration request to the PNM AS, including the device identification code of the WLAN device.

In steps 1108 and 1109, if the PNM AS considers the registration successful (the PNM AS may also need to judge, on the basis of some user information or a public identity, whether the user is entitled to register this device), it assigns a PNE identifier to the WLAN device according to the WLAN device identification code, stores the correspondence, and sends the PNE identifier to the WLAN device.

It is worth noting that the PNM AS may locally store the device numbers or public user identities available to the user. This information may be placed in the GUSS, delivered to the NAF, and forwarded by the NAF to the PNM AS.

In step 1110, the WLAN device sends a response to the UE indicating that registration succeeded, notifying the UE that it has been registered in the personal network.

This embodiment solves the problem of registering a cardless device in a personal network and provides a secure registration method, so that the user's personal network is not intruded upon by a malicious terminal.
In the eleventh embodiment of the present invention, the network side may also authenticate the registration information by means of a public key certificate, thereby authenticating the legitimacy of the registration message, as shown in FIG. 12.

In step 1201, the WLAN device performs an authentication procedure with the PNM AS using a public key certificate (or a shared key, i.e. a key pre-shared between the WLAN device and the network). After verifying the identity of the WLAN device, the PNM AS judges, according to the user's subscription information or the locally stored user-to-device correspondence, whether to allow it to join the PNM.

Another way for the PNM AS to judge whether to allow the device to join is for the PNM to notify the UE that a certain device is registering; once the UE approves, the device is allowed to join.

In step 1202, the WLAN device sends the public key certificate (or the shared key, i.e. the key pre-shared between the WLAN device and the network) to the UE over the local interface; after the UE and the PNM AS authenticate each other, a secure channel is established based on the public key certificate (or the shared key).

In step 1203, the UE sends a registration request to the PNM AS, including the identification code of the WLAN device.

In step 1204, the PNM AS assigns a PNE identifier to the WLAN device according to the identification code of the WLAN device and stores the correspondence.

In step 1205, the PNM AS sends a registration response to the UE, including the PNE identifier assigned to the WLAN device.

In step 1206, the UE sends the PNE identifier to the WLAN device.

This embodiment solves the problem of registering a cardless device in a personal network and provides a secure registration method, so that the user's personal network is not intruded upon by a malicious terminal.
In the twelfth embodiment of the present invention, the difference from the above embodiments is that different UEs register on behalf of multiple WLAN devices, and the WLAN devices do not belong to the same PAN. In this embodiment two WLAN devices (WLAN1, WLAN2) are taken as an example; they belong to different PANs and correspond to different UEs (UE1, UE2), BSFs (BSF1, BSF2) and HSSs (HSS1, HSS2). Only a PNM AS exists in the network; besides the PN management function, the PNM AS also has the NAF function and participates in the GBA procedure. The UE registers on behalf of the WLAN device and the network side authenticates the registration request message by means of GBA, as shown in FIG. 13.

Steps 1301 to 1305 and steps 1306 to 1310 are the two procedures for generating the shared keys; the flow has been described in detail in the preceding embodiments and is not repeated here. Steps 1301 to 1305 and steps 1306 to 1310 have no fixed order in time.

Steps 1311 and 1312 are, respectively, each UE sending the derived key Ks_NAF and the parameters for establishing the secure channel to its WLAN device over the local interface; after these two steps the PNM AS and each WLAN device share the key Ks_NAF. It should be particularly noted that the shared key used here to establish the secure channel may be Ks_NAF itself or a key further derived from Ks_NAF; it should also be noted that this local interface is already defined by the relevant specifications and is known in the art, so it is not described here.

There is no strict ordering between these two steps, though naturally a UE can only send the shared key to its WLAN device after the shared key has been generated.

Steps 1313 to 1316 and steps 1317 to 1320 are the procedures by which the WLAN devices register with the PNM AS; the flow has been described in detail in the preceding embodiments and is not repeated here. Steps 1313 to 1316 and steps 1317 to 1320 have no fixed order in time and may also be performed concurrently.

The embodiments of the present invention do not restrict whether the PNM AS and the NAF are merged or separate. The above embodiments are described with the PNM AS and the NAF combined, but this does not affect the flow when the PNM AS and the NAF are separate; in the separated case there is additional signalling between these entities beyond the flow of the present invention.

It should be noted that, where cardless devices are registered and the multiple cardless devices do not belong to the same PAN, the embodiments of the present invention apply not only to self-registration by the cardless device but also to registration by the UE on behalf of the cardless device; not only to the case where the PNM AS and the NAF are separate but also to the case where they are combined; and not only to the GBA authentication procedure but also to prior-art solutions based on other authentication algorithms. The basic principle has been set out in the preceding embodiments, and those of ordinary skill in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of the present invention; these alternatives are not enumerated one by one here.

In the embodiments of the present invention a WLAN device is chosen as the cardless device, but the embodiments are not limited to WLAN devices; the method by which other cardless devices access the personal network can be derived from the above embodiments, with some simple substitutions of concepts. For example, in the above embodiments the identity identifier of the WLAN device is the WLAN device identification code; for another kind of cardless device it may not be a device identification code, so any identifier that uniquely distinguishes the cardless device within a PN can serve as its identity identifier.
下面介绍本发明实施例中个人网络管理实体(PNMAS ) 实施例, 请参阅 图 14, 本发明实施例中个人网络管理实体 1400包括: The following describes the embodiment of the personal network management entity (PNMAS) in the embodiment of the present invention. Referring to FIG. 14, the personal network management entity 1400 in the embodiment of the present invention includes:
判断单元 1410: 用于判断是否允许无卡设备接入个人网络; The determining unit 1410: configured to determine whether the cardless device is allowed to access the personal network;
分配单元 1420: 用于给判断单元 1410判断允许接入的无卡设备分配个人 网络元素标识; The allocating unit 1420: configured to determine, by the determining unit 1410, the cardless device that is allowed to access to allocate the personal network element identifier;
发送单元 1430: 用于将所述分配单元分配的个人网络元素标识发送给允 许接入的无卡设备。 The sending unit 1430: is configured to send the personal network element identifier allocated by the allocating unit to the cardless device that allows access.
其中, 判断单元 1410包括: The determining unit 1410 includes:
获取单元: 用于获取无卡设备的身份识别标识; Acquisition unit: an identification identifier for acquiring a cardless device;
确定单元:用于根据所述获取单元获取的身份识别标识判断是否允许所述 无卡设备接入个人网络。 a determining unit: configured to determine, according to the identity identification identifier acquired by the acquiring unit, whether the cardless device is allowed to access the personal network.
其中, 获取单元包括: The obtaining unit includes:
安全通道建立单元: 用于建立安全通道; Secure channel establishment unit: used to establish a secure channel;
信息获取单元:用于通过所述安全通道建立单元建立的安全通道获取无卡 设备的身份识别标识。 The information acquiring unit is configured to obtain the identity identification of the cardless device by using the secure channel established by the secure channel establishing unit.
其中, 判断单元 1410也可以包括:: The determining unit 1410 may also include:
认证单元: 用于对无卡设备进行认证; Authentication unit: used to authenticate cardless devices;
确定单元:用于根据所述认^ Determining unit: used to identify according to the above
接入个人网络。 一种优选的实施例中,在上述实施例中, 所述个人网络管理实体中的获取 单元可以包括: 共享密钥生成单元、 安全通道建立单元和信息获取单元。 其中 所述共享密钥生成单元: 用于确定用户设备和个人网络管理实体间的共享密 钥; 所述安全通道建立单元: 用于利用所述共享密钥建立安全通道; 所述信息 获取单元:用于通过所述安全通道建立单元建立的安全通道获取无卡设备的身 份识别标识。 Access to the personal network. In a preferred embodiment, in the foregoing embodiment, the acquiring unit in the personal network management entity may include: a shared key generating unit, a secure channel establishing unit, and an information acquiring unit. The shared key generating unit is configured to: determine a shared key between the user equipment and the personal network management entity; the secure channel establishing unit is configured to establish a secure channel by using the shared key; And obtaining, by the secure channel established by the secure channel establishing unit, an identity identifier of the cardless device.
Preferably, the acquiring unit may include a shared key generating unit and an information acquiring unit. The shared key generating unit is used to determine the shared key between the user equipment and the personal network management entity; the information acquiring unit is used to acquire the registration request sent by the user equipment and encrypted with that shared key, where the registration request carries the identity identifier of the cardless device.
The shared key generating unit includes an authentication and key agreement unit, used to obtain the shared key between the user equipment and the personal network management entity by means of an authentication and key agreement technique.
In a preferred embodiment, building on the above embodiment, the authentication unit in the personal network management entity may include a public key certificate unit and a shared key unit. The public key certificate unit is used to authenticate the cardless device by means of a public key certificate; the shared key unit is used to authenticate the cardless device by means of a generated shared key.
The allocating unit in the personal network management entity may include an acquiring unit and an identifier allocating unit [...] when allocating a network element identifier, the identity identifier of the cardless device that is allowed to access is acquired; the identifier allocating unit is used to allocate a personal network element identifier to the cardless device that is allowed to access, according to the identity identifier acquired by the acquiring unit.
A person of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments may be completed by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium. When executed, the program performs the following steps: acquiring the identity identifier of a cardless device in the personal network; determining, according to the acquired identity identifier, whether the cardless device is allowed to access the personal network; and performing the corresponding access operation for the cardless device that is allowed to access. The access operation includes allocating a corresponding personal network element identifier to the cardless device that is allowed to access, and sending that personal network element identifier to the user side.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like. The following describes an embodiment of the access system in the embodiments of the present invention. Referring to FIG. 15, the access system in this embodiment of the present invention includes:
The network entity 1502: used to connect the cardless device 1501 and the personal network management entity 1503; the cardless device 1501: used to send its identity identifier to the personal network management entity 1503 through the network entity;
The personal network management entity 1503: used to determine whether the cardless device is allowed to access the personal network, and to perform the corresponding access operation for the cardless device that is allowed to access.
The personal network management entity 1503 includes:
Determining unit 1510: used to determine whether the cardless device is allowed to access the personal network;
Allocating unit 1520: used to allocate a personal network element identifier to the cardless device that is allowed to access; sending unit 1530: used to send the personal network element identifier allocated by the allocating unit to the cardless device that is allowed to access.
In the embodiments of the present invention, the identity identifier of the cardless device is acquired and used to determine whether the cardless device is allowed to access the personal network, or that determination is made through an authentication process of the cardless device; a personal network element identifier is then allocated to the cardless device that is allowed to access and sent to that cardless device. This solves the problem of registering a cardless device to a personal network and provides a secure registration method, so that users can securely access the personal network.
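The registration flow that the units above describe (shared key generating unit, information acquiring unit, determining unit, allocating unit and sending unit, and the system embodiment of FIG. 15), as an added worked example written for this page rather than code from the patent or its applicant: a mock user equipment and a mock personal network management entity derive a shared key from a constructed USIM secret (standing in for authentication and key agreement), the user equipment sends a registration request encrypted under that key carrying the cardless device's identity identifier, and the management entity checks the identifier against the subscriber's permitted devices, allocates a personal network element identifier and returns it under the same key. The subscriber and device names, the HMAC-based toy cipher, the permitted-device list and the PNE identifier format are all assumptions made for the example.

```python
"""Mock of the PNM registration flow for a cardless device (added example, not the patent's code)."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set

BLOCK = 32  # SHA-256 output size, used as the keystream block size


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 as a PRF; parts are length-prefixed so distinct inputs cannot collide."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def derive_shared_key(ki: bytes, rand: bytes) -> bytes:
    """Shared key between UE and PNM, derived from the USIM secret Ki and a network
    challenge RAND. Stands in for a real authentication and key agreement run (assumption)."""
    return prf(ki, b"pnm-shared-key", rand)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + BLOCK - 1) // BLOCK
    return b"".join(prf(enc_key, nonce, i.to_bytes(4, "big")) for i in range(blocks))[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the shared key (toy HMAC-based cipher, for the demo only)."""
    enc_key, mac_key = prf(key, b"enc"), prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + prf(mac_key, nonce, ct)


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the MAC check fails (tampered or wrong key)."""
    if len(blob) < 16 + BLOCK:
        return None
    nonce, ct, tag = blob[:16], blob[16:-BLOCK], blob[-BLOCK:]
    enc_key, mac_key = prf(key, b"enc"), prf(key, b"mac")
    if not hmac.compare_digest(tag, prf(mac_key, nonce, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class PNM:
    """Personal network management entity: key generation, determining, allocating, sending."""

    def __init__(self, subscriber_keys: Dict[str, bytes], allowed: Dict[str, Set[str]]):
        self.subscriber_keys = subscriber_keys   # subscriber -> Ki (constructed secrets)
        self.allowed = allowed                   # subscriber -> permitted cardless identities
        self.session_keys: Dict[str, bytes] = {}
        self.registry: Dict[str, str] = {}       # PNE identifier -> cardless identity
        self._next = 1

    def challenge(self, subscriber: str) -> bytes:
        """Shared key generating unit: issue RAND and derive the session key for this UE."""
        rand = secrets.token_bytes(16)
        self.session_keys[subscriber] = derive_shared_key(self.subscriber_keys[subscriber], rand)
        return rand

    def register(self, subscriber: str, request: bytes) -> Optional[bytes]:
        """Acquire the identifier from the encrypted request, decide, allocate, and reply."""
        key = self.session_keys.get(subscriber)
        plain = unseal(key, request) if key else None
        if plain is None:
            return None                                   # no session or MAC failure: drop
        device = json.loads(plain)["device_identity"]     # information acquiring unit
        if device in self.allowed.get(subscriber, set()): # determining unit
            pne_id = f"PNE-{self._next:04d}"              # allocating unit (format assumed)
            self._next += 1
            self.registry[pne_id] = device
            reply = {"status": "accepted", "device_identity": device, "pne_id": pne_id}
        else:
            reply = {"status": "denied", "device_identity": device}
        return seal(key, json.dumps(reply).encode())      # sending unit


class UE:
    """User equipment holding Ki; relays the cardless device's identity to the PNM."""

    def __init__(self, subscriber: str, ki: bytes):
        self.subscriber, self.ki, self.key = subscriber, ki, b""

    def registration_request(self, rand: bytes, device_identity: str) -> bytes:
        self.key = derive_shared_key(self.ki, rand)
        body = {"subscriber": self.subscriber, "device_identity": device_identity}
        return seal(self.key, json.dumps(body).encode())

    def read_response(self, blob: Optional[bytes]) -> Optional[dict]:
        plain = unseal(self.key, blob) if blob else None
        return json.loads(plain) if plain else None


def run_demo() -> Dict[str, Optional[dict]]:
    """Three exchanges: a permitted device, an unknown device, and a tampered request."""
    ki = secrets.token_bytes(16)                           # constructed USIM secret
    laptop = "laptop-00:11:22:33:44:55"                    # constructed device identifier
    pnm = PNM({"sub-1": ki}, {"sub-1": {laptop}})
    ue = UE("sub-1", ki)
    results: Dict[str, Optional[dict]] = {}
    rand = pnm.challenge("sub-1")
    results["allowed"] = ue.read_response(pnm.register("sub-1", ue.registration_request(rand, laptop)))
    rand = pnm.challenge("sub-1")
    results["denied"] = ue.read_response(pnm.register("sub-1", ue.registration_request(rand, "unknown")))
    rand = pnm.challenge("sub-1")
    req = bytearray(ue.registration_request(rand, laptop))
    req[20] ^= 0x01                                        # flip one ciphertext byte in transit
    results["tampered"] = ue.read_response(pnm.register("sub-1", bytes(req)))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point the example makes that the description leaves implicit: because the registration request is bound to the key derived from the subscriber's Ki, the management entity only ever sees device identifiers that a subscriber actually vouched for, and a message altered on the path between user equipment and management entity fails the integrity check before any allocation happens, so the allow-list decision is made on authenticated input.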
Although the present invention has been illustrated and described with reference to certain preferred embodiments, those of ordinary skill in the art will understand that various changes may be made in form and detail without departing from the spirit and scope of the present invention.
Claims
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2007100757098A CN101364909B (en) | 2007-08-07 | 2007-08-07 | Method, device and system for accessing personal network by non-card equipment |
| CN200710075709.8 | 2007-08-07 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2009018778A1 true WO2009018778A1 (en) | 2009-02-12 |
Family
ID=40340969
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2008/071916 Ceased WO2009018778A1 (en) | 2007-08-07 | 2008-08-07 | Method, device and system for non-card device accessing personal network |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN101364909B (en) |
| WO (1) | WO2009018778A1 (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102083199A (en) * | 2009-11-26 | 2011-06-01 | 华为终端有限公司 | Personal network element (PNE) registering method, PNE calling method and relevant devices |
| CN103069743A (en) * | 2010-06-15 | 2013-04-24 | 三星电子株式会社 | Apparatus and method for registering personal network |
| EP2521304A4 (en) * | 2009-12-28 | 2017-09-06 | China Mobile Communications Corporation | Authentication method, system and device |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102202285B (en) * | 2010-03-24 | 2014-01-22 | 华为终端有限公司 | Management method of converged personal network, apparatus and system thereof |
| CN102307349B (en) * | 2011-08-16 | 2015-04-01 | 宇龙计算机通信科技(深圳)有限公司 | Access method of wireless network, terminal and server |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1805391A (en) * | 2005-01-13 | 2006-07-19 | 华为技术有限公司 | Method and apparatus for supporting multiple logical networks in wireless LAN |
| CN1859335A (en) * | 2005-04-30 | 2006-11-08 | 华为技术有限公司 | Radio local network connecting gateway strategy loading method in radio local network |
| WO2007004625A1 (en) * | 2005-07-04 | 2007-01-11 | Matsushita Electric Industrial Co., Ltd. | Personal network management method and personal network management apparatus |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100417282C (en) * | 2005-03-17 | 2008-09-03 | 华为技术有限公司 | Method for controlling user terminal access |
| US20070143613A1 (en) * | 2005-12-21 | 2007-06-21 | Nokia Corporation | Prioritized network access for wireless access networks |
- 2007
  - 2007-08-07 CN CN2007100757098A patent/CN101364909B/en not_active Expired - Fee Related
- 2008
  - 2008-08-07 WO PCT/CN2008/071916 patent/WO2009018778A1/en not_active Ceased
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1805391A (en) * | 2005-01-13 | 2006-07-19 | 华为技术有限公司 | Method and apparatus for supporting multiple logical networks in wireless LAN |
| CN1859335A (en) * | 2005-04-30 | 2006-11-08 | 华为技术有限公司 | Radio local network connecting gateway strategy loading method in radio local network |
| WO2007004625A1 (en) * | 2005-07-04 | 2007-01-11 | Matsushita Electric Industrial Co., Ltd. | Personal network management method and personal network management apparatus |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102083199A (en) * | 2009-11-26 | 2011-06-01 | 华为终端有限公司 | Personal network element (PNE) registering method, PNE calling method and relevant devices |
| CN102083199B (en) * | 2009-11-26 | 2013-09-11 | 华为终端有限公司 | Personal network element (PNE) registering method, PNE calling method and relevant devices |
| EP2521304A4 (en) * | 2009-12-28 | 2017-09-06 | China Mobile Communications Corporation | Authentication method, system and device |
| CN103069743A (en) * | 2010-06-15 | 2013-04-24 | 三星电子株式会社 | Apparatus and method for registering personal network |
| US9071590B2 (en) | 2010-06-15 | 2015-06-30 | Samsung Electronics Co., Ltd | Apparatus and method for registering personal network |
| CN103069743B (en) * | 2010-06-15 | 2016-04-20 | 三星电子株式会社 | For registering the apparatus and method of personal network |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101364909A (en) | 2009-02-11 |
| CN101364909B (en) | 2011-04-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3570515B1 (en) | | Method, device, and system for invoking network function service |
| US10841784B2 (en) | | Authentication and key agreement in communication network |
| US8417218B2 (en) | | SIM based authentication |
| CN105554747B (en) | | Wireless network connecting method, apparatus and system |
| CN102379114B (en) | | Security Key Management in IMS-based Multimedia Broadcast and Multicast Service (MBMS) |
| US20180332471A1 (en) | | Wireless network connection method, wireless access point, server, and system |
| CN101163010B (en) | | Authentication method and related equipment for request message |
| CN108923918B (en) | | User equipment and communication method |
| US8275355B2 (en) | | Method for roaming user to establish security association with visited network application server |
| US20090100262A1 (en) | | Apparatus and method for detecting duplication of portable subscriber station in portable internet system |
| US20200099697A1 (en) | | Secure group creation in proximity based service communication |
| WO2019041802A1 (en) | | Discovery method and apparatus based on service-oriented architecture |
| CN115989689B (en) | | Methods and apparatus for user equipment authentication and authorization procedures in edge data networks |
| CN1559117A (en) | | Use the public key pair in the terminal equipment to allow network operators and business partners to authenticate and authorize telecom users |
| US12490092B2 (en) | | WPA3-personal cloud based network access and provisioning |
| CN115843447B (en) | | Network authentication for user equipment access to edge data networks |
| WO2008125062A1 (en) | | Method of admittance judgment and paging user in mobile communication system, system and device thereof |
| CN101662768A (en) | | Authenticating method and equipment based on user identification module of personal handy phone system |
| CN103415010A (en) | | D2D network authentication method and system |
| CN1929371B (en) | | Method for User and Peripheral to Negotiate a Shared Key |
| WO2009018778A1 (en) | | Method, device and system for non-card device accessing personal network |
| CN102196428B (en) | | Method, device and system for accessing personal network by card-free equipment |
| WO2010124569A1 (en) | | Method and system for user access control |
| CN113316139A (en) | | Wireless network access method and wireless access point |
| CN116868609A (en) | | User equipment authentication and authorization procedures for edge data networks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 08783909; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 08783909; Country of ref document: EP; Kind code of ref document: A1 |