
WO2012022155A1 - Identity authentication method and system for evolved node b - Google Patents


Info

Publication number
WO2012022155A1
Authority
WO
WIPO (PCT)
Prior art keywords
evolved node
server
enb
authentication
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2011/072464
Other languages
French (fr)
Chinese (zh)
Inventor
朱永升
杜高鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Publication of WO2012022155A1
Anticipated expiration
Ceased

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity
    • H04W12/106 Packet or message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/005 Data network PoA devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/08 Access point devices

Definitions

  • The present invention relates to the field of communications, and in particular to an identity authentication method and system for an evolved Node B.
  • BACKGROUND OF THE INVENTION Wireless communication systems, with their open network architecture, are being deployed and applied ever more widely. As they have become widespread, security issues in communication systems have gradually become a focus of user attention. With the emergence of application modes such as the home base station, an Evolved Node B (eNB) may be located in a physically untrusted area. To prevent a counterfeit eNB that accesses the network from threatening the entire wireless communication system and users' sensitive information, authenticating the legitimate identity of the eNB, so that only legitimate eNBs can access the operator's network, has become the primary mechanism for ensuring the security of the wireless communication system.
  • eNB: Evolved Node B
  • When the eNB physically connects to the operator's network and its power-on initialization has completed, the operator uses the Dynamic Host Configuration Protocol (DHCP) to allocate an Internet Protocol (IP) address and other network information to the eNB; the eNB subsequently uses that IP address to communicate with the operator's core network and the network management system.
  • IP: Internet Protocol
  • The operator allocates a network-wide unique identity (eNB Identity) and a password corresponding to that identity (eNB Password) to the eNB before the eNB accesses the network.
  • The eNB Identity is public; the eNB Password must be stored secretly.
  • A primary object of the present invention is to provide an identity authentication scheme for an evolved Node B, so as to at least solve the problem in the related art that identity authentication of the eNB is usually separate from the eNB's access process, which makes the procedure complex.
  • An identity authentication method for an evolved Node B includes: when applying to a server for an Internet Protocol address, the evolved Node B sends identity authentication information to the server; after receiving the identity authentication information, the server authenticates the evolved Node B using that information and, if the authentication passes, allocates the Internet Protocol address to the evolved Node B.
  • The server sends a first random string to the evolved Node B. The evolved Node B sending the identity authentication information to the server includes: the evolved Node B uses the evolved Node B password to operate on the first random string with a first function, obtaining first data; the evolved Node B sends the identity authentication information to the server, where the identity authentication information includes the first data, the identification information of the first function, and the evolved Node B identifier. The server authenticating the evolved Node B using the identity authentication information includes: the server obtains the first function according to the identification information of the first function; the server obtains the evolved Node B password corresponding to the evolved Node B identifier; the server uses the obtained evolved Node B password to operate on the locally stored first random string with the first function, and compares the result with the first data.
  • If they match, the authentication passes; otherwise, the authentication fails.
  • The operator allocates the evolved Node B password and the evolved Node B identifier to the evolved Node B.
  • Where the operator has not allocated an evolved Node B password and an evolved Node B identifier to the evolved Node B, the evolved Node B using the evolved Node B password to operate on the first random string with the first function to obtain the first data includes: the evolved Node B uses a forged evolved Node B password to operate on the first random string with the first function to obtain the first data; and the evolved Node B identifier is a forged evolved Node B identifier.
  • The method further includes: the server sends authentication legitimacy information to the evolved Node B, and the evolved Node B authenticates the server according to the authentication legitimacy information.
  • Before the server sends the authentication legitimacy information to the evolved Node B, the evolved Node B sends a second random string to the server. The server sending the authentication legitimacy information to the evolved Node B includes: the server uses the evolved Node B password to operate on the second random string with a second function, obtaining second data; the server sends the authentication legitimacy information to the evolved Node B, where the authentication legitimacy information includes the second data and the identification information of the second function.
  • The evolved Node B authenticating the server according to the authentication legitimacy information includes: the evolved Node B obtains the second function according to the identification information of the second function; the evolved Node B uses its own evolved Node B password to operate on the locally stored second random string with the second function, and compares the result with the second data. If they match, the authentication passes; otherwise, the authentication fails.
  • The method further includes: the operator allocates the evolved Node B password and the evolved Node B identifier to the evolved Node B.
  • The server uses the evolved Node B password to operate on the second random string with the second function to obtain the second data.
  • Where the server has not obtained the evolved Node B password allocated by the operator, the server uses a forged evolved Node B password to operate on the second random string with the second function to obtain the second data.
  • An identity authentication system for an evolved Node B comprises an evolved Node B and a server, wherein the evolved Node B is configured to send identity authentication information to the server when applying to the server for an Internet Protocol address; the server is configured to authenticate the evolved Node B using the identity authentication information after receiving it and, if the authentication passes, to allocate the Internet Protocol address to the evolved Node B.
  • The server is further configured to send authentication legitimacy information to the evolved Node B; the evolved Node B is further configured to authenticate the server according to the authentication legitimacy information.
  • By performing two-way security authentication of the eNB at the time the operator allocates an IP address to it, the invention reduces the network complexity caused by handling access and authentication separately.
  • The invention authenticates the eNB and the operator network in both directions, thereby avoiding the security weakness of one-way authentication.
  • FIG. 2 is a flowchart of an identity authentication method for an eNB according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of DHCP protocol message exchange according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a method for authenticating a legitimate eNB according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of a method for authenticating an illegitimate eNB according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of a method for identity authentication when a legitimate eNB accesses an illegitimate network according to an embodiment of the present invention.
  • FIG. 7 is a structural block diagram of an identity authentication system for an eNB according to an embodiment of the present invention.
  • FIG. 1 is the network architecture to which an embodiment of the present invention is applied.
  • Behind the security gateway (Security Gateway, Se GW) is the operator's secure network; network elements such as the DHCP server, the network management server and the core network are deployed in that secure network.
  • An identity authentication method for an eNB is provided.
  • FIG. 2 is a flowchart of an eNB identity authentication method according to an embodiment of the present invention. As shown in FIG. 2, the method includes: Step S202: when an eNB applies to a server for an IP address, the eNB sends identity authentication information to the server.
  • By performing security authentication of the eNB at the time the operator allocates an IP address to it, this embodiment solves the problem in the related art that identity authentication of the eNB is usually separate from the eNB's access process, which makes the procedure complex, and reduces the network complexity caused by handling access and authentication separately.
  • The server in this embodiment may be a DHCP server or a security gateway with integrated DHCP functionality.
  • The server sends the first random string to the eNB. The eNB sending the identity authentication information to the server includes: the eNB uses the eNB password to operate on the first random string with the first function, obtaining the first data; the eNB sends the identity authentication information to the server, where the identity authentication information includes the first data, the identification information of the first function, and the eNB identifier. The server then authenticates the eNB using the identity authentication information.
  • The server obtains the eNB password corresponding to the eNB identifier. With local authentication, the operator configures the eNB's identifier and password on the server, and the server obtains the eNB password corresponding to the eNB identifier locally.
  • Where a third party participates in the authentication, the operator stores the eNB's identifier and password with the third party, and the server sends the eNB identifier to the third party.
  • After determining the eNB password corresponding to that eNB identifier, the third party sends the corresponding eNB password to the server.
  • The server uses the obtained eNB password to operate on the locally saved first random string with the first function, and compares the result with the first data. If they match, the authentication passes; otherwise, the authentication fails.
  • eNB Password: enhanced node password
  • The operator allocates an eNB password and an eNB identifier to the eNB before the server sends the first random string to the eNB.
  • The server and the eNB hold the same eNB password, which ensures that authentication by the above method can pass.
  • Where the operator has not allocated an eNB password and an eNB identifier to the eNB, the eNB using the eNB password to operate on the first random string with the first function to obtain the first data includes: the eNB uses a forged eNB password to operate on the first random string with the first function to obtain the first data.
  • The eNB identifier is a forged eNB identifier.
  • A forged eNB identifier is obtained in one of the following ways: the eNB steals the eNB identifier of a legitimate eNB and passes it off as its own, or the eNB directly fabricates an eNB identifier.
  • In this case the server and the eNB do not hold the same eNB password, and the eNB is illegitimate.
  • The above authentication method ensures that such an eNB fails authentication, which prevents attacks on the network by a counterfeit eNB.
  • After the server authenticates the eNB, the server sends authentication legitimacy information to the eNB; the eNB authenticates the server according to the authentication legitimacy information.
  • During the eNB's access to the network, this embodiment simultaneously implements the eNB's authentication of the legitimacy of the access network and the access network's authentication of the eNB's identity, that is, two-way authentication, avoiding both a cumbersome multi-step access authentication procedure and the drawbacks of one-way authentication.
  • It can effectively protect user information, eNB information and the security of the operator's network, and improves the security of the entire wireless communication system.
  • The eNB sends the second random string to the server.
  • The server sending the authentication legitimacy information to the eNB includes: the server uses the eNB password to operate on the second random string with the second function, obtaining the second data.
  • The server sends the authentication legitimacy information to the eNB, where the authentication legitimacy information includes the second data and the identification information of the second function. The eNB authenticating the server according to the authentication legitimacy information includes: the eNB obtains the second function according to the identification information of the second function; the eNB uses its own eNB password to operate on the locally saved second random string with the second function, and compares the result with the second data. If they match, the authentication passes; otherwise, the authentication fails.
  • Using the eNB Password information, the eNB authenticates the network it is accessing, which ensures the security of the LTE access network.
  • The operator allocates an eNB password and an eNB identifier to the eNB before the eNB sends the second random string to the server.
  • The server and the eNB hold the same eNB password. Because the server knows the secret password information that the operator allocated to the eNB, the server can be considered legitimate, the information it allocates is therefore also legitimate, and the network the eNB is accessing is legitimate, which ensures that the eNB accesses the network securely.
  • Where the server has not obtained the eNB password that the operator allocated to the eNB, the server using the eNB password to operate on the second random string with the second function to obtain the second data includes: the server uses a forged eNB password to operate on the second random string with the second function to obtain the second data.
  • In this case the server and the eNB do not hold the same eNB password, and the server is illegitimate.
  • The above authentication method ensures that such a server fails authentication, so the eNB does not access an illegitimate network, and the security of network access is ensured.
  • When the eNB uses the Dynamic Host Configuration Protocol to apply for network information such as an IP address, the identity authentication information may be carried as extended options, thereby completing mutual authentication of the eNB identity and the server identity.
  • The DHCP extended option information used is as follows: Table 1
  • FIG. 3 is a schematic diagram of DHCP protocol message exchange according to an embodiment of the present invention.
  • Identity authentication is performed through the DHCP protocol message exchange.
  • The following three scenarios may exist: identity authentication when a legitimate eNB accesses the network, identity authentication when an illegitimate eNB accesses the network, and identity authentication when a legitimate eNB accesses an illegitimate network.
  • FIG. 4 is a schematic diagram of a method for performing identity authentication on a legitimate eNB according to an embodiment of the present invention. As shown in FIG. 4:
  • Step S402: When an eNB accesses the network, it first initiates the DHCP process to apply for a legitimate IP address with which to communicate with network elements such as the Mobile Management Entity (MME)/S-GW/Operation Management Center (OMC). The eNB sends a DHCP Discover message to the network.
  • The DHCP Offer message is then sent to the eNB.
  • The eNB constructs a DHCP Request message, which carries hash_string_1, a hash function identifier (identity, abbreviated as ID), the eNB Identity (eNB identifier) information, and a locally generated random string.
  • Step S408: After receiving the DHCP Request message, the DHCP server uses the eNB Identity carried in the message to look up the corresponding eNB Password, and then, using the hash algorithm corresponding to the HASH-FUNC-ID, calculates hash_string_1 by the method of step S406.
  • If the calculated hash_string_1 is consistent with the one carried in the DHCP Request message, the eNB is legitimate, and the DHCP server allocates an IP address to the eNB.
  • Step S410: The DHCP server constructs a DHCP ACK message and sends it to the eNB; the DHCP ACK message contains the eNB's IP address and other network-side information, hash_string_2, and the hash function ID.
  • Step S412: After receiving the DHCP ACK message, the eNB calculates hash_string_2 locally by the method of step S408. If the calculated result is consistent with the one carried in the ACK message, the network side is considered legitimate.
  • The eNB communicates with the network using the IP address and other information it applied for.
  • The DHCP Offer, DHCP Request and DHCP Ack messages use the message authentication option of the DHCP protocol to protect message integrity and prevent the messages from being tampered with in transit.
  • The network side's authentication of the eNB fails; the network side then refuses to allocate an IP address to the eNB, and the eNB cannot use the services provided by the operator's network.
  • FIG. 5 is a schematic diagram of a method for performing identity authentication on an illegitimate eNB according to an embodiment of the present invention. As shown in FIG. 5:
  • Step S502: When an illegitimate eNB accesses the network, it first initiates the DHCP process to apply for a legitimate IP address with which to communicate with network elements such as the MME/S-GW/OMC. The illegitimate eNB sends a DHCP Discover message to the network.
  • Step S504: After receiving the DHCP Discover message, the DHCP server in the network randomly generates a 32-byte string, random_string_1, encapsulates random_string_1 in the DHCP Offer message using the RANDOM-STRING extended option, and sends it to the eNB.
  • Step S506: After receiving the DHCP Offer message, the illegitimate eNB parses out random_string_1. Since the illegitimate eNB does not have the legitimate eNB password allocated by the operator, it cannot correctly calculate hash_string_1.
  • The illegitimate eNB constructs a DHCP Request message, which carries a forged hash_string_1, the hash function ID, the eNB Identity information, and a locally generated random string random_string_2, where the hash function ID identifies the hash function required to calculate hash_string_1. The eNB sends the DHCP Request message to the DHCP server.
  • Step S508: After receiving the DHCP Request message, the DHCP server uses the eNB Identity carried in the message to look up the corresponding eNB Password and locally calculates hash_string_1 with the hash algorithm corresponding to the HASH-FUNC-ID. The calculated result differs from the KEY-HASH-STRING carried in the message, so the eNB identity authentication fails. Step S510: The DHCP server responds with a DHCP NACK message and refuses to allocate an IP address to the eNB.
  • FIG. 6 is a schematic diagram of a method for performing identity authentication when a legitimate eNB accesses an illegitimate network according to an embodiment of the present invention. As shown in FIG. 6:
  • Step S602: The operator deploys an eNB and allocates to it a unique eNB identity and the eNB password corresponding to that identity.
  • Step S604: When the eNB accesses the network, it first initiates a DHCP process to apply for a legitimate IP address with which to communicate with network elements such as the MME/S-GW/OMC.
  • The eNB sends a DHCP Discover message to the network.
  • Step S606: After receiving the DHCP Discover message, the illegitimate DHCP server in the network randomly generates a 32-byte string, random_string_1, encapsulates random_string_1 in the DHCP Offer message as an extended option, and sends it to the eNB.
  • Step S608: After receiving the DHCP Offer message, the eNB parses the RANDOM-STRING option and locally calculates hash_string_1, for example in the manner of step S406 of the first embodiment.
  • The eNB constructs a DHCP Request message, which carries hash_string_1, the HASH-FUNC-ID, the eNB Identity information, and a locally generated random string random_string_2. The eNB then sends the DHCP Request message to the illegitimate DHCP server.
  • Step S610: After receiving the DHCP Request message, the illegitimate DHCP server cannot authenticate the eNB because it does not know the eNB password information. The illegitimate DHCP server therefore directly sends a DHCP ACK message to the eNB, and the message carries illegitimate information.
  • Step S612: After receiving the DHCP ACK message, the eNB calculates hash_string_2 locally, for example in the manner of step S408 of the first embodiment. The calculated result differs from the one carried in the ACK message, so the eNB detects that the network side is illegitimate and refuses to use the IP address and other information it assigned, thereby avoiding the theft of sensitive user information.
  • The DHCP Offer, DHCP Request and DHCP Ack messages use the message authentication option of the DHCP protocol to protect message integrity and prevent the messages from being tampered with in transit.
  • Corresponding to the foregoing method embodiment, the present invention further provides an identity authentication system for an eNB.
  • FIG. 7 is a structural block diagram of an identity authentication system for an eNB. The system includes an eNB 72 and a server 74, where the eNB 72 is configured to send identity authentication information to the server when applying to the server for an Internet Protocol address.
  • The server 74 is coupled to the eNB 72 and is configured to authenticate the eNB using the identity authentication information after receiving it and, if the authentication passes, to allocate an Internet Protocol address to the eNB.
  • The server 74 is further configured to send authentication legitimacy information to the eNB; the eNB 72 is further configured to authenticate the server according to the authentication legitimacy information.
  • The embodiment of the present invention performs security authentication of the eNB at the time the operator allocates an IP address to it, which reduces the network complexity caused by handling access and authentication separately.
  • The embodiment of the present invention authenticates the eNB and the network in both directions, which resolves the security weakness of one-way authentication, streamlines the access and authentication procedure, and improves the security of the system.
  • modules or steps of the present invention can be implemented by a general-purpose computing device, which can be concentrated on a single computing device or distributed over a network composed of multiple computing devices.
  • they may be implemented by program code executable by the computing device, such that they may be stored in the storage device by the computing device and, in some cases, may be different from the order herein.
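
The three scenarios of FIGS. 4 to 6 can be traced in a short simulation. This is an added example, not code from the patent or from ZTE: DHCP messages are modelled as dictionaries, the first and second functions are assumed to be an HMAC keyed with the eNB Password, and the HASH-FUNC-ID values, the ENB-IDENTITY key name, the credentials and the addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: HASH-FUNC-ID values and the algorithms behind them are hypothetical.
HASH_FUNCS = {1: hashlib.sha256, 2: hashlib.sha512}


def keyed_hash(func_id, password, random_string):
    """Assumed form of the first/second function: HMAC keyed with the eNB Password."""
    return hmac.new(password, random_string, HASH_FUNCS[func_id]).digest()


class DhcpServer:
    """Legitimate server: holds the operator's eNB Identity -> eNB Password table."""

    def __init__(self, credentials):
        self.credentials = credentials
        self.pending = {}  # transaction id -> random_string_1 awaiting an answer

    def offer(self, xid):
        # S404/S504: fresh 32-byte random_string_1 in the RANDOM-STRING option.
        self.pending[xid] = secrets.token_bytes(32)
        return {"type": "OFFER", "xid": xid, "RANDOM-STRING": self.pending[xid]}

    def handle_request(self, req):
        # S408/S508: look up the password by identity, recompute, compare.
        challenge = self.pending.pop(req["xid"], None)  # each challenge is single use
        password = self.credentials.get(req["ENB-IDENTITY"])
        func_id = req["HASH-FUNC-ID"]
        if challenge is None or password is None or func_id not in HASH_FUNCS:
            return {"type": "NACK", "xid": req["xid"]}
        expected = keyed_hash(func_id, password, challenge)
        if not hmac.compare_digest(expected, req["KEY-HASH-STRING"]):
            return {"type": "NACK", "xid": req["xid"]}  # S510: no address allocated
        # S410: answer the eNB's random_string_2 to prove knowledge of the password.
        return {
            "type": "ACK", "xid": req["xid"],
            "yiaddr": "192.0.2.10",  # constructed address (documentation range)
            "HASH-FUNC-ID": func_id,
            "KEY-HASH-STRING": keyed_hash(func_id, password, req["RANDOM-STRING"]),
        }


class RogueDhcpServer(DhcpServer):
    """Constructed stand-in for the illegitimate server of S606-S610 (no credentials)."""

    def handle_request(self, req):
        # S610: cannot verify the eNB, so it ACKs blindly with a made-up proof.
        return {
            "type": "ACK", "xid": req["xid"], "yiaddr": "198.51.100.66",
            "HASH-FUNC-ID": req["HASH-FUNC-ID"],
            "KEY-HASH-STRING": secrets.token_bytes(32),
        }


class ENodeB:
    def __init__(self, identity, password, func_id=1):
        self.identity, self.password, self.func_id = identity, password, func_id
        self.challenge = None  # random_string_2 of the current exchange

    def request(self, offer):
        # S406: hash_string_1 over the server's challenge, plus our own challenge.
        self.challenge = secrets.token_bytes(32)
        return {
            "type": "REQUEST", "xid": offer["xid"],
            "ENB-IDENTITY": self.identity,
            "HASH-FUNC-ID": self.func_id,
            "KEY-HASH-STRING": keyed_hash(self.func_id, self.password,
                                          offer["RANDOM-STRING"]),
            "RANDOM-STRING": self.challenge,
        }

    def accept(self, reply):
        # S412/S612: use the lease only if hash_string_2 verifies.
        func_id = reply.get("HASH-FUNC-ID")
        proof = reply.get("KEY-HASH-STRING")
        if reply["type"] != "ACK" or proof is None or func_id not in HASH_FUNCS:
            return False
        expected = keyed_hash(func_id, self.password, self.challenge)
        return hmac.compare_digest(expected, proof)


def run_exchange(enb, server, xid=1):
    """Return (server's reply type, whether the eNB accepts the lease)."""
    reply = server.handle_request(enb.request(server.offer(xid)))
    return reply["type"], enb.accept(reply)


if __name__ == "__main__":
    table = {"enb-0001": b"operator-issued-secret"}  # constructed credentials
    good = ENodeB("enb-0001", b"operator-issued-secret")
    print("FIG. 4:", run_exchange(good, DhcpServer(table)))
    print("FIG. 5:", run_exchange(ENodeB("enb-0001", b"forged"), DhcpServer(table)))
    print("FIG. 6:", run_exchange(good, RogueDhcpServer({})))
```

In the FIG. 6 case the rogue server still returns an ACK, so the decision to discard the lease rests entirely on the eNB's check of hash_string_2.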

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses an identity authentication method and system for an evolved Node B (eNB). The method includes the following steps: when an eNB applies to a server for an Internet Protocol (IP) address, it sends identity authentication information to the server; after receiving the identity authentication information, the server authenticates the eNB using the identity authentication information; and if the authentication succeeds, the server allocates the IP address to the eNB. The present invention reduces the network complexity caused by handling access and authentication separately.

Description

演进型节点 B的身伤人证方法及系统 技术领域 本发明涉及通信领域, 具体而言, 涉及一种演进型节点 B的身份认证方 法及系统。 背景技术 无线通信系统以其开放的网络架构而得到越来越多的部署和应用, 随着 无线通信系统的普及, 通信系统中的安全问题也逐渐成为用户关注的焦点。 随着家庭基站等应用模式的出现, 演进型节点 B ( Evolved Node B, 简称为 eNB )可能会处于物理上不信任的区域, 为了防止^ _冒 eNB接入网络对整个 无线通信系统以及用户的敏感信息造成威胁, 对 eNB的合法身份进行认证, 确保只有合法的 eNB才能接入运营商的网络,成为保证无线通信系统安全的 首要机制。 为了降低运营商对网络的运行和维护成本, eNB在物理上接入运营商网 络时, 上电初始化过程完成后, 通过动态主机配置协议 ( Dynamic Host Configure Protocol , 简称 DHCP ), 运营商为该 eNB分配互联网协议 ( Internet Protocol, 简称为 IP )地址及其它网络信息, 后续 eNB使用该 IP地址与运营 商的核心网以及网管系统进行通信。 在实际应用中,为了对 eNB进行管理,运营商在 eNB接入网络前为 eNB 分配一个全网唯一的身份 ( eNB Identity ) 以及与此身份对应的口令 ( eNB Password )。 其中, eNB Identity公开, eNB Password需要保密存储。 在相关技术中, 对 eNB的身份认证通常是和 eNB的接入过程分离的, 流程较为复杂。 同时, 相关技术只有网络认证 eNB身份的单向认证机制, 安 全性较低。 发明内容 本发明的主要目的在于提供一种演进型节点 B的身份认证方案, 以至少 解决相关技术中对 eNB的身份认证通常是和 eNB的接入过程分离的而造成 流程复杂的问题。 为了实现上述目的, 根据本发明的一个方面, 提供了一种演进型节点 B 的身份认证方法, 该方法包括: 演进型节点 B在向服务器申请互联网协议地 址时, 将身份认证信息发送给服务器; 服务器在接收到身份认证信息之后, 通过身份认证信息对演进型节点 B进行认证, 如果认证通过, 则为演进型节 点 B分配互联网协议地址。 优选地, 在演进型节点 B将身份认证信息发送给服务器之前, 服务器将 第一随机字符串发送给演进型节点 B; 演进型节点 B将身份认证信息发送给 服务器包括:演进型节点 B使用演进型节点 B密码通过第一函数对第一随机 字符串进行运算获得第一数据;演进型节点 B将身份认证信息发送给服务器, 其中, 身份认证信息包括: 第一数据、 第一函数的标识信息和演进型节点 B 标识; 服务器通过身份认证信息对演进型节点 B进行认证包括: 服务器根据 第一函数的标识信息获得第一函数; 服务器获取与演进型节点 B标识对应的 演进型节点 B密码;服务器使用获取的演进型节点 B密码通过第一函数对本 地存储的第一随机字符串进行运算, 将运算结果与第一数据进行比较, 如果 匹配, 则认证通过, 否则, 认证不通过。 优选地, 在服务器将第一随机字符串发送给演进型节点 B之前, 运营商 为演进型节点 B分配演进型节点 B密码和演进型节点 B标识。 优选地,在运营商没有为演进型节点 B分配演进型节点 B密码和演进型 节点 B标识的情况下, 演进型节点 B使用演进型节点 B密码通过第一函数 对第一随机字符串进行运算获得第一数据包括: 演进型节点 B使用伪造的演 进型节点 B密码通过第一函数对第一随机字符串进行运算获得第一数据; 演 进型节点 B标识为伪造的演进型节点 B标识。 优选地, 在服务器对演进型节点 B进行认证之后, 该方法还包括: 服务 器向演进型节点 B发送认证合法性信息;演进型节点 B根据认证合法性信息 对服务器进行认证。 优选地, 在服务器向演进型节点 B发送认证合法性信息之前, 演进型节 点 B将第二随机字符串发送给服务器;服务器向演进型节点 B发送认证合法 性信息包括: 服务器使用演进型节点 B密码通过第二函数对第二随机字符串 进行运算获得第二数据; 服务器将认证合法性信息发送给演进型节点 B , 其 中, 认证合法性信息包括: 第二数据和第二函数的标识信息; 演进型节点 B 根据认证合法性信息对服务器进行认证包括: 演进型节点 B根据第二函数的 标识信息获得第二函数; 演进型节点 B使用演进型节点 B 的演进型节点 B 密码通过第二函数对本地存储的第二随机字符串进行运算, 将运算结果与第 二数据进行比较, 如果匹配, 则认证通过, 否则, 认证不通过。 优选地, 在演进型节点 B将第二随机字符串发送给服务器之前, 该方法 还包括: 
运营商为演进型节点 B分配演进型节点 B密码和演进型节点 B标 识。 优选地, 在服务器未获取到运营商为演进型节点 B分配的演进型节点 B 密码的情况下, 服务器使用演进型节点 B密码通过第二函数对第二随机字符 串进行运算获得第二数据包括: 服务器使用伪造的演进型节点 B密码通过第 二函数对第二随机字符串进行运算获得第二数据。 为了实现上述目的, 居本发明的另一个方面, 提供了一种演进型节点 B的身份认证系统, 该系统包括: 演进型节点 B和服务器, 其中, 演进型节 点 B设置为在向服务器申请互联网协议地址时, 将身份认证信息发送给服务 器; 服务器设置为在接收到身份认证信息之后, 通过身份认证信息对演进型 节点 B进行认证, 如果认证通过, 则为演进型节点 B分配互联网协议地址。 优选地, 服务器还设置为向演进型节点 B发送认证合法性信息; 演进型 节点 B还设置为根据认证合法性信息对服务器进行认证。 通过本发明, 釆用在运营商为 eNB分配 IP地址时对 eNB进行双向安全 认证的方式, 降低了接入和认证分离处理对网络造成的复杂性。 同时, 本发 明釆用对 eNB和运营商网络进行双向安全认证的方式,避免了单向认证存在 的安全漏洞。 附图说明 此处所说明的附图用来提供对本发明的进一步理解, 构成本申请的一部 分, 本发明的示意性实施例及其说明用于解释本发明, 并不构成对本发明的 不当限定。 在附图中: 图 1是本发明实施例应用的网络架构; 图 2是根据本发明实施例的一种 eNB的身份认证方法的流程图; 图 3是根据本发明实施例的 DHCP协议 4艮文交互的示意图; 图 4是才艮据本发明实施例的对合法 eNB进行身份认证的方法的示意图; 图 5是才艮据本发明实施例的对非法 eNB进行身份认证的方法的示意图; 图 6是根据本发明实施例的合法 eNB接入非法网络时进行身份认证的方 法的示意图; 图 7是根据本发明实施例的 eNB的身份认证系统的结构框图。 具体实施方式 下文中将参考附图并结合实施例来详细说明本发明。 需要说明的是, 在 不冲突的情况下, 本申请中的实施例及实施例中的特征可以相互组合。 图 1 是本发明实施例应用的网络架构, 如图所示, 安全网关 (Security Gateway, 简称为 Se GW )之后为运营商的安全网络, DHCP服务器、 网管 服务器以及核心网等网元部署在安全网络中。 根据本发明实施例, 提供了一种 eNB的身份认证方法。 图 2是根据本发 明实施例的一种 eNB的身份认证方法的流程图, 如图 2所示, 该方法包括: 步骤 S202, eNB在向服务器申请 IP地址时, 将身份认证信息发送给服 务器; 步骤 S204 , 服务器在接收到身份认证信息之后, 通过身份认证信息对 eNB进行认证, 如果认证通过, 则为 eNB分配 IP地址。 该实施例釆用在运营商为 eNB分配 IP地址时对 eNB进行安全认证的方 式, 解决了相关技术中对 eNB的身份认证通常是和 eNB的接入过程分离的 而造成流程复杂的问题, 降低了接入和认证分离处理对网络造成的复杂性。 需要注意的是, 本实施例中的服务器可以是 DHCP服务器, 也可以是集 成了 DHCP功能的安全网关。 优选地, 在 eNB将身份认证信息发送给服务器之前, 服务器将第一随机 字符串发送给 eNB; eNB将身份认证信息发送给月艮务器包括: eNB使用 eNB 密码通过第一函数对第一随机字符串进行运算获得第一数据; eNB将身份认 证信息发送给服务器, 其中, 身份认证信息包括: 第一数据、 第一函数的标 识信息和 eNB标识; 月艮务器通过身份认证信息对 eNB进行认证包括: 月艮务 器获取与 eNB标识对应的 eNB密码, 其中, 在进行本地认证的情况下, 运 营商在服务器配置 eNB的 eNB标识和 eNB密码,服务器从本地获取 eNB标 识对应的 eNB密码, 在第三方参与认证的情况下, 运营商在第三方存储 eNB 的 eNB标识和 eNB密码, 月艮务器将 eNB标识发送给第三方, 第三方在确定 与该 eNB标识对应的 eNB密码之后, 将对应的 eNB密码发送给月艮务器; 月艮 务器使用获取的 eNB 密码通过第一函数对本地保存的第一随机字符串进行 运算, 将运算结果与第一数据进行比较, 如果匹配, 则认证通过, 否则, 认 证不通过。 该实施例通过 eNB Password (增强型节点密码)信息, 完成网络 对 eNB的认证, 保证了长期演进 ( Long-Term Evolution, 简称为 LTE )接入 网的安全生。 优选地, 在 艮务器将第一随机字符串发送给 eNB之前, 运营商为 eNB 分配 eNB密码和 
eNB标识。 该实施例中,月艮务器和 eNB具有统一的 eNB密 码, 从而保证通过上述认证方式能够认证通过。 优选地,在运营商没有为 eNB分配 eNB密码和 eNB标识的情况下, eNB 使用 eNB密码通过第一函数对第一随机字符串进行运算获得第一数据包括: eNB使用伪造的 eNB 密码通过第一函数对第一随机字符串进行运算获得第 一数据; eNB标识为伪造的 eNB标识, 其中, 伪造的 eNB标识获得的方式 包括: 该 eNB窃取合法 eNB的 eNB标识, 将其伪造成自身的 eNB标识, 或 者 eNB直接伪造一个 eNB标识。该实施例中,月艮务器和 eNB没有统一的 eNB 密码, eNB 是非法的, 通过上述认证方式能够认证 eNB 不通过, 避免 i冒 eNB对网络造成的攻击。 优选地, 在服务器对 eNB进行认证之后, 服务器向 eNB发送认证合法 性信息; eNB根据认证合法性信息对服务器进行认证。 该实施例在 eNB接入 网络的过程中,同步实现 eNB对接入网络的合法性认证以及接入网络对 eNB 身份的双向认证, 避免了烦瑣的多步接入认证流程以及单向认证所存在的弊 端, 可以有效保护用户信息、 eNB信息以及运营商网络的安全, 提高了整个 无线通信系统的安全性。 优选地, 在服务器向 eNB发送认证合法性信息之前, eNB将第二随机字 符串发送给服务器; 服务器向 eNB 发送认证合法性信息包括: 服务器使用 eNB密码通过第二函数对第二随机字符串进行运算获得第二数据; 服务器将 认证合法性信息发送给 eNB, 其中, 认证合法性信息包括: 第二数据和第二 函数的标识信息; eNB根据认证合法性信息对服务器进行认证包括: eNB根 据第二函数的标识信息获得第二函数; eNB使用该 eNB的 eNB密码通过第 二函数对本地保存的第二随机字符串进行运算, 将运算结果与第二数据进行 比较, ^口果匹 S己,则认证通过,否则,认证不通过。该实施例通过 eNB Password 信息, 完成 eNB对所接入网络的认证, 保证了 LTE接入网的安全性。 优选地, 在 eNB 将第二随机字符串发送给服务器之前, 运营商为 eNB 分配 eNB密码和 eNB标识。 该实施例中, 月艮务器和 eNB具有统一的 eNB密 码, 由于服务器知道运营商分配给 eNB的秘密口令信息, 则可以认为该服务 器是合法的, 进而其分配的信息也是合法的, eNB接入的网络是合法的, 保 证了 eNB安全接入网络。 优选地, 在服务器未获取到运营商为 eNB分配的 eNB密码的情况下, 服务器使用 eNB 密码通过第二函数对第二随机字符串进行运算获得第二数 据包括:服务器使用伪造的 eNB密码通过第二函数对第二随机字符串进行运 算获得第二数据。 该实施例中, 服务器和 eNB没有统一的 eNB密码, 服务 器是非法的, 通过上述认证方式能够认证服务器不通过, 从而 eNB不会接入 非法网络, 保证了接入网络的安全。 下面结合具体实施例和附图对本发明的实现方式进行详细说明。 在本发明实施例中, 可以在 eNB使用动态主机配置协议申请 IP地址等 网络信息时, 以扩展选项的方式携带身份认证信息, 从而完成 eNB身份和服 务器身份的双向认证。 其中, 使用的 DHCP扩展选项信息如下表所示: 表 1 The present invention relates to the field of communications, and in particular to an identity authentication method and system for an evolved Node B. BACKGROUND OF THE INVENTION Wireless communication systems are increasingly deployed and applied with their open network architecture. With the popularity of wireless communication systems, security issues in communication systems have gradually become the focus of users. 
With the emergence of deployment modes such as home base stations, an evolved Node B (eNB) may be located in a physically untrusted area. To prevent an eNB's access to the network from threatening the wireless communication system as a whole and users' sensitive information, authenticating the eNB's identity, so that only legitimate eNBs can access the operator's network, has become the primary mechanism for securing the wireless communication system.

To reduce network operation and maintenance costs, once the eNB is physically connected to the operator's network and has completed power-on initialization, the operator uses the Dynamic Host Configuration Protocol (DHCP) to allocate an Internet Protocol (IP) address and other network information to the eNB. The eNB then uses this IP address to communicate with the operator's core network and network management system.

In practice, in order to manage eNBs, the operator assigns each eNB a network-wide unique identity (eNB Identity) and a password corresponding to that identity (eNB Password) before the eNB accesses the network. The eNB Identity is public, whereas the eNB Password must be stored securely.

In the related art, identity authentication of the eNB is usually separate from the eNB's access procedure, which complicates the process. In addition, the related art provides only a one-way mechanism in which the network authenticates the eNB's identity, so security is low.

SUMMARY OF THE INVENTION

A primary object of the present invention is to provide an identity authentication scheme for an evolved Node B, so as to at least solve the problem in the related art that identity authentication of the eNB is usually separate from the eNB's access procedure.
To achieve the above object, according to one aspect of the present invention, an identity authentication method for an evolved Node B is provided. The method includes: when applying to a server for an Internet Protocol address, the evolved Node B sends identity authentication information to the server; after receiving the identity authentication information, the server authenticates the evolved Node B using that information and, if authentication passes, allocates an Internet Protocol address to the evolved Node B.

Preferably, before the evolved Node B sends the identity authentication information to the server, the server sends a first random string to the evolved Node B. The evolved Node B sending the identity authentication information to the server includes: the evolved Node B uses the evolved Node B password to operate on the first random string with a first function to obtain first data, and sends the identity authentication information to the server, where the identity authentication information includes the first data, identification information of the first function, and the evolved Node B identifier. The server authenticating the evolved Node B using the identity authentication information includes: the server obtains the first function according to the identification information of the first function; the server obtains the evolved Node B password corresponding to the evolved Node B identifier; the server uses the obtained evolved Node B password to operate on the locally stored first random string with the first function and compares the result with the first data; if they match, authentication passes, otherwise authentication fails.

Preferably, before the server sends the first random string to the evolved Node B, the operator assigns the evolved Node B password and the evolved Node B identifier to the evolved Node B.
Preferably, where the operator has not assigned an evolved Node B password and an evolved Node B identifier to the evolved Node B, the evolved Node B using the evolved Node B password to operate on the first random string with the first function to obtain the first data includes: the evolved Node B uses a forged evolved Node B password to operate on the first random string with the first function to obtain the first data; and the evolved Node B identifier is a forged evolved Node B identifier.

Preferably, after the server authenticates the evolved Node B, the method further includes: the server sends authentication legitimacy information to the evolved Node B, and the evolved Node B authenticates the server according to the authentication legitimacy information.

Preferably, before the server sends the authentication legitimacy information to the evolved Node B, the evolved Node B sends a second random string to the server. The server sending the authentication legitimacy information to the evolved Node B includes: the server uses the evolved Node B password to operate on the second random string with a second function to obtain second data, and sends the authentication legitimacy information to the evolved Node B, where the authentication legitimacy information includes the second data and identification information of the second function. The evolved Node B authenticating the server according to the authentication legitimacy information includes: the evolved Node B obtains the second function according to the identification information of the second function; the evolved Node B uses its own evolved Node B password to operate on the locally stored second random string with the second function and compares the result with the second data; if they match, authentication passes, otherwise authentication fails.
Preferably, before the evolved Node B sends the second random string to the server, the method further includes: the operator assigns the evolved Node B password and the evolved Node B identifier to the evolved Node B.

Preferably, where the server has not obtained the evolved Node B password that the operator assigned to the evolved Node B, the server using the evolved Node B password to operate on the second random string with the second function to obtain the second data includes: the server uses a forged evolved Node B password to operate on the second random string with the second function to obtain the second data.

To achieve the above object, according to another aspect of the present invention, an identity authentication system for an evolved Node B is provided. The system includes an evolved Node B and a server, where the evolved Node B is configured to send identity authentication information to the server when applying to the server for an Internet Protocol address, and the server is configured to, after receiving the identity authentication information, authenticate the evolved Node B using that information and, if authentication passes, allocate an Internet Protocol address to the evolved Node B.

Preferably, the server is further configured to send authentication legitimacy information to the evolved Node B, and the evolved Node B is further configured to authenticate the server according to the authentication legitimacy information.

With the present invention, performing two-way security authentication of the eNB at the time the operator allocates an IP address to the eNB reduces the complexity that separate handling of access and authentication imposes on the network. In addition, by performing two-way security authentication between the eNB and the operator network, the invention avoids the security vulnerabilities of one-way authentication.
BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings described here are provided for a further understanding of the present invention and form a part of this application. The illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:

FIG. 1 is the network architecture to which an embodiment of the present invention is applied;
FIG. 2 is a flowchart of an identity authentication method for an eNB according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of DHCP protocol message exchange according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a method for authenticating a legitimate eNB according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a method for authenticating an illegitimate eNB according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a method for identity authentication when a legitimate eNB accesses an illegitimate network according to an embodiment of the present invention;
FIG. 7 is a structural block diagram of an identity authentication system for an eNB according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

The present invention is described in detail below with reference to the drawings and in combination with embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in them may be combined with each other.

FIG. 1 shows the network architecture to which an embodiment of the present invention is applied. As shown in the figure, behind the security gateway (Security Gateway, abbreviated Se GW) is the operator's secure network, in which network elements such as the DHCP server, the network management server, and the core network are deployed.

According to an embodiment of the present invention, an identity authentication method for an eNB is provided. FIG. 2 is a flowchart of this method. As shown in FIG. 2, the method includes:

Step S202: when applying to the server for an IP address, the eNB sends identity authentication information to the server.

Step S204: after receiving the identity authentication information, the server authenticates the eNB using that information and, if authentication passes, allocates an IP address to the eNB.

This embodiment performs security authentication of the eNB at the time the operator allocates an IP address to the eNB. It solves the problem in the related art that identity authentication of the eNB is usually separate from the eNB's access procedure, which complicates the process, and it reduces the complexity that separate handling of access and authentication imposes on the network.

Note that the server in this embodiment may be a DHCP server or a security gateway with an integrated DHCP function.

Preferably, before the eNB sends the identity authentication information to the server, the server sends a first random string to the eNB. The eNB sending the identity authentication information to the server includes: the eNB uses the eNB password to operate on the first random string with a first function to obtain first data, and sends the identity authentication information to the server, where the identity authentication information includes the first data, identification information of the first function, and the eNB identifier. The server authenticating the eNB using the identity authentication information includes: the server obtains the eNB password corresponding to the eNB identifier. With local authentication, the operator configures the eNB's identifier and password on the server, and the server obtains the eNB password corresponding to the eNB identifier locally. Where a third party participates in authentication, the operator stores the eNB's identifier and password with the third party; the server sends the eNB identifier to the third party, and the third party, after determining the eNB password corresponding to that identifier, sends that password to the server. The server then uses the obtained eNB password to operate on the locally stored first random string with the first function and compares the result with the first data; if they match, authentication passes, otherwise authentication fails. This embodiment uses the eNB Password (enhanced node password) information to complete the network's authentication of the eNB, ensuring the security of the Long-Term Evolution (LTE) access network.

Preferably, before the server sends the first random string to the eNB, the operator assigns the eNB password and the eNB identifier to the eNB. In this embodiment, the server and the eNB hold the same eNB password, which ensures that authentication by the above method can succeed.

Preferably, where the operator has not assigned an eNB password and an eNB identifier to the eNB, the eNB using the eNB password to operate on the first random string with the first function to obtain the first data includes: the eNB uses a forged eNB password to operate on the first random string with the first function to obtain the first data. The eNB identifier is a forged eNB identifier, obtained in one of the following ways: the eNB steals the eNB identifier of a legitimate eNB and passes it off as its own, or the eNB directly fabricates an eNB identifier. In this embodiment, the server and the eNB do not hold the same eNB password and the eNB is illegitimate; under the above authentication method the eNB fails authentication, which prevents attacks on the network by a counterfeit eNB.
Preferably, after the server authenticates the eNB, the server sends authentication legitimacy information to the eNB, and the eNB authenticates the server according to the authentication legitimacy information. In this embodiment, while the eNB is accessing the network, the eNB's authentication of the legitimacy of the access network and the access network's authentication of the eNB's identity are carried out together as mutual authentication. This avoids a cumbersome multi-step access authentication process and the drawbacks of one-way authentication, effectively protects user information, eNB information, and the operator network, and improves the security of the entire wireless communication system.

Preferably, before the server sends the authentication legitimacy information to the eNB, the eNB sends a second random string to the server. The server sending the authentication legitimacy information to the eNB includes: the server uses the eNB password to operate on the second random string with a second function to obtain second data, and sends the authentication legitimacy information to the eNB, where the authentication legitimacy information includes the second data and identification information of the second function. The eNB authenticating the server according to the authentication legitimacy information includes: the eNB obtains the second function according to the identification information of the second function; the eNB uses its own eNB password to operate on the locally stored second random string with the second function and compares the result with the second data; if they match, authentication passes, otherwise authentication fails. This embodiment uses the eNB Password information to complete the eNB's authentication of the network it is accessing, ensuring the security of the LTE access network.
Preferably, before the eNB sends the second random string to the server, the operator assigns the eNB password and the eNB identifier to the eNB. In this embodiment, the server and the eNB hold the same eNB password. Because the server knows the secret password information that the operator assigned to the eNB, the server can be considered legitimate, the information it allocates is therefore also legitimate, and the network the eNB is accessing is legitimate, which ensures that the eNB accesses the network securely.

Preferably, where the server has not obtained the eNB password that the operator assigned to the eNB, the server using the eNB password to operate on the second random string with the second function to obtain the second data includes: the server uses a forged eNB password to operate on the second random string with the second function to obtain the second data. In this embodiment, the server and the eNB do not hold the same eNB password and the server is illegitimate; under the above authentication method the server fails authentication, so the eNB does not access the illegitimate network, which ensures the security of network access.

The implementation of the present invention is described in detail below with reference to specific embodiments and the drawings.

In the embodiments of the present invention, when the eNB uses the Dynamic Host Configuration Protocol to request network information such as an IP address, the identity authentication information can be carried in extended options, thereby completing mutual authentication of the eNB identity and the server identity. The DHCP extended options used are shown in the following table:

Table 1

[Table 1: DHCP extended options (image imgf000008_0001)]

Among the extended options described in Table 1, RANDOM-STRING is a random string generated by the eNB or the DHCP server, KEY-HASH-STRING is the string resulting from the keyed hash function operation, and HASH-FUNC-ID identifies the keyed hash function used for authentication. FIG. 3 is a schematic diagram of DHCP protocol message exchange according to an embodiment of the present invention; the embodiments perform identity authentication through this DHCP message exchange.
In the scenario shown in FIG. 1, three cases may arise: identity authentication when a legitimate eNB accesses the network, identity authentication when an illegitimate eNB accesses the network, and identity authentication when a legitimate eNB accesses an illegitimate network. These three cases are described below with reference to embodiments.

Embodiment 1

After a legitimate eNB accesses the network, the network side authenticates the eNB's identity and allocates it an IP address, and the eNB in turn authenticates the network side. After mutual authentication succeeds, the eNB uses the services provided by the operator's network normally. FIG. 4 is a schematic diagram of a method for authenticating a legitimate eNB according to an embodiment of the present invention. As shown in FIG. 4, the procedure is as follows:

Step S402: when the eNB accesses the network, it first initiates the DHCP procedure to request a legitimate IP address for itself, so that it can communicate with network elements such as the Mobile Management Entity (MME), the S-GW, and the Operation Management Center (OMC). The eNB sends a DHCP Discover message to the network.

Step S404: after receiving the DHCP Discover message, the DHCP Server in the network randomly generates a 32-byte string random_string_1, encapsulates it in the DHCP Offer message as a RANDOM-STRING extended option, and sends the message to the eNB.

Step S406: after receiving the DHCP Offer message, the eNB parses the RANDOM-STRING option and computes hash_string_1 locally by hashing the received random_string_1 with the eNB Password as the key, that is,

$$\mathrm{hash\_string\_1} = \mathrm{HASH\_FUNC}_{\mathrm{eNB\_Password}}(\mathrm{random\_string\_1})$$
The eNB constructs a DHCP Request message that carries hash_string_1, the hash function identifier (Identity, abbreviated ID), the eNB Identity (eNB identifier), and a locally generated random string random_string_2, where the hash function ID identifies the keyed hash function needed to compute hash_string_1. The eNB then sends the constructed DHCP Request message to the DHCP Server.

Step S408: after receiving the DHCP Request message, the DHCP Server uses the eNB Identity carried in the message to look up the corresponding eNB Password and, using the hash algorithm corresponding to HASH-FUNC-ID, computes hash_string_1 locally by the method of step S406. If the computed hash_string_1 matches the one carried in the DHCP Request message, the eNB is legitimate and the DHCP Server allocates an IP address to the eNB.

The DHCP Server uses the eNB Password it looked up for this eNB to hash the received random_string_2, obtaining hash_string_2, that is,

$$\mathrm{hash\_string\_2} = \mathrm{HASH\_FUNC}_{\mathrm{eNB\_Password}}(\mathrm{random\_string\_2})$$

Step S410: the DHCP Server constructs a DHCP ACK message and sends it to the eNB. The DHCP ACK message contains the eNB's IP address and other network-side information, hash_string_2, and the HASH function ID.

Step S412: after receiving the DHCP ACK message, the eNB computes hash_string_2 locally in the manner of step S408.
If the computed result matches the value carried in the ACK message, the network side is considered legitimate. The eNB then uses the IP address and other information it obtained to communicate with the network.

The DHCP Offer, DHCP Request, and DHCP Ack messages use the message authentication option of the DHCP protocol for integrity protection, which prevents the messages from being tampered with in transit.

Embodiment 2

When an illegitimate eNB accesses the network, the network side's authentication of the eNB's identity fails. The network side then refuses to allocate an IP address to the eNB, and the eNB cannot use the services provided by the operator's network. FIG. 5 is a schematic diagram of a method for authenticating an illegitimate eNB according to an embodiment of the present invention. As shown in FIG. 5, the procedure is as follows:

Step S502: when the illegitimate eNB accesses the network, it first initiates the DHCP procedure to request a legitimate IP address for itself, so that it can communicate with network elements such as the MME, S-GW, and OMC. The illegitimate eNB sends a DHCP Discover message to the network.

Step S504: after receiving the DHCP Discover message, the DHCP Server in the network randomly generates a 32-byte string random_string_1, encapsulates it in the DHCP Offer message as a RANDOM-STRING extended option, and sends the message to the eNB.

Step S506: after receiving the DHCP Offer message, the illegitimate eNB parses random_string_1. Because the illegitimate eNB has no legitimate eNB Password assigned by the operator, it cannot compute hash_string_1 correctly.
The illegitimate eNB constructs a DHCP Request message carrying a forged hash_string_1, the hash function ID, the eNB Identity, and a locally generated random string random_string_2, where the hash function ID identifies the keyed hash function needed to compute hash_string_1. The eNB sends the DHCP Request message to the DHCP Server.

Step S508: after receiving the DHCP Request message, the DHCP Server uses the eNB Identity carried in the message to look up the corresponding eNB Password and computes hash_string_1 locally using the hash algorithm corresponding to HASH-FUNC-ID. The result necessarily differs from the KEY-HASH-STRING carried in the message, so authentication of the eNB's identity fails.

Step S510: the DHCP Server responds with a DHCP NACK message, refusing to allocate network-side information such as an IP address to the eNB.

The illegitimate eNB cannot obtain a legitimate IP address or other information from the operator's network and therefore cannot use the services that the operator's network provides. The DHCP Offer, DHCP Request, and DHCP Ack messages use the message authentication option of the DHCP protocol for integrity protection, which prevents the messages from being tampered with in transit.

Embodiment 3

A legitimate eNB accesses an illegitimate network. The illegitimate network treats the eNB's identity authentication as passed by default and allocates it an IP address, so that the legitimate eNB attaches to the illegitimate network and users' sensitive information can be stolen. FIG. 6 is a schematic diagram of a method for identity authentication when a legitimate eNB accesses an illegitimate network according to an embodiment of the present invention. As shown in FIG. 6, the procedure is as follows:

Step S602: the operator deploys the eNB and assigns it a unique eNB Identity and the corresponding eNB Password.
Step S604: when the eNB accesses the network, it first initiates the DHCP procedure to request a legitimate IP address for itself, so that it can communicate with network elements such as the MME, S-GW, and OMC. The eNB sends a DHCP Discover message to the network.

Step S606: after receiving the DHCP Discover message, the illegitimate DHCP Server in the network randomly generates a 32-byte string random_string_1, encapsulates it in the DHCP Offer message as an extended option, and sends the message to the eNB.

Step S608: after receiving the DHCP Offer message, the eNB parses the RANDOM-STRING option in it and computes hash_string_1 locally, for example in the manner of step S406 of Embodiment 1.

The eNB constructs a DHCP Request message carrying hash_string_1, HASH-FUNC-ID, the eNB Identity, and a locally generated random string random_string_2, and then sends the DHCP Request message to the illegitimate DHCP Server.

Step S610: after receiving the DHCP Request message, the illegitimate DHCP Server, not knowing the eNB Password, cannot authenticate the eNB's identity. It therefore sends a DHCP ACK message directly to the eNB, carrying an illegitimate IP address and network information together with a forged hash_string_2.

Step S612: after receiving the DHCP ACK message, the eNB computes hash_string_2 locally, for example in the manner of step S408 of Embodiment 1. The computed result necessarily differs from the value carried in the ACK message, so the eNB detects that the network side is illegitimate and refuses to use the IP address and other information it allocated, which prevents users' sensitive information from being stolen.

The DHCP Offer, DHCP Request, and DHCP Ack messages use the message authentication option of the DHCP protocol for integrity protection, which prevents the messages from being tampered with in transit.

System embodiment

Corresponding to the method embodiments above, the present invention also provides an identity authentication system for an eNB. FIG. 7 is a structural block diagram of an identity authentication system for an eNB according to an embodiment of the present invention. The system includes an eNB 72 and a server 74. The eNB 72 is configured to send identity authentication information to the server when applying to the server for an Internet Protocol address. The server 74, coupled to the eNB 72, is configured to, after receiving the identity authentication information, authenticate the eNB using that information and, if authentication passes, allocate an Internet Protocol address to the eNB.
Preferably, the server 74 is further arranged to send authentication legitimacy information to the eNB; the eNB 72 is further arranged to authenticate the server based on the authentication legitimacy information. In summary, the embodiment of the present invention performs security authentication on the eNB when the operator allocates an IP address to the eNB, which reduces the complexity of the access and authentication separation processing on the network. At the same time, the embodiment of the present invention performs two-way authentication on the eNB and the network, solves the security vulnerability existing in the one-way authentication, achieves the effect of optimizing the access and authentication process, and improving the security of the system. Obviously, those skilled in the art should understand that the above modules or steps of the present invention can be implemented by a general-purpose computing device, which can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device, such that they may be stored in the storage device by the computing device and, in some cases, may be different from the order herein. The steps shown or described are performed, or they are separately fabricated into individual integrated circuit modules, or a plurality of modules or steps are fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software. The above is only the preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes can be made to the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the scope of the present invention are intended to be included within the scope of the present invention.

Claims

1. An identity authentication method for an evolved Node B, comprising:

the evolved Node B, when applying to a server for an Internet Protocol address, sending identity authentication information to the server;

the server, after receiving the identity authentication information, authenticating the evolved Node B by means of the identity authentication information and, if the authentication passes, allocating an Internet Protocol address to the evolved Node B.

2. The method according to claim 1, wherein:

before the evolved Node B sends the identity authentication information to the server, the server sends a first random string to the evolved Node B;

the evolved Node B sending the identity authentication information to the server comprises: the evolved Node B using an evolved Node B password to operate on the first random string through a first function to obtain first data; and the evolved Node B sending the identity authentication information to the server, wherein the identity authentication information comprises the first data, identification information of the first function, and an evolved Node B identifier;

the server authenticating the evolved Node B by means of the identity authentication information comprises: the server obtaining the first function according to the identification information of the first function; the server obtaining the evolved Node B password corresponding to the evolved Node B identifier; and the server using the obtained evolved Node B password to operate on the locally stored first random string through the first function and comparing the result of the operation with the first data, wherein if they match the authentication passes, and otherwise the authentication fails.

3. The method according to claim 2, wherein before the server sends the first random string to the evolved Node B, the method further comprises:

an operator allocating the evolved Node B password and the evolved Node B identifier to the evolved Node B.

4. The method according to claim 2, wherein, in the case where the operator has not allocated an evolved Node B password and an evolved Node B identifier to the evolved Node B:

the evolved Node B using the evolved Node B password to operate on the first random string through the first function to obtain the first data comprises: the evolved Node B using a forged evolved Node B password to operate on the first random string through the first function to obtain the first data;

the evolved Node B identifier is a forged evolved Node B identifier.

5. The method according to claim 1, wherein after the server authenticates the evolved Node B, the method further comprises:

the server sending authentication legitimacy information to the evolved Node B;

the evolved Node B authenticating the server according to the authentication legitimacy information.

6. The method according to claim 5, wherein:

before the server sends the authentication legitimacy information to the evolved Node B, the evolved Node B sends a second random string to the server;

the server sending the authentication legitimacy information to the evolved Node B comprises: the server using the evolved Node B password to operate on the second random string through a second function to obtain second data; and the server sending the authentication legitimacy information to the evolved Node B, wherein the authentication legitimacy information comprises the second data and identification information of the second function;

the evolved Node B authenticating the server according to the authentication legitimacy information comprises: the evolved Node B obtaining the second function according to the identification information of the second function; and the evolved Node B using its own evolved Node B password to operate on the locally stored second random string through the second function and comparing the result of the operation with the second data, wherein if they match the authentication passes, and otherwise the authentication fails.

7. The method according to claim 6, wherein before the evolved Node B sends the second random string to the server, the method further comprises:

an operator allocating the evolved Node B password and the evolved Node B identifier to the evolved Node B.

8. The method according to claim 6, wherein, in the case where the server has not obtained the evolved Node B password allocated by the operator to the evolved Node B:

the server using the evolved Node B password to operate on the second random string through the second function to obtain the second data comprises: the server using a forged evolved Node B password to operate on the second random string through the second function to obtain the second data.

9. An identity authentication system for an evolved Node B, comprising an evolved Node B and a server, wherein:

the evolved Node B is configured to send identity authentication information to the server when applying to the server for an Internet Protocol address;

the server is configured, after receiving the identity authentication information, to authenticate the evolved Node B by means of the identity authentication information and, if the authentication passes, to allocate an Internet Protocol address to the evolved Node B.

10. The system according to claim 9, wherein:

the server is further configured to send authentication legitimacy information to the evolved Node B;

the evolved Node B is further configured to authenticate the server according to the authentication legitimacy information.
PCT/CN2011/072464 2010-08-16 2011-04-06 Identity authentication method and system for evolved node b Ceased WO2012022155A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010255447.5 2010-08-16
CN201010255447.5A CN102378165B (en) 2010-08-16 2010-08-16 Identity authentication method and system of evolved node B

Publications (1)

Publication Number Publication Date
WO2012022155A1 true WO2012022155A1 (en) 2012-02-23

Family

ID=45604734

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/072464 Ceased WO2012022155A1 (en) 2010-08-16 2011-04-06 Identity authentication method and system for evolved node b

Country Status (2)

Country Link
CN (1) CN102378165B (en)
WO (1) WO2012022155A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230174851A1 (en) * 2020-05-18 2023-06-08 Shin-Etsu Chemical Co., Ltd. Coated semiconductor nanoparticles and method for producing the same

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105897764B (en) * 2016-06-15 2019-08-30 中电长城网际系统应用有限公司 A kind of safety certifying method, apparatus and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101043331A (en) * 2006-06-30 2007-09-26 华为技术有限公司 System and method for distributing address for network equipment
CN101141492A (en) * 2005-04-29 2008-03-12 华为技术有限公司 Method and system for implementing DHCP address security allocation
CN101425897A (en) * 2007-10-29 2009-05-06 上海交通大学 Customer authentication method, system, server and customer node
CN101656725A (en) * 2009-09-24 2010-02-24 杭州华三通信技术有限公司 Method for implementing safety access and access equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141492A (en) * 2005-04-29 2008-03-12 华为技术有限公司 Method and system for implementing DHCP address security allocation
CN101043331A (en) * 2006-06-30 2007-09-26 华为技术有限公司 System and method for distributing address for network equipment
CN101425897A (en) * 2007-10-29 2009-05-06 上海交通大学 Customer authentication method, system, server and customer node
CN101656725A (en) * 2009-09-24 2010-02-24 杭州华三通信技术有限公司 Method for implementing safety access and access equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Technical Specification Group Services and System Aspects.", 3GPP TR 33.820 V8.2.0: SECURITY OF H(E)NB (RELEASE 8)., 30 September 2009 (2009-09-30), pages 37 - 70 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230174851A1 (en) * 2020-05-18 2023-06-08 Shin-Etsu Chemical Co., Ltd. Coated semiconductor nanoparticles and method for producing the same
US12391870B2 (en) * 2020-05-18 2025-08-19 Shin-Etsu Chemical Co., Ltd. Coated semiconductor nanoparticles and method for producing the same

Also Published As

Publication number Publication date
CN102378165A (en) 2012-03-14
CN102378165B (en) 2014-06-11

Similar Documents

Publication Publication Date Title
CN110800331B (en) Network verification method, related equipment and system
CN106664561B (en) System and method for securing pre-association service discovery
US7961883B2 (en) System and method for securing a personalized indicium assigned to a mobile communications device
US20100122338A1 (en) Network system, dhcp server device, and dhcp client device
CN103067337B (en) Identity federation method, identity federation intrusion detection & prevention system (IdP), identity federation service provider (SP) and identity federation system
CN102547701A (en) Authentication method and wireless access point as well as authentication server
JP2013504832A (en) Method and apparatus for reliable authentication and logon
TW201101865A (en) Authentication method selection using a home enhanced Node B profile
CN115843447B (en) Network authentication for user equipment access to edge data networks
JP7631284B2 (en) Apparatus and method for mediating authentication information configuration - Patents.com
CN111314269B (en) A security authentication method and device for automatic address allocation protocol
CN102231725A (en) Method, equipment and system for authenticating dynamic host configuration protocol message
WO2020224341A1 (en) Method and apparatus for identifying tls encrypted traffic
CN102082665A (en) Identity authentication method, system and equipment in EAP (Extensible Authentication Protocol) authentication
CN100591013C (en) Authentication method and authentication system
WO2010000157A1 (en) Configuration method, device and system for access device
US12476950B2 (en) Method, device, and system for authentication and authorization with edge data network
CN105873059A (en) Joint identity authentication method and system for distribution communication wireless private network
US20060026433A1 (en) Method and apparatus for minimally onerous and rapid cocktail effect authentication (MORCEAU)
WO2014201783A1 (en) Encryption and authentication method, system and terminal for ad hoc network
WO2012022155A1 (en) Identity authentication method and system for evolved node b
WO2011157142A2 (en) Method and apparatus for message transmission
JP2017139026A (en) Method and apparatus for reliable authentication and logon
WO2012000313A1 (en) Method and system for home gateway certification
CN101610509A (en) A method, device and system for protecting communication security

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11817683

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11817683

Country of ref document: EP

Kind code of ref document: A1