WO2018103655A1 - Method for accessing a network device, associated terminal device, and network device - Google Patents
- Publication number
- WO2018103655A1 (PCT/CN2017/114765)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authentication
- cell
- terminal device
- request message
- network
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Definitions
- the present application relates to the field of communications, and in particular, to a method for accessing a network device, a terminal device thereof, and a network device.
- in the Global System for Mobile Communication (GSM), the terminal device has no process for authenticating the network side. Pseudo base stations therefore exist in GSM networks. A pseudo base station is a base station masquerading as an operator's; it can use another person's mobile phone number to forcibly send short messages, such as fraud and advertising messages, to a user's mobile phone.
- GSM pseudo base stations are highly concealed and have become the source of a fraud industry chain, causing users to be deceived and to suffer heavy losses.
- pseudo base station technology is continuously upgraded. Even if the terminal device and the network are upgraded to a 3/4G network, as long as the terminal device supports GSM, the pseudo base station can interfere with the 3/4G signal across the full frequency band so that the terminal device falls back to the 2G network, and the pseudo base station can then continue to send spam messages to the terminal device.
- the embodiment of the present application provides a method for accessing a network device and a network device thereof, which can minimize the impact of the pseudo base station on the network.
- a terminal device receives a system message sent by a base station controller, determines, according to the system message, that the terminal device is allowed to access a first cell, and the terminal device performs network authentication when accessing the first cell.
- the first cell is a cell that supports two-way authentication; the terminal device sends an uplink authentication request message to the core network device, where the uplink authentication request message is used to notify the core network device to authenticate the terminal device; when the terminal device receives the downlink authentication request message sent by the core network device, it performs network authentication on the target cell in the first cell to determine whether to access the target cell.
- the embodiment of the present application can instruct the terminal device to access only cells supporting two-way authentication, and to perform network authentication on the target cell to be accessed to determine whether the network can be accessed, thereby preventing the pseudo base station from attacking the network.
- the first cell is a cell identified as a R99+ version in a system message.
- the embodiment of the present application indicates that the terminal device is only allowed to access a cell identified as the R99+ version. Because a cell of the R99+ version supports two-way authentication, the terminal device determines whether the target cell of the R99+ version can be accessed by performing network authentication on the target cell to be accessed, so that network attacks by the pseudo base station can be avoided as far as possible.
- performing network authentication on the target cell in the first cell to determine whether to access the target cell includes: when the terminal device passes the network authentication of the target cell, determining to access the target cell; when the terminal device fails to pass the network authentication of the target cell, determining not to access the target cell.
- the terminal device does not pass the authentication of the pseudo cell, that is, it does not access the pseudo cell, which avoids the terminal device accessing the pseudo cell and the network suffering an attack from the pseudo base station.
- the method further includes: returning an authentication response message to the core network device, where the authentication response message is used to indicate that the terminal device has passed authentication of the target cell.
- by returning the authentication response to the core network device, the terminal device can notify the core network device that the terminal device has passed authentication of the target cell.
- the uplink authentication request message is an access request message, where the access request message includes a ciphering key sequence number (CKSN) field, which is used to trigger the authentication of the terminal device by the network device.
- the core network device can be instructed to trigger the authentication of the terminal device, and the information interaction between the network device and the terminal device is implemented without increasing the signaling overhead.
- the access request message is one of: a location update request message, a connection management (CM) service request message, a paging response message.
- the system message carries the identifier information, where the identifier information is used to indicate that the first cell is a cell identified as the R99+ version.
- the terminal device can be notified that it is allowed to access the first cell of the R99+ version.
- the second aspect provides a method for accessing a network device, where the core network device receives an uplink authentication request message sent by the terminal device, where the uplink authentication request message is a request message sent by the terminal device after receiving the system message sent by the base station controller, the system message is used by the terminal device to determine that it is allowed to access the first cell and instructs the terminal device to perform network authentication when accessing the first cell, and the first cell is a cell that supports bidirectional authentication; the core network authenticates the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on the target cell in the first cell to determine whether to access the target cell.
- the embodiment of the present application can instruct the terminal device to access only cells supporting two-way authentication, and to perform network authentication on the target cell to be accessed to determine whether the network can be accessed, thereby preventing the pseudo base station from attacking the network.
- after the core network device receives the uplink authentication request message sent by the terminal device, the core network authenticating the terminal device according to the uplink authentication request message further includes: sending a downlink authentication request message to the terminal device, where the downlink authentication request message is used to instruct the terminal device to perform network authentication on the target cell, and the downlink authentication request message carries the identifier of the target cell.
- the network covered by the core network device is a network supporting two-way authentication; further, the network covered by the core network device is the R99+ version.
- a third aspect provides a method for accessing a network device, where the base station controller sends a system message to the terminal device, where the system message is used to indicate that the terminal device is allowed to access the first cell and that the terminal device performs network authentication on the first cell when accessing the first cell, and the first cell is a cell that supports bidirectional authentication;
- the base station controller receives an uplink authentication request message sent by the terminal device, where the uplink authentication request message is used to indicate that the terminal device needs to perform network authentication on the first cell;
- the base station controller sends the uplink authentication request message to the core network device, to notify the core network device to authenticate the terminal device, so that the terminal device accesses a cell authenticated by the network.
- the method further includes: receiving a downlink authentication request message sent by the core network device, where the downlink authentication request message is used to notify the terminal device to perform network authentication on the target cell in the first cell, and the downlink authentication request message carries the identifier of the target cell; and sending the downlink authentication request message to the terminal device.
- the system message carries the identifier information, where the identifier information is used to indicate that the first cell is a cell identified as an R99+ version.
- the system message is one of the following: base station subsystem (BSS) system message 2, BSS system message 3, BSS system message 4.
- before the base station controller sends the system message to the terminal device, the method further includes: determining that the network covered by the core network device is the R99+ version.
- a terminal device for performing the method of any of the above first aspect or any of the possible implementations of the first aspect.
- the terminal device comprises means for performing the method of any of the above-described first aspect or any of the possible implementations of the first aspect.
- a network device for performing the method of any of the foregoing second aspect or any of the possible implementations of the second aspect.
- the apparatus comprises means for performing the method of any of the above-described second aspect or any of the possible implementations of the second aspect.
- the apparatus comprises means for performing the method of any of the possible implementations of the third aspect or the third aspect described above.
- a terminal device comprising: a transceiver, a memory, a processor, and a bus system.
- the transceiver, the memory and the processor are connected by the bus system
- the memory is for storing instructions, and the processor is for executing the instructions stored by the memory to control the transceiver to receive and/or transmit signals
- the processor executes the instructions stored by the memory, the execution causes the processor to perform the method of the first aspect or any of the possible implementations of the first aspect.
- a network device comprising: a transceiver, a memory, a processor, and a bus system.
- the transceiver, the memory and the processor are coupled by the bus system, the memory is for storing instructions, the processor is for executing the instructions stored by the memory to control the transceiver to receive signals and/or transmit signals, and when the processor executes the instructions stored by the memory, the execution causes the processor to perform the method of the second aspect or any of the possible implementations of the second aspect.
- a network device comprising: a transceiver, a memory, a processor, and a bus system.
- the transceiver, the memory and the processor are connected by the bus system
- the memory is for storing instructions, and the processor is for executing the instructions stored by the memory to control the transceiver to receive signals and/or transmit signals
- the processor executes the instructions stored by the memory, the execution causes the processor to perform the method of any of the possible implementations of the third aspect or the third aspect.
- a tenth aspect provides a computer readable medium for storing a computer program, the computer program comprising instructions for performing the method of the first aspect or any of the possible implementations of the first aspect.
- a computer readable medium for storing a computer program comprising instructions for performing the method of any of the second aspect or any of the possible implementations of the second aspect.
- a computer readable medium for storing a computer program comprising instructions for performing the method of any of the third aspect or any of the possible implementations of the third aspect.
- FIG. 1 is a schematic diagram of an authentication scenario applied in an embodiment of the present application.
- FIG. 2 shows a schematic flow chart of a method of an embodiment of the present application.
- Figure 3 shows a schematic diagram of a method of one embodiment of the present application.
- Figure 4 shows a schematic diagram of a method of one embodiment of the present application.
- FIG. 5 shows a schematic flow chart of a method of an embodiment of the present application.
- FIG. 6 shows a schematic block diagram of a terminal device of one embodiment of the present application.
- FIG. 7 shows a schematic block diagram of a network device according to an embodiment of the present application.
- FIG. 8 shows a schematic block diagram of a network device of another embodiment of the present application.
- FIG. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
- FIG. 10 is a schematic block diagram of a network device according to an embodiment of the present application.
- FIG. 11 is a schematic block diagram of a network device of another embodiment of the present application.
- FIG. 1 is a schematic diagram of an authentication scenario applied in an embodiment of the present application.
- a user, i.e., a user using a USIM card
- UMTS Universal Mobile Telecommunications System
- the terminal device 110 communicates with the core network 130 through a Global System for Mobile Communication (GSM) radio access network 120, where the GSM radio access network 120 includes a Base Station Controller (BSC).
- the terminal device 110 is a terminal device with UMTS authentication and encryption capability, and has a Universal Subscriber Identity Module (USIM) with UMTS security.
- the core network supports Release 99+ and later, that is, the core network supports two-way authentication between the network side and the terminal device side.
- for terminal devices that support 3/4G networks, use a Universal Subscriber Identity Module (USIM), and support UMTS authentication, it has been defined that when the device camps on a GSM radio access network (GRAN) network (2G) and the core network is the R99+ version, the two-way authentication process is performed, that is, the terminal device also authenticates the cell. That is, as long as the core network initiates the authentication process, the terminal device authenticates the network.
- the pseudo base station bypasses this process and does not initiate authentication for the mobile phone, so that the mobile phone cannot authenticate the pseudo base station.
- FIG. 2 is a schematic flowchart of a method of an embodiment of the present application, where an execution entity of the method is a terminal device, where the terminal device can communicate with a core network via a Radio Access Network (RAN).
- a terminal may refer to a User Equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user device.
- the access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), with wireless communication.
- the base station may be a network device used for communication with the terminal device, for example, may be a base station (Base Transceiver Station, BTS) in the GSM system or CDMA, or a base station (NodeB, NB) in the WCDMA system. It may be an evolved base station (Evolutional Node B, eNB or eNodeB) in the LTE system, or the base station may be a relay station, an access point, an in-vehicle device, a wearable device, and a network side device in a future 5G network.
- the core network device is composed of a series of devices that complete the user location management, the network function, and the service control function, and is not limited in this embodiment.
- the method includes the following steps.
- Step 210 The terminal device receives the system message sent by the base station controller, determines, according to the system message, that the terminal device is allowed to access the first cell, and the terminal device performs network authentication when accessing the first cell, where the first cell is a cell that supports two-way authentication.
- Step 220 The terminal device sends an uplink authentication request message to the core network device, where the uplink authentication request message is used to notify the core network device to perform authentication on the terminal device.
- Step 230 When the terminal device receives the downlink authentication request message sent by the core network device, perform network authentication on the target cell in the first cell to determine whether to access the target cell.
- the first cell is a cell supporting bidirectional authentication, that is, a cell supporting Terrestrial Radio Access Network (UTRAN) or Long Term Evolution (LTE) authentication.
- the first cell is a cell identified as a R99+ version in the system message.
- the first cell refers to a type of cell identified as a R99+ version in a system message
- the base station controller refers to a communication device that manages the terminal device.
- the terminal device determines that only the first cell of the R99+ version can be accessed and that other types of cells cannot be accessed; further, a cell of the R99+ version supports two-way authentication between the network side and the terminal device.
- the terminal device also needs to authenticate whether it can access the network.
- the base station controller sends a system message to the terminal device, where the system message is used to indicate that the terminal device is allowed to access the first cell and that, when the terminal device accesses the first cell, it performs network authentication on the first cell; the first cell is a cell identified as a R99+ version in the system message.
- the system message carries the identifier information, where the identifier information is used to indicate that the first cell is a cell identified as an R99+ version.
- the system message is one of the following: a base station system (BSS) system message 2, a BSS system message 3, and a BSS system message 4. That is to say, the system message can use the vacant field in the above message to carry the identification information for identifying the message of the R99+ version.
- the system message may be a newly defined message, or may be an existing system message carrying the identification information, which is not limited in the embodiment of the present application; any system message capable of carrying the identification information falls within the scope of the embodiment of the present application.
- the uplink authentication request message is used to notify the core network device to perform authentication on the terminal device.
- the uplink authentication request message may be one of the following three conditions:
- the core network device learns that the terminal device performs cross-location reselection, and the terminal device continues to send the uplink authentication request message to the core network device to notify the core network device to authenticate the terminal device and determine whether the terminal device can access the network covered by the core network device;
- the uplink authentication request message may be a newly defined message, and the newly defined uplink authentication request message can be used not only to notify the core network device to authenticate the terminal device, but also to indicate that the terminal device will perform reselection across location areas;
- the uplink authentication request message is an access request message, where the access request message includes a Ciphering Key Sequence Number (CKSN) field set to indicate that no key is available, so as to trigger the authentication of the terminal device by the network device. Optionally, the access request message is one of the following: a location update request message, a connection management (CM) service request message, a paging response message.
- the base station controller receives the uplink authentication request message sent by the terminal device, where the uplink authentication request message is used to indicate that the terminal device needs to perform network authentication on the first cell; further, the base station controller sends the uplink authentication request message to the core network device, to notify the core network device to perform authentication on the terminal device, so that the terminal device accesses a cell that is authenticated by the terminal.
- in step 230, after the core network device receives the uplink authentication request message of step 220, the authentication process for the terminal device is triggered and a downlink authentication request message is sent to the terminal device; the downlink authentication request message is used to instruct the terminal device to perform network authentication on the target cell in the first cell.
- the core network device sends the downlink authentication request message to the terminal device, where the downlink authentication request message is used to indicate that the terminal device performs network authentication on the target cell, and the downlink authentication request message carries an identifier of the target cell.
- the performing network authentication on the target cell in the first cell to determine whether to access the target cell includes:
- when the terminal device passes the network authentication of the target cell, determining to access the target cell;
- when the terminal device fails to pass the network authentication of the target cell, determining not to access the target cell.
- the location update request message, the access request message, the uplink authentication request message, and the downlink authentication request message are all forwarded by the base station controller: the location update request message, the access request message, and the uplink authentication request message sent by the terminal device are forwarded to the core network device by the base station controller, and the downlink authentication request message sent by the core network device is also sent to the terminal device through the base station controller.
- the target cell is one of the cells in the first cell and belongs to the base station controller.
- the uplink authentication request message is sent to the base station controller by the target cell, and the base station controller further forwards the uplink authentication request message to the core network device, thereby triggering the core network device to authenticate the terminal device; that is, the core network device sends a downlink authentication request message to the terminal device through the base station controller, and the terminal device determines, according to the downlink authentication request message, whether the target cell can pass the authentication of the terminal device. Only when the target cell passes the authentication of the terminal device does the terminal device access the target cell; otherwise, the terminal device does not access the target cell.
- the terminal device will not access the pseudo cell generated by the pseudo base station, and thus will not be affected by the pseudo base station, thereby avoiding the influence of the pseudo base station on the network.
- the terminal device fails to pass the authentication of the pseudo cell, that is, does not access the pseudo cell.
- the embodiment of the present application can instruct the terminal device to access only a cell identified as the R99+ version, and to perform network authentication on the target cell to be accessed to determine whether the network can be accessed, thereby avoiding network attacks by the pseudo base station.
- the method further includes: returning an authentication response message to the core network device, where the authentication response message is used to indicate that the terminal device has passed authentication of the target cell.
- the terminal device notifies the core network device by returning an authentication response message to the core network device, and the terminal device accesses the target cell.
- FIG. 3 is a schematic diagram of a method of an embodiment of the present application.
- the execution body of the method may be a core network device. As shown in FIG. 3, the method 300 includes the following steps.
- Step 310 The core network device receives an uplink authentication request message sent by the terminal device, where the uplink authentication request message is a request message sent by the terminal device after receiving the system message sent by the base station controller, the system message is used by the terminal device to determine that the terminal device is allowed to access the first cell and instructs the terminal device to perform network authentication when accessing the first cell, and the first cell is a cell identified as a R99+ version in the system message.
- Step 320 The core network authenticates the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on the target cell in the first cell to determine whether to access the target cell.
- after the core network device receives the uplink authentication request message sent by the terminal device, the core network authenticating the terminal device according to the uplink authentication request message further includes: sending a downlink authentication request message to the terminal device, where the downlink authentication request message is used to indicate that the terminal device performs network authentication on the target cell, and the downlink authentication request message carries the identifier of the target cell.
- the network covered by the core network device is an R99+ version.
- the execution body of the method is a base station controller. As shown in FIG. 4, the method 400 includes the following steps.
- Step 410 The base station controller sends a system message to the terminal device, where the system message is used to indicate that the terminal device is allowed to access the first cell and that the terminal device performs network authentication on the first cell when accessing the first cell, where the first cell is a cell that supports bidirectional authentication.
- Step 420 The base station controller receives an uplink authentication request message sent by the terminal device, where the uplink authentication request message is used to indicate that the terminal device needs to perform network authentication on the first cell.
- Step 430 The base station controller sends an uplink authentication request message to the core network device, and notifies the core network device to perform authentication on the terminal device, so that the terminal device accesses the cell that is authenticated by the network.
- the method further includes: receiving a downlink authentication request message sent by the core network device, where the downlink authentication request message is used to notify the terminal device to perform network authentication on the target cell in the first cell, and the downlink authentication request message carries the identifier of the target cell; and sending the downlink authentication request message to the terminal device.
- the system message carries the identifier information, where the identifier information is used to indicate that the first cell is a cell identified as an R99+ version, and the system message is one of the following: BSS system message 2, 2BIS, BSS system message 3, BSS system message 4.
- FIG. 5 shows a schematic flow chart of a method of an embodiment of the present application. As shown in FIG. 5, the method includes the following steps.
- Step 501 The base station controller sends a system message to the terminal device, where the system message is used to indicate that the UE can only access the first cell, and the terminal device performs network authentication when accessing the first cell, where the first cell refers to a cell identified by the system message as the R99+ version.
- the system message may be a newly defined system message, or may be an existing system message indicating that the first cell is a cell of the R99+ version, for example, BSS system message 2, 2BIS, BSS system message 3, or BSS system message 4; a blank field of the system message carries the identifier information indicating the first cell type, indicating that the UE is only allowed to access the identified first cell.
- Step 502 The terminal device sends an uplink authentication request to the core network device.
- the uplink authentication request is used to notify the core network device to perform authentication on the terminal device.
- the uplink authentication message is sent by the terminal device to the base station controller, and is forwarded by the base station controller to the core network device.
- the terminal device sends an access request message to the core network device, where the access request message is used to notify the core network device that the terminal device is about to enter the cross-location area reselection.
- the uplink authentication request message is an access request message, where the access request message includes a CKSN field set to be unavailable for the key, for example, a CKSN field set to “111”, in order to trigger the network device to The authentication process of the terminal device.
- the foregoing access request message is one of the following: a location update request message, a CM service request message, and a page response message.
- Step 503 The core network device sends a downlink authentication request message to the UE, that is, when the core network device receives the uplink authentication request message in step 502, the network side authenticates the UE.
- the core network device sends a downlink authentication request message to the UE through the base station controller, and notifies the UE to perform network authentication on the target cell in the first cell to determine whether to access the target cell.
- the target cell is one of the first cells that the UE desires to access.
- Step 504 The UE authenticates the network, that is, the UE performs network authentication on the target cell to determine whether to access the target cell.
- When the terminal device passes the network authentication of the target cell, it determines to access the target cell; when the terminal device fails the network authentication of the target cell, it determines not to access the target cell.
- Step 506 The UE returns an authentication response message to the core network device, where the authentication response message is used to identify the terminal device by authenticating the target cell.
- Step 507 The network authenticates the terminal, that is, the core network device determines whether the UE can access the target cell. If the target cell can be accessed, step 508 is performed.
- Step 508 The core network device sends a location update success notification message to the UE, where the UE has completed cross-location area reselection and accesses the target cell.
- Step 501 is performed when it is determined that the network covered by the current core network device is the R99+ version; that is, a control switch is added to the base station controller to ensure that the foregoing process is performed under an R99+ network.
- The embodiment of the present application instructs the terminal device to access only a cell identified as the R99+ version and to perform network authentication on the target cell to be accessed to determine whether the network can be accessed, thereby preventing a pseudo base station from carrying out a network attack.
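The exchange in steps 501 to 508, as an added Python sketch that is not part of the patent text: HMAC-SHA256 stands in for the operator's authentication functions, and the class, field and return-value names are assumptions. A network that does not hold the subscriber key K, as a pseudo base station would not, fails the terminal's check in step 504.

```python
# Added illustration of steps 501-508. HMAC-SHA256 is a stand-in for the real
# authentication functions; message fields and names are assumptions.
import hashlib
import hmac
import os

CKSN_NO_KEY = 0b111   # CKSN "111": key unavailable, forces authentication
R99_PLUS = "R99+"     # identifier carried in the system message (step 501)

def _f(key, label, data):
    """Keyed function shared by the terminal and its home network."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:8]

class CoreNetwork:
    """Core network side; only the genuine network holds the subscriber key."""
    def __init__(self, k):
        self.k = k
        self.expected = None

    def on_access_request(self, req):
        # Steps 502/503: a CKSN of "111" triggers a downlink authentication request.
        if req["cksn"] != CKSN_NO_KEY:
            return None
        rand = os.urandom(16)
        self.expected = _f(self.k, b"res", rand)
        return {"rand": rand, "autn": _f(self.k, b"mac", rand)}

    def on_auth_response(self, resp):
        # Steps 507/508: the network authenticates the terminal.
        ok = self.expected is not None and hmac.compare_digest(
            resp["res"], self.expected)
        return "LOCATION_UPDATE_ACCEPT" if ok else "REJECT"

class Terminal:
    def __init__(self, k):
        self.k = k

    def select_cell(self, system_message):
        # Step 501: only cells identified as R99+ may be accessed.
        return system_message.get("cell_version") == R99_PLUS

    def access_request(self):
        # Step 502: location update request with CKSN set to "111".
        return {"type": "LOCATION_UPDATE_REQUEST", "cksn": CKSN_NO_KEY}

    def on_auth_request(self, challenge):
        # Step 504: authenticate the network before answering (step 506).
        want = _f(self.k, b"mac", challenge["rand"])
        if not hmac.compare_digest(challenge["autn"], want):
            return None
        return {"res": _f(self.k, b"res", challenge["rand"])}

def attach(terminal, network, system_message):
    """Run the whole exchange and return its outcome."""
    if not terminal.select_cell(system_message):
        return "CELL_NOT_ALLOWED"
    challenge = network.on_access_request(terminal.access_request())
    if challenge is None:
        return "NO_CHALLENGE"
    response = terminal.on_auth_request(challenge)
    if response is None:
        return "NETWORK_AUTH_FAILED"   # terminal refuses the target cell
    return network.on_auth_response(response)
```
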
- FIG. 6 shows a schematic block diagram of a terminal device of one embodiment of the present application. It should be understood that the terminal device 600 can perform the various steps performed by the UE in FIG. 2 and FIG. 5, and is not detailed herein to avoid repetition.
- the terminal device 600 includes the following units.
- a receiving unit 610 configured to receive a system message sent by the base station controller and determine, according to the system message, that the terminal device is allowed to access the first cell and that the terminal device performs network authentication when accessing the first cell, where the first cell is a cell that supports two-way authentication.
- the sending unit 620 is configured to send an uplink authentication request message to the core network device, where the uplink authentication request message is used to notify the core network device to perform authentication on the terminal device.
- the authentication unit 630 is configured to: when receiving the downlink authentication request message sent by the core network device, perform network authentication on the target cell in the first cell, and determine whether to access the target cell.
- The embodiment of the present application instructs the terminal device to access only a cell identified as the R99+ version and to perform network authentication on the target cell to be accessed to determine whether the network can be accessed, thereby preventing a pseudo base station from carrying out a network attack.
- FIG. 7 shows a schematic block diagram of a network device according to an embodiment of the present application. It should be understood that the network device 700 can perform the various steps performed by the core network device in FIG. 3 and FIG. 5, and is not detailed herein to avoid repetition.
- network device 700 includes the following units.
- the receiving unit 710 is configured to receive an uplink authentication request message sent by the terminal device, where the uplink authentication request message is a request message sent by the terminal device after receiving the system message sent by the base station controller, the system message is used by the terminal device to determine that the first cell is allowed to access, and the terminal device is instructed to perform network authentication when accessing the first cell, where the first cell is a cell that supports two-way authentication;
- the authentication unit 720 is configured to perform authentication on the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on the target cell in the first cell to determine whether to access the target cell.
- The embodiment of the present application instructs the terminal device to access only a cell identified as the R99+ version and to perform network authentication on the target cell to be accessed to determine whether the network can be accessed, thereby preventing a pseudo base station from carrying out a network attack.
- FIG. 8 shows a schematic block diagram of a network device of another embodiment of the present application. It should be understood that the network device 800 is capable of performing the various steps performed by the base station controller device of FIGS. 4 and 5, and to avoid repetition, it will not be described in detail herein.
- the network device 800 includes the following units.
- a sending unit 810 configured to send a system message to the terminal device, where the system message is used to indicate that the terminal device is allowed to access the first cell and that network authentication of the first cell is performed when the terminal device accesses the first cell, where the first cell is a cell that supports bidirectional authentication.
- the receiving unit 820 is configured to receive an uplink authentication request message sent by the terminal device, where the uplink authentication request message is used to indicate that the terminal device needs to perform network authentication on the first cell.
- the sending unit 810 is further configured to send the uplink authentication request message to the core network device, to notify the core network device to perform authentication on the terminal device, so that the terminal device accesses the cell through network authentication.
- The embodiment of the present application instructs the terminal device to access only a cell identified as the R99+ version and to perform network authentication on the target cell to be accessed to determine whether the network can be accessed, thereby preventing a pseudo base station from carrying out a network attack.
- FIG. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application. It should be understood that the terminal device 900 can perform the various steps performed by the UE in FIG. 2 and FIG. 5, and is not detailed herein to avoid repetition.
- Device 900 includes the following components.
- the memory 910 is configured to store a program.
- the transceiver 920 is configured to communicate with other devices.
- the processor 930 is configured to execute a program in the memory 910; the processor 930 is connected to the memory 910 and to the transceiver 920, and, when executing the instructions stored in the memory 910, performs the following steps:
- the processor 930 is configured to receive, by using the transceiver 920, a system message sent by the base station controller, and determine, according to the system message, that the terminal device is allowed to access the first cell and that the terminal device performs network authentication when accessing the first cell, where the first cell is a cell that supports bidirectional authentication; send the uplink authentication request message to the core network device, where the uplink authentication request message is used to notify the core network device to perform authentication on the terminal device; and, when the terminal device receives the downlink authentication request message sent by the core network device, perform network authentication on the target cell in the first cell to determine whether to access the target cell.
- terminal device 900 may be specifically the terminal device in the foregoing embodiment, and may be used to perform various steps and/or processes corresponding to the terminal device in the foregoing method embodiments.
- FIG. 10 is a schematic block diagram of a network device according to an embodiment of the present application. It should be understood that the terminal device 1000 can perform the various steps performed by the core network device in FIG. 3 and FIG. 5, and is not detailed herein to avoid repetition.
- Device 1000 includes the following components.
- the memory 1010 is configured to store a program.
- the transceiver 1020 is configured to communicate with other devices.
- a processor 1030 configured to execute a program in the memory 1010; the processor 1030 is coupled to the memory 1010 and to the transceiver 1020, and, when executing the instructions stored in the memory 1010, performs the following steps: receiving an uplink authentication request message sent by the terminal device, where the uplink authentication request message is a request message sent by the terminal device after receiving a system message sent by the base station controller, where the system message is used by the terminal device to determine that access to the first cell is allowed, and instructs the terminal device to perform network authentication when accessing the first cell, where the first cell is a cell supporting two-way authentication; and authenticating the terminal device according to the uplink authentication request message, so that the terminal device performs network authentication on the target cell in the first cell to determine whether to access the target cell.
- the network device 1000 may be specifically the terminal device in the foregoing embodiment, and may be used to perform various steps and/or processes corresponding to the core network device in the foregoing method embodiments.
- FIG. 11 is a schematic block diagram of a network device of another embodiment of the present application.
- terminal device 1100 can perform the various steps performed by the base station controller in FIGS. 3 and 5, and in order to avoid repetition, it will not be described in detail herein.
- Device 1100 includes the following components.
- the memory 1110 is configured to store a program.
- the transceiver 1120 is configured to communicate with other devices.
- the processor 1130 is configured to execute a program in the memory 1110; the processor 1130 is connected to the memory 1110 and to the transceiver 1120, and, when executing the instructions stored in the memory 1110, performs the following steps: sending a system message to the terminal device, where the system message is used to indicate that the terminal device is allowed to access the first cell and that network authentication of the first cell is performed when the terminal device accesses the first cell, where the first cell is a cell that supports bidirectional authentication; and receiving the uplink authentication request message sent by the terminal device, where the uplink authentication request message is used to indicate that the terminal device needs to perform network authentication on the first cell.
- the network device 1100 may be specifically the base station controller in the foregoing embodiment, and may be used to perform various steps and/or processes corresponding to the base station controller in the foregoing method embodiments.
- storage media: random access memory (RAM), read only memory (ROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), registers, hard disk, removable disk, CD-ROM, computer-readable media
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
In an embodiment, the invention relates to a terminal device. The terminal device receives a system message sent by a base station controller, determines, according to the system message, that the terminal device is allowed to access a first cell, and performs network authentication when accessing the first cell, the first cell being a cell that supports two-way authentication. The terminal device further sends an uplink authentication request message to a core network device, the uplink authentication request message being used to notify the core network device that it must authenticate the terminal device. On receiving a downlink authentication request message sent by the core network device, the terminal device further performs network authentication on a target cell in the first cell to determine whether to access the target cell. According to the embodiment of the invention, the terminal device is instructed to access only a cell that supports two-way authentication and to perform network authentication on the target cell it accesses, to determine whether the network can be accessed, thereby preventing a pseudo base station from carrying out a network attack on the network.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611124220.0A CN108174380A (zh) | 2016-12-08 | 2016-12-08 | Method for accessing a network device, and terminal device and network device thereof |
| CN201611124220.0 | 2016-12-08 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2018103655A1 (fr) | 2018-06-14 |
Family
ID=62491720
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2017/114765 Ceased WO2018103655A1 (fr) | 2016-12-08 | 2017-12-06 | Method for accessing a network device, associated terminal device, and network device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN108174380A (fr) |
| WO (1) | WO2018103655A1 (fr) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
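| CN110912661A (zh) * | 2018-09-14 | 2020-03-24 | 华为技术有限公司 | Method and apparatus for receiving and sending capability information |
| CN112312389B (zh) * | 2019-07-29 | 2022-05-06 | 中国移动通信集团广东有限公司 | Communication information transmission method and apparatus, storage medium, and electronic device |
| CN113132334B (zh) * | 2019-12-31 | 2022-12-27 | 华为技术有限公司 | Method and apparatus for determining an authorization result |
| CN111479270B (zh) * | 2020-04-15 | 2021-10-12 | 青岛交互物联科技有限公司 | Method and apparatus for two-way authentication for network access |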
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090029677A1 (en) * | 2007-07-26 | 2009-01-29 | Sungkyunkwan University Foundation For Corporate Collaboration | Mobile authentication through strengthened mutual authentication and handover security |
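| CN104168568A (zh) * | 2014-08-28 | 2014-11-26 | 中国联合网络通信集团有限公司 | Mobile terminal and method for performing cell identity authentication thereof |
| CN106028331A (zh) * | 2016-07-11 | 2016-10-12 | 华为技术有限公司 | Method and device for identifying a pseudo base station |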
-
2016
- 2016-12-08 CN CN201611124220.0A patent/CN108174380A/zh not_active Withdrawn
-
2017
- 2017-12-06 WO PCT/CN2017/114765 patent/WO2018103655A1/fr not_active Ceased
Non-Patent Citations (1)
| Title |
|---|
| CHOUDHARY, ANILMIT: "Analysis of UMTS (3G) Authentication and Key Agreement Protocol (AKA) for LTE (4G) Network", INTERNATIONAL JOURNAL ON RECENT AND INNOVATION TRENDS IN COMPUTING AND COMMUNICATION, vol. 3, no. 4, 30 April 2015 (2015-04-30), pages 2146 - 2149, XP055606720, ISSN: 2321-8169 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108174380A (zh) | 2018-06-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11653199B2 (en) | Multi-RAT access stratum security | |
| EP3731490B1 (fr) | Authentication and key validation with perfect forward secrecy | |
| CA2716681C (fr) | Methods, apparatuses and computer program products for providing multi-hop cryptographic separation for handovers | |
| US11503469B2 (en) | User authentication method and apparatus | |
| WO2018171703A1 (fr) | Communication method and device | |
| CN108464027B (zh) | Supporting emergency services for unauthenticated users accessing the 3GPP evolved packet core via WLAN | |
| US10165546B2 (en) | Protection of privacy in paging of user equipment | |
| CN108293259B (zh) | NAS message processing and cell list update method and device | |
| US10582378B2 (en) | Message protection method, user equipment, and core network device | |
| US9161221B2 (en) | Method, apparatus and computer program for operating a user equipment | |
| KR101539242B1 (ko) | Method for preventing eavesdropping-type attacks in a hybrid communication system | |
| WO2018103655A1 (fr) | Method for accessing a network device, associated terminal device, and network device | |
| WO2023004683A1 (fr) | Communication method, apparatus and device | |
| US12113783B2 (en) | Wireless-network attack detection | |
| EP3360303B1 (fr) | Wireless communications | |
| EP3228108B1 (fr) | Method, computer program and network node for ensuring the security of service requests | |
| US20210250727A1 (en) | Notification information presentation method and apparatus | |
| Cao et al. | Security analysis of DoS attack against the LTE-A system | |
| CN118714521A (zh) | Message processing method and apparatus | |
| CN110933669A (zh) | Method for fast registration of cross-RAT users |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 17879165 Country of ref document: EP Kind code of ref document: A1 |
|
| NENP | Non-entry into the national phase |
Ref country code: DE |
|
| 122 | Ep: pct application non-entry in european phase |
Ref document number: 17879165 Country of ref document: EP Kind code of ref document: A1 |