WO2019192275A1 - Authentication method and network element - Google Patents
Authentication method and network element
- Publication number
- WO2019192275A1 (PCT application PCT/CN2019/076823)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network element
- authentication
- indication information
- seaf
- ausf
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Definitions
- The embodiments of the present application relate to the field of communications technologies, and in particular to an authentication method and a network element.
- The 3rd Generation Partnership Project (3GPP) proposes an authentication framework under the 5th-Generation Mobile Communication Technology (5G) architecture. The framework includes the user equipment that needs to access the network and the network elements listed below.
- 5G 5th-Generation Mobile Communication Technology
- UE User Equipment
- SEAF Security Anchor Function
- AUSF Authentication Server Function
- ARPF Authentication credential Repository and Processing Function
- The SEAF network element is responsible for authenticating the UE on behalf of the visited (serving) network and for holding the access key produced during the authentication process.
- The UE also generates the access key during the authentication process, and the UE accesses the services provided by the visited network under the protection of that same access key.
- The AUSF network element is responsible for performing home-network authentication of the UE, that is, for confirming whether the authentication performed in the visited network succeeded.
- The home key generated by the authentication process is stored locally by both the UE and the AUSF network element.
- The ARPF network element is responsible for storing the subscription information and for generating an authentication vector from it. During the authentication process the authentication vector is used by the UE to confirm the legitimacy of the network and by the network to confirm the legitimacy of the UE.
- In the related art, when the network side receives a fast authentication command, it allocates a fast authentication identifier to the UE during the current authentication process; the identifier instructs the UE to initiate a fast authentication request at the next authentication.
- In this method the UE can initiate a fast authentication request only after the network side has sent it the fast authentication identifier, and when fast authentication is then performed, the network side and the UE can only use the authentication method fixed by that identifier. The flexibility of fast authentication is therefore poor.
- the embodiment of the present application provides an authentication method and a network element, which can flexibly perform fast authentication.
- An embodiment of the present application provides an authentication method, including: a first network element receives a request from a security anchor function (SEAF) network element, the request carrying first indication information, where the first indication information is used to indicate that a second network element has the capability of performing fast authentication; and the first network element performs fast authentication with the second network element according to the first indication information.
- The embodiment of the present application further provides an authentication method, including: the UE sends a registration request carrying first indication information to the SEAF network element, or the UE receives a message carrying first indication information from the SEAF network element, where the first indication information is used to indicate that its sender has the capability of performing fast authentication; the UE receives a derived parameter from the SEAF network element and sends an authentication response to the SEAF network element, where the authentication response is generated based at least on the derived parameter and the stored home key.
- The embodiment of the present application further provides an AUSF network element, including: a first receiving module, configured to receive from the SEAF network element an authentication request carrying first indication information and a permanent user identifier, where the first indication information is used to indicate that the UE corresponding to the permanent user identifier has the capability of performing fast authentication; and a first processing module, configured to perform fast authentication with that UE (the second network element) according to the first indication information.
- The embodiment of the present application further provides a UE, including: a second processing module, configured to send a registration request carrying first indication information to the SEAF network element, or to receive a message carrying first indication information from the SEAF network element, where the first indication information is used to indicate that the UE is capable of performing fast authentication; and a second receiving module, configured to receive a derived parameter from the SEAF network element and to send an authentication response to the SEAF network element, where the authentication response is generated based at least on the derived parameter and the stored home key.
- FIG. 1 is a schematic flowchart of an authentication method according to an embodiment of the present application
- FIG. 2 is a schematic flowchart of another authentication method according to an embodiment of the present application.
- FIG. 3 is a schematic flowchart of still another authentication method according to an embodiment of the present application.
- FIG. 4 is a schematic flowchart of still another authentication method according to an embodiment of the present application.
- FIG. 5 is a schematic flowchart of still another authentication method according to an embodiment of the present application.
- FIG. 6 is a schematic structural diagram of a first network element according to an embodiment of the present disclosure.
- FIG. 7 is a schematic structural diagram of a UE according to an embodiment of the present disclosure.
- An embodiment of the present application provides an authentication method. As shown in FIG. 1, the method includes steps S101 and S102.
- Step S101: the first network element receives a request from the SEAF network element, the request carrying first indication information.
- The first indication information is used to indicate that the second network element has the capability of performing fast authentication.
- Step S102: the first network element performs fast authentication with the second network element according to the first indication information.
- In the related art, the authentication server allocates a fast authentication identifier to the UE so that the UE performs fast authentication at the next authentication.
- The mobile communication technologies before 5G differ from the 5G architecture in the following respect.
- Before 5G, the network element between the authentication server and the authenticated end is a pure pipeline: it only relays the information exchanged between the two.
- In 5G, the SEAF network element between the AUSF network element and the UE is not a pure pipeline. It holds the identifiers used to route information between the AUSF network element and the UE, so a fast authentication identifier allocated by the authentication server, as in the related art, cannot be used.
- Because the SEAF network element is required to route messages between the AUSF network element and the UE, the fast authentication method of the related art cannot be used in 5G, and there has been no feasible authentication method capable of implementing fast authentication in 5G.
- In the embodiment, the first network element determines from the obtained first indication information that the second network element has the capability of performing fast authentication and that fast authentication of the second network element is required.
- The first network element then performs fast authentication with the second network element directly according to the first indication information, which ensures the flexibility of fast authentication.
- The first network element is an authentication server function (AUSF) network element and the second network element is a user equipment (UE); or the first network element is a UE and the second network element is an AUSF network element.
- When the first network element is the UE and the second network element is the AUSF network element, the first network element performing fast authentication with the second network element according to the first indication information includes the following.
- The UE sends to the SEAF network element a registration request carrying second indication information, where the second indication information is used to instruct the AUSF network element to perform fast authentication.
- The UE receives, through the SEAF network element, the derived parameter sent by the AUSF network element; the derived parameter is generated by the AUSF network element.
- Because the UE has indicated its capability in advance, the SEAF network element can deliver the derived parameter to the UE directly for fast authentication, which ensures the timeliness and flexibility of fast authentication.
- When the first network element is the AUSF network element and the second network element is the UE, the first network element performing fast authentication with the second network element according to the first indication information includes: the AUSF network element sends a derived parameter to the UE through the SEAF network element, where the derived parameter is generated by the AUSF network element.
- The first indication information may further include information about the fast authentication method(s) that the first network element can use.
- The method may further include: the AUSF network element determines, according to the first indication information, the message in which the derived parameter is sent (that is, the message format of the selected authentication method).
- The method may further include: the AUSF network element sends a network hash and an expected hash to the SEAF network element. The network hash is generated based at least on the derived parameter and the home key stored in the AUSF network element. The expected hash is generated based on the derived parameter and an expected response, and the expected response is generated based at least on the derived parameter and the home key.
- For example, let the derived parameter be parameter A. The network hash is generated from parameter A, a parameter C and the home key. The expected hash (through the expected response) may be generated from parameter A and the home key, from parameter A, a parameter B and the home key, or from parameter A, a parameter D and the home key. Parameters B, C and D denote additional inputs other than the derived parameter.
- the method further includes: the AUSF network element sends the second indication information to the UE by using the SEAF network element, where the second indication information is used to indicate that the UE performs fast authentication.
- The embodiment of the present application further provides an authentication method. As shown in FIG. 2, the method includes steps S201 and S202.
- Step S201: the UE sends a registration request carrying first indication information to the SEAF network element; or, the UE receives a message carrying first indication information from the SEAF network element.
- The first indication information is used to indicate that its sender has the capability of performing fast authentication.
- Step S202: the UE receives the derived parameter from the SEAF network element and sends an authentication response to the SEAF network element.
- The authentication response is generated based at least on the derived parameter and the stored home key.
- Because the UE sends the SEAF network element a registration request carrying first indication information that indicates the UE has the capability of performing fast authentication, the AUSF network element learns of that capability through the SEAF network element. When the AUSF network element then needs to perform fast authentication on the UE, the SEAF network element can deliver the derived parameter to the UE directly for fast authentication, which ensures the timeliness and flexibility of fast authentication.
- The first indication information may further include information about the fast authentication method(s) that the sender of the first indication information can use.
- Before the authentication response is sent to the SEAF network element, the method may further include: the UE receives second indication information from the SEAF network element, where the second indication information is used to instruct the UE to perform fast authentication.
- The method may further include: the UE receives a network hash from the SEAF network element.
- The UE generates an expected network hash based at least on the derived parameter and the stored home key.
- In response to determining that the expected network hash is the same as the received network hash, the UE sends the authentication response; if the two differ, the verification fails.
- The embodiment of the present application further provides an authentication method, which performs fast authentication according to Extensible Authentication Protocol - Authentication and Key Agreement Prime (EAP-AKA'), as shown in FIG. 3.
- The method includes steps 301 to 310.
- Step 301: the UE registers with the network.
- The SEAF network element notifies the AUSF network element to perform the authentication process.
- The AUSF network element requests an authentication vector from the ARPF network element; the ARPF network element selects the authentication method and notifies the AUSF network element of the authentication vector and the authentication method.
- The AUSF network element authenticates the UE through the SEAF network element using that authentication method and authentication vector.
- If the SEAF network element has previously taken part in authenticating the UE, the permanent identifier of the UE is already saved in the SEAF network element. If the UE has not been authenticated by this SEAF network element before, the ARPF network element also notifies the AUSF network element of the permanent identifier of the UE, and the AUSF network element sends it to the SEAF network element.
- After the authentication is complete, the SEAF network element allocates a temporary identifier to the UE and sends it to the UE.
- During the authentication process, the AUSF network element and the UE each derive the home key by the same method and store it. The AUSF network element generates an access key and sends it to the SEAF network element to protect the communication between the UE and the network; the UE generates the same access key by the same method.
- Step 302: the UE initiates a registration request to the network, for example by sending a Register Request message that carries the temporary user identifier allocated by the network and indication information, where the indication information indicates that the UE has the capability of performing fast authentication.
- The indication information may include the authentication method(s) that the UE can use, such as at least one of EAP-AKA' and 5G AKA.
- Step 303: the SEAF network element receives the registration request and sends an authentication request message, such as a 5G Authentication Initiation Request (5G-AIR) message, to the AUSF network element.
- The SEAF network element looks up the matching permanent user identifier using the temporary user identifier, and carries the permanent user identifier and the indication information in the authentication request.
- Step 304: the AUSF network element determines that the authentication request contains the indication information, and may select an authentication method according to the authentication method used when the UE was previously authenticated, or according to the authentication method information included in the indication information. For example, if the AUSF network element previously authenticated the UE with EAP-AKA', either EAP-AKA' or 5G AKA may be selected; if it previously authenticated the UE with 5G AKA, 5G AKA may be selected.
- Here the AUSF network element chooses EAP-AKA', so it sends an AKA re-authentication request, such as an EAP-Request/AKA-Reauthentication message, to the SEAF network element.
- EAP-Request/AKA-Reauthentication: Extensible Authentication Protocol Request / Authentication and Key Agreement Reauthentication message
- The EAP-Request/AKA-Reauthentication message carries the derived parameters (such as a number used once (NONCE) and a counter (COUNTER)), which are generated by the AUSF network element. The message also carries a message authentication code 1 (MAC1), generated from the security key established during the last authentication process and the content of the message, for example using the hash-based message authentication code with SHA-256 (HMAC-SHA-256) algorithm. The security key here is the integrity protection key, which is derived from the home key or the access key.
- HMAC-SHA-256: hash-based message authentication code using the Secure Hash Algorithm 256
- Step 305: the SEAF network element forwards the Authentication and Key Agreement (AKA) re-authentication request to the UE.
- AKA: Authentication and Key Agreement
- Step 306: the UE derives a new home key based on the key derivation parameters and the stored home key, and then sends an AKA re-authentication response to the SEAF network element, where the AKA re-authentication response carries a message authentication code 2 (MAC2).
- MAC2 is generated from the security key established during the last authentication process and the content of the AKA re-authentication response message, for example using the HMAC-SHA-256 algorithm, where the security key is derived from the home key or the access key.
- Step 307: the SEAF network element forwards the AKA re-authentication response to the AUSF network element, and the AUSF network element checks MAC2.
- Step 308: in response to determining that the MAC2 check succeeds, the AUSF network element determines that authentication between the UE and the AUSF network element has succeeded, generates a new home key from the stored home key and the derived parameters, for example using the HMAC-SHA-256 algorithm, and derives a new access key from the new home key.
- Step 309: the AUSF network element sends an authentication success message, such as an EAP-Success message, to the SEAF network element; the message carries the new access key.
- EAP-Success: Extensible Authentication Protocol Success message
- Step 310: the SEAF network element saves the new access key and sends a registration success message, such as a Register Accept message, to the UE.
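The following is an added example, not code from the patent or from any 3GPP implementation: a self-contained Python model of the EAP-AKA' style fast re-authentication of FIG. 3 (steps 304 to 310), with the SEAF left out because it only forwards between the AUSF and the UE. The page names HMAC-SHA-256 but not the exact derivation inputs, so these are this example's assumptions: the integrity (security) key is HMAC-SHA-256(home_key, "integrity"), the new home key is HMAC-SHA-256(home_key, NONCE || COUNTER), and the new access key is HMAC-SHA-256(new_home_key, "access"). The UE also verifies MAC1 and rejects a stale COUNTER, which the page implies by carrying MAC1 and COUNTER but only states explicitly for the AUSF's MAC2 check.

```python
import hashlib
import hmac
import os
import struct


def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 based derivation; the labels used below are this example's choice."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def mac_input(msg: dict) -> bytes:
    """Canonical byte encoding of every field except the MAC itself."""
    return b"".join(k.encode() + b"=" + v + b";" for k, v in sorted(msg.items()) if k != "mac")


class Ausf:
    def __init__(self, home_key: bytes):
        self.home_key = home_key      # stored from the last full authentication
        self.counter = 0              # last COUNTER issued to this UE
        self.pending = None           # request still awaiting its response
        self.access_key = None

    def reauth_request(self) -> dict:
        """Step 304: EAP-Request/AKA-Reauthentication carrying NONCE, COUNTER and MAC1."""
        self.counter += 1
        msg = {"type": b"AKA-Reauthentication",
               "nonce": os.urandom(16),
               "counter": struct.pack(">H", self.counter)}
        k_int = kdf(self.home_key, b"integrity")   # security key from the last authentication
        msg["mac"] = kdf(k_int, mac_input(msg))     # MAC1
        self.pending = msg
        return msg

    def reauth_response(self, resp: dict) -> bool:
        """Steps 307 to 309: check MAC2, then derive the new home key and access key."""
        k_int = kdf(self.home_key, b"integrity")
        if not hmac.compare_digest(kdf(k_int, mac_input(resp)), resp["mac"]):
            return False                            # MAC2 check failed: no re-keying
        if resp["counter"] != self.pending["counter"]:
            return False                            # response does not match the outstanding request
        self.home_key = kdf(self.home_key, self.pending["nonce"], self.pending["counter"])
        self.access_key = kdf(self.home_key, b"access")   # carried to the SEAF in EAP-Success
        return True


class Ue:
    def __init__(self, home_key: bytes):
        self.home_key = home_key
        self.last_counter = 0
        self.access_key = None

    def handle_request(self, req: dict):
        """Step 306: verify MAC1 and freshness, derive the new keys, answer with MAC2."""
        k_int = kdf(self.home_key, b"integrity")
        if not hmac.compare_digest(kdf(k_int, mac_input(req)), req["mac"]):
            return None                             # MAC1 check failed
        counter = struct.unpack(">H", req["counter"])[0]
        if counter <= self.last_counter:
            return None                             # replayed or stale COUNTER
        self.last_counter = counter
        new_home_key = kdf(self.home_key, req["nonce"], req["counter"])
        resp = {"type": b"AKA-Reauthentication-Response", "counter": req["counter"]}
        resp["mac"] = kdf(k_int, mac_input(resp))   # MAC2, still under the old security key
        self.home_key = new_home_key
        self.access_key = kdf(new_home_key, b"access")
        return resp


def run_fast_reauth(home_key: bytes):
    """Honest run; returns (authenticated, access keys agree, home keys agree)."""
    ausf, ue = Ausf(home_key), Ue(home_key)
    req = ausf.reauth_request()       # AUSF -> SEAF -> UE (steps 304, 305)
    resp = ue.handle_request(req)     # UE -> SEAF -> AUSF (steps 306, 307)
    ok = resp is not None and ausf.reauth_response(resp)
    return ok, ausf.access_key == ue.access_key, ausf.home_key == ue.home_key


def run_tampered_nonce(home_key: bytes) -> bool:
    """An on-path attacker rewrites the NONCE in transit; MAC1 no longer verifies."""
    ausf, ue = Ausf(home_key), Ue(home_key)
    req = ausf.reauth_request()
    req["nonce"] = bytes(16)
    return ue.handle_request(req) is None


def run_replay(home_key: bytes) -> bool:
    """The same request delivered twice; the UE must reject the second copy."""
    ausf, ue = Ausf(home_key), Ue(home_key)
    req = ausf.reauth_request()
    first = ue.handle_request(req)
    return first is not None and ue.handle_request(req) is None


if __name__ == "__main__":
    key = b"\x11" * 32   # constructed sample home key
    print(run_fast_reauth(key), run_tampered_nonce(key), run_replay(key))
```

Two points the model makes visible that the step list does not: both MACs are computed under the key from the previous authentication, so a party that has lost the old home key cannot be re-authenticated fast and must fall back to a full run; and the UE rotates its home key as soon as it answers, so a lost or rejected MAC2 leaves the two sides with different home keys until the next full authentication.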
- The embodiment of the present application further provides an authentication method, which performs fast authentication according to 5G Authentication and Key Agreement (5G AKA), as shown in FIG. 4.
- The method includes steps 401 to 411.
- Step 401: the UE registers with the network.
- The SEAF network element notifies the AUSF network element to perform the authentication process.
- The AUSF network element requests an authentication vector from the ARPF network element; the ARPF network element selects the authentication method and notifies the AUSF network element of the authentication vector and the authentication method.
- The AUSF network element authenticates the UE through the SEAF network element using that authentication method and authentication vector.
- If the SEAF network element has previously taken part in authenticating the UE, the permanent identifier of the UE is already saved in the SEAF network element. If the UE has not been authenticated by this SEAF network element before, the ARPF network element notifies the AUSF network element of the permanent identifier of the UE, and the AUSF network element sends it to the SEAF network element. After the authentication is complete, the SEAF network element allocates a temporary identifier to the UE and sends it to the UE.
- During the authentication process, the AUSF network element and the UE each derive the home key by the same method and store it. The AUSF network element generates an access key and sends it to the SEAF network element to protect the communication between the UE and the network; the UE generates the same access key by the same method.
- Step 402: after a period of time, the UE initiates a registration request to the network again, for example by sending a Register Request message that carries the temporary user identifier allocated by the network and indication information 1, where indication information 1 indicates that the UE has the capability of performing fast authentication.
- Indication information 1 may include the authentication method(s) that the UE can use, such as at least one of EAP-AKA' and 5G AKA.
- Step 403: the SEAF network element receives the registration request and sends an authentication request message, such as a 5G-AIR message, to the AUSF network element.
- The SEAF network element looks up the matching permanent user identifier using the temporary user identifier, and carries the permanent user identifier and indication information 1 in the authentication request.
- Step 404: the AUSF network element determines that the authentication request contains indication information 1, and may select an authentication method according to the authentication method used when the UE was previously authenticated, or according to the authentication method information included in indication information 1. For example, if the AUSF network element previously authenticated the UE with EAP-AKA', either EAP-AKA' or 5G AKA may be selected; if it previously authenticated the UE with 5G AKA, 5G AKA may be selected.
- Here the AUSF network element chooses 5G AKA. It therefore generates a derived parameter (such as a NONCE); generates a network hash from the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm); generates an expected response from the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm); generates an expected hash from the derived parameter and the expected response (for example using the Secure Hash Algorithm 256 (SHA-256) algorithm); generates a new home key from the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm); and generates a new access key from the new home key.
- Step 405: the AUSF network element sends an authentication response, such as a 5G Authentication Initiation Answer (5G-AIA) message, to the SEAF network element. The 5G-AIA message carries an authentication vector that includes the derived parameter, the network hash, the expected hash and the new access key.
- The 5G-AIA message also carries indication information 2, which is used to instruct the UE to use fast authentication.
- Step 406: the SEAF network element sends a user authentication request, such as a User Authentication Request message, to the UE; the message carries the derived parameter and the network hash from the authentication vector, and further carries indication information 2.
- Step 407: the UE receives the user authentication request carrying indication information 2 and therefore uses fast authentication.
- The UE checks the network hash: it generates an expected network hash from the derived parameter and the stored home key and compares it with the received network hash. If the two are the same, the verification succeeds; if they differ, the verification fails.
- After the verification succeeds, the UE generates an authentication response (RES) from the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), generates a new home key from the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), generates a new access key from the new home key, and then sends a user authentication response, such as a User Authentication Response message, carrying the authentication response RES to the SEAF network element.
- RES: authentication response
- Step 408: the SEAF network element checks the expected hash against the authentication response RES: it generates a check hash from the derived parameter and RES (for example using the SHA-256 algorithm) and compares it with the expected hash. If the two are the same, the verification succeeds; if they differ, the verification fails.
- Step 409: after the SEAF network element has successfully checked the expected hash, it sends an authentication confirmation, such as a 5G Authentication Confirmation (5G-AC) message, carrying the authentication response RES to the AUSF network element.
- 5G-AC: 5G Authentication Confirmation
- Step 410: the AUSF network element verifies the authentication response, for example by comparing the expected response with the authentication response. If the two are the same, the verification succeeds; if they differ, the verification fails.
- The AUSF network element then sends an authentication success message, such as a 5G Authentication Confirmation Answer (5G-ACA) message, to the SEAF network element.
- 5G-ACA: 5G Authentication Confirmation Answer
- Step 411: the SEAF network element saves the new access key and sends a registration success message, such as a Register Accept message, to the UE.
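The following is an added example, not code from the patent or from 3GPP: a Python model of the 5G AKA style fast authentication of FIG. 4 with the AUSF, SEAF and UE as separate objects, so that the two checks (the SEAF's expected-hash check and the AUSF's expected-response check) and the method selection of step 404 are visible. It also covers the FIG. 5 variant below, which differs only in that the capability indication originates at the AUSF. The page names the algorithms but not their exact inputs, so the constructions are assumptions of this example: network hash = HMAC-SHA-256(home_key, "net" || NONCE), expected response = HMAC-SHA-256(home_key, "res" || NONCE), expected hash = SHA-256(NONCE || expected response), new home key = HMAC-SHA-256(home_key, "home" || NONCE), new access key = HMAC-SHA-256(new_home_key, "access"). Identifiers such as "supi-1" and "5g-guti-1" are constructed sample values.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes = b"") -> bytes:
    """HMAC-SHA-256 derivation; the labels are this example's choice, not the patent's."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


def select_method(previous: str, offered: set):
    """Step 404 rule: after EAP-AKA' either method may follow, after 5G AKA only 5G AKA."""
    allowed = {"EAP-AKA'": {"EAP-AKA'", "5G AKA"}, "5G AKA": {"5G AKA"}}[previous]
    for method in ("5G AKA", "EAP-AKA'"):      # prefer 5G AKA when both are possible
        if method in allowed and method in offered:
            return method
    return None


class Ausf:
    def __init__(self, home_keys: dict, previous_method: str):
        self.home_keys = home_keys              # permanent identifier -> stored home key
        self.previous = previous_method         # method used at the last full authentication
        self.pending = {}                       # permanent identifier -> (expected response, new home key)

    def authenticate(self, supi: str, indication1: set) -> dict:
        """Steps 404 and 405: build the fast-authentication vector carried in the 5G-AIA."""
        if select_method(self.previous, indication1) != "5G AKA":
            raise ValueError("this example models only the 5G AKA branch")
        hk = self.home_keys[supi]
        nonce = os.urandom(16)                                  # derived parameter
        net_hash = prf(hk, b"net", nonce)                       # lets the UE authenticate the network
        xres = prf(hk, b"res", nonce)                           # expected response, kept at the AUSF
        hxres = hashlib.sha256(nonce + xres).digest()           # expected hash, checkable without hk
        new_home = prf(hk, b"home", nonce)
        self.pending[supi] = (xres, new_home)
        return {"nonce": nonce, "net_hash": net_hash, "hxres": hxres,
                "access_key": prf(new_home, b"access"), "indication2": True}

    def confirm(self, supi: str, res: bytes) -> bool:
        """Step 410: final RES check; the home key is rotated only on success."""
        xres, new_home = self.pending.pop(supi)
        if not hmac.compare_digest(xres, res):
            return False
        self.home_keys[supi] = new_home
        return True


class Ue:
    def __init__(self, home_key: bytes):
        self.home_key = home_key
        self.access_key = None

    def user_auth_request(self, nonce: bytes, net_hash: bytes, indication2: bool):
        """Step 407: authenticate the network first, then answer and rotate keys."""
        if not indication2:
            return None                                         # not a fast-authentication challenge
        if not hmac.compare_digest(prf(self.home_key, b"net", nonce), net_hash):
            return None                                         # network hash check failed: no RES
        res = prf(self.home_key, b"res", nonce)
        new_home = prf(self.home_key, b"home", nonce)
        self.home_key, self.access_key = new_home, prf(new_home, b"access")
        return res


class Seaf:
    def __init__(self, ausf: Ausf, temp_to_supi: dict):
        self.ausf = ausf
        self.temp_to_supi = temp_to_supi        # temporary identifier -> permanent identifier
        self.access_keys = {}

    def register(self, temp_id: str, indication1: set, ue: Ue) -> bool:
        """Steps 402 to 411 from the SEAF's point of view."""
        supi = self.temp_to_supi[temp_id]
        av = self.ausf.authenticate(supi, indication1)                      # 5G-AIR / 5G-AIA
        res = ue.user_auth_request(av["nonce"], av["net_hash"], av["indication2"])
        if res is None:
            return False
        if not hmac.compare_digest(hashlib.sha256(av["nonce"] + res).digest(), av["hxres"]):
            return False                        # step 408: wrong RES is dropped here, never sent home
        if not self.ausf.confirm(supi, res):    # 5G-AC / 5G-ACA
            return False
        self.access_keys[supi] = av["access_key"]                           # step 411
        return True


def demo(ue_home_key: bytes, network_home_key: bytes, previous: str = "EAP-AKA'"):
    """Returns (registration accepted, access keys agree, home keys agree)."""
    ausf = Ausf({"supi-1": network_home_key}, previous)
    seaf = Seaf(ausf, {"5g-guti-1": "supi-1"})
    ue = Ue(ue_home_key)
    ok = seaf.register("5g-guti-1", {"EAP-AKA'", "5G AKA"}, ue)
    return ok, seaf.access_keys.get("supi-1") == ue.access_key, ausf.home_keys["supi-1"] == ue.home_key


if __name__ == "__main__":
    k = b"\x42" * 32   # constructed sample home key shared by UE and home network
    print(demo(k, k), demo(b"\x43" * 32, k))
```

The split between the two checks is the security-relevant design point: the SEAF receives only the expected hash, so it can reject a bad RES early without ever holding the home key or the expected response, while the AUSF keeps the authoritative decision and rotates the stored home key only after its own comparison succeeds. The second demo run, where the UE holds a different home key, fails at the UE's network hash check before any RES is produced.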
- The embodiment of the present application further provides an authentication method, which performs fast authentication according to 5G AKA. As shown in FIG. 5, the method includes steps 501 to 513.
- Step 501: the UE registers with the network.
- The SEAF network element notifies the AUSF network element to perform the authentication process.
- The AUSF network element requests an authentication vector from the ARPF network element; the ARPF network element selects the authentication method and notifies the AUSF network element of the authentication vector and the authentication method.
- The AUSF network element authenticates the UE through the SEAF network element using that authentication method and authentication vector.
- If the SEAF network element has previously taken part in authenticating the UE, the permanent identifier of the UE is already saved in the SEAF network element. If the UE has not been authenticated by this SEAF network element before, the ARPF network element notifies the AUSF network element of the permanent identifier of the UE, and the AUSF network element sends it to the SEAF network element. After the authentication is complete, the SEAF network element allocates a temporary identifier to the UE and sends it to the UE.
- During the authentication process, the AUSF network element and the UE each derive the home key by the same method and store it. The AUSF network element generates an access key and sends it to the SEAF network element to protect the communication between the UE and the network; the UE generates the same access key by the same method.
- Step 502: the AUSF network element may select an authentication method that can be used for fast authentication according to the authentication method used when the UE was previously authenticated. For example, if the AUSF network element previously authenticated the UE with EAP-AKA', either EAP-AKA' or 5G AKA may be selected; if it previously authenticated the UE with 5G AKA, 5G AKA may be selected.
- The AUSF network element sends a message, such as an Insert Subscriber Data message, carrying indication information 1 to the SEAF network element.
- Indication information 1 indicates that the AUSF network element has the capability of performing fast authentication, and may include the authentication method(s) that the AUSF network element can use, such as at least one of EAP-AKA' and 5G AKA.
- Step 503: the SEAF network element forwards indication information 1 to the UE.
- Steps 502 and 503 may be initiated by the AUSF network element after step 501 is complete, or may be sent by the AUSF network element when triggered at some point during step 501.
- Step 504: after a period of time, the UE initiates a registration request to the network again, for example by sending a Register Request message that carries the temporary user identifier allocated by the network and indication information 2, where indication information 2 instructs the AUSF network element to use fast authentication.
- Step 505: the SEAF network element receives the registration request and sends an authentication request message, such as a 5G-AIR message, to the AUSF network element.
- The SEAF network element looks up the matching permanent user identifier using the temporary user identifier, and carries the permanent user identifier and indication information 2 in the authentication request.
- Step 506: the AUSF network element determines that the authentication request contains indication information 2, and selects the authentication method according to indication information 1 that it previously sent to the UE.
- Step 507: the AUSF network element selects 5G AKA. It therefore generates a derived parameter, such as a NONCE; generates a network hash from the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm); generates an expected response from the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm); generates an expected hash from the derived parameter and the expected response (for example using the Secure Hash Algorithm 256 (SHA-256) algorithm); generates a new home key from the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm); and generates a new access key from the new home key.
- Step 508: the AUSF network element sends an authentication response, such as a 5G-AIA message, to the SEAF network element; the message carries an authentication vector that includes the derived parameter, the network hash, the expected hash and the new access key.
- Step 509: the SEAF network element sends a user authentication request, such as a User Authentication Request message, to the UE; the message carries the derived parameter and the network hash from the authentication vector.
- the UE uses fast authentication and checks the network hash: for example, it generates an expected network hash from the derived parameter and the stored home key and compares it with the received network hash; if the two are the same, the verification succeeds, and if they differ, the verification fails.
- after the verification succeeds, the UE generates an authentication response RES from the derived parameter and the stored home key (for example, using the HMAC-SHA-256 algorithm), generates a new home key from the derived parameter and the stored home key (for example, using the HMAC-SHA-256 algorithm), generates a new access key from the new home key, and then sends a user authentication response to the SEAF network element, such as a User Authentication Response message carrying the authentication response RES.
- the SEAF network element checks the expected hash using the authentication response RES: for example, it generates a check hash from the derived parameter and the authentication response RES (such as using the SHA-256 algorithm) and compares the check hash with the expected hash; if the two are the same, the verification succeeds, and if they differ, the verification fails.
- step 511: after the SEAF network element's check of the expected hash succeeds, it sends an authentication confirmation to the AUSF network element, for example a 5G-AC message carrying the authentication response RES.
- the AUSF network element checks the authentication response, for example by comparing the expected response with the authentication response; if the two are the same, the verification succeeds, and if they differ, the verification fails.
- the AUSF network element sends an authentication success message to the SEAF network element, for example, sending a 5G-ACA message.
- the SEAF network element saves the new access key and sends a registration success message to the UE, such as sending a Register Accept message.
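The exchange described in the steps above (temporary identifier lookup at the SEAF, derived parameter and hashes at the AUSF, network-hash check and RES at the UE, expected-hash check at the SEAF, RES check at the AUSF), as an added example that is not part of the patent and not code from any 3GPP implementation: a Python simulation of all three parties. The class names `Ausf`, `Seaf` and `Ue`, the identifiers `tmp-A` and `supi-1`, the message layout and the derivation labels `net`, `res`, `home` and `access` are assumptions made for this example; the algorithm choices (HMAC-SHA-256 for the network hash, the expected response and the new home key, SHA-256 over the derived parameter and RES for the expected hash) follow the text. It also runs the two failure cases the text describes: a UE holding a different home key rejecting the network hash, and the SEAF rejecting a corrupted RES before involving the AUSF.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def hmac256(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over the concatenated parts, the MAC named in the text."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


# Authentication vector returned by the AUSF (constructed layout for this example):
# (derived parameter, network hash, expected hash, new access key)
AuthVector = Tuple[bytes, bytes, bytes, bytes]


class Ausf:
    """Home network side: one home key per permanent user identifier (SUPI)."""
    def __init__(self, home_keys: Dict[str, bytes]):
        self.home_keys = dict(home_keys)
        self.pending: Dict[str, Tuple[bytes, bytes]] = {}  # SUPI -> (XRES, new home key)

    def authenticate(self, supi: str, indication2: bool) -> AuthVector:
        # Indication information 2 present: fast authentication (5G AKA) is selected.
        if not indication2:
            raise ValueError("indication information 2 absent: full authentication needed")
        k_home = self.home_keys[supi]
        nonce = os.urandom(16)                                 # derived parameter
        network_hash = hmac256(k_home, b"net", nonce)          # network hash
        xres = hmac256(k_home, b"res", nonce)                  # expected response
        expected_hash = hashlib.sha256(nonce + xres).digest()  # SHA-256(nonce || XRES)
        new_home = hmac256(k_home, b"home", nonce)             # new home key
        self.pending[supi] = (xres, new_home)
        return nonce, network_hash, expected_hash, hmac256(new_home, b"access")

    def confirm(self, supi: str, res: bytes) -> bool:
        # Authentication confirmation: compare RES with the stored expected response.
        xres, new_home = self.pending.pop(supi)
        if not hmac.compare_digest(res, xres):
            return False
        self.home_keys[supi] = new_home  # roll the home key only on success
        return True


class Ue:
    """User equipment: shares the home key with the AUSF."""
    def __init__(self, home_key: bytes):
        self.home_key = home_key
        self.access_key: Optional[bytes] = None

    def respond(self, nonce: bytes, network_hash: bytes) -> Optional[bytes]:
        # Check the network hash before answering: a mismatch means a wrong key or a forged challenge.
        if not hmac.compare_digest(network_hash, hmac256(self.home_key, b"net", nonce)):
            return None
        res = hmac256(self.home_key, b"res", nonce)              # authentication response RES
        self.home_key = hmac256(self.home_key, b"home", nonce)   # new home key
        self.access_key = hmac256(self.home_key, b"access")      # new access key
        return res


class TamperingUe(Ue):
    """Constructed failure case: RES is corrupted on its way to the SEAF."""
    def respond(self, nonce: bytes, network_hash: bytes) -> Optional[bytes]:
        res = super().respond(nonce, network_hash)
        return None if res is None else bytes([res[0] ^ 0xFF]) + res[1:]


class Seaf:
    """Visited network side: maps temporary to permanent identifiers and relays messages."""
    def __init__(self, ausf: Ausf, temp_ids: Dict[str, str]):
        self.ausf, self.temp_ids = ausf, dict(temp_ids)
        self.access_keys: Dict[str, bytes] = {}

    def register(self, ue: Ue, temp_id: str, indication2: bool) -> bool:
        supi = self.temp_ids[temp_id]                          # temporary -> permanent identifier
        nonce, network_hash, expected_hash, access_key = self.ausf.authenticate(supi, indication2)
        res = ue.respond(nonce, network_hash)                  # user authentication request/response
        if res is None:
            return False
        if not hmac.compare_digest(hashlib.sha256(nonce + res).digest(), expected_hash):
            return False                                       # rejected without involving the AUSF
        if not self.ausf.confirm(supi, res):
            return False
        self.access_keys[supi] = access_key                    # saved on registration success
        return True


def run_demo() -> Dict[str, bool]:
    k = bytes(range(32))  # constructed home key shared by UE and AUSF
    ausf = Ausf({"supi-1": k})
    seaf = Seaf(ausf, {"tmp-A": "supi-1"})
    ue = Ue(k)
    first_ok = seaf.register(ue, "tmp-A", indication2=True)
    keys_match = first_ok and ue.access_key == seaf.access_keys["supi-1"]
    second_ok = seaf.register(ue, "tmp-A", indication2=True)   # both sides rolled the home key
    rejected_by_ue = not seaf.register(Ue(bytes(32)), "tmp-A", indication2=True)
    rejected_by_seaf = not seaf.register(TamperingUe(ue.home_key), "tmp-A", indication2=True)
    return {"first_ok": first_ok, "keys_match": keys_match, "second_ok": second_ok,
            "rejected_by_ue": rejected_by_ue, "rejected_by_seaf": rejected_by_seaf}
```

Two points the simulation makes concrete: because the expected hash is built from RES, the SEAF can reject a wrong response locally without a round trip to the home network, and because the AUSF only rolls its home key after RES matches, the AUSF and a genuine UE stay in step across consecutive fast authentications. One caveat on the example: the UE rolls its home key as soon as it answers, in the order the text gives, so a RES that is later rejected leaves the two sides holding different keys; the text describes no resynchronization path, and the example does not add one.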
- the embodiment of the present application further provides a computer readable storage medium, where computer executable instructions are stored, and the computer executable instructions are set to execute any one of the foregoing authentication methods.
- the embodiment of the present application provides a first network element.
- the first network element 6 includes a first receiving module 601 and a first processing module 602.
- the first receiving module 601 is configured to receive an authentication request from the SEAF network element carrying the first indication information and the permanent user identifier, where the first indication information is used to identify that the UE corresponding to the permanent user identifier has the capability of performing fast authentication.
- the first processing module 602 is configured to perform fast authentication with the second network element according to the first indication information.
- the first network element is an AUSF network element and the second network element is a UE; or the first network element is a UE and the second network element is an AUSF network element.
- the first processing module 602 is configured to: send the registration request carrying the second indication information to the SEAF network element, where the second indication information is used to indicate that the AUSF network element performs fast authentication, and receive the derived parameter sent by the AUSF network element through the SEAF network element.
- the derived parameter is generated by the AUSF network element.
- the first processing module 602 is configured to: send the derived parameter to the UE through the SEAF network element; wherein the derived parameter is generated by the AUSF network element.
- the first indication information further includes: information about a fast authentication method that the first network element can use.
- the first processing module 602 is further configured to determine, according to the first indication information, a message that sends the derived parameter.
- the first processing module 602 is further configured to send a network hash and an expected hash to the SEAF network element; wherein the network hash is generated based at least on the derived parameter and the home key stored in the AUSF network element; the expected hash is generated based at least on the derived parameter and the expected response; and the expected response is generated based at least on the derived parameter and the home key.
- the first processing module 602 is further configured to send the second indication information to the UE by using the SEAF network element, where the second indication information is used to indicate that the UE performs fast authentication.
- the first network element provided by the embodiment of the present application determines, according to the obtained first indication information, that the second network element has the capability of performing fast authentication; when the first network element needs to perform fast authentication on the second network element, it directly performs fast authentication with the second network element according to the first indication information, thereby ensuring the flexibility of fast authentication.
- the first receiving module 601 and the first processing module 602 can be implemented by a central processing unit (CPU), a microprocessor (Micro Processor Unit, MPU), a digital signal processor (DSP) or a field programmable gate array (FPGA) located in the first network element.
- CPU central processing unit
- MPU Micro Processor Unit
- DSP Digital Signal Processor
- FPGA Field Programmable Gate Array
- the embodiment of the present application further provides a UE.
- the UE 7 includes a second processing module 701, a second receiving module 702, and a sending module 703.
- the second processing module 701 is configured to send a registration request carrying the first indication information to the SEAF network element, or to receive a message that is sent by the SEAF network element and carries the first indication information, where the first indication information is used to indicate that the UE has the capability to perform fast authentication.
- the second receiving module 702 is configured to receive the derived parameter from the SEAF network element, and send an authentication response to the SEAF network element; wherein the authentication response is generated based on at least the derived parameter and the stored home key.
- the first indication information further includes: information of a fast authentication method that the sender of the first indication information can use.
- the second receiving module 702 is further configured to receive second indication information from the SEAF network element, where the second indication information is used to indicate that the UE performs fast authentication.
- the second receiving module 702 is further configured to receive a network hash from the SEAF network element.
- the second processing module 701 is configured to generate a desired network hash based on at least the derived parameters and the stored home key.
- the sending module 703 is configured to send an authentication response in response to determining that the desired network hash is the same as the received network hash.
- the UE provided by the embodiment of the present application sends first indication information to the AUSF network element indicating that the UE has the capability to perform fast authentication, so that the AUSF network element can directly send the derived parameter to the UE through the SEAF network element for fast authentication, thereby ensuring the timeliness and flexibility of the fast authentication.
- the second processing module 701, the second receiving module 702, and the sending module 703 can all be implemented by a CPU, an MPU, a DSP, an FPGA, or the like located in the UE.
- the embodiment of the present application further provides a first network element, including a first memory and a first processor, where the first memory stores the following instructions executable by the first processor: receiving an authentication request from the SEAF network element that carries first indication information, where the first indication information is used to indicate that the second network element has the capability of performing fast authentication.
- the first network element is an authentication service function AUSF network element
- the second network element is a user terminal UE; or the first network element is a UE, and the second network element is an AUSF network element.
- the first memory stores the following instructions executable by the first processor:
- the derived parameter is sent to the UE through the SEAF network element; wherein the derived parameter is generated by the AUSF network element.
- the first indication information further includes: information about a fast authentication method that the first network element can use.
- the first memory further stores an instruction executable by the first processor to determine a message to send the derived parameter according to the first indication information.
- the first memory further stores an instruction executable by the first processor to: send a network hash and an expected hash to the SEAF network element; wherein the network hash is generated based at least on the derived parameter and the home key stored in the AUSF network element; the expected hash is generated based at least on the derived parameter and the expected response; and the expected response is generated based at least on the derived parameter and the home key.
- the first memory further stores an instruction that is executable by the first processor: sending the second indication information to the UE by using the SEAF network element, where the second indication information is used to indicate that the UE performs fast authentication.
- the embodiment of the present application further provides a UE, including a second memory and a second processor, where the second memory stores the following instructions executable by the second processor: sending the first indication information to the SEAF network element, or receiving a message that is sent by the SEAF network element and carries the first indication information.
- the first indication information is used to indicate that the sender has the capability to perform fast authentication.
- a derived parameter from the SEAF network element is received, and an authentication response is sent to the SEAF network element; wherein the authentication response is generated based at least on the derived parameter and the stored home key.
- the first indication information further includes: information of a fast authentication method that the sender of the first indication information can use.
- the second memory further stores the following instructions executable by the second processor: receiving second indication information from the SEAF network element, where the second indication information is used to indicate that the UE performs fast authentication.
- the second memory further stores an instruction executable by the second processor to receive a network hash from the SEAF network element.
- a desired network hash is generated based at least on the derived parameters and the stored home key.
- An authentication response is sent in response to determining that the desired network hash is the same as the received network hash.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
Authentication method and network element. According to the authentication method: a first network element receives a request that comes from a SEAF network element and contains first indication information, the first indication information serving to indicate that a second network element can perform fast authentication; and, in accordance with the first indication information, the first network element performs fast authentication with the second network element.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810301013.0 | 2018-04-04 | ||
| CN201810301013.0A CN110366178A (zh) | 2018-04-04 | 2018-04-04 | An authentication method and network element |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2019192275A1 true WO2019192275A1 (fr) | 2019-10-10 |
Family
ID=68099771
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2019/076823 Ceased WO2019192275A1 (fr) | 2018-04-04 | 2019-03-04 | Authentication method and network element |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN110366178A (fr) |
| WO (1) | WO2019192275A1 (fr) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112788598A (zh) * | 2019-11-01 | 2021-05-11 | Huawei Technologies Co., Ltd. | Method and apparatus for protecting parameters in an authentication procedure |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110830985B (zh) * | 2019-11-11 | 2022-04-29 | Chongqing University of Posts and Telecommunications | A 5G lightweight terminal access authentication method based on a trust mechanism |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107566115A (zh) * | 2016-07-01 | 2018-01-09 | Huawei Technologies Co., Ltd. | Key configuration and security policy determination method and apparatus |
| WO2018053271A1 (fr) * | 2016-09-16 | 2018-03-22 | Idac Holdings, Inc. | Unified authentication framework |
| US20180084427A1 (en) * | 2016-09-16 | 2018-03-22 | Zte Corporation | Security features in next generation networks |
-
2018
- 2018-04-04 CN CN201810301013.0A patent/CN110366178A/zh active Pending
-
2019
- 2019-03-04 WO PCT/CN2019/076823 patent/WO2019192275A1/fr not_active Ceased
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107566115A (zh) * | 2016-07-01 | 2018-01-09 | Huawei Technologies Co., Ltd. | Key configuration and security policy determination method and apparatus |
| WO2018053271A1 (fr) * | 2016-09-16 | 2018-03-22 | Idac Holdings, Inc. | Unified authentication framework |
| US20180084427A1 (en) * | 2016-09-16 | 2018-03-22 | Zte Corporation | Security features in next generation networks |
Non-Patent Citations (2)
| Title |
|---|
| 3GPP: "3GPP. Technical Specification Group Services and System Aspects; Security Architecture and Procedures for 5G System (release 15)", 3GPP TS 33.501, vol. SA WG3, no. V1.0.0, 15 March 2018 (2018-03-15) - 31 March 2018 (2018-03-31), pages 1 - 128, XP051450455 * |
| ZTE: "Lightweight Secure Way for Protecting Anchor Key Transmitting-EAP-AKA", 3GPP TSG SA WG3 (SECURITY) MEETING #88, S3-171759, vol. SA WG3, 6 August 2017 (2017-08-06) - 11 August 2017 (2017-08-11), XP051310881 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112788598A (zh) * | 2019-11-01 | 2021-05-11 | Huawei Technologies Co., Ltd. | Method and apparatus for protecting parameters in an authentication procedure |
| CN112788598B (zh) * | 2019-11-01 | 2022-11-11 | Huawei Technologies Co., Ltd. | Method and apparatus for protecting parameters in an authentication procedure |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110366178A (zh) | 2019-10-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20230007475A1 (en) | Method for Performing Verification by Using Shared Key, Method for Performing Verification by Using Public Key and Private Key, and Apparatus | |
| US11405780B2 (en) | Method for performing verification by using shared key, method for performing verification by using public key and private key, and apparatus | |
| US11496320B2 (en) | Registration method and apparatus based on service-based architecture | |
| KR100704675B1 (ko) | Authentication method for a wireless portable internet system and related key generation method | |
| CN112566119B (zh) | Terminal authentication method, apparatus, computer device and storage medium | |
| CN108848112B (zh) | Access method, device and system for user equipment UE | |
| US10462671B2 (en) | Methods and arrangements for authenticating a communication device | |
| US20180131519A1 (en) | Devices and methods for client device authentication | |
| JP7237200B2 (ja) | Parameter transmission method and apparatus | |
| WO2020007461A1 (fr) | Authentication and key agreement between a network and user equipment | |
| US11159940B2 (en) | Method for mutual authentication between user equipment and a communication network | |
| JP2007522695A (ja) | System, method and device for authentication in a wireless local area network (WLAN) | |
| CN108353279B (zh) | An authentication method and authentication system | |
| CN111866881B (zh) | Wireless local area network authentication method and wireless local area network connection method | |
| US11445370B2 (en) | Method and device for verifying key requester | |
| KR20160058491A (ko) | Method and apparatus for providing a service based on an identifier of user equipment | |
| CN104145465A (zh) | Group-based bootstrapping in machine type communication | |
| CN110536292A (zh) | Method and apparatus for sending a terminal serial number, and authentication method and apparatus | |
| CN103313242A (zh) | Key verification method and apparatus | |
| US20160227412A1 (en) | Wireless Terminal Configuration Method, Apparatus, and Wireless Terminal | |
| CN107820242A (zh) | Negotiation method and apparatus for an authentication mechanism | |
| WO2018126791A1 (fr) | Authentication method and device, and computer storage medium | |
| WO2019192275A1 (fr) | Authentication method and network element | |
| CN117098111A (zh) | Registration method and apparatus for user equipment, computer-readable medium and electronic device | |
| WO2019024937A1 (fr) | Key negotiation method, apparatus and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 19780969 Country of ref document: EP Kind code of ref document: A1 |
| NENP | Non-entry into the national phase |
Ref country code: DE |
| 32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 04/02/2021) |
| 122 | Ep: pct application non-entry in european phase |
Ref document number: 19780969 Country of ref document: EP Kind code of ref document: A1 |