CN108282775A - Dynamic Additional Verification method towards mobile ad hoc network and system - Google Patents

Publication number: CN108282775A
Application number: CN201711401758.6A
Authority: CN (China)
Other versions: CN108282775B
Original language: Chinese (zh)
Inventor: 张顺亮
Original and current assignee: Institute of Information Engineering of CAS
Legal status: Granted; Expired - Fee Related
Prior art keywords: sas, key, hss, control plane, access authentication

Classifications

    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/06 Authentication
    • H04W12/08 Access security
    • H04W64/00 Locating users or terminals or network equipment for network management purposes, e.g. mobility management
    • H04W64/003 Locating network equipment for network management purposes
Abstract

The invention provides a dynamic additional authentication method and system for a mobile private network. The method comprises the following steps: the UE determines whether access authentication needs to be started and, if so, sends an access authentication request to the SAS; alternatively, the S/P-GW, on receiving a service request from the UE, determines whether access authentication between the SAS and the UE needs to be started and, if so, sends an access authentication request to the SAS. On receiving the access authentication request, the SAS decides whether to start access authentication; if it does, it sends the user ID and the IMSI supplied by the S/P-GW to the HSS. On receiving these, the HSS generates an initial key. The SAS derives keys from the initial key and uses them to protect the control-plane messages exchanged with the UE. The UE generates the same initial key, derives keys from it, and uses them to protect the control-plane messages exchanged with the SAS. On receiving the authentication command from the SAS, the UE authenticates the private core network and notifies the SAS; the SAS authenticates the UE and notifies the UE.

Description

Dynamic additional authentication method and system for a mobile private network

Technical field

The invention relates to the field of network communication security, and in particular to a method and system for mutual authentication between users or devices and a private network in a mobile communication network.

Background

Thanks to their mobility and convenience, mobile communication network services are widely used in daily life. With the large-scale deployment of 4G networks, more and more people use 4G services. Alongside this convenience, rogue base stations and rogue networks create new security problems for mobile applications. At the same time, mobile networks face illegal access and attacks from increasingly capable and diverse smart handheld terminals and from a very large number of IoT terminals.

When users of a mobile private network use network services, user mobility and the limited coverage of the private network operator mean that in some cases, such as roaming, a user may have to reach the private mobile core network by roaming through a public mobile network. The visited public mobile access network is not fully trusted by private network users or by the private core network. When roaming, a user accessing the private core network must be authenticated, and the default authentication procedure is executed, and its result decided, by the MME of the visited core network, so from the private core network's point of view there is a risk of a man-in-the-middle attack. When the private network user is not roaming, the user reaches the private core network directly through a trusted private access network, and the problem of a not-fully-trusted MME acting as a middleman disappears. How to apply flexible and efficient protection measures that suit each scenario is therefore a question worth considering.

To keep illegal users out of 3G and 4G networks, the AKA authentication mechanism was designed: using the security credentials shared between the HSS on the network side and the terminal, together with the AKA algorithm, the network can authenticate the user and the user terminal can authenticate the network. The mobile network security authentication mechanism designed by 3GPP currently assumes that all functions of the access network and the core network are secure and trusted. Existing 3G and 4G networks assume that the visited network and the home network trust each other, that is, the home network always trusts the visited network, so the security risk of the visited core network's MME becoming a man in the middle is not considered. The current 4G method of authenticating roaming users rests on the assumption that the visited network is fully trusted, and there is no solution for the case where a visited core network function becomes a man in the middle. Existing roaming user authentication measures cannot solve the new problems raised by the new usage scenarios of mobile private networks.

Summary of the invention

The purpose of the invention is to propose a dynamic additional authentication method and system for mobile private networks, that is, a method for mutual authentication between a private mobile communication network and its users, which provides secure and reliable mutual authentication between private network users and the private network in an untrusted 3GPP access network environment or in a roaming environment, so that private network users and devices are prevented from attaching to a fake private network, and illegal users and devices are prevented from accessing the private network.

To achieve this, the invention adopts the following technical solution:

A dynamic additional authentication method for a mobile private network, comprising the steps of:

A user terminal UE that has already completed mutual authentication with the mobility management entity MME and the HSS located in the private core network determines whether dynamic additional access authentication needs to be started and, if so, sends an access authentication request to the secure access server SAS located in the private core network; alternatively, the private core network gateway S/P-GW, on receiving a service request from the UE, determines whether dynamic additional access authentication between the SAS and the UE needs to be started and, if so, sends an access authentication request to the SAS;

On receiving the access authentication request, the SAS decides whether to start access authentication; if it does, the SAS sends the user ID and the user identity IMSI provided by the S/P-GW to the HSS;

On receiving the user ID and IMSI, the HSS generates the initial key needed for control-plane security protection;

The SAS derives the keys needed for control-plane security protection from the initial key and uses them to protect the control-plane messages exchanged with the UE;

The UE generates the initial key needed for control-plane security protection, derives the control-plane protection keys from it, and uses them to protect the control-plane messages exchanged with the SAS;

On receiving the authentication command from the SAS, the UE authenticates the private core network and notifies the SAS;

The SAS authenticates the UE and notifies the UE of the authentication result.

Further, whether to start dynamic additional access authentication is decided from the UE's current location, whether it is roaming, the security trust level of the access network, the access network type, the access network ID, whether the service the UE is accessing is a private-network service, and a pre-configured security policy.

Further, the security policy determines whether access authentication needs to be started between the UE and the private core network; the policy defines the conditions under which additional authentication is started. For example: if the UE reaches the private core network through an untrusted 3GPP access, or while roaming through a public LTE network (PLMN ID = A), access authentication must be started; if it reaches the private core network while not roaming, through the private LTE access network (PLMN ID = B), access authentication need not be started.

Further, the access authentication request contains the UE's current location, hardware ID, access network type, access network ID and PLMN ID, and IP address.

Further, the UE and the HSS generate the initial key from the security credentials they share (including CK, IK and the shared factor Factor).

Further, the initial key generation algorithm is shown in Figure 2 (in the figure the USIM resides on the UE). Specifically: CK and IK from the security credentials shared by the UE and the HSS, the shared factor Factor, the serving network identity SN ID and the sequence number SQN XOR AK are fed into the standard key derivation function KDF, which outputs the initial key Ks_init.

Further, the UE and the SAS also derive keys from the security credentials shared between the UE and the SAS (including the shared factor Factor and the shared timestamp Timestamp) together with the security credentials shared between the UE and the HSS; "shared" covers both static pre-configuration and information passed through a shared third-party device.

Further, the keys comprise a confidentiality protection key and an integrity protection key;

The confidentiality protection key is generated as shown in Figure 3 (in the figure the USIM resides on the UE). Specifically: the initial key Ks_init, the security credentials shared by the UE and the HSS, the security credentials shared by the UE and the SAS, Alg-ID, the newly defined confidentiality algorithm type distinguisher SA-init-enc-alg and the newly defined algorithm identifier 256-EEA4 AES based algorithm (AES-CTR) are fed into the key derivation function KDF, which outputs the confidentiality protection key Kinit_enc;

The integrity protection key is generated as shown in Figure 3. Specifically: the initial key Ks_init, the security credentials shared by the UE and the HSS, the security credentials shared by the UE and the SAS, Alg-ID, the newly defined integrity algorithm type distinguisher SA-init-int-alg and the newly defined algorithm identifier 256-EIA4 AES based algorithm (AES-CMAC) are fed into the key derivation function KDF, which outputs the integrity protection key Kinit_int;

The key derivation structure is as follows:

Algorithm type distinguishers

Extended definition:

SA-init-enc-alg = 0x09,

SA-init-int-alg = 0x10;

Alg-ID

Extended definition:

"0100" = 256-EEA4 AES based algorithm (AES-CTR),

"0110" = 256-EIA4 AES based algorithm (AES-CMAC);

Confidentiality protection key:

Kinit_enc

= KDF(Factor, TIME, SA-init-enc-alg, 256-EEA4 AES based algorithm (AES-CTR), Ks_init);

Integrity protection key:

Kinit_int

= KDF(Factor, TIME, SA-init-int-alg, 256-EIA4 AES based algorithm (AES-CMAC), Ks_init).
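The two-stage derivation above (Ks_init from CK, IK, Factor, SN ID and SQN XOR AK in Figure 2; Kinit_enc and Kinit_int from Ks_init, Factor, Timestamp, the type distinguisher and the Alg-ID in Figure 3) is shown below as an added, runnable example; it is not code from the patent. The patent only says "standard KDF", so this example assumes the TS 33.220 shape (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...) and picks FC values 0x80 and 0x81 for domain separation; CK, IK, Factor, SN ID, SQN XOR AK and Timestamp are constructed sample values, and the 0x09/0x10 distinguishers and "0100"/"0110" Alg-IDs are the page's own.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed sample credential material; none of these are real subscriber values.
CK = bytes.fromhex("00112233445566778899aabbccddeeff")   # cipher key from the EPS AKA run
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # integrity key from the EPS AKA run
FACTOR = b"factor-ue-hss-sas"                            # shared factor Factor (assumed opaque bytes)
SN_ID = b"46000"                                         # serving network identity SN ID (assumed MCC||MNC text)
SQN_XOR_AK = bytes.fromhex("0000000000a1")               # SQN XOR AK, as carried in AUTN of the AKA run
TIMESTAMP = b"1700000000"                                # shared timestamp Timestamp (the TIME input)

# Algorithm type distinguishers, as extended on the page.
SA_INIT_ENC_ALG = 0x09
SA_INIT_INT_ALG = 0x10
# Alg-ID values, as extended on the page.
ALG_ID_256_EEA4_AES_CTR = 0b0100
ALG_ID_256_EIA4_AES_CMAC = 0b0110

# Function-code bytes are an assumption of this example: the page only says "standard KDF",
# so values are chosen here to keep the two derivation stages domain-separated.
FC_KS_INIT = 0x80
FC_CP_KEYS = 0x81


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ..., the TS 33.220 KDF shape.

    Every parameter is followed by its two-byte big-endian length, so two parameter
    lists cannot collide by moving bytes between neighbouring fields.
    """
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_init(ck: bytes, ik: bytes, factor: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """Figure 2: Ks_init from CK, IK, Factor, SN ID and SQN XOR AK; CK||IK keys the HMAC."""
    return kdf(ck + ik, FC_KS_INIT, factor, sn_id, sqn_xor_ak)


def derive_control_plane_keys(ks_init: bytes, factor: bytes, timestamp: bytes) -> Tuple[bytes, bytes]:
    """Figure 3: Kinit_enc and Kinit_int keyed by Ks_init. Only the type distinguisher and
    the Alg-ID differ between the two derivations, which is what keeps the keys distinct."""
    kinit_enc = kdf(ks_init, FC_CP_KEYS, factor, timestamp,
                    bytes([SA_INIT_ENC_ALG]), bytes([ALG_ID_256_EEA4_AES_CTR]))
    kinit_int = kdf(ks_init, FC_CP_KEYS, factor, timestamp,
                    bytes([SA_INIT_INT_ALG]), bytes([ALG_ID_256_EIA4_AES_CMAC]))
    return kinit_enc, kinit_int


def keys_agree() -> bool:
    """Derive on both sides independently and compare.

    The HSS computes Ks_init and hands it to the SAS; the UE computes Ks_init itself.
    UE and SAS then each derive Kinit_enc / Kinit_int from Ks_init, Factor and Timestamp.
    Both results are 256-bit, matching the "256-" prefix of the new algorithm identifiers.
    """
    ks_init_hss = derive_ks_init(CK, IK, FACTOR, SN_ID, SQN_XOR_AK)
    ks_init_ue = derive_ks_init(CK, IK, FACTOR, SN_ID, SQN_XOR_AK)
    sas_keys = derive_control_plane_keys(ks_init_hss, FACTOR, TIMESTAMP)  # SAS received Ks_init from HSS
    ue_keys = derive_control_plane_keys(ks_init_ue, FACTOR, TIMESTAMP)
    return sas_keys == ue_keys and all(len(k) == 32 for k in sas_keys)


if __name__ == "__main__":
    ks = derive_ks_init(CK, IK, FACTOR, SN_ID, SQN_XOR_AK)
    enc, integ = derive_control_plane_keys(ks, FACTOR, TIMESTAMP)
    print("Ks_init   ", ks.hex())
    print("Kinit_enc ", enc.hex())
    print("Kinit_int ", integ.hex())
    print("UE and SAS agree:", keys_agree())
```

Because Timestamp is an input to the second stage, the two control-plane keys change whenever the shared timestamp changes even though Ks_init stays the same; a deployment therefore needs UE and SAS to agree on the timestamp value (or its granularity) before the first protected message, otherwise the integrity check on that message fails.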

Further, the authentication command contains the random number RAND generated by the HSS and the authentication token AUTN.

Further, the UE authenticates the private core network using the initial key it generated, the security credentials shared between the UE and the SAS, and the AKA algorithm.

Further, the SAS authenticates the UE using the initial key generated by the HSS, the security credentials shared between the UE and the SAS, and the AKA algorithm.

A dynamic additional authentication system for a mobile private network, comprising:

a UE, which sends access authentication requests or service requests, generates the initial key and the keys needed for control-plane security protection, protects the control-plane messages exchanged with the SAS, and authenticates the private core network;

an SAS, located in the private core network, which decides whether to start dynamic additional access authentication, generates the keys needed for control-plane security protection, protects the control-plane messages exchanged with the UE, and authenticates the UE;

an HSS, located in the private core network, which generates the initial key needed for control-plane security protection;

an S/P-GW, located in the private core network, which provides the user identity IMSI to the SAS.

Further, if the UE sends an access authentication request, it first determines whether dynamic additional access authentication needs to be started; if the UE sends a service request, that request triggers the S/P-GW to determine whether dynamic additional access authentication between the SAS and the UE needs to be started.

The invention proposes a secure and reliable mutual authentication method between users of a private mobile communication network and the private network. To avoid the trust problem created by the public core network's control-plane function MME when roaming, an SAS is introduced into the private core network. The method protects the messages on the interface between the UE and the SAS with the security credentials shared by the UE and the private core network and with keys produced by the key generation algorithm. The SAS decides, from the UE's current location, the trust level of the access network, the user's roaming state and similar information, whether to perform dynamic additional access authentication of the UE. If authentication is needed, the SAS obtains from the HSS authentication data generated from the security credentials shared by the UE and the HSS, and uses that data to perform access authentication with the UE. The authentication result decides whether the UE may access the private network.

In addition, the invention enhances the terminal so that the UE generates keys from the security credentials it shares with the HSS and the SAS and the initial key generation algorithm, in order to protect the interface between the UE and the SAS. The HSS in the core network also has to be enhanced: it uses the security credentials shared with the UE and the initial key generation algorithm to generate the initial key and passes that key to the SAS. The UE or the S/P-GW decides, from the access network ID, the trust level of the access network, the roaming state and the pre-configured security policy, whether to trigger the SAS to start the additional independent authentication.

Figure 1 shows the derivation structure of the control-plane security protection keys, built on top of the existing LTE key hierarchy. The parts of the figure relating to USIM/AUC, UE/HSS, UE/MME and UE/eNB are the existing mechanism. To protect the control plane between the UE and the newly added secure access server SAS, the existing LTE key hierarchy is extended with a UE/SAS key derivation mechanism. The UE and the HSS each use IK, CK and the newly introduced parameters, such as the shared factor Factor, to derive the initial key Ks_init with the KDF function. The HSS passes the generated initial key to the SAS. The UE and the SAS then each use the initial key Ks_init and the other newly defined parameters, including the shared factor Factor and the timestamp Timestamp, to derive with the KDF function the confidentiality protection key Kinit_enc and the integrity protection key Kinit_int, which protect the signalling exchanged between the UE and the SAS.

Brief description of the drawings

Figure 1 is a diagram of the key derivation hierarchy needed for control-plane security protection.

Figure 2 is a schematic diagram of the initial key derivation needed for control-plane security protection.

Figure 3 is a schematic diagram of the key derivation needed for control-plane security protection.

Figure 4 is a structural diagram of a dynamic additional authentication system for a mobile private network according to Embodiment 1.

Figure 5 is a flow chart of a dynamic additional authentication method for a mobile private network according to Embodiment 1.

Figure 6 is a structural diagram of a dynamic additional authentication system for a mobile private network according to Embodiment 2.

Figure 7 is a flow chart of a dynamic additional authentication method for a mobile private network according to Embodiment 2.

Detailed description

To make the above features and advantages of the invention easier to understand, embodiments are described in detail below with reference to the accompanying drawings.

Based on the same technical idea, and considering the different impact on existing terminals and networks, the invention proposes two embodiments.

Embodiment 1

This embodiment enhances the existing UE; the system architecture is shown in Figure 4. The UE decides from its roaming state, access network type, access network trust level and similar information whether to trigger the SAS to start dynamic additional access authentication and, if so, reports UE-related and access-network-related information to the SAS. An SAS is introduced into the private core network; it decides from the UE's current location, the security trust level of the access network, the access network type, the access network ID, the access network's PLMN ID and the pre-configured security policy whether to start access authentication of this UE. If the SAS decides that authentication is necessary, the UE uses the security credentials shared with the HSS on the network side and the initial key generation algorithm to generate the initial key needed to protect the control plane between the UE and the SAS, and starts protecting the signalling messages from the UE to the SAS. At the same time the SAS obtains from the HSS the authentication data generated from the shared security credentials and the key needed for control-plane security protection. The HSS uses the security credentials shared with the UE and the initial key generation algorithm to generate the initial key needed for control-plane security protection, and passes that initial key and the authentication data to the SAS. The SAS derives keys from the initial key and protects the SAS-to-UE interface messages with those keys and the pre-configured security policy. The SAS then uses the authentication data provided by the HSS to perform AKA access authentication with the UE over the protected interface, and decides from the result whether the UE may access the private network. The UE likewise decides from the result whether to attach to the network.

The method of this embodiment is shown in Figure 5; its main steps are:

(1) The UE sends an attach request to the MME in the core network; the MME obtains the user authentication data from the HSS and uses it to complete mutual authentication between the user and the network with the UE.

(2) The UE decides, from its current location, the security trust level of the access network, the access network type, the access network ID, its roaming state and the service it intends to access (whether it is a private-network service), whether to trigger dynamic additional access authentication.

(3) If access authentication must be triggered, the UE sends an access authentication request message to the SAS containing its current location, hardware ID, access network type, access network ID and PLMN ID, user IP address and similar information.

(4) The SAS decides whether to start access authentication from the UE's current location, roaming state, whether the access network is trusted, whether the current location is safe and similar information, according to the pre-configured security policy.

An example security policy: when the UE is not roaming and reaches the private core network through the private LTE access network (PLMN ID = B), access authentication is not started; when the UE is roaming and attaches through a public LTE network (PLMN ID = A), access authentication is started.
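The policy evaluation in steps (2) and (4), and the same PLMN ID = A / PLMN ID = B example given earlier in the summary, can be written as an ordered rule list with a fail-closed default. The code below is an added example, not code from the patent: the AccessContext fields follow the criteria the page lists, the rule set reproduces the page's example policy plus the "untrusted 3GPP access" condition from the summary, the access network identifiers are constructed, and the rule in gateway_trigger that only private-network services are forwarded by the S/P-GW is an assumption made for this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# PLMN IDs from the page's policy example: "A" is the public LTE network, "B" the private LTE access network.
PUBLIC_PLMN_ID = "A"
PRIVATE_PLMN_ID = "B"


@dataclass(frozen=True)
class AccessContext:
    """The facts that the UE (Embodiment 1) or the S/P-GW (Embodiment 2), and then the SAS, decide on."""
    roaming: bool
    plmn_id: str            # PLMN ID of the access network in use
    access_type: str        # "trusted-3gpp", "untrusted-3gpp" or "non-3gpp"
    access_net_id: str      # access network ID (constructed identifiers below)
    private_service: bool   # is the requested service a private-network service?


# A rule is (name, predicate, needs_additional_auth). Rules are evaluated in order; the first match wins.
Rule = Tuple[str, Callable[[AccessContext], bool], bool]

SECURITY_POLICY: List[Rule] = [
    ("untrusted 3GPP or non-3GPP access",
     lambda c: c.access_type != "trusted-3gpp", True),
    ("roaming through public LTE (PLMN ID = A)",
     lambda c: c.roaming and c.plmn_id == PUBLIC_PLMN_ID, True),
    ("not roaming, private LTE access (PLMN ID = B)",
     lambda c: not c.roaming and c.plmn_id == PRIVATE_PLMN_ID, False),
]


def needs_additional_auth(ctx: AccessContext, policy: List[Rule] = SECURITY_POLICY) -> Tuple[bool, str]:
    """Return (decision, name of the rule that decided it).

    Anything the policy does not cover fails closed: an access network the policy does not
    recognise is treated like an untrusted one, so a misconfigured policy cannot silently
    skip the additional authentication.
    """
    for name, predicate, decision in policy:
        if predicate(ctx):
            return decision, name
    return True, "default: no rule matched, authenticate"


def gateway_trigger(ctx: AccessContext) -> bool:
    """Embodiment 2: the S/P-GW sees the service request first. As a constructed rule for this
    example it forwards only private-network services to the SAS; the SAS re-evaluates the policy."""
    if not ctx.private_service:
        return False
    return needs_additional_auth(ctx)[0]


if __name__ == "__main__":
    samples = [
        AccessContext(False, PRIVATE_PLMN_ID, "trusted-3gpp", "private-lte-1", True),
        AccessContext(True, PUBLIC_PLMN_ID, "trusted-3gpp", "public-lte-7", True),
        AccessContext(False, PRIVATE_PLMN_ID, "non-3gpp", "wlan-ap-3", True),
        AccessContext(False, "C", "trusted-3gpp", "lte-unknown", True),
    ]
    for ctx in samples:
        decision, rule = needs_additional_auth(ctx)
        print(f"{ctx.access_net_id:14s} roaming={ctx.roaming!s:5s} -> auth={decision} ({rule})")
```

Both the requesting side and the SAS run the same function over the reported context, which matches the page's design of the SAS re-checking the decision in step (4) rather than trusting the requester's verdict; the rule name returned with the decision is what an operator would log to explain why a given attach was or was not challenged.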

(5) The SAS sends a message to the S/P-GW requesting the user identity IMSI.

(6) The S/P-GW looks up the corresponding IMSI and returns it to the SAS in a response message.

(7) If access authentication must be started, the SAS sends a message to the HSS requesting user authentication data; the request carries the user ID and IMSI.

(8) The HSS generates an authentication vector from the security credentials shared with the UE, and generates the initial key needed for control-plane security protection with the initial key generation algorithm.

(9) The HSS returns the generated authentication vector and initial key to the SAS in a response message.

(10) The SAS returns a response message to the UE carrying the access check result, that is, whether access authentication needs to be started.

(11) If access authentication must be started, the UE generates the initial key needed for control-plane security protection from the security credentials shared with the HSS, using the initial key generation algorithm.

(12) Using the initial key it generated, the security credentials shared with the HSS and the security credentials shared with the SAS as input, the UE generates the keys needed for control-plane security protection with the key generation algorithm, and uses the pre-configured algorithm to protect the AKA authentication information exchanged on the control plane between the SAS and the UE.

(13) Using the initial key, the security credentials shared with the UE and the security credentials of the UE and the HSS as input, the SAS generates the keys needed for control-plane protection with the key generation algorithm, and applies the pre-configured security policy to protect the AKA authentication information exchanged on the control plane between the SAS and the UE.

(14) The SAS sends an additional authentication command message to the UE containing the random number RAND generated by the HSS and the authentication token AUTN.

(15) The UE authenticates the private core network using the security credentials shared with the HSS and the AKA algorithm.

(16) Once the private core network has been authenticated, the UE sends an authentication request message containing the authentication response RES computed from the security credentials with the AKA algorithm.

(17) On receiving the UE's authentication response data, the SAS authenticates the UE.

(18) The SAS returns an additional authentication response message to the UE containing the authentication result.

Embodiment two

This embodiment introduces a new network function, the secure access server SAS, located in the dedicated core network so as to avoid affecting the existing MME network function; the system architecture is shown in Figure 6. After the dedicated core network gateway S/P-GW receives the user's service access request, it decides whether to trigger dynamic additional access authentication based on the access network ID, access network type, PLMN ID, access network credibility, roaming status (roaming or not), the pre-configured security policy and the type/name of the service the user is accessing. If triggering is required, the S/P-GW reports the UE's current location, access network type, access network credibility, roaming status and similar information to the SAS over a newly defined interface between the two. The SAS determines whether to start access authentication for this UE based on the UE's current location, the security credibility of the access network, the access network type, the access network ID, the PLMN ID of the access network and the pre-configured security policy. If necessary, the authentication procedure between the UE and the dedicated core network is started.

The method flow of this embodiment is shown in Figure 7; the main steps are as follows:

(1) The UE sends an attach request message to the core network function MME. The MME interacts with the HSS to obtain the user authentication data and uses that data to complete mutual authentication between the user and the network with the UE.

(2) The UE initiates a service request to the application server AF, for example an HTTP request message, which is first received by the S/P-GW.

(3) The S/P-GW decides whether to trigger dynamic additional access authentication based on the access network ID, access network type, PLMN ID, access network credibility, roaming status, the pre-configured security policy and the type/name of the service the user is accessing.

(4) If access authentication needs to be triggered, the S/P-GW sends an access authentication request message to the SAS over the newly defined interface. The message contains the following information: the UE's current location, access network type, access network PLMN name, access network credibility, roaming status, the user identity IMSI and so on.

(5) Based on the information reported by the S/P-GW (the UE's current location, roaming status, whether the access network is trusted, whether the UE's current location is safe, and so on) and the pre-configured security policy, the SAS determines whether to start access authentication.

(6) If access authentication needs to be started, the SAS sends a message to the HSS requesting the user authentication data; the message contains the user ID and the IMSI.

(7) The HSS generates the authentication vector from the security credential information shared with the UE, and generates the initial key required for control plane security protection using the initial key generation algorithm.

(8) The HSS notifies the SAS of the generated authentication vector and initial key in a response message.

(9) The SAS replies to the UE with a response message containing the access check result, that is, whether access authentication needs to be started.

(10) If access authentication needs to be started, the UE uses the security credential information shared with the HSS and the initial key generation algorithm to generate the initial key required for control plane security protection.

(11) Taking the initial key it generated, the security credential information shared with the HSS and the security credential information shared with the SAS as input, the UE generates the key required for control plane security protection with the key generation algorithm, and protects the AKA authentication information exchanged on the control plane between the SAS and the UE with the pre-configured algorithm.

(12) Taking the initial key, the security credential information shared with the UE and the security credential information of the UE and the HSS as input, the SAS generates the key required for control plane protection according to the key generation algorithm, and protects the AKA authentication information exchanged on the control plane between the SAS and the UE with the pre-configured security policy.

(13) The SAS sends an additional authentication command message to the UE; the message contains the random number RAND and the authentication token AUTN generated by the HSS.

(14) The UE authenticates the legitimacy of the dedicated network using the security credential information shared with the HSS and the AKA algorithm.

(15) After the dedicated core network passes authentication, the UE sends an authentication request message containing the authentication response RES computed from the security credential information with the AKA algorithm.

(16) After receiving the UE's authentication response data, the SAS authenticates the legitimacy of the UE.

(17) The SAS replies to the UE with an additional authentication response message containing the authentication result, and sends an authentication notification message containing the user's authentication result to the S/P-GW.

(18) The P-GW replies to the SAS with a response message.

(19) Based on the authentication result, the S/P-GW decides whether to let the UE's service request through.

(20) If authentication passed, the S/P-GW routes the user's IP packet (the service request message) to the service server AF located behind the private network.

(21) The UE and the AF carry out the service interaction.

The above embodiments only illustrate the technical solution of the present invention and do not limit it. Those of ordinary skill in the art may modify the technical solution of the present invention or replace it with equivalents without departing from the spirit and scope of the present invention; the scope of protection of the present invention shall be determined by the claims.

Claims (10)

1. A dynamic additional authentication method for a mobile private network, comprising the following steps:
A UE that has completed mutual authentication with the MME and the HSS located in the dedicated core network judges whether dynamic additional access authentication needs to be started; if so, the UE sends an access authentication request to the SAS located in the dedicated core network. Alternatively, the S/P-GW of the dedicated core network receives a service request sent by the UE, which triggers it to judge whether dynamic additional access authentication between the SAS and the UE needs to be started; if so, the S/P-GW sends an access authentication request to the SAS;
After the SAS receives the access authentication request, it determines whether to start access authentication; if so, the SAS sends the HSS the user ID and the IMSI information provided by the S/P-GW;
After the HSS receives the user ID and the IMSI information, it generates the initial key required for control plane security protection;
The SAS generates the key required for control plane security protection from the initial key and uses it to protect its control plane interaction with the UE;
The UE generates the initial key required for control plane security protection, generates from it the key required for control plane security protection, and uses it to protect its control plane interaction with the SAS;
After the UE receives the authentication command from the SAS, it authenticates the legitimacy of the dedicated core network and notifies the SAS;
The SAS authenticates the legitimacy of the UE and notifies the UE.
2. The method according to claim 1, wherein whether to start the access authentication is judged according to the current location of the UE, whether it is roaming, whether the accessed service is a private network service, the security credibility of the access network, the access network type, the access network ID and the pre-configured security policy.
3. The method according to claim 1, wherein the access authentication request includes the UE's current location, hardware ID, access network type, access network ID and PLMN ID, and IP address information.
4. The method according to claim 1, wherein the UE and the HSS generate the initial key from the security credential information shared between them.
5. The method according to claim 4, wherein the initial key generation algorithm is: taking as input the CK, IK and shared factor of the security credential information shared between the UE and the HSS, the serving network identity SN ID, and the sequence number SQN XORed with AK, the initial key is generated by the standard key derivation function KDF.
6. The method according to claim 1, wherein the UE and the SAS further generate a key from the security credential information shared between them together with the security credential information shared between the UE and the HSS.
7. The method according to claim 6, wherein the key comprises a confidentiality protection key and an integrity protection key;
The confidentiality protection key is generated by taking as input the initial key, the security credential information shared between the UE and the HSS, the security credential information shared between the UE and the SAS, the Alg-ID, the newly defined confidentiality protection algorithm type identifier SA-init-enc-alg and the newly defined algorithm identifier 256-EEA4 (AES based algorithm, AES-CTR), and computing the key derivation function KDF;
The integrity protection key is generated by taking as input the initial key, the security credential information shared between the UE and the HSS, the security credential information shared between the UE and the SAS, the Alg-ID, the newly defined integrity protection algorithm type identifier SA-init-int-alg and the newly defined algorithm identifier 256-EIA4 (AES based algorithm, AES-CMAC), and computing the key derivation function KDF.
8. The method according to claim 1, wherein the UE authenticates the legitimacy of the dedicated core network according to the initial key it generated, the security credential information shared between it and the SAS, and the AKA algorithm; and the SAS authenticates the legitimacy of the UE according to the initial key generated by the HSS, the security credential information shared between it and the UE, and the AKA algorithm.
9. A dynamic additional authentication system for a mobile private network, comprising:
a UE, configured to send an access authentication request or a service request, generate the initial key and the key required for control plane security protection, protect its control plane interaction with the SAS, and authenticate the legitimacy of the dedicated core network;
an SAS located in the dedicated core network, configured to determine whether to start dynamic additional access authentication, generate the key required for control plane security protection, protect its control plane interaction with the UE, and authenticate the legitimacy of the UE;
an HSS located in the dedicated core network, configured to generate the initial key required for control plane security protection;
an S/P-GW located in the dedicated core network, configured to provide IMSI information to the SAS.
10. The system according to claim 9, wherein if the UE sends the access authentication request, it first judges whether dynamic additional access authentication needs to be started before sending it; and if the UE sends a service request, that request triggers the S/P-GW to judge whether dynamic additional access authentication between the SAS and the UE needs to be started.
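The following Python simulation is an added example and is not code from the patent. It walks through the SAS-centred exchange of embodiment two (steps 6 to 17) together with the key derivation of claims 5 and 7: the HSS builds the AKA vector and the initial key, the SAS and the UE independently derive the control plane keys, the UE checks AUTN (network authenticity and SQN freshness), and the SAS compares RES against XRES. Everything not stated on the page is an assumption: HMAC-SHA256 stands in for the MILENAGE functions f1 to f5, the KDF uses the TS 33.220 encoding shape with made-up FC values, the algorithm identifiers are encoded as ASCII, the IMSI stands in for the "security credential information shared between the UE and the HSS" input to the control plane KDF, and all keys and identifiers are constructed sample values.

```python
from __future__ import annotations
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# --- Constructed credentials (sample values, not from the patent) ---
IMSI = b"460001234567890"                                        # stands in for the UE/HSS shared credential info (assumption)
K_UE_HSS = bytes.fromhex("00112233445566778899aabbccddeeff")    # long-term key on the USIM and in the HSS
K_UE_SAS = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")    # credential shared between UE and SAS (assumed pre-provisioned)
SN_ID = b"460-00-private"                                        # serving network identity (constructed)


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

# Toy stand-ins for MILENAGE f1..f5; the page only says "the AKA algorithm".
def f1(k, rand, sqn, amf): return prf(k, b"f1", rand, sqn, amf)[:8]   # MAC-A
def f2(k, rand):           return prf(k, b"f2", rand)[:8]             # RES / XRES
def f3(k, rand):           return prf(k, b"f3", rand)[:16]            # CK
def f4(k, rand):           return prf(k, b"f4", rand)[:16]            # IK
def f5(k, rand):           return prf(k, b"f5", rand)[:6]             # AK


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """KDF in the TS 33.220 Annex B shape (assumed): HMAC-SHA256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def initial_key(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """Claim 5: initial key = KDF(CK || IK, SN ID, SQN xor AK). The FC value 0x10 is assumed."""
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)


def control_plane_keys(k_init: bytes, cred_hss: bytes, cred_sas: bytes) -> tuple[bytes, bytes]:
    """Claim 7: confidentiality and integrity keys from the initial key, both shared credentials and
    the algorithm identifiers. ASCII encodings and the FC values 0x15/0x16 are assumptions."""
    k_enc = kdf(k_init, 0x15, cred_hss, cred_sas, b"SA-init-enc-alg", b"256-EEA4")
    k_int = kdf(k_init, 0x16, cred_hss, cred_sas, b"SA-init-int-alg", b"256-EIA4")
    return k_enc, k_int


@dataclass
class AuthVector:
    rand: bytes
    autn: bytes
    xres: bytes
    k_init: bytes   # handed from the HSS to the SAS together with the vector (steps 7-8)


def hss_generate_av(k: bytes, sqn: bytes, rand: bytes | None = None) -> AuthVector:
    """Steps 7-8: the HSS builds RAND, AUTN, XRES and the initial control plane key."""
    rand = rand if rand is not None else secrets.token_bytes(16)
    amf = b"\x80\x00"
    sqn_xor_ak = xor(sqn, f5(k, rand))
    autn = sqn_xor_ak + amf + f1(k, rand, sqn, amf)          # AUTN = (SQN xor AK) || AMF || MAC
    k_init = initial_key(f3(k, rand), f4(k, rand), SN_ID, sqn_xor_ak)
    return AuthVector(rand, autn, f2(k, rand), k_init)


def ue_process_challenge(k: bytes, rand: bytes, autn: bytes, last_sqn: int):
    """Steps 10-15 on the UE: verify AUTN (MAC and SQN freshness), then derive keys and RES.
    Returns None when the core network fails authentication."""
    sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
    sqn = xor(sqn_xor_ak, f5(k, rand))
    if not hmac.compare_digest(mac, f1(k, rand, sqn, amf)):
        return None                                           # MAC failure: network not authenticated
    if int.from_bytes(sqn, "big") <= last_sqn:
        return None                                           # replayed or stale sequence number
    k_init = initial_key(f3(k, rand), f4(k, rand), SN_ID, sqn_xor_ak)
    k_enc, k_int = control_plane_keys(k_init, IMSI, K_UE_SAS)
    return {"res": f2(k, rand), "k_enc": k_enc, "k_int": k_int, "sqn": int.from_bytes(sqn, "big")}


def run_additional_authentication(sqn_hss: int, last_sqn_ue: int,
                                  ue_key: bytes = K_UE_HSS, rand: bytes | None = None) -> dict:
    """Simulates embodiment two, steps 6-17, between HSS, SAS and UE."""
    av = hss_generate_av(K_UE_HSS, sqn_hss.to_bytes(6, "big"), rand)       # HSS -> SAS (steps 7-8)
    sas_k_enc, sas_k_int = control_plane_keys(av.k_init, IMSI, K_UE_SAS)    # step 12 at the SAS
    ue = ue_process_challenge(ue_key, av.rand, av.autn, last_sqn_ue)        # step 13: RAND, AUTN to the UE
    if ue is None:
        return {"network_authenticated": False, "ue_authenticated": False, "keys_match": False}
    ue_ok = hmac.compare_digest(av.xres, ue["res"])                          # step 16 at the SAS
    return {"network_authenticated": True, "ue_authenticated": ue_ok,
            "keys_match": ue["k_enc"] == sas_k_enc and ue["k_int"] == sas_k_int}


if __name__ == "__main__":
    print(run_additional_authentication(sqn_hss=42, last_sqn_ue=41))
```

The two failure branches in `ue_process_challenge` are the ones worth keeping in view when reviewing a design like this: a wrong MAC means the challenge did not come from an HSS holding the UE's key, and a non-increasing SQN means a captured challenge is being replayed; in both cases the UE must not derive keys or answer with RES. The SAS never sees K_UE_HSS, only the initial key and vector the HSS hands it, which is what lets it sit in the dedicated core network without holding subscriber long-term keys.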
CN201711401758.6A 2017-12-22 2017-12-22 Dynamic additional authentication method and system for mobile private network Expired - Fee Related CN108282775B (en)


Publications (2)

Publication Number Publication Date
CN108282775A true CN108282775A (en) 2018-07-13
CN108282775B CN108282775B (en) 2021-01-01



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210101