CN103731826A - D2d user equipment authentication method and device - Google Patents

Abstract

The invention discloses a D2D user equipment authentication method and device. The method comprises the steps that one or more D2D authorization data corresponding to one or more D2D UE are obtained; the D2D UE is authenticated by using the authorization data. By means of the D2D user equipment authentication method and device, the problem that two kinds of UE can not be mutually authenticated in a D2D UE finding process in the correlation technique is solved, the D2D UE is mutually authenticated through the D2D authorization data, and therefore mutual D2D authentication authorization of the UE is possible.

Description

D2D user equipment authentication method and device

Technical field

The present invention relates to the communications field, in particular to a kind of device-to-device (Device to Device, referred to as D2D) subscriber equipment (User Equipment, referred to as UE) authentication method and device.

Background technology

Wireless communication field, along with the fast development of intelligent terminal and mobile Internet application, requirement to user's experience and data volume is more and more higher, device-to-device (Device to Device, referred to as D2D) technology proposes just under this background, D2D technology broken before in evolved packet system (Evolved Package System, referred to as EPS), two restrictions that wireless terminal device must could be communicated by letter by base station or radio reception device.

Whole EPS system is divided into wireless access network and core net two parts, and wireless access network is divided into third generation partner program (3rdGeneration Partnership Project, referred to as 3GPP) Access Network and non-3 GPP access network.

3GPP Access Network is by evolution base station (Evolved NodeB, referred to as eNB) composition, and it is the transmitting-receiving of responsible wireless signal mainly, by air interface and terminal contact, Radio Resource, scheduling of resource and the access control of management air interface.

Core net, comprised home subscriber server (Home Subscriber Server, referred to as HSS), Mobility Management Entity (Mobility Management Entity, referred to as MME), policy charging rule function (Policy and Charging RuleFunction, referred to as PCRF), gateway (Serving Gateway, referred to as S-GW) and packet data gateway (PDNGateway, referred to as P-GW).

Fig. 1 is the structural representation of the 3GPP of correlation technique and the packet-based core networks (Evolved Packet Core, referred to as EPC) of non-3GPP connecting system access evolution.As shown in Figure 1, EPS system is supported 3GPP access.HSS is the permanent storage place of user contracting data, is positioned at the signing home network of user; MME is responsible for the chain of command correlation functions such as the processing of mobile management, Non-Access Stratum signaling and the management of user mobility managing context; S-GW is the accessing gateway equipment being connected with 3GPP Access Network, forwarding data between 3GPP access and P-GW, and data are carried out to buffer memory; P-GW is the borde gateway of EPS and packet data network (PacketData Network, referred to as PDN), is responsible for the access of PDN and the function such as forwarding data between EPS and PDN; PCRF is "Policy and Charging Rules Function entity, and it is connected with Operator Specific Service network by receiving interface Rx, is responsible for providing charging control, online credit control, thresholding control and service quality (Quality of Service, referred to as QoS).

As shown in Figure 1, EPS system is also supported non-3GPP access.Wherein, by S2a/S2b/S2c Interface realization, P-GW is as the anchor point between 3GPP and non-3GPP access with the intercommunication of non-3GPP access.Non-3GPP access is divided into the non-3GPP access of credit and the non-3GPP access of non-credit.Wherein, the non-3GPP access of credit can directly be connected with P-GW by S2a interface, and S2a interface adopts proxy-mobile IP (Proxy Mobile IP, referred to as PMIP) agreement to carry out information interaction.The non-3GPP access of non-credit needs to be connected with P-GW through the packet data gateway (evolved Packet Data Gateway, ePDG) of evolution, and the interface between ePDG and P-GW is S2b.S2c interface provides subscriber equipment (User Equipment, referred to as UE) and P-GW between the control of user's face and mobility support, the mobility protocol of its support is the mobile IP v 6 (Mobile IPv6support for Dual Stack Hosts and Routers, referred to as DSMIPv6) of supporting two stacks.

Fig. 2 is the D2D network architecture diagram of correlation technique, and as shown in Figure 2, this network architecture comprises two UE that D2D finds and carries out D2D communication mutually, the radio reception device that UE is connected to, and the network equipment and Home Environment.Radio reception device can be eNB, non-3GPP access, the network equipment can be that the network equipment is as MME, neighbours' discovery server, Home Environment can comprise home subscriber server (Home Subscriber Server, referred to as HSS), access network discovery and selection function unit (Access Network Discovery and Selection Function, referred to as ANDSF), application server, P-GW etc.

D2D technology comprises that D2D finds the two parts of communicating by letter with D2D, and D2D discovery refers between wireless terminal device, when near distance is to can direct communication between wireless device time, can find each other the other side.D2D communication refers to two wireless terminal devices, after finding the other side, and not by core net, direct communication.

When D2D user need to use the D2D service of operator, operator should be able to control and add up the situation of using D2D service according to this user, and carries out charging.Whether user also needs this user can be found select and limit by some specific user.

For the poor problem of D2D UE communications security in correlation technique, effective solution is not yet proposed at present.

Summary of the invention

For the poor problem of D2D UE communications security, the invention provides a kind of D2D UE authentication method and device, at least to address this problem.

According to an aspect of the present invention, provide a kind of D2D UE authentication method, having comprised: obtained one or more D2D authorization datas that one or more D2D UE are corresponding; Use described one or more D2D authorization data to authenticate described one or more D2DUE.

Preferably, it is one of following that the D2D authorization data that obtains one or more D2D UE comprises:

The described network equipment obtains one or more D2D authorization datas of one or more D2D UE;

The described network equipment obtains the D2D authorization data of one or more D2D UE; The described network equipment generates one or more D2D according to described one or more D2D authorization datas and finds list.

Preferably, the described network equipment generates one or more D2D according to described one or more D2D authorization datas and finds that list comprises: the described network equipment generates described one or more D2D according to the sign ID of described one or more D2D authorization datas and described one or more D2D UE and finds list; Or

The described network equipment generates described one or more D2D according to described one or more D2D authorization datas and user's application ID and finds list.

Preferably, use described one or more D2D authorization data that described one or more D2D UE are authenticated and comprised: the described network equipment finds that according to multiple D2D list and/or multiple D2D authorization data judge that between described multiple D2D UE, whether allowing to carry out D2D finds operation.

Preferably, the described network equipment finds that according to described multiple D2D list judges that between described multiple D2D UE, whether allowing to carry out D2D finds that operation comprises: the described network equipment finds according to described multiple D2D list and/or multiple D2D authorization data judge whether the D2D UE in two D2D UE in described multiple D2D UE can find the 2nd D2DUE in described two D2D UE, and described the 2nd D2DUE can be found by a D2DUE;

If judged result is yes, the described network equipment determines that between described two D2D UE, allowing to carry out described D2D finds operation; If judged result is no, the described network equipment determines that between described two D2D UE, not allowing to carry out described D2D finds operation.

Preferably, obtaining one or more D2D authorization datas that one or more D2D UE are corresponding comprises: the described network equipment obtains one or more D2D authorization datas that one or more D2D UE are corresponding;

Use described one or more D2D authorization data that described one or more D2D UE are authenticated and comprised: the described network equipment generates one or more D2D according to described one or more D2D authorization datas and finds list; The described network equipment finds that by described one or more D2D list sends to radio reception device, by described radio reception device, uses this D2D to find that list authenticates described D2DUE.

Preferably, the described network equipment generates one or more D2D according to described one or more D2D authorization datas and finds that list comprises:

The described network equipment generates described one or more D2D according to the sign ID of described one or more D2D authorization datas and described one or more D2D UE and finds list; Or

The described network equipment generates described one or more D2D according to described one or more D2D authorization datas and user's application ID and finds list.

Preferably, it is one of following that the D2D authorization data that obtains D2D UE comprises:

Radio reception device receives one or more D2D authorization datas corresponding to described one or more D2D UE that the network equipment forwards;

Described radio reception device receives one or more D2D authorization datas corresponding to described one or more D2D UE that the network equipment forwards; Described radio reception device generates one or more D2D according to described one or more D2D authorization datas and finds list.

Preferably, described radio reception device generates one or more D2D according to described one or more D2D authorization datas and finds that list comprises:

Described radio reception device generates described one or more D2D according to the sign ID of described one or more D2D authorization datas and described one or more D2D UE and finds list; Or

Described radio reception device generates described one or more D2D according to described one or more D2D authorization datas and user's application ID and finds list.

Preferably, use described one or more D2D authorization data that described one or more D2D UE are authenticated and comprised: described radio reception device finds that according to described multiple D2D list and/or multiple D2D authorization data judge that between described multiple D2D UE, whether allowing to carry out D2D finds operation.

Preferably, described radio reception device finds that according to described multiple D2D list and/or multiple D2D authorization data judge that between described multiple D2D UE, whether can carry out D2D finds that operation comprises: described radio reception device finds according to described multiple D2D list and/or multiple D2D authorization data judge whether the D2D UE in two D2D UE in described multiple D2D UE can find the 2nd D2D UE in described two D2D UE, and described the 2nd D2D UE can be found by a described D2DUE; If judged result is yes, described radio reception device determines that between described two D2D UE, allowing to carry out described D2D finds operation; If judged result is no, described radio reception device determines that between described two D2D UE, not allowing to carry out described D2D finds operation.

Preferably, the mobile management entity (MME) that described multiple D2D UE is corresponding, base station (eNB) and/or Home Environment (HE) are not identical, wherein, described HE comprises one of following: home subscriber server (HSS), access network discovery and selection function unit (ANDSF), application server, packet data gateway (P-GW).

Preferably, the described network equipment comprises one of following: MME, neighbours' discovery server.

Preferably, described radio reception device comprises one of following: base station, access controller (AC), access point (AP).

Preferably, the ID of described D2D UE comprise following one of at least: the sign in international mobile subscriber identity (IMSI), international Mobile Equipment identification code (IMEI), global unique customer equipment identification (GUTI), D2D discovery procedure.

Preferably, described D2D finds that list comprises: allow the sign of a D2D UE who finds described D2D UE and/or the sign of the 2nd D2DUE that permission is found by described D2DUE.

According to another aspect of the invention, also provide a kind of D2D UE authenticate device, having comprised: the first acquisition module, for obtaining one or more D2D authorization datas that one or more D2D UE are corresponding; The first authentication module, for being used described one or more D2D authorization data to authenticate described one or more D2D UE.

Preferably, described the first acquisition module is positioned at the network equipment, and wherein, it is one of following that described the first acquisition module comprises:

The second acquisition module, for obtaining one or more D2D authorization datas that one or more D2D UE are corresponding;

The 3rd acquisition module, for obtaining one or more D2D authorization datas of one or more D2D UE; With, the first generation module, finds list for generate one or more D2D according to described one or more D2D authorization datas.

Preferably, the first generation module comprises: the second generation module, for generate described one or more D2D according to the sign ID of described one or more D2D authorization datas and described one or more D2D UE, find list; Or the 3rd generation module, for generate described one or more D2D according to described one or more D2D authorization datas and user's application ID, find lists.

Preferably, described the first authentication module is positioned at the network equipment, wherein, described the first authentication module comprises: the first judge module, and for finding that according to multiple D2D list and/or multiple D2D authorization data judge that whether allowing to carry out D2D between described multiple D2D UE finds operation.

Preferably, described the first judge module comprises: the second judge module, for finding according to described multiple D2D lists and/or multiple D2D authorization data judge whether the D2D UE in two D2D UE of described multiple D2D UE can find the 2nd D2D UE in described two D2D UE, and described the 2nd D2D UE can be found by a D2D UE; The first determination module, when being, determines that between described two D2D UE, allowing to carry out described D2D finds operation for the judged result of described the second judge module; The second determination module, while being no for the judged result of described the second judge module, determines that between described two D2D UE, not allowing to carry out described D2D finds operation.

Preferably, described the first acquisition module and described the first authentication module are positioned at the described network equipment, and wherein, described the first acquisition module comprises: the 3rd acquisition module, for obtaining one or more D2D authorization datas that one or more D2D UE are corresponding; Described the first authentication module comprises: the 4th generation module, for generate one or more D2D according to described one or more D2D authorization datas, find list; Sending module, for described D2D is found to list sends to radio reception device, wherein, described D2D finds that list is used for described radio reception device and uses this D2D to find that list authenticates described D2D UE.

Preferably, described the 4th generation module comprises: the 5th generation module, for generate described one or more D2D according to the sign ID of described one or more D2D authorization datas and described one or more D2D UE, find list; Or the 6th generation module, for generate described one or more D2D according to described one or more D2D authorization datas and user's application ID, find lists.

Preferably, described the first acquisition module is positioned at radio reception device, and wherein, it is one of following that described the first acquisition module comprises:

The first receiver module, one or more D2D authorization datas corresponding to described one or more D2D UE that forward for receiving the described network equipment;

The second receiver module, for receiving the D2D authorization data of the described D2D UE that the described network equipment forwards; With, the 7th generation module, finds list for generate one or more D2D according to described one or more D2D authorization datas.

Preferably, described the 7th generation module comprises: the 8th generation module, for generate described one or more D2D according to the sign ID of described one or more D2D authorization datas and described one or more D2D UE, find list; Or the 9th generation module, for generate described one or more D2D according to described one or more D2D authorization datas and user's application ID, find lists.

Preferably, described the first authentication module is positioned at radio reception device, described the first authentication module comprises: the 3rd judge module, and for finding that according to described multiple D2D list and/or multiple D2D authorization data judge that whether allowing to carry out D2D between described multiple D2D UE finds operation.

Preferably, described the 3rd judge module comprises: the 4th judge module, for finding according to described multiple D2D lists and/or multiple D2D authorization data judge whether the D2D UE in two D2D UE of described multiple D2D UE can find the 2nd D2D UE in described two D2D UE, and described the 2nd D2D UE can be found by a D2D UE; The 3rd processing module, when being, determines that between described two D2D UE, allowing to carry out described D2D finds operation for the judged result of described the 4th judge module; The 4th determination module, while being no for the judged result of described the 4th judge module, determines that between described two D2D UE, not allowing to carry out described D2D finds operation.

By the present invention, the D2D authorization data of D2D UE is obtained in employing, then use this D2D authorization data to authenticate this D2D UE, make can certifiedly to manage by D2D UE, solved the poor problem of D2D UE communications security in correlation technique, thereby realized, D2D UE is authenticated by D2D authorization data, improved the fail safe of D2D UE communication.

Accompanying drawing explanation

Accompanying drawing described herein is used to provide a further understanding of the present invention, forms the application's a part, and schematic description and description of the present invention is used for explaining the present invention, does not form inappropriate limitation of the present invention.In the accompanying drawings:

Fig. 1 is the structural representation of the 3GPP of correlation technique and the packet-based core networks (Evolved Packet Core, referred to as EPC) of non-3GPP connecting system access evolution;

Fig. 2 is the D2D network architecture schematic diagram of correlation technique;

Fig. 3 is according to the flow chart of the D2D UE authentication method of the embodiment of the present invention;

Fig. 4 is according to the structured flowchart of the D2D UE authenticate device of the embodiment of the present invention;

Fig. 5 is the preferred structured flowchart one of D2D UE authenticate device according to the embodiment of the present invention;

Fig. 6 is the preferred structured flowchart two of D2D UE authenticate device according to the embodiment of the present invention;

Fig. 7 is the preferred structured flowchart three of D2D UE authenticate device according to the embodiment of the present invention;

Fig. 8 is according to the flow chart one of the D2D authentication method of the embodiment of the present invention;

Fig. 9 is according to the flowchart 2 of the D2D authentication method of the embodiment of the present invention;

Figure 10 is according to the flow chart 3 of the D2D authentication method of the embodiment of the present invention;

Figure 11 is the flow chart one of D2D UE authentication method according to the preferred embodiment of the invention;

Figure 12 is the flowchart 2 of D2D UE authentication method according to the preferred embodiment of the invention;

Figure 13 is the flow chart 3 of D2D UE authentication method according to the preferred embodiment of the invention;

Figure 14 is the flow chart four of D2D UE authentication method according to the preferred embodiment of the invention;

Figure 15 is the flow chart five of D2D UE authentication method according to the preferred embodiment of the invention;

Figure 16 is the flow chart six of D2D UE authentication method according to the preferred embodiment of the invention;

Figure 17 is the flow chart seven of D2D UE authentication method according to the preferred embodiment of the invention; And

Figure 18 is the flow chart eight of D2D UE authentication method according to the preferred embodiment of the invention.

Embodiment

Hereinafter with reference to accompanying drawing, also describe the present invention in detail in conjunction with the embodiments.It should be noted that, in the situation that not conflicting, the feature in embodiment and embodiment in the application can combine mutually.

The present embodiment provides a kind of D2D UE authentication method, and Fig. 3 is that the method comprises that following step S302 is to step S304 according to the flow chart of the D2D UE authentication method of the embodiment of the present invention.

Step S302: obtain one or more D2D authorization datas that one or more D2D UE are corresponding.

Step S304: use these one or more D2D authorization datas to authenticate these one or more D2D UE.

Pass through above-mentioned steps, obtain the D2D authorization data of D2D UE, then use this D2D authorization data to authenticate this D2D UE, make can certifiedly to manage by D2D UE, solved the poor problem of D2D UE communications security in correlation technique, thereby realized, D2D UE is authenticated by D2D authorization data, improved the fail safe of D2D UE communication.

In force, in the main body of authentication operation, be the network equipment, step S302 can be divided into following two kinds of modes and obtain authorization data:

Mode one: the network equipment obtains one or more D2D authorization datas of one or more D2D UE.

Mode two: after the network equipment obtains one or more D2D authorization datas of one or more D2D UE, this network equipment generates D2D according to these one or more D2D authorization datas and finds list, makes this network equipment use this D2D to find that list authenticates this D2D UE.

The main body of above-mentioned two kinds of authentication operations is the network equipment, makes the network equipment can control the authentication scenario of D2D UE, guarantees the privacy of D2D UE in D2D discovery procedure.Ratio preferably, in the implementation process of mode two, the network equipment can be accomplished in several ways according to one or more D2D authorization datas and generate D2D discovery list, for example: the network equipment generates one or more D2D according to the ID of one or more D2D authorization datas and one or more D2D UE and finds lists; Or the network equipment generates one or more D2D discovery lists according to one or more D2D authorization datas and user's application ID.

In verification process, the network equipment can authenticate D2D UE according to existing authentication method, in order to improve the reliability of authentication, can authenticate in the following way: the network equipment finds that according to multiple D2D list and/or multiple D2D authorization data judge that between multiple D2D UE, whether allowing to carry out D2D finds operation.Ratio preferably, in the implementation process of mode, the network equipment can find list and/or multiple D2D authorization data judge whether the D2D UE in two D2D UE in multiple D2D UE can find the 2nd D2D UE in two D2D UE according to multiple D2D, and the 2nd D2D UE can be found by a D2D UE; In judged result, when being, the network equipment determines that between two D2D UE, allowing to carry out D2D finds operation; In judged result, while being no, the network equipment determines that between two D2D UE, not allowing to carry out D2D finds operation.

In force, in the main body of authentication operation, be radio reception device, step S302 can be divided into following two kinds of modes and obtain authorization data:

Mode one: the network equipment obtains the D2D authorization data of D2D UE, then, this network equipment generates D2D according to this D2D authorization data and finds list, this network equipment finds that by this D2D list sends to radio reception device, for this radio reception device, uses this D2D to find that list authenticates this D2D UE.

Ratio preferably, in the implementation process of mode one, the network equipment can be accomplished in several ways according to one or more D2D authorization datas and generate D2D discovery list, for example: the network equipment generates one or more D2D according to the ID of one or more D2D authorization datas and one or more D2D UE and finds lists; Or the network equipment generates one or more D2D discovery lists according to one or more D2D authorization datas and user's application ID.

Mode two: radio reception device receives the D2D authorization data of this D2D UE of network equipment forwarding, then this radio reception device generates D2D by the sign ID of this D2D authorization data and this D2D UE and finds list; Use this D2D to find that list authenticates this D2D UE.

Ratio preferably, in the implementation process of mode two, radio reception device can be accomplished in several ways according to one or more D2D authorization datas and generate D2D discovery list, for example: radio reception device generates one or more D2D according to the ID of one or more D2D authorization datas and one or more D2D UE and finds lists; Or radio reception device generates one or more D2D discovery lists according to one or more D2D authorization datas and user's application ID.

In above-mentioned which, the main body of this authentication operation is radio reception device, makes radio reception device can control the authentication scenario of D2DUE, guarantees the privacy of D2D UE in D2D discovery procedure.

In verification process, radio reception device can authenticate D2D UE according to existing authentication method, in order to improve the reliability of authentication, can authenticate in the following way: radio reception device finds that according to multiple D2D list and/or multiple D2D authorization data judge that between multiple D2D UE, whether allowing to carry out D2D finds operation.Ratio preferably, in the implementation process of which, radio reception device can find list and/or multiple D2D authorization data judge whether the D2D UE in two D2D UE in multiple D2DUE can find the 2nd D2D UE in two D2D UE according to multiple D2D, and the 2nd D2D UE can be found by a D2D UE; In judged result, when being, radio reception device determines that between two D2D UE, allowing to carry out D2D finds operation; In judged result, while being no, radio reception device determines that between two D2D UE, not allowing to carry out D2D finds operation.

Preferably, in force, Mobility Management Entity (the Mobility Management Entity that multiple D2D UE are corresponding, referred to as MME), base station and/or Home Environment (Home Environment, referred to as HE) can be not identical, wherein, it is one of following that HE can comprise: home subscriber server (HSS), access network discovery and selection function unit (ANDSF), application server, packet data gateway (P-GW).

Preferably, in force, the network equipment can comprise multiple network element, for example: this network equipment can comprise one of following: Mobility Management Entity (MME), neighbours' discovery server.

Preferably, in force, radio reception device can comprise multiple network element, for example: this radio reception device can comprise one of following: base station, access controller (AC), access point (AP).

When implementing, in order to improve the accuracy that indicates D2D UE, the ID of D2D UE can comprise following one of at least: international mobile subscriber identity (International Mobie Subscriber Identity, referred to as IMSI), international Mobile Equipment identification code (International Mobie Equipment Identity, referred to as IMEI), the sign in global unique customer equipment identification (GloballyUnique Temporary UE Identity, referred to as GUTI), D2D discovery procedure.

As an execution mode preferably, the accuracy of finding in order to improve D2D, this D2D finds that list comprises: allow the sign of a D2D UE who finds D2D UE and/or allow the sign of the 2nd D2D UE being found by described D2D UE.

It should be noted that, in the step shown in the flow chart of accompanying drawing, can in the computer system such as one group of computer executable instructions, carry out, and, although there is shown logical order in flow process, but in some cases, can carry out shown or described step with the order being different from herein.

In another embodiment, also provide a kind of D2D UE authentication software, the technical scheme that this software is described for carrying out above-described embodiment and preferred embodiment.

In another embodiment, also provide a kind of storage medium, stored above-mentioned D2D UE authentication software in this storage medium, this storage medium includes but not limited to: CD, floppy disk, hard disk, scratch pad memory etc.

The embodiment of the present invention also provides a kind of D2D UE authenticate device, this D2D UE authenticate device can be for realizing above-mentioned D2D UE authentication method and preferred implementation, carried out explanation, repeated no more, below the module relating in this D2D UE authenticate device had been described.As used below, the combination of software and/or the hardware of predetermined function can be realized in term " module ".Although the described system and method for following examples is preferably realized with software, hardware, or the realization of the combination of software and hardware also may and be conceived.

Fig. 4 is that as shown in Figure 4, the method comprises according to the structured flowchart of the D2D UE authenticate device of the embodiment of the present invention: the first acquisition module 42 and the first authentication module 44, be described in detail said structure below.

The first acquisition module 42, for obtaining the D2D authorization data of one or more D2D UE; The first authentication module 44, is connected to the first acquisition module 42, for using one or more D2D authorization datas that the first acquisition module 42 gets to authenticate these one or more D2D UE.

Fig. 5 is the preferred structured flowchart one of D2D UE authenticate device according to the embodiment of the present invention, in the preferred embodiment, the first acquisition module 42 and the first authentication module 44 are positioned at the network equipment, and as shown in Figure 5, the first acquisition module 42 comprises: the second acquisition module 422; The 3rd acquisition module 424 and the first generation module 426; Wherein, the first generation module 426 comprises: the second generation module 4262 or the 3rd generation module 4264; The first authentication module 44 comprises: the first judge module 441, wherein, the first judge module 441 comprises: the second judge module 4412, the first determination module 4414, the second determination modules 4416, are described in detail said structure below.

It is one of following that the first acquisition module 42 comprises: the second acquisition module 422, for one or more D2D authorization datas corresponding to one or more D2D UE; The 3rd acquisition module 424, for obtaining one or more D2D authorization datas of one or more D2D UE; With, the first generation module 426, finds list for generate one or more D2D according to one or more D2D authorization datas.

Preferably, the first generation module 426 comprises: the second generation module 4262, for generate one or more D2D according to the sign ID of one or more D2D authorization datas and one or more D2D UE, find list; Or the 3rd generation module 4264, for generate one or more D2D according to one or more D2D authorization datas and user's application ID, find lists.

The first authentication module 44 comprises: the first judge module 441, and for finding that according to multiple D2D list and/or multiple D2D authorization data judge that whether allowing to carry out D2D between multiple D2D UE finds operation.

Preferably, the first judge module 441 comprises: the second judge module 4412, for finding according to multiple D2D lists and/or multiple D2D authorization data judge whether the D2D UE in two D2D UE of multiple D2D UE can find the 2nd D2D UE in two D2D UE, and the 2nd D2D UE can be found by a D2D UE; The first determination module 4414, is connected to the second judge module 4412, for the judged result of the second judge module 4412, when being, determines that between two D2D UE, allowing to carry out D2D finds operation; The second determination module 4416, is connected to the second judge module 4412, while being no for the judged result of the second judge module 4412, determines that between two D2D UE, not allowing to carry out D2D finds operation.

Fig. 6 is the preferred structured flowchart two of D2D UE authenticate device according to the embodiment of the present invention, in the preferred embodiment, the first acquisition module 42 and the first authentication module 44 are positioned at the network equipment, and as shown in Figure 5, the first acquisition module 42 comprises: the 3rd acquisition module 428; The first authentication module 44 comprises: the 4th generation module 442 and sending module 443, the four generation modules 442 comprise: the 5th generation module 4422 or the 6th generation module 4424, be described in detail said structure below.

The first acquisition module 42 comprises: the 3rd acquisition module 428, and for obtaining one or more D2D authorization datas that one or more D2D UE are corresponding.

The 4th generation module 442, finds list for generate one or more D2D according to these one or more D2D authorization datas; Sending module 444, is connected to the 4th generation module 442, and for these one or more D2D are found to list sends to radio reception device, D2D finds that list is used for this radio reception device and uses this D2D to find that list authenticates D2D UE.

Preferably, the 4th generation module 442 comprises: the 5th generation module 4422, for generate one or more D2D according to the sign ID of one or more D2D authorization datas and one or more D2D UE, find list; Or the 6th generation module 4424, for generate one or more D2D according to one or more D2D authorization datas and user's application ID, find lists.

Fig. 7 is the preferred structured flowchart three of D2D UE authenticate device according to the embodiment of the present invention, in the preferred embodiment, the first acquisition module 42 and the first authentication module 44 are positioned at radio reception device, and as shown in Figure 7, the first acquisition module 42 comprises: the first receiver module 429; The second receiver module 430 and the 7th generation module 432; The first authentication module 44 comprises: the 3rd judge module 444, the three judge modules 444 comprise: the 4th judge module 4442, the three processing module 4444, the four determination modules 4446, are described in detail said structure below.

The first acquisition module 42 comprises: the first receiver module 429, one or more D2D authorization datas corresponding to one or more D2D UE that forward for receiving the network equipment; The second receiver module 430, the D2D authorization data of D2D UE forwarding for receiving the network equipment; With, the 7th generation module 432, is connected to the second receiver module 430, for generate one or more D2D according to one or more D2D authorization datas, finds list.

Preferably, the 7th generation module 432 comprises: the 8th generation module 4322, for generate one or more D2D according to the sign ID of one or more D2D authorization datas and one or more D2D UE, find list; Or the 9th generation module 4324, for generate one or more D2D according to one or more D2D authorization datas and user's application ID, find lists.

The first authentication module 44 comprises: the 3rd judge module 444, and for finding that according to multiple D2D list and/or multiple D2D authorization data judge that whether allowing to carry out D2D between multiple D2D UE finds operation.

Preferably, the 3rd judge module 444 comprises: the 4th judge module 4442, for finding according to multiple D2D lists and/or multiple D2D authorization data judge whether the D2D UE in two D2D UE of multiple D2D UE can find the 2nd D2D UE in two D2D UE, and the 2nd D2D UE can be found by a D2D UE; The 3rd processing module 4444, is connected to the 4th judge module 4442, for the judged result of the 4th judge module 4442, when being, determines that between two D2D UE, allowing to carry out D2D finds operation; The 4th determination module 4446, is connected to the 4th judge module 4442, while being no for the judged result of the 4th judge module 4442, determines that between two D2D UE, not allowing to carry out D2D finds operation.

Below in conjunction with preferred embodiment, describe, below preferred embodiment combine above-described embodiment and preferred implementation.

Preferred embodiment one

This preferred embodiment provides the authentication method of a kind of D2DUE, and in the present embodiment, the network equipment that user is corresponding, as MME gets this user's authorization data.The network equipment, according to authorization data, judges, which user can find this user, or which terminal can find this terminal, and which user this user can be found by, and which terminal this terminal can be found by, etc.; Or the network equipment sends to authorization data and user-dependent sign base station or other radio reception devices of this user terminal connection, is judged by base station or other radio reception devices; Or the network equipment is according to authorization data, and user-dependent sign, generate list, wherein can comprise user or the terminal list that can find this user or terminal, can comprise the found user of this user or terminal or terminal list; The network equipment judges according to list, or the network equipment sends to base station or other radio reception devices by list, by base station or other radio reception devices, judged.

Preferably, in this user's subscription data, there are corresponding data to show to authorize this user to use D2D service, comprise that D2D finds and D2D Communications service.And, in D2D discovery procedure, according to the associated authorization information of user D2D service, D2D user's D2D is found to ask to carry out authentication.

D2D user is in verification process, obtain the user contracting data of authentication center, comprising D2D user, with D2D, serve relevant authorization data, this authorization data can comprise whether this user can use D2D service, whether this user uses open D2D service, and whether this user uses restrictive D2D service, and which user this user allows find this user, this user can find those other users, etc.

Preferably, D2D user's authorization data also may be from application service, the a certain application that this user uses, there is corresponding authorization data, comprise whether this user can use D2D service, and whether this user uses open D2D service, whether this user uses restrictive D2D service, which user this user allows find this user, and this user can find those other users, etc.

As an execution mode preferably: relevant device can judge according to authorization data, which user can find this user, or which terminal can find this terminal, and which user this user can be found by, which terminal this terminal can be found by, etc.

Preferably, relevant device can be according to authorization data, and user-dependent sign, generates list, judges with list.In list, can comprise the user's correlated identities list that can find this user, can comprise the list of the found user's correlated identities of this user.

Preferably, user-dependent sign, can be IMSI, IMEI, and GUTI, the sign of using in D2D discovery procedure, etc.

Preferably, the relevant device that generates list can be the network equipment, as the MME of LTE, as the ANDSF of WLAN D2D discovery, neighbours' discovery server etc., or the relevant device that generates list can be also radio reception device, as the base station eNB of LTE, as the AC of WLAN, AP.

Preferably, the network equipment that generates list can send to list other network equipments, or radio reception device, by other network equipments or radio reception device, is judged.

Preferably, the relevant device judging can be the network equipment, or radio reception device.

It should be noted that, in order to judge, relevant device need to obtain user's correlation ID.

Preferred embodiment two

This preferred embodiment provides a kind of D2D UE authentication method, and Fig. 8 is according to the flow chart one of the D2D authentication method of the embodiment of the present invention, and as shown in Figure 8, the method comprises the steps that S802 is to step S818.

Step S802: the network equipment obtains this user's D2D authorization data.

It should be noted that, after step S802, the network equipment can be processed according to one of following flow process:

Flow process one: the network equipment can directly judge (step S808) according to D2D authorization data.

Flow process two: the network equipment can be according to D2D authorization data, generates D2D and finds list (step S804), then according to D2D, finds that list judges (step S806).

Flow process three: the network equipment can be according to D2D authorization data, generate D2D and find list (step S804), then the network equipment can be found D2D that list sends to radio reception device (step S810), then by radio reception device, according to D2D, finds that list judges (step S812).

Flow process four: the network equipment can send to D2D authorisation device radio reception device (step S814), and then radio reception device directly judges (step S818) according to this D2D authorization data.

Flow process five: the network equipment can send to D2D authorisation device radio reception device (step S814), then radio reception device is used D2D authorization data and user's correlation ID to generate D2D and finds list (step S816), and radio reception device finds that according to D2D list judges (step S812).

Step S804: the network equipment, according to this user's D2D authorization data, generates D2D and finds list.

Step S806: the network equipment finds that according to D2D list judges.

Step S808: the network equipment enters judgement according to D2D authorization data.

Step S810: radio reception device finds that by D2D list sends to radio reception device.

Step S812: radio reception device finds that according to D2D list judges.

Step S814: radio reception device obtains the D2D authorization data that obtains this user from the network equipment.

Step S816: radio reception device, according to this user's D2D authorization data, generates D2D and finds list.

Step S818: radio reception device judges according to D2D authorization data.

As an execution mode preferably, user's D2D authorization data comprises following information: whether this user can use D2D service, whether this user uses open D2D service, whether this user uses restrictive D2D service, which user this user allows find this user, which other user this user can find, etc.

As an execution mode preferably, this user's D2D finds that list comprises following information: the user list that can find this user; And/or the user list that can be found by this user; And/or cannot find this user's user list; And/or the user list that cannot be found by this user, etc.If what this user used is open D2D service, all users can find this user, the user list that can find so this user is " all users ", or this user can find all users, the user list that can be found by this user is so " all users ".

As another execution mode preferably, the content judging is, this user is when finding, found another D2D user, now need to judge whether this user can find another D2D user, or this user, in the process of being found by another D2D user, now needs to judge whether this user can be found by another D2D user.

Preferred embodiment three

This preferred embodiment provides a kind of D2D UE authentication method, and Fig. 9 is according to the flowchart 2 of the D2D authentication method of the embodiment of the present invention, and as shown in Figure 9, the method comprises the steps that S902 is to step S906.In this preferred embodiment, the network equipment finds that according to user's D2D authorization data or D2D list judges whether to carry out D2D discovery.

Step S902: the network equipment obtains user's D2D authorization data from Home Environment, or the D2D that the network equipment obtains user from Home Environment finds list.

Step S904: the D2D that the network equipment may generate this user according to D2D authorization data finds list, if 402 D2D that to be network equipments obtain user from Home Environment find list, need not generate.

Step S906: the network equipment finds that according to this user's D2D authorization data or D2D list judges, whether this user can be found by other user, or whether this user can find other user.

Preferred embodiment four

This preferred embodiment provides a kind of D2D UE authentication method, and Figure 10 is according to the flow chart 3 of the D2D authentication method of the embodiment of the present invention, and as shown in figure 10, the method comprises the steps that S1002 is to step S1008.In this preferred embodiment, radio reception device finds that according to user's D2D authorization data or D2D list judges whether to carry out D2D discovery.

Step S1002: the network equipment obtains user's D2D authorization data from Home Environment, or the D2D that the network equipment obtains user from Home Environment finds list.

Step S1004: the D2D that the network equipment may generate this user according to D2D authorization data finds list, if 502 D2D that to be network equipments obtain user from Home Environment find list, need not generate.

Step S1006: the network equipment finds that by D2D authorization data or D2D list sends to radio reception device.

Step S1008: radio reception device finds that according to this user's D2D authorization data or D2D list judges, whether this user can be found by other user, or whether this user can find other user.

Preferred embodiment five

This preferred embodiment provides a kind of D2D UE authentication method, and Figure 11 is the flow chart one of D2D UE authentication method according to the preferred embodiment of the invention, and as shown in figure 11, the method comprises the steps that S1102 is to step S1138.This preferred embodiment has been described two flow processs that UE carries out D2D authentication that are linked into 3GPP access.In this preferred embodiment, the eNB of UE1 and UE2 can be same eNB, can be also that different eNB.UE1 and the MME of UE2 can be same MME, can be also different MME.The HE of UE1 and UE2 can be same HE, can be also different HE.

Step S1102:UE2 sends user authentication request to MME, the user's correlation ID that comprises UE2.

Step S1104:MME is to Home Environment request UE2 user's Ciphering Key, and this user's D2D authorization data.

Step S1106: Home Environment sends UE2 user's Ciphering Key to MME, and this user's D2D authorization data.If MME has preserved this user's Ciphering Key and D2D authorization data, step S1104 and S1106 can not carry out.

Step S1108:MME replys user authentication response to UE2.

Step S1110～step S1116 is the process that UE1 obtains D2D authorization data, and S1102～step S1108 is consistent with step.

The process that UE1 obtains D2D authorization data after UE2 obtains the process of D2D authorization data and before all can.

Step S1118:UE1 and UE2 perception terminal equipment nearby, need to further be confirmed whether to carry out mutually D2D discovery.As, UE1 perceives UE2 nearby, and this terminal of notice UE2 has perceived it, and the user of UE1 wants to find the user of UE2; And UE2 learns that UE1 has perceived it nearby, and the user of UE1 wants to find the user of UE2.

Step S1120:UE2 sends D2D to eNB and finds request, wherein carries user's correlation ID of UE2.

Step S1122:eNB sends D2D to MME and finds request, wherein carries user's correlation ID of UE2.In user's correlation ID in this step and S1120 can be identical, can be also different I D corresponding to this user, for example, the ID in step S1120 can be the D2DID of base station assigns to this user, and ID in this step is GUTI or other ID.

Step S1124:MME judges according to UE2 user's D2D authorization data, and whether UE2 user can be found by the user of UE1.

Step S1126:MME sends D2D to eNB and finds response, wherein carries the judged result whether UE2 user can be found by UE1 user.

Step S1128:eNB sends D2D to UE2 and finds response.

Step S1130～step S1132 is consistent with step S1120～step S1122,

Step S1134:MME judges according to UE1 user's D2D authorization data, and whether UE1 user can find the user of UE2.

Step S1136～step S1138 is consistent with step S1126～step S1128.

It should be noted that, the discovery procedure of UE1 all could before or after the discovery procedure of UE2.

If judged result is, UE2 user can find by UE1 user, and UE1 user can find UE2 user, and D2D finds to carry out; If judged result is, UE2 user can not find by UE1 user, and UE1 user can find UE2 user; Or UE2 user can find by UE1 user, UE1 user can not find UE2 user; Or UE2 user can not find by UE1 user, UE1 user can not find UE2 user, and D2D finds to carry out.

Preferred embodiment six

This preferred embodiment provides a kind of D2D UE authentication method, and Figure 12 is the flowchart 2 of D2D UE authentication method according to the preferred embodiment of the invention, and as shown in figure 12, the method comprises the steps that S1202 is to step S1236.This preferred embodiment has been described two flow processs that UE carries out D2D authentication that are linked into 3GPP access.In this preferred embodiment, MME generates D2D and finds that list is for judgement, and only by UE1 transmission D2D, finds request.In this embodiment, the eNB of UE1 and UE2 can be same eNB, can be also that different eNB.UE1 and the MME of UE2 can be same MME, can be also different MME.The HE of UE1 and UE2 can be same HE, can be also different HE.

Step S1202～step S1216: with step S1102～step S1116.

The process that UE1 obtains D2D authorization data after UE2 obtains the process of D2D authorization data and before all can.

Step S1218:MME generates UE1 user D2D according to UE1 user's D2D authorization data and finds list.This step is before step S1206 and step S1228.If what obtain from HE is that D2D finds list, this step can be omitted.

Step S1220:MME generates UE2 user D2D according to UE2 user's D2D authorization data and finds list.This step is between S1214 and S1228.If what obtain from HE is that D2D finds list, this step can be omitted.

Step S1222:UE1 and UE2 perception terminal equipment nearby, need to further be confirmed whether to carry out mutually D2D discovery.As, UE1 perceives UE2 nearby, and the user of UE1 wants to find the user of UE2.

Step S1224:UE1 sends D2D to eNB and finds request, wherein carries user's correlation ID of UE1 and user's correlation ID of UE2.

Step S1226:eNB sends D2D to MME and finds request, wherein carries user's correlation ID of UE1 and user's correlation ID of UE2.In user's correlation ID in this step and S1120 can be identical, can be also different I D corresponding to this user, for example, the ID in step S1120 can be the D2D ID of base station assigns to this user, and ID in this step is GUTI or other ID.

Step S1228:MME finds that according to the D2D of UE1 list judges, whether the user of UE1 can find the user of UE2.

Step S1230:MME finds that according to the D2D of UE2 list judges, whether the user of UE2 can be found by the user of UE1.

Step S1232:MME sends D2D to eNB and finds response, and whether the user who wherein carries UE1 can find the user of UE2, the judged result whether UE2 user can be found by UE1 user.

If judged result is, UE2 user can find by UE1 user, and UE1 user can find UE2 user, and D2D finds to carry out; If judged result is, UE2 user can not find by UE1 user, and UE1 user can find UE2 user; Or UE2 user can find by UE1 user, UE1 user can not find UE2 user; Or UE2 user can not find by UE1 user, UE1 user can not find UE2 user, and D2D finds to carry out.

Step S1234:eNB sends D2D to UE1 and finds response.

Step S1236:eNB sends D2D to UE2 and finds response.This step is optional, also needs to learn that D2D finds during result to occur being found terminal UE 2.

Preferred embodiment seven

This preferred embodiment provides a kind of D2D UE authentication method, and Figure 13 is the flow chart 3 of D2D UE authentication method according to the preferred embodiment of the invention, and as shown in figure 13, the method comprises the steps that S1302 is to step S1336.This preferred embodiment has been described two flow processs that UE carries out D2D authentication that are linked into 3GPP access.This preferred embodiment has been described two flow processs that UE carries out D2D authentication that are linked into 3GPP access.In this preferred embodiment, MME finds that by UE1 user and UE2 user's D2D list sends to eNB, by eNB, is judged.In this preferred embodiment, the eNB of UE1 and UE2 can be same eNB, can be also that different eNB.UE1 and the MME of UE2 can be same MME, can be also different MME.The HE of UE1 and UE2 can be same HE, can be also different HE.

Step S1302～step S1320: with step S1202～step S1220.If what obtain from HE is that D2D finds list, step S1318, step S1320 step can be omitted.

Step S1322:MME, in Initial context setup message, finds that by UE1 user's D2D list sends to this step of eNB. after S1318, before S1330.

Step S1324:MME, in Initial context setup message, finds that by UE2 user's D2D list sends to this step of eNB. after step S1320, before step S1332.

Step S1326:UE1 and UE2 perception terminal equipment nearby, need to further be confirmed whether to carry out mutually D2D discovery.As, UE1 perceives UE2 nearby, and the user of UE1 wants to find the user of UE2.

Step S1328:UE1 sends D2D to eNB and finds request, wherein carries user's correlation ID of UE1 and user's correlation ID of UE2.

Step S1330:eNB finds that according to the D2D of UE1 list judges, whether the user of UE1 can find the user of UE2

Step S1332:eNB finds that according to the D2D of UE2 list judges, whether the user of UE2 can be found by the user of UE1.

If judged result is, UE2 user can find by UE1 user, and UE1 user can find UE2 user, and D2D finds to carry out; If judged result is, UE2 user can not find by UE1 user, and UE1 user can find UE2 user; Or UE2 user can find by UE1 user, UE1 user can not find UE2 user; Or UE2 user can not find by UE1 user, UE1 user can not find UE2 user, and D2D finds to carry out.

Step S1334:eNB sends D2D to UE1 and finds response.

Step S1336:eNB sends D2D to UE2 and finds response.This step is optional, also needs to learn that D2D finds during result to occur being found terminal UE 2.

Preferred embodiment eight

This preferred embodiment provides a kind of D2D UE authentication method, and Figure 14 is the flow chart four of D2D UE authentication method according to the preferred embodiment of the invention, and as shown in figure 14, the method comprises the steps that S1402 is to step S1442.This preferred embodiment has been described two flow processs that UE carries out D2D authentication that are linked into 3GPP access.This preferred embodiment has been described two flow processs that UE carries out D2D authentication that are linked into 3GPP access.In this preferred embodiment, the non-3GPP of UE1 and UE2 access can be identical, can be also that different UE1 and the AAA Server of UE2 can be same AAA Server, can be also different AAA Server.The HE of UE1 and UE2 can be same HE, can be also different HE.Neighbours' discovery server and AAA Server can be same equipment, can be also different equipment

Step S1402:UE2 sends user authentication request, the user's correlation ID that comprises UE2 to AAA Server.

Step S1404:AAA Server is to Home Environment request UE2 user's Ciphering Key, and this user's D2D authorization data.

Step S1406: Home Environment sends UE2 user's Ciphering Key to AAA Server, and this user's D2D authorization data.If AAA Server has preserved this user's Ciphering Key and D2D authorization data, step S1404 and step S1406 can not carry out.

Step S1408:AAA Server replys user authentication response to UE2.

Step S1410:AAA Server sends D2D authorization data to neighbours' discovery server.This step can occur between S1406 and step S1422.If AAA Server and neighbours' discovery server are same equipment, this step can not carried out.

Step S1412～step S1420: with step S1402～S1410.

The process that UE1 obtains D2D authorization data after UE2 obtains the process of D2D authorization data and before all can.

Step S1422: the D2D that neighbours' discovery server generates UE1 user according to the D2D authorization data of UE1 finds list.After this step can occur in S1420, before S1442.If what obtain from HE is that D2D finds list, this step can be omitted.

Step S1424: the D2D that neighbours' discovery server generates UE2 user according to the D2D authorization data of UE2 finds list.After this step can occur in step S1410, before step S1432.If what obtain from HE is that D2D finds list, this step can be omitted.

Step S1426:UE1 and UE2 perception terminal equipment nearby, need to further be confirmed whether to carry out mutually D2D discovery.As, UE1 perceives UE2 nearby, and the user of UE1 wants to find the user of UE2.

Step S1428:UE2 sends D2D to non-3GPP access and finds request, wherein carries user's correlation ID of UE2.

Step S1430: non-3GPP access sends D2D to neighbours' discovery server and finds request, wherein carries user's correlation ID of UE2.In user's correlation ID in this step and step S1428 can be identical, can be also different I D corresponding to this user, for example, the ID in the rapid S1428 of step can be the D2D ID of base station assigns to this user, and ID in this step is GUTI or other ID.

Step S1432: neighbours' discovery server finds that according to UE2 user's D2D authorization data or D2D list judges, whether UE2 user can be found by the user of UE1.If step S1424 step is not carried out, according to UE2 user's D2D authorization data judgement, if step S1424 step has been carried out, according to D2D, find that list judges.

Step S1434: neighbours' discovery server sends D2D to non-3GPP access and finds response, wherein carries the judged result whether UE2 user can be found by UE1 user.

Step S1436: non-3GPP access sends D2D to UE2 and finds response.

Step S1438～step S1440 is consistent with step S1428～step S1430.

Step S1442: neighbours' discovery server finds that according to UE1 user's D2D authorization data or D2D list judges, whether UE1 user can find the user of UE2.If step S1422 does not carry out, according to UE1 user's D2D authorization data judgement, if step S1422 has carried out, according to D2D, find that list judges.

Step S1444～step S1446: with step S1434～step S1436 step.The D2D discovery procedure of UE1 all could before or after the D2D of UE2 discovery procedure.

After step S1442 step, if judged result be, UE2 user can find by UE1 user, UE1 user can find UE2 user, D2D finds to carry out; If judged result is, UE2 user can not find by UE1 user, and UE1 user can find UE2 user; Or UE2 user can find by UE1 user, UE1 user can not find UE2 user; Or UE2 user can not find by UE1 user, UE1 user can not find UE2 user, and D2D finds to carry out.

Preferred embodiment nine

This preferred embodiment provides a kind of D2D UE authentication method, and Figure 15 is the flow chart five of D2D UE authentication method according to the preferred embodiment of the invention, and as shown in figure 15, the method comprises the steps that S1502 is to step S1524.This preferred embodiment has been described two flow processs that UE carries out D2D authentication that are linked into 3GPP access.This preferred embodiment has been described two flow processs that UE carries out D2D authentication that are linked into 3GPP access.In this preferred embodiment, after D2D discovery procedure starts, then carry out Network Capture authorization data, and, by a UE, to network, send D2D and find request.In this embodiment, the non-3GPP of UE1 and UE2 access can be identical, can be also that different .UE1 and the AAA Server of UE2 can be same AAAServer, can be also different AAA Server.The HE of UE1 and UE2 can be same HE, can be also different HE.Neighbours' discovery server and AAA Server can be same equipment, can be also different equipment

Step S1502:UE1 and UE2 perception terminal equipment nearby, need to further be confirmed whether to carry out mutually D2D discovery.As, UE1 perceives UE2 nearby, and the user of UE1 wants to find the user of UE2.

Step S1504:UE1 sends D2D to non-3GPP access and finds request, wherein carries user's correlation ID of UE1 and user's correlation ID of UE2.

Step S1506: non-3GPP access sends D2D to neighbours' discovery server and finds request, the D2D authorization data of request UE1 and UE2.If neighbours' discovery server of UE1 and UE2 is different, need two independent message to ask.

Step S1508: neighbours' discovery server sends to Home Environment the D2D authorization data request of obtaining, the D2D authorization data of request UE1 and UE2.If the Home Environment of UE1 and UE2 is different, need two independent message to ask.

Step S1510: attribution server returns and obtains the response of D2D authorization data, the D2D authorization data that comprises UE1 and UE2 to neighbours' discovery server.If the Home Environment of UE1 and UE2 is different, need two independent message.

Step S1512: the D2D that neighbours' discovery server generates UE1 user according to the D2D authorization data of UE1 finds list.If what obtain from HE is that D2D finds list, this step can be omitted.

Step S1514: the D2D that neighbours' discovery server generates UE2 user according to the D2D authorization data of UE2 finds list.If what obtain from HE is that D2D finds list, this step can be omitted.

Step S1516: neighbours' discovery server finds that according to UE1 user's D2D authorization data or D2D list judges, whether UE1 user can find the user of UE2.If step S1512 does not carry out, according to UE1 user's D2D authorization data judgement, if step S1512 step has been carried out, according to D2D, find that list judges.

Step S1518: neighbours' discovery server finds that according to UE2 user's D2D authorization data or D2D list judges, whether UE2 user can be found by the user of UE1.If step S1514 does not carry out, according to UE2 user's D2D authorization data judgement, if step S1514 has carried out, according to D2D, find that list judges.

If judged result is: UE2 user can find by UE1 user, UE1 user can find UE2 user, and D2D finds to carry out; If judged result is, UE2 user can not find by UE1 user, and UE1 user can find UE2 user; Or UE2 user can find by UE1 user, UE1 user can not find UE2 user; Or UE2 user can not find by UE1 user, UE1 user can not find UE2 user, and D2D finds to carry out.

Step S1520: neighbours' discovery server is replied D2D to non-3GPP access and found response.

Step S1522: non-3GPP access is replied D2D to UE1 and found response.

Step S1524: non-3GPP access is replied D2D to UE2 and found response.This step is optional, also needs to learn that D2D finds during result to occur being found terminal UE 2.

Preferred embodiment ten

This preferred embodiment provides a kind of D2D UE authentication method, and Figure 16 is the flow chart six of D2D UE authentication method according to the preferred embodiment of the invention, and as shown in figure 16, the method comprises the steps that S1602 is to step S1638.This preferred embodiment has been described two flow processs that UE carries out D2D authentication that are linked into 3GPP.In this preferred embodiment, MME finds that by UE1 user and UE2 user's D2D list sends to eNB, by eNB, is judged.In this embodiment, the eNB of UE1 and UE2 can be same eNB, can be also that different eNB.UE1 and the MME of UE2 can be same MME, can be also different MME.The HE of UE1 and UE2 can be same HE, can be also different HE.

Step S1602～step S1626: with step S1302～S1326.If what obtain from HE is that D2D finds list, step S1618, step S1620 step can be omitted.

Step S1628:UE2 sends D2D to eNB and finds request, wherein carries user's correlation ID of UE2.

Step S1630:eNB finds that according to the D2D of UE2 list judges, whether the user of UE2 can be found by the user of UE1.

Step S1632:eNB sends D2D to UE2 and finds response.

Step S1634:UE1 sends D2D to eNB and finds request, wherein carries user's correlation ID of UE1.

Step S1636:eNB finds that according to the D2D of UE1 list judges, whether the user of UE1 can be found by the user of UE1.

Step S1638:eNB sends D2D to UE1 and finds response.

If judged result is: UE2 user can find by UE1 user, UE1 user can find UE2 user, and D2D finds to carry out; If judged result is, UE2 user can not find by UE1 user, and UE1 user can find UE2 user; Or UE2 user can find by UE1 user, UE1 user can not find UE2 user; Or UE2 user can not find by UE1 user, UE1 user can not find UE2 user, and D2D finds to carry out.

Preferred embodiment 11

This preferred embodiment provides a kind of D2D UE authentication method, and Figure 17 is the flow chart seven of D2D UE authentication method according to the preferred embodiment of the invention, and as shown in figure 17, the method comprises the steps that S1702 is to step S1738.

Step S1702:UE2 sends user authentication request to MME2.

Step S1704:MME2 sends to HE the D2D authorization data request of obtaining.

Step S1706:HE sends and obtains the response of D2D authorization data to MME2.

Step S1708:MME2 sends user authentication response to UE2.

Step S1710:UE1 sends user authentication request to MME1.

Step S1712:MME1 sends to HE the D2D authorization data request of obtaining.

Step S1714:HE sends and obtains the response of D2D authorization data to MME1.

Step S1716:MME1 sends user authentication response to UE1.

Step S1718: generate D2D according to the D2D authorization data of UE1 and find list.

Step S1720: generate D2D according to the D2D authorization data of UE2 and find list.

D2D authorization data from UE1 to eNB1 or D2D that step S1722:MME1 sends find list.

D2D authorization data from UE1 to eNB2 or D2D that step S1724:MME2 sends find list.

There is UE1 in step S1726:UE2 perception.

Step S1728:UE2 sends D2D to eNB1 and finds request.

Step S1730:eNB1 finds that according to the D2D of UE2 list judges.

Step S1732:eNB1 sends D2D to UE2 and finds response.

Step S1734:UE1 sends D2D to eNB2 and finds request.

Step S1736:eNB2 finds that according to the D2D of UE1 list judges.

Step S1738:eNB2 sends D2D to UE1 and finds response.

Preferred embodiment 12

This preferred embodiment provides a kind of D2D UE authentication method, and Figure 18 is the flow chart eight of D2D UE authentication method according to the preferred embodiment of the invention, and as shown in figure 18, the method comprises the steps that S1802 is to step S1836.

Step S1802:UE2 sends user authentication request to MME2.

Step S1804:MME2 sends to HE the D2D authorization data request of obtaining.

Step S1806:HE sends and obtains the response of D2D authorization data to MME2.

Step S1808:MME2 sends user authentication response to UE2.

Step S1810:UE1 sends user authentication request to MME1.

Step S1812:MME1 sends to HE1 the D2D authorization data request of obtaining.

Step S1814:HE1 sends and obtains the response of D2D authorization data to MME1.

Step S1816:MME1 sends user authentication response to UE1.

Step S1818:MME1 generates D2D according to the D2D authorization data of UE1 and finds list.

Step S1820:MME2 generates D2D according to the D2D authorization data of UE2 and finds list.

Step S1822:UE1 and UE2 perception the other side exist.

Step S1824:UE1 sends D2D to eNB and finds request.

Step S1826:eNB sends D2D to MME1 and finds request.

Step S1828:MME1 finds that according to the D2D of UE1 list judges, and asks MME2 to judge.

Step S1830:MME2 finds that according to the D2D of UE2 list judges.

Step S1832:MME1 sends D2D to eNB and finds response.

Step S1834:eNB sends D2D to UE1 and finds response.

Step S1836:eNB sends D2D to UE2 and finds response.

Pass through above-described embodiment, a kind of D2D UE authentication method and device are provided, by obtaining the D2D authorization data of D2D UE, then use this D2D authorization data to authenticate this D2D UE, make can certifiedly to manage by D2D UE, solved the poor problem of D2D UE communications security in correlation technique, thereby realized, D2D UE is authenticated by D2D authorization data, improved the fail safe of D2D UE communication, and by the management to D2D authorization data, and according to D2D authorization data, carry out the judgement of D2D discovery, the authority that makes operator find D2D is objective controlled, the authority that can find D2D with seasonal user is controlled.It should be noted that, these technique effects are not that above-mentioned all execution modes have, and some technique effect is that some preferred implementation just can obtain.

Obviously, those skilled in the art should be understood that, above-mentioned of the present invention each module or each step can realize with general calculation element, they can concentrate on single calculation element, or be distributed on the network that multiple calculation elements form, alternatively, they can be realized with the executable program code of calculation element, thereby they can be stored in storage device and be carried out by calculation element, or they are made into respectively to each integrated circuit modules, or the multiple modules in them or step are made into single integrated circuit module to be realized.Like this, the present invention is not restricted to any specific hardware and software combination.

The foregoing is only the preferred embodiments of the present invention, be not limited to the present invention, for a person skilled in the art, the present invention can have various modifications and variations.Within the spirit and principles in the present invention all, any modification of doing, be equal to replacement, improvement etc., within all should being included in protection scope of the present invention.

Claims (27)

1. a device-to-device D2D user equipment (UE) authentication method, is characterized in that comprising:

Obtain one or more D2D authorization datas that one or more D2D UE are corresponding;

Use described one or more D2D authorization data to authenticate described one or more D2D UE.

2. method according to claim 1, is characterized in that,

It is one of following that the one or more D2D authorization datas that obtain one or more D2D UE comprise:

The described network equipment obtains one or more D2D authorization datas of one or more D2D UE;

The described network equipment obtains one or more D2D authorization datas of one or more D2D UE; The described network equipment generates one or more D2D according to described one or more D2D authorization datas and finds list.

3. method according to claim 2, is characterized in that, the described network equipment generates one or more D2D according to described one or more D2D authorization datas and finds that list comprises:

The described network equipment generates described one or more D2D according to the sign ID of described one or more D2D authorization datas and described one or more D2D UE and finds list; Or

The described network equipment generates described one or more D2D according to described one or more D2D authorization datas and user's application ID and finds list.

4. method according to claim 2, is characterized in that, uses described one or more D2D authorization data that described one or more D2DUE are authenticated and comprised:

The described network equipment finds that according to multiple D2D list and/or multiple D2D authorization data judge that between described multiple D2DUE, whether allowing to carry out D2D finds operation.

5. method according to claim 4, is characterized in that, the described network equipment finds that according to described multiple D2D list judges that between described multiple D2D UE, whether allowing to carry out D2D finds that operation comprises:

The described network equipment finds according to described multiple D2D list and/or multiple D2D authorization data judge whether the D2D UE in two D2D UE in described multiple D2D UE can find the 2nd D2DUE in described two D2D UE, and described the 2nd D2DUE can be found by a D2DUE;

If judged result is yes, the described network equipment determines that between described two D2D UE, allowing to carry out described D2D finds operation; If judged result is no, the described network equipment determines that between described two D2D UE, not allowing to carry out described D2D finds operation.

6. method according to claim 1, is characterized in that,

Obtaining one or more D2D authorization datas that one or more D2D UE are corresponding comprises: the described network equipment obtains one or more D2D authorization datas that one or more D2D UE are corresponding;

Use described one or more D2D authorization data that described one or more D2D UE are authenticated and comprised: the described network equipment generates one or more D2D according to described one or more D2D authorization datas and finds list; The described network equipment finds that by described one or more D2D list sends to radio reception device, by described radio reception device, uses this D2D to find that list authenticates described D2D UE.

7. method according to claim 6, is characterized in that, the described network equipment generates one or more D2D according to described one or more D2D authorization datas and finds that list comprises:

The described network equipment generates described one or more D2D according to the sign ID of described one or more D2D authorization datas and described one or more D2D UE and finds list; Or

The described network equipment generates described one or more D2D according to described one or more D2D authorization datas and user's application ID and finds list.

8. method according to claim 1, is characterized in that,

It is one of following that the D2D authorization data that obtains D2D UE comprises:

Radio reception device receives one or more D2D authorization datas corresponding to described one or more D2D UE that the network equipment forwards;

Described radio reception device receives one or more D2D authorization datas corresponding to described one or more D2D UE that the network equipment forwards; Described radio reception device generates one or more D2D according to described one or more D2D authorization datas and finds list.

9. method according to claim 8, is characterized in that, described radio reception device generates one or more D2D according to described one or more D2D authorization datas and finds that list comprises:

Described radio reception device generates described one or more D2D according to the sign ID of described one or more D2D authorization datas and described one or more D2D UE and finds list; Or

Described radio reception device generates described one or more D2D according to described one or more D2D authorization datas and user's application ID and finds list.

10. according to the method described in any one in claim 6 to 9, it is characterized in that, use described one or more D2D authorization data that described one or more D2D UE are authenticated and comprised:

Described radio reception device finds that according to described multiple D2D list and/or multiple D2D authorization data judge that between described multiple D2D UE, whether allowing to carry out D2D finds operation.

11. methods according to claim 10, is characterized in that, described radio reception device finds that according to described multiple D2D list and/or multiple D2D authorization data judge that between described multiple D2D UE, whether can carry out D2D finds that operation comprises:

Described radio reception device finds according to described multiple D2D list and/or multiple D2D authorization data judge whether the D2D UE in two D2D UE in described multiple D2D UE can find the 2nd D2DUE in described two D2D UE, and described the 2nd D2DUE can be found by a described D2DUE;

If judged result is yes, described radio reception device determines that between described two D2D UE, allowing to carry out described D2D finds operation; If judged result is no, described radio reception device determines that between described two D2D UE, not allowing to carry out described D2D finds operation.

12. according to the method described in any one in claim 2 to 9,11, it is characterized in that, Mobility Management Entity MME corresponding to described multiple D2D UE, base station and/or Home Environment HE are not identical, wherein, described HE comprises one of following: home subscriber server HSS, access network discovery and selection function unit ANDSF, application server, packet data gateway P-GW.

13. according to the method described in any one in claim 2 to 9,11, it is characterized in that, it is one of following that the described network equipment comprises: MME, neighbours' discovery server.

14. according to the method described in any one in claim 6 to 9,11, it is characterized in that, it is one of following that described radio reception device comprises: base station, access controller AC, access point AP.

15. according to the method described in claim 3 or 7, it is characterized in that, the ID of described D2D UE comprise following one of at least:

Sign in international mobile subscriber identity IMSI, international Mobile Equipment identification code IMEI, global unique customer equipment identification GUTI, D2D discovery procedure.

16. according to the method described in any one in claim 2 to 9,11, and described D2D finds that list comprises: allow the sign of a D2D UE who finds described D2D UE and/or allow by the sign of the 2nd D2D UE of described D2D UE discovery.

17. 1 kinds of device-to-device D2D user equipment (UE) authenticate devices, is characterized in that comprising:

The first acquisition module, for obtaining one or more D2D authorization datas that one or more D2D UE are corresponding;

The first authentication module, for being used described one or more D2D authorization data to authenticate described one or more D2D UE.

18. devices according to claim 17, is characterized in that, described the first acquisition module is positioned at the network equipment, wherein,

It is one of following that described the first acquisition module comprises:

The second acquisition module, for obtaining one or more D2D authorization datas that one or more D2D UE are corresponding;

The 3rd acquisition module, for obtaining one or more D2D authorization datas of one or more D2D UE; With, the first generation module, finds list for generate one or more D2D according to described one or more D2D authorization datas.

19. devices according to claim 18, is characterized in that, the first generation module comprises:

The second generation module, finds list for generate described one or more D2D according to the sign ID of described one or more D2D authorization datas and described one or more D2D UE; Or

The 3rd generation module, finds list for generate described one or more D2D according to described one or more D2D authorization datas and user's application ID.

20. devices according to claim 18, is characterized in that, described the first authentication module is positioned at the network equipment, wherein,

Described the first authentication module comprises: the first judge module, and for finding that according to multiple D2D list and/or multiple D2D authorization data judge that whether allowing to carry out D2D between described multiple D2D UE finds operation.

21. devices according to claim 20, is characterized in that, described the first judge module comprises:

The second judge module, for finding according to described multiple D2D lists and/or multiple D2D authorization data judge whether the D2D UE in two D2D UE of described multiple D2D UE can find the 2nd D2DUE in described two D2D UE, and described the 2nd D2DUE can be found by a D2DUE;

The first determination module, when being, determines that between described two D2D UE, allowing to carry out described D2D finds operation for the judged result of described the second judge module; The second determination module, while being no for the judged result of described the second judge module, determines that between described two D2D UE, not allowing to carry out described D2D finds operation.

22. devices according to claim 17, is characterized in that, described the first acquisition module and described the first authentication module are positioned at the described network equipment, wherein,

Described the first acquisition module comprises: the 3rd acquisition module, for obtaining one or more D2D authorization datas that one or more D2D UE are corresponding;

Described the first authentication module comprises: the 4th generation module, for generate one or more D2D according to described one or more D2D authorization datas, find list; Sending module, for described D2D is found to list sends to radio reception device, wherein, described D2D finds that list is used for described radio reception device and uses this D2D to find that list authenticates described D2D UE.

23. devices according to claim 22, is characterized in that, described the 4th generation module comprises:

The 5th generation module, finds list for generate described one or more D2D according to the sign ID of described one or more D2D authorization datas and described one or more D2D UE; Or

The 6th generation module, finds list for generate described one or more D2D according to described one or more D2D authorization datas and user's application ID.

24. devices according to claim 17, is characterized in that, described the first acquisition module is positioned at radio reception device, wherein,

It is one of following that described the first acquisition module comprises:

The first receiver module, one or more D2D authorization datas corresponding to described one or more D2D UE that forward for receiving the described network equipment;

The second receiver module, for receiving the D2D authorization data of the described D2D UE that the described network equipment forwards; With, the 7th generation module, finds list for generate one or more D2D according to described one or more D2D authorization datas.

25. devices according to claim 24, is characterized in that, described the 7th generation module comprises:

The 8th generation module, finds list for generate described one or more D2D according to the sign ID of described one or more D2D authorization datas and described one or more D2D UE; Or

The 9th generation module, finds list for generate described one or more D2D according to described one or more D2D authorization datas and user's application ID.

26. devices according to claim 24, is characterized in that, described the first authentication module is positioned at radio reception device,

Described the first authentication module comprises: the 3rd judge module, and for finding that according to described multiple D2D list and/or multiple D2D authorization data judge that whether allowing to carry out D2D between described multiple D2D UE finds operation.

27. devices according to claim 26, is characterized in that, described the 3rd judge module comprises:

The 4th judge module, for finding according to described multiple D2D lists and/or multiple D2D authorization data judge whether the D2D UE in two D2D UE of described multiple D2D UE can find the 2nd D2DUE in described two D2D UE, and described the 2nd D2DUE can be found by a D2DUE;

The 3rd processing module, when being, determines that between described two D2D UE, allowing to carry out described D2D finds operation for the judged result of described the 4th judge module;

The 4th determination module, while being no for the judged result of described the 4th judge module, determines that between described two D2D UE, not allowing to carry out described D2D finds operation.

Images