
CN109151816B - Network authentication method and system - Google Patents

Network authentication method and system

Info

Publication number
CN109151816B
Authority
CN
China
Prior art keywords
network
mme
random number
lte
autn
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201710510229.3A
Other languages
Chinese (zh)
Other versions
CN109151816A (en)
Inventor
李�赫
诸华林
靳维生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201710510229.3A (CN109151816B)
Priority to PCT/CN2018/093319 (WO2019001509A1)
Publication of CN109151816A
Application granted
Publication of CN109151816B
Current legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application discloses a network authentication method and system, belonging to the field of communication technology. The method includes: when the MME of the LTE-U network receives a first attach request, it adds the network identifier of the LTE-U network to the first attach request to generate a second attach request and sends it to the MME of the LTE network; the MME of the LTE network, based on the second attach request, sends the HSS an authentication data request carrying the network identifier of the LTE-U network and the network identifier of the LTE network; the HSS generates an authentication vector based on the authentication data request and sends it to the MME of the LTE network; the MME of the LTE network interacts with the UE and the MME of the LTE-U network based on the authentication vector to complete network authentication. That is, with the method provided in this application, when the UE accesses the operator network and the LTE-U network, it can complete authentication with both the operator network and the LTE-U network in a single procedure.

Description

Network authentication method and system

Technical field

The present application relates to the field of communication technology, and in particular to a network authentication method and system.

Background

A Long Term Evolution-Unlicensed (LTE-U) network is a network composed of network devices deployed by a third party, as opposed to network devices deployed by operators or users. For example, a hospital may deploy, within its premises, network devices such as an LTE-U base station (Evolved Node B, eNB), an LTE-U Mobility Management Entity (MME) and an LTE-U gateway (GW); these network devices form an LTE-U network, and user equipment (UE) within the hospital can communicate by accessing that LTE-U network. To ensure that a UE accessing the LTE-U network can also use the network services provided by an operator network such as a Long Term Evolution (LTE) network, the network devices of the LTE-U network can be connected to the network devices of the operator network. In that case, when a UE that is not currently attached to the operator network accesses the LTE-U network, the UE needs to authenticate with both the LTE-U network and the operator network.

In the related art, when a UE first accesses an LTE network, the UE first performs mutual authentication with the MME of the LTE network: if the UE determines that the LTE network is genuine and the MME determines that the UE is genuine, mutual authentication succeeds. After mutual authentication succeeds, the MME generates a Non-Access Stratum (NAS) key and performs algorithm negotiation with the UE based on that NAS key. After algorithm negotiation between the MME and the UE succeeds, the base station of the LTE network (Evolved Node B, eNodeB) generates an Access Stratum (AS) key and performs algorithm negotiation with the UE based on that AS key. If algorithm negotiation between the eNodeB and the UE succeeds, authentication between the UE and the LTE network is complete and the UE can access the LTE network.

As can be seen from the above, the related art only provides a method for a UE to authenticate directly with the network devices of the operator network when accessing the operator network; it does not provide a method for network authentication when an LTE-U network is present and the UE accesses both the operator network and the LTE-U network.

Summary of the invention

To solve the problem that the related art provides no method for a UE to perform network authentication when accessing an LTE network and an LTE-U network, the present application provides a network authentication method. The technical solution is as follows:

In a first aspect, a network authentication method is provided, the method comprising:

when the mobility management entity (MME) of a Long Term Evolution-Unlicensed (LTE-U) network receives a first attach request from a user equipment (UE), adding the network identifier of the LTE-U network to the first attach request to generate a second attach request, and sending the second attach request to the MME of a Long Term Evolution (LTE) network;

when the MME of the LTE network receives the second attach request, sending, based on the second attach request, an authentication data request to a home subscriber server (HSS), the authentication data request carrying the network identifier of the LTE-U network and the network identifier of the LTE network;

when the HSS receives the authentication data request, generating an authentication vector based on the network identifier of the LTE-U network and the network identifier of the LTE network, and sending the authentication vector to the MME of the LTE network, the authentication vector including parameters for authenticating the UE, the LTE-U network and the LTE network;

when the MME of the LTE network receives the authentication vector, interacting with the UE and the MME of the LTE-U network based on the authentication vector to complete network authentication.

Optionally, the authentication vector includes a first base key, expected response information, a first random number and an authentication token AUTN, the first base key being the key corresponding to the LTE-U network;

and interacting with the UE and the MME of the LTE-U network based on the authentication vector to complete network authentication includes:

the MME of the LTE network stores the expected response information and sends, via the MME of the LTE-U network, the first random number, the AUTN, the network identifier of the LTE-U network and a first encryption result to the UE, the first encryption result being generated by the MME of the LTE-U network based on the first base key;

when the UE receives the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result, it verifies the LTE network based on the first random number and the AUTN, and verifies the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result;

when the UE determines that both the LTE network and the LTE-U network have been verified, it generates response information, and generates a second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network;

the UE sends the second encryption result to the MME of the LTE-U network and sends the response information to the MME of the LTE network;

when the MME of the LTE-U network receives the second encryption result, it verifies the UE based on the second encryption result; when the MME of the LTE network receives the response information, it verifies the UE based on the expected response information and the response information.

Optionally, the MME of the LTE network sending the first random number, the AUTN and the first encryption result to the UE via the MME of the LTE-U network includes:

the MME of the LTE network stores the expected response information and sends the first base key, the first random number and the AUTN to the MME of the LTE-U network;

when the MME of the LTE-U network receives the first base key, the first random number and the AUTN, it stores the first base key, generates a first encryption result based on the first base key, and sends the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.

Optionally, generating the first encryption result based on the first base key includes:

the MME of the LTE-U network generates a second random number and encrypts the second random number with the first base key to obtain the first encryption result;

correspondingly, sending the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE includes:

the MME of the LTE-U network sends the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number to the UE.

Optionally, the AUTN includes a message authentication code MAC;

and the UE verifying the LTE network based on the first random number and the AUTN includes:

the UE generates an expected message authentication code XMAC based on the first random number and the parameters of the AUTN other than the MAC;

if the XMAC and the MAC are identical, the UE determines that verification of the LTE network has passed.

Optionally, the UE verifying the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result includes:

the UE generates a second base key from the network identifier of the LTE-U network, the first random number and the AUTN;

the UE encrypts the second random number with the second base key to obtain a third encryption result;

if the first encryption result equals the third encryption result, the UE determines that verification of the LTE-U network has passed.

Optionally, generating the second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network includes:

the UE generates a third random number and encrypts the second random number and the third random number together with the second base key to obtain the second encryption result;

correspondingly, the UE sending the second encryption result to the MME of the LTE-U network includes:

the UE sends the second encryption result and the third random number to the MME of the LTE-U network;

and correspondingly, the MME of the LTE-U network verifying the UE based on the second encryption result includes:

the MME of the LTE-U network encrypts the second random number and the third random number together with the stored first base key to obtain a fourth encryption result;

if the second encryption result and the fourth encryption result are equal, the MME of the LTE-U network determines that verification of the UE has passed.
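As an added illustration (not code from the patent or from Huawei), the following Python script simulates the first optional variant described above: the HSS issues the vector, the MME of the LTE network keeps the expected response information and forwards the first base key, first random number and AUTN, the MME of the LTE-U network derives the first encryption result from a second random number, and the UE checks the MAC inside AUTN, recomputes the LTE-U encryption result from its own second base key, and only then answers both MMEs. The key derivation function, the use of a keyed MAC in place of the text's unspecified "encryption", the simplified AUTN layout, the sample network identifiers and the subscriber key are all assumptions chosen for the simulation.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Key derivation: HMAC-SHA256 over length-prefixed parts (assumption; the
    patent does not fix a derivation function)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def enc(key: bytes, data: bytes) -> bytes:
    """Stand-in for "encrypt with the base key". Only equality of encryption
    results is ever tested in this variant, so a keyed MAC suffices (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class HSS:
    """Holds the subscriber key K and builds the authentication vector."""

    def __init__(self, subscriber_key: bytes):
        self.k = subscriber_key
        self.sqn = 0

    def authentication_vector(self, lte_id: bytes, lteu_id: bytes) -> dict:
        self.sqn += 1
        rand1 = os.urandom(16)                                     # first random number
        sqn_amf = self.sqn.to_bytes(6, "big") + b"\x80\x00"        # SQN and AMF fields, simplified
        mac = enc(self.k, rand1 + sqn_amf)                         # MAC over RAND1 and the other AUTN fields
        autn = sqn_amf + mac
        xres = kdf(self.k, b"RES", lte_id, rand1)                  # expected response information
        k1 = kdf(self.k, b"LTE-U", lteu_id, rand1, autn)           # first base key, bound to the LTE-U identifier
        return {"k1": k1, "xres": xres, "rand1": rand1, "autn": autn}


class LteMme:
    def __init__(self, network_id: bytes, hss: HSS):
        self.network_id, self.hss, self.xres = network_id, hss, None

    def request_vector(self, lteu_id: bytes):
        av = self.hss.authentication_vector(self.network_id, lteu_id)
        self.xres = av["xres"]                     # stored here; only K1, RAND1, AUTN go to the LTE-U MME
        return av["k1"], av["rand1"], av["autn"]

    def verify_ue(self, res: bytes) -> bool:
        return hmac.compare_digest(res, self.xres)


class LteUMme:
    def __init__(self, network_id: bytes):
        self.network_id, self.k1, self.rand2 = network_id, None, None

    def build_challenge(self, k1: bytes, rand1: bytes, autn: bytes):
        self.k1 = k1                               # first base key, kept for the later UE check
        self.rand2 = os.urandom(16)                # second random number
        c1 = enc(k1, self.rand2)                   # first encryption result
        return rand1, autn, self.network_id, c1, self.rand2

    def verify_ue(self, c2: bytes, rand3: bytes) -> bool:
        c4 = enc(self.k1, self.rand2 + rand3)      # fourth encryption result
        return hmac.compare_digest(c2, c4)


class UE:
    def __init__(self, subscriber_key: bytes):
        self.k = subscriber_key

    def answer(self, rand1, autn, lteu_id, c1, rand2):
        sqn_amf, mac = autn[:8], autn[8:]
        xmac = enc(self.k, rand1 + sqn_amf)        # XMAC from RAND1 and the non-MAC AUTN fields
        lte_ok = hmac.compare_digest(xmac, mac)
        k2 = kdf(self.k, b"LTE-U", lteu_id, rand1, autn)   # second base key
        c3 = enc(k2, rand2)                        # third encryption result
        lteu_ok = hmac.compare_digest(c1, c3)
        if not (lte_ok and lteu_ok):
            return None                            # answer nothing if either network fails
        rand3 = os.urandom(16)                     # third random number
        res = kdf(self.k, b"RES", b"operator-lte", rand1)   # response information (sample LTE id assumed)
        c2 = enc(k2, rand2 + rand3)                # second encryption result
        return res, c2, rand3


def run_authentication(ue, lte_mme, lteu_mme, registered_lteu_id=None) -> dict:
    """One full run. registered_lteu_id is what the LTE MME passes to the HSS; normally
    it equals the identifier the LTE-U MME then advertises to the UE."""
    k1, rand1, autn = lte_mme.request_vector(registered_lteu_id or lteu_mme.network_id)
    challenge = lteu_mme.build_challenge(k1, rand1, autn)
    reply = ue.answer(*challenge)
    if reply is None:
        return {"ue_accepts": False, "lteu_accepts_ue": False, "lte_accepts_ue": False}
    res, c2, rand3 = reply
    return {"ue_accepts": True,
            "lteu_accepts_ue": lteu_mme.verify_ue(c2, rand3),
            "lte_accepts_ue": lte_mme.verify_ue(res)}
```

Because the second base key is derived from the LTE-U network identifier, the UE's check of the first encryption result fails whenever the identifier it is shown is not the one the HSS bound into the first base key; the `registered_lteu_id` argument of `run_authentication` exposes that case. All equality checks go through `hmac.compare_digest` so the comparisons do not leak timing information.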

Optionally, the MME of the LTE network sending the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE via the MME of the LTE-U network includes:

the MME of the LTE network stores the expected response information and sends the first base key, the expected response information, the first random number and the AUTN to the MME of the LTE-U network;

when the MME of the LTE-U network receives the first base key, the expected response information, the first random number and the AUTN, it stores the first base key and the expected response information, generates a first encryption result based on the first base key, and sends the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.

Optionally, the AUTN includes a MAC;

and generating the first encryption result based on the first base key includes:

the MME of the LTE-U network encrypts the MAC with the first base key to obtain the first encryption result.

Optionally, the UE verifying the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result includes:

the UE generates a second base key from the network identifier of the LTE-U network, the first random number and the AUTN;

the UE encrypts the MAC with the second base key to obtain a fifth encryption result;

if the first encryption result equals the fifth encryption result, the UE determines that verification of the LTE-U network has passed.

Optionally, generating the second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network includes:

the UE encrypts the response information with the second base key to obtain the second encryption result;

and correspondingly, the MME of the LTE-U network verifying the UE based on the second encryption result includes:

the MME of the LTE-U network encrypts the response information with the stored first base key to obtain a sixth encryption result;

if the expected response information stored by the MME of the LTE-U network is identical to the response information, and the sixth encryption result equals the second encryption result, the MME of the LTE-U network determines that verification of the UE has passed.

Optionally, the second attach request carries the security algorithm of the UE, and the authentication vector includes a third base key, expected response information, a first random number and an authentication token AUTN, the third base key being the key corresponding to the LTE network;

and interacting with the UE and the MME of the LTE-U network based on the authentication vector to complete network authentication includes:

the MME of the LTE network interacts with the UE based on the third base key, the expected response information, the first random number and the AUTN, so that the UE verifies the LTE network and the MME of the LTE network verifies the UE;

when the MME of the LTE network determines that verification of the UE has passed, it generates a second random number and generates a first base key based on the network identifier of the LTE-U network and the third base key;

the MME of the LTE network generates a non-access stratum (NAS) key based on the security algorithm of the UE, and encrypts the second random number with the NAS key to obtain a seventh encryption result;

the MME of the LTE network sends the first base key, the third base key, the NAS key, the network identifier of the LTE-U network, the second random number and the seventh encryption result to the MME of the LTE-U network;

the MME of the LTE-U network encrypts the second random number with the first base key to obtain an eighth encryption result, and sends the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result to the UE;

the UE generates a second base key based on the third base key and the network identifier of the LTE-U network, decrypts the eighth encryption result with the second base key to obtain a first decryption result, and decrypts the seventh encryption result with the NAS key to obtain a second decryption result;

if the first decryption result and the second decryption result are identical, the UE determines that verification of the LTE-U network has passed.
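The variant just described differs from the earlier ones in that the UE must actually decrypt two ciphertexts and compare the plaintexts, and in that the first base key is derived from the LTE key (the third base key) rather than issued by the HSS. The script below is an added example, not code from the patent or from Huawei, that walks through the steps after the ordinary LTE check has succeeded: the LTE MME derives the first base key and the NAS key, the LTE-U MME produces the eighth encryption result, and the UE derives the second base key and compares both decryptions. The derivation function, the toy XOR stream cipher (chosen only because a decryptable cipher is required), the sample algorithm label and network identifiers are assumptions; in addition, where the text lists the third base key and the NAS key among the values forwarded to the UE, the example has the UE derive both from its own copy of the third base key instead of reading them from the message, which is a labelled deviation from the text.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 over length-prefixed parts (assumption: the patent fixes no KDF)
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy reversible cipher: XOR with an HMAC-SHA256 keystream; decryption is the
    same call. Assumed here so that the UE can decrypt as the text requires."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def lte_mme_after_aka(k3: bytes, lteu_id: bytes, ue_algorithm: bytes) -> dict:
    """LTE MME, once the UE has passed the ordinary check; k3 is the LTE key (third base key)."""
    rand2 = os.urandom(16)                              # second random number
    k1 = kdf(k3, b"LTE-U", lteu_id)                     # first base key from K3 and the LTE-U identifier
    k_nas = kdf(k3, b"NAS", ue_algorithm)               # NAS key from the UE's security algorithm
    c7 = stream_xor(k_nas, rand2)                       # seventh encryption result
    return {"k1": k1, "k3": k3, "k_nas": k_nas, "lteu_id": lteu_id, "rand2": rand2, "c7": c7}


def lteu_mme_forward(msg: dict, advertised_id: bytes = None) -> dict:
    """LTE-U MME: computes the eighth encryption result and forwards to the UE.
    advertised_id lets a test show the outcome when the identifier sent to the UE
    is not the one K1 was derived for (constructed mismatch case)."""
    c8 = stream_xor(msg["k1"], msg["rand2"])            # eighth encryption result
    return {"lteu_id": advertised_id or msg["lteu_id"], "c7": msg["c7"], "c8": c8}


def ue_verify_lteu(k3: bytes, ue_algorithm: bytes, msg: dict) -> bool:
    """UE: derive K2 and the NAS key locally, decrypt both results, compare plaintexts."""
    k2 = kdf(k3, b"LTE-U", msg["lteu_id"])              # second base key
    k_nas = kdf(k3, b"NAS", ue_algorithm)
    d1 = stream_xor(k2, msg["c8"])                      # first decryption result
    d2 = stream_xor(k_nas, msg["c7"])                   # second decryption result
    return hmac.compare_digest(d1, d2)


def run_variant(k3: bytes, lteu_id: bytes, ue_algorithm: bytes = b"EEA2",
                advertised_id: bytes = None) -> bool:
    to_lteu = lte_mme_after_aka(k3, lteu_id, ue_algorithm)
    to_ue = lteu_mme_forward(to_lteu, advertised_id)
    return ue_verify_lteu(k3, ue_algorithm, to_ue)
```

The check succeeds only if the key the LTE-U MME used for the eighth encryption result equals the key the UE derives from the identifier it is shown, so an LTE-U MME that advertises an identifier other than the one the LTE MME derived the first base key for is rejected by the UE.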

In a second aspect, a network authentication system is provided, having the functionality to implement the behaviour of the network authentication method of the first aspect. The network authentication system includes a UE, the MME of an LTE-U network, the MME of an LTE network and an HSS, which are used to implement the network authentication method provided in the first aspect.

In a third aspect, a network device is provided, the structure of which includes a processor and a memory; the memory is used to store a program that enables the network device to perform the network authentication method provided in the first aspect, and to store the data involved in implementing that method. The processor is configured to execute the program stored in the memory. The operating apparatus of the storage device may further include a communication bus, which establishes a connection between the processor and the memory.

In a fourth aspect, a computer-readable storage medium is provided, storing instructions which, when run on a computer, cause the computer to perform the network authentication method of the first aspect.

In a fifth aspect, a computer program product containing instructions is provided which, when run on a computer, causes the computer to perform the network authentication method of the first aspect.

The technical effects obtained by the second, third, fourth and fifth aspects are similar to those obtained by the corresponding technical means of the first aspect and are not repeated here.

The beneficial effects of the technical solution provided by the present application are as follows. In the embodiments of the present invention, for a UE that is not attached to the operator network, when the UE accesses the LTE-U network it can send a first attach request to the MME of the LTE-U network; when the MME of the LTE-U network receives the first attach request, it can add the network identifier of the LTE-U network to the first attach request, thereby generating a second attach request, and send the second attach request to the MME of the LTE network; the MME of the LTE network generates an authentication data request based on the second attach request to request an authentication vector from the HSS; when the HSS receives the authentication data request, it generates an authentication vector based on that request and sends it to the MME of the LTE network; the MME of the LTE network can then interact with the UE and the MME of the LTE-U network according to the received authentication vector to complete network authentication. That is, with the network authentication method provided by the embodiments of the present invention, when the UE accesses the operator network and the LTE-U network it can complete authentication with both networks in a single procedure, so that the UE can attach to the operator network and the LTE-U network at the same time, which is convenient for the user.

Brief description of the drawings

FIG. 1 is a system architecture diagram of a network authentication method provided by an embodiment of the present invention;

FIG. 2 is a schematic structural diagram of a network device provided by an embodiment of the present invention;

FIG. 3 is a flowchart of a network authentication method provided by an embodiment of the present invention;

FIG. 4 is a flowchart of a network authentication method carried out by interaction between the MME of an LTE network, the MME of an LTE-U network and a UE, provided by an embodiment of the present invention;

FIG. 5 is a flowchart of a further network authentication method carried out by interaction between the MME of an LTE network, the MME of an LTE-U network and a UE, provided by an embodiment of the present invention;

FIG. 6 is a flowchart of another network authentication method carried out by interaction between the MME of an LTE network, the MME of an LTE-U network and a UE, provided by an embodiment of the present invention.

具体实施方式Detailed ways

为使本申请的目的、技术方案和优点更加清楚,下面将结合附图对本申请实施方式作进一步地详细描述。In order to make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application will be further described in detail below with reference to the accompanying drawings.

在对本发明实施例进行详细的解释说明之前,先对本发明实施例的应用场景予以介绍。当前,诸如企业、医院、政府单位等组织为了便于内部员工交流通信,或者为了向服务的用户推送特定的信息和业务,可以在一定的区域内部署属于自己的网络设备,并采用未授权的频谱,通过部署的网络设备进行通信,其中未授权的频谱可以为与无线保真(WIreless-Fidelity, WIFI)频谱相同的频谱。这些由第三方部署的网络设备组成且采用未授权频谱进行通信的网络即为LTE-U网络。部署该LTE-U网络的第三方可以通过对部署的网络设备的控制,向接入该LTE-U网络的用户提供特定的业务。例如,某医院在该医院所在的范围内,部署了LTE-U eNB、LTE-U MME,LTE-U GW等网络设备,从而组成了一个LTE-U网络,医院可以通过该 LTE-U网络向用户提供医疗服务,接入该LTE-U网络的用户则可以通过该LTE-U网络方便快捷的查找该医院的医生信息、排队人数和科室位置等信息。Before explaining the embodiments of the present invention in detail, an application scenario of the embodiments of the present invention is introduced. Currently, organizations such as enterprises, hospitals, government units and other organizations can deploy their own network equipment in a certain area and use unlicensed spectrum in order to facilitate the communication among internal employees, or to push specific information and services to service users. , communicate through deployed network devices, wherein the unlicensed spectrum may be the same spectrum as the wireless fidelity (WIreless-Fidelity, WIFI) spectrum. These networks, which consist of network devices deployed by third parties and communicate using unlicensed spectrum, are LTE-U networks. A third party deploying the LTE-U network can provide specific services to users accessing the LTE-U network by controlling the deployed network equipment. For example, a hospital deploys LTE-U eNB, LTE-U MME, LTE-U GW and other network equipment within the scope of the hospital to form an LTE-U network. Users provide medical services, and users who access the LTE-U network can conveniently and quickly search for information such as doctor information, number of people in line, and department locations in the hospital through the LTE-U network.

需要说明的是,第三方不仅可以通过部署的LTE-U网络向用户提供特定的业务,而且,还可以将该LTE-U网络中的网络设备与运营商网络中的网路设备进行连接,以使接入该LTE-U网络的用户可以同时使用运营商网络提供的网络服务。在此前提下,当当前未接入运营商网络的UE接入LTE-U网络时,UE需要与该LTE-U网络和运营商网络进行鉴权。而本申请提供的网络鉴权方法及系统即可以用于当前未接入运营商网络的UE在接入LTE-U网络时,与运营商网络和LTE-U网络进行鉴权的场景中。It should be noted that a third party can not only provide specific services to users through the deployed LTE-U network, but also can connect the network equipment in the LTE-U network with the network equipment in the operator's network to Users who access the LTE-U network can use the network services provided by the operator's network at the same time. Under this premise, when a UE that does not currently access the operator's network accesses the LTE-U network, the UE needs to perform authentication with the LTE-U network and the operator's network. The network authentication method and system provided in this application can be used in a scenario where a UE not currently accessing an operator network performs authentication with the operator network and the LTE-U network when accessing the LTE-U network.

在对本发明实施例的应用场景进行介绍之后,接下来对本发明实施例涉及的系统架构进行说明。After the application scenarios of the embodiments of the present invention are introduced, the system architecture involved in the embodiments of the present invention is described next.

图1是本发明实施例提供的一种网络鉴权方法的系统架构图。如图1所示,该系统中包括UE 101,LTE-U网络的eNB 102,LTE-U网络的MME 103,LTE网络的MME 104和HSS 105。其中UE 101与LTE-U网络的eNB 102连接,LTE-U网络的MME 103与LTE网络的 MME 104连接,LTE网络的MME 104和HSS 105连接。FIG. 1 is a system architecture diagram of a network authentication method provided by an embodiment of the present invention. As shown in FIG. 1 , the system includes UE 101 , eNB 102 of LTE-U network, MME 103 of LTE-U network, MME 104 and HSS 105 of LTE network. The UE 101 is connected to the eNB 102 of the LTE-U network, the MME 103 of the LTE-U network is connected to the MME 104 of the LTE network, and the MME 104 of the LTE network is connected to the HSS 105 .

The UE 101 may be user equipment such as a smartphone or a tablet computer. During network authentication, the UE 101 sends an attach request to the eNB 102 of the LTE-U network, the eNB 102 forwards the attach request to the MME 103 of the LTE-U network, and the MME 103 of the LTE-U network and the MME 104 of the LTE network interact with the UE according to that attach request, so that the UE 101, the MME 103 of the LTE-U network and the MME 104 of the LTE network authenticate one another. In this process, the MME 104 of the LTE network may request an authentication vector from the HSS according to the attach request sent by the UE 101, the network identifier of the LTE-U network and the network identifier of the LTE network; the HSS 105 generates the authentication vector from the received information and returns it to the MME 104 of the LTE network, so that the MME 103 of the LTE-U network and the MME 104 of the LTE network can authenticate with the UE 101 using that authentication vector.

FIG. 2 is a schematic structural diagram of a network device according to an embodiment of the present invention. The network device may be the UE, the eNB, the MME or the HSS in FIG. 1. Referring to FIG. 2, the network device includes at least one processor 201, a communication bus 202, a memory 203 and at least one communication interface 204.

The processor 201 may be a general-purpose central processing unit (Central Processing Unit, CPU), a microprocessor, an application-specific integrated circuit (application-specific integrated circuit, ASIC), or one or more integrated circuits for controlling execution of the program of the solution of this application.

The communication bus 202 may include a path that carries information between the components described above.

The memory 203 may be a read-only memory (read-only memory, ROM) or another type of static storage device that can store static information and instructions, a random access memory (random access memory, RAM) or another type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM), a compact disc read-only memory (Compact Disc Read-Only Memory, CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without being limited to these. The memory 203 may exist independently and be connected to the processor 201 through the communication bus 202. The memory 203 may also be integrated with the processor 201.

The communication interface 204 uses any transceiver-like device to communicate with other devices or communication networks, such as an Ethernet, a radio access network (RAN) or a wireless local area network (Wireless Local Area Networks, WLAN).

In a specific implementation, as an embodiment, the processor 201 may include one or more CPUs, for example CPU0 and CPU1 shown in FIG. 2.

In a specific implementation, as an embodiment, the network device may include multiple processors, for example the processor 201 and the processor 205 shown in FIG. 2. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits and/or processing cores for processing data (for example computer program instructions).

In a specific implementation, as an embodiment, the network device may further include an output device 206 and an input device 207. The output device 206 communicates with the processor 201 and can display information in many ways. For example, the output device 206 may be a liquid crystal display (liquid crystal display, LCD), a light emitting diode (light emitting diode, LED) display device, a cathode ray tube (cathode ray tube, CRT) display device or a projector (projector). The input device 207 communicates with the processor 201 and can receive user input in many ways. For example, the input device 207 may be a mouse, a keyboard, a touch screen device or a sensing device.

The network device described above may be a general-purpose computer device or a special-purpose computer device. In a specific implementation, the network device may be a desktop computer, a portable computer, a network server, a personal digital assistant (Personal Digital Assistant, PDA), a mobile phone, a tablet computer, a wireless terminal device, a communication device or an embedded device. The embodiments of the present invention do not limit the type of the network device.

The memory 203 is used to store the program code that implements the solution of this application, and the processor 201 controls its execution. The processor 201 executes the program code 208 stored in the memory 203. The program code 208 may include one or more software modules. The network devices shown in FIG. 1 can implement network authentication through the processor 201 and one or more software modules of the program code 208 in the memory 203.

Having explained the application scenario and the system architecture involved in the embodiments of the present invention, the specific implementation process of the embodiments is described in detail next.

FIG. 3 is a flowchart of a network authentication method provided by an embodiment of the present invention. As shown in FIG. 3, the method includes the following steps:

Step 301: The UE sends a first attach request to the MME of the LTE-U network.

For a UE that is not attached to the operator network, when the UE accesses the LTE-U network it may send a first attach request (Attach Request) to the eNB of the LTE-U network; when the eNB of the LTE-U network receives the first attach request, it forwards it to the MME of the LTE-U network.

It should be noted that the first attach request is a NAS message, which the eNB of the LTE-U network cannot parse. The first attach request may carry the international mobile subscriber identity (International Mobile Subscriber Identification Number, IMSI) of the UE and the security algorithms of the UE. The IMSI uniquely identifies the UE, and the mobile network the UE currently belongs to can be determined from it. The security algorithms of the UE are the encryption algorithms and integrity protection algorithms the UE supports.

Step 302: When the MME of the LTE-U network receives the first attach request from the UE, it adds the network identifier of the LTE-U network to the first attach request to generate a second attach request.

When the MME of the LTE-U network receives the first attach request, it can add its own network identifier to the first attach request, producing the second attach request. After generating the second attach request, the MME of the LTE-U network can determine, from the IMSI carried in the first attach request, the MME of the LTE network that corresponds to the UE.

Step 303: The MME of the LTE-U network sends the second attach request to the MME of the LTE network.

After determining the MME of the LTE network corresponding to the UE, the MME of the LTE-U network can send the generated second attach request to that MME.

Step 304: When the MME of the LTE network receives the second attach request, it sends an authentication data request to the HSS based on the second attach request.

As described above, the second attach request received by the MME of the LTE network carries the IMSI of the UE, the security capability of the UE and the network identifier of the LTE-U network. The MME of the LTE network can add the network identifier of the LTE network to the second attach request, thereby generating the authentication data request, and send that request to the HSS.

Step 305: When the HSS receives the authentication data request, it generates an authentication vector based on the network identifier of the LTE-U network and the network identifier of the LTE network.

On receiving the authentication data request, the HSS can use the IMSI it carries to select, from the long-term keys it stores, the long-term key corresponding to the IMSI of the UE; this long-term key may also be called the handset authentication key (Key identifier, Ki). The HSS can then generate, from the selected long-term key and the network identifier of the LTE network, a third base key corresponding to the LTE network, and generate, from the long-term key and the network identifier of the LTE-U network, a first base key corresponding to the LTE-U network. In addition, after determining Ki, the HSS can generate a first random number and a sequence number, and from them generate an authentication token (Authentication Token, AUTN) and expected response information. The AUTN includes the sequence number, a message authentication code (Message authentication code, MAC), an authentication management field (Authentication Management Field, AMF) and so on.

It should be noted that the authentication vector may include the first base key, the third base key, the first random number, the expected response information and the AUTN; it may omit the first base key and include only the third base key, the first random number, the expected response information and the AUTN; or it may omit the third base key and include the first base key, the first random number, the expected response information and the AUTN. When the authentication vector does not include the first base key or the third base key, the HSS need not generate that key in the process above.

Step 306: The HSS sends the authentication vector to the MME of the LTE network.

Step 307: When the MME of the LTE network receives the authentication vector, it interacts with the UE and with the MME of the LTE-U network based on the authentication vector to carry out network authentication.

When the MME of the LTE network receives the authentication vector, it can interact with the UE and the MME of the LTE-U network according to that vector, completing verification of the UE by the LTE network, verification of the UE by the LTE-U network, and verification of the LTE network and the LTE-U network by the UE.

It should be noted that, in the embodiments of the present invention, the UE may verify the LTE-U network and the LTE network at the same time, or may first complete mutual verification with the LTE network and only then verify mutually with the LTE-U network. Furthermore, when the UE verifies the LTE-U network and the LTE network at the same time, it may use different parameters of the authentication vector to verify the LTE-U network. The specific ways of performing network authentication by interacting with the UE and the MME of the LTE-U network on the basis of the authentication vector are described in detail in the subsequent embodiments.

In the embodiments of the present invention, a UE not attached to the operator network can, when accessing the LTE-U network, send a first attach request to the MME of the LTE-U network. On receiving it, the MME of the LTE-U network can add the network identifier of the LTE-U network to the first attach request, producing a second attach request, and send it to the MME of the LTE network. The MME of the LTE network generates an authentication data request from the second attach request to ask the HSS for an authentication vector; when the HSS receives the authentication data request it generates the authentication vector from it and sends the vector to the MME of the LTE network; the MME of the LTE network can then interact with the UE and the MME of the LTE-U network according to the received authentication vector to complete network authentication. In other words, with the network authentication method provided by the embodiments of the present invention, a UE accessing the operator network and the LTE-U network can complete authentication with both in one pass, so that it can access the operator network and the LTE-U network at the same time, which is convenient for the user.

As described above, the UE may verify the LTE-U network and the LTE network at the same time, or may first complete mutual verification with the LTE network and then verify mutually with the LTE-U network. When the UE verifies both networks at the same time, it may also use different parameters of the authentication vector to verify the LTE-U network. Three ways in which the MME of the LTE network interacts with the UE and the MME of the LTE-U network on the basis of the authentication vector to carry out network authentication are explained below with reference to the accompanying drawings.

FIG. 4 is a flowchart of a first method of performing network authentication based on the authentication vector, provided by an embodiment of the present invention. As shown in FIG. 4, the method includes the following steps:

Step 401: The MME of the LTE network stores the expected response information from the authentication vector.

Based on the description in the preceding embodiment, the authentication vector may include the first base key, the first random number, the expected response information and the AUTN. When the MME of the LTE network receives the authentication vector, it can store the expected response information for later verification of the UE, while the first base key, the first random number and the AUTN can be forwarded to the MME of the LTE-U network.

Step 402: The MME of the LTE network sends the first base key, the first random number and the AUTN to the MME of the LTE-U network.

Step 403: When the MME of the LTE-U network receives the first base key, the first random number and the AUTN, it stores the first base key, generates a second random number, and generates a first encryption result based on the first base key and the second random number.

On receiving the first base key, the first random number and the AUTN sent by the LTE network, the MME of the LTE-U network can store the first base key for later verification of the UE. At the same time, it can generate a first encryption result from the first base key; the UE uses that first encryption result to verify the LTE-U network.

Specifically, on receiving the first base key, the first random number and the AUTN, the MME of the LTE-U network can produce a second random number with a random number generator and encrypt that second random number with the first base key to obtain the first encryption result.

Step 404: The MME of the LTE-U network sends the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number to the UE.

After generating the first encryption result, the MME of the LTE-U network can send the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number used to generate it to the eNB of the LTE-U network, which forwards them to the UE.

Step 405: When the UE receives the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number, it verifies the LTE network and the LTE-U network based on them.

When the UE receives the first random number, the AUTN and the first encryption result, it can verify the LTE network using the first random number and the AUTN, and verify the LTE-U network using the first random number, the AUTN and the first encryption result.

To verify the LTE network, the UE can generate an expected message authentication code XMAC from the first random number and the parameters of the AUTN other than the MAC; if the XMAC equals the MAC, the UE determines that the LTE network has been verified.

Here, the UE can compute the expected message authentication code (Expected Message Authentication Code, XMAC) from the Ki it stores, the first random number, and the sequence number and AMF from the AUTN. As described for step 305 of the preceding embodiment, the AUTN contains a MAC that the HSS computed from the Ki it selected, the first random number, the sequence number and the AMF. If the XMAC generated by the UE equals that MAC, the Ki selected by the HSS and the Ki stored in the UE are the same. Since the HSS selected Ki by the IMSI of the UE, that Ki is the one held for this UE on the LTE network side; therefore, when the XMAC equals the MAC, the UE can conclude that the current LTE network is genuine, that is, the UE's verification of the LTE network passes.

To verify the LTE-U network, the UE can generate a second base key from the network identifier of the LTE-U network, the first random number and the AUTN, and encrypt the second random number with the second base key to obtain a third encryption result; if the first encryption result equals the third encryption result, the UE determines that the LTE-U network has been verified.

Here, the UE can generate the second base key from the Ki it stores, the network identifier of the LTE-U network, the first random number and the AUTN, and then encrypt the second random number with the second base key to obtain the third encryption result. Because the first base key is the key corresponding to the LTE-U network and the first encryption result was obtained by encrypting the second random number with the first base key, equality of the third and first encryption results shows that the second base key equals the first base key, so the UE can conclude that the LTE-U network has been verified. Conversely, if the third encryption result differs from the first, the second base key differs from the first base key and the UE's verification of the LTE-U network fails.

Step 406: When the UE determines that both the LTE network and the LTE-U network have been verified, it generates response information and a third random number, and generates a second encryption result based on the network identifier of the LTE-U network, the first random number, the AUTN and the third random number.

After the UE determines that the LTE network has been verified, it can generate the response information from the Ki it stores and the received first random number; the LTE network later uses this response information to verify the UE.

After the UE determines that the LTE-U network has been verified, it can generate a third random number and then, using the second base key generated from the network identifier of the LTE-U network, the first random number and the AUTN, encrypt the received second random number and the generated third random number together to obtain the second encryption result.

Step 407: The UE sends the second encryption result, the third random number and the response information to the MME of the LTE-U network.

After generating the response information and the second encryption result, the UE can send the second encryption result, the third random number and the response information to the eNB of the LTE-U network, which forwards them to the MME of the LTE-U network.

Step 408: When the MME of the LTE-U network receives the second encryption result and the third random number, it verifies the UE based on the second encryption result.

As described for step 403, the MME of the LTE-U network holds the first base key, and the second random number was generated by and stored in that MME. So, after receiving the second encryption result and the third random number, the MME of the LTE-U network can encrypt the stored second random number and the received third random number together with the stored first base key to obtain a fourth encryption result. If the fourth encryption result equals the second encryption result, the second base key generated by the UE equals the first base key stored in the MME of the LTE-U network, and the MME can conclude that the UE has been verified. Conversely, if the fourth encryption result differs from the second, the first and second base keys differ and the LTE-U network's verification of the UE fails.

Step 409: When the MME of the LTE-U network receives the response information, it sends the response information to the MME of the LTE network.

As described in step 407, the UE sends the second encryption result, the third random number and the response information to the MME of the LTE-U network. The MME of the LTE-U network uses the second encryption result and the third random number to verify the UE as in step 408; the received response information, however, is meant for the LTE network's verification of the UE, so the MME of the LTE-U network can forward it directly to the MME of the LTE network.

Step 410: When the MME of the LTE network receives the response information, it verifies the UE based on the response information.

As described in step 401, the MME of the LTE network holds the expected response information, which the HSS generated from the selected Ki and the first random number. Therefore, when the MME of the LTE network receives the response information, if it equals the expected response information, the MME can conclude that the Ki used to generate the expected response information and the Ki used to generate the response information are the same, that is, the Ki held on the LTE network side and the Ki stored in the UE itself agree. The MME of the LTE network can then conclude that the current UE is genuine and valid, that is, the LTE network's verification of the UE passes.

In the embodiments of the present invention, after the MME of the LTE network receives the authentication vector, the MME of the LTE network and the MME of the LTE-U network can send the first random number, the AUTN and the first encryption result to the UE; on receiving them, the UE can verify the LTE-U network and the LTE network at the same time using the first random number, the AUTN and the first encryption result; the MME of the LTE-U network and the MME of the LTE network then verify the UE using the response information and the second encryption result from the UE. In other words, with the network authentication method provided by the embodiments of the present invention, a UE accessing the operator network and the LTE-U network can complete authentication with both at the same time, so that it can access both networks simultaneously, which is convenient for the user.
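The attach and authentication-vector exchange of FIG. 3 (steps 301 to 307) and the challenge-response exchange of FIG. 4 (steps 401 to 410), as one runnable simulation added here for illustration; it is not code from the patent or from Huawei. The patent names no concrete key-derivation, MAC or encryption function, so every derivation below uses HMAC-SHA256 with a label (an assumption), the "encryption results" are keyed MACs over the random numbers, and the Ki, IMSI and network identifiers are constructed sample values. One point the text leaves implicit is made explicit: the HSS derives the first base key from Ki, the LTE-U network identifier, the first random number and the AUTN, because those are the inputs the UE uses for the second base key in step 405; if the two sides derived from different inputs, the comparisons in steps 405 and 408 could never succeed even for an honest network. The example also shows what the UE sees when the identifier announced in step 404 is not the one the HSS used, and when the UE holds a different Ki.

```python
import hashlib
import hmac
import os

# Constructed sample values for this example (not taken from the patent).
KI = bytes.fromhex("00112233445566778899aabbccddeeff")   # subscriber long-term key Ki
IMSI = "460001234567890"
LTE_NET_ID = b"operator-lte"        # network identifier of the LTE network
LTE_U_NET_ID = b"hospital-lte-u"    # network identifier of the LTE-U network
AMF = b"\x80\x00"


def prf(key, label, *parts):
    """Stand-in for the patent's unnamed MAC, key-derivation and 'encryption'
    functions: HMAC-SHA256 with a label and length-prefixed inputs (assumption)."""
    m = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


class HSS:  # step 305: select Ki by IMSI and build the authentication vector
    def __init__(self, subscribers):
        self.subscribers, self.sqn = subscribers, 0      # IMSI -> Ki

    def authentication_vector(self, imsi, lte_u_id, lte_id):
        ki = self.subscribers[imsi]
        self.sqn += 1
        sqn, rand1 = self.sqn.to_bytes(6, "big"), os.urandom(16)  # first random number
        mac = prf(ki, b"f1", rand1, sqn, AMF)
        autn = sqn + AMF + mac                           # AUTN = SQN || AMF || MAC
        xres = prf(ki, b"f2", rand1)                     # expected response information
        # Same inputs as the UE uses in step 405, otherwise steps 405/408 never match.
        k1 = prf(ki, b"kdf", lte_u_id, rand1, autn)      # first base key (LTE-U network)
        k3 = prf(ki, b"kdf", lte_id, rand1, autn)        # third base key (LTE network)
        return {"k1": k1, "k3": k3, "rand1": rand1, "xres": xres, "autn": autn}


class LteMme:  # operator MME: steps 304/306, 401/402 and 410
    def __init__(self, hss, net_id):
        self.hss, self.net_id, self.xres = hss, net_id, {}

    def handle_attach(self, second_attach):
        imsi = second_attach["imsi"]
        av = self.hss.authentication_vector(imsi, second_attach["lte_u_id"], self.net_id)
        self.xres[imsi] = av["xres"]                                         # step 401
        return {"k1": av["k1"], "rand1": av["rand1"], "autn": av["autn"]}   # step 402

    def verify_response(self, imsi, res):                                    # step 410
        expected = self.xres.pop(imsi, None)
        return expected is not None and hmac.compare_digest(expected, res)


class LteUMme:  # third-party MME: steps 302/303, 403/404 and 408/409
    def __init__(self, lte_mme, net_id, advertised_id=None):
        self.lte_mme, self.net_id = lte_mme, net_id
        self.advertised_id = advertised_id or net_id  # identifier announced in step 404
        self.k1 = self.rand2 = None

    def handle_attach(self, first_attach):
        fwd = self.lte_mme.handle_attach(dict(first_attach, lte_u_id=self.net_id))  # 302-303
        self.k1, self.rand2 = fwd["k1"], os.urandom(16)                      # step 403
        return {"rand1": fwd["rand1"], "autn": fwd["autn"], "lte_u_id": self.advertised_id,
                "enc1": prf(self.k1, b"enc", self.rand2), "rand2": self.rand2}  # step 404

    def verify_ue(self, imsi, enc2, rand3, res):
        enc4 = prf(self.k1, b"enc", self.rand2, rand3)                       # step 408
        return (hmac.compare_digest(enc4, enc2),
                self.lte_mme.verify_response(imsi, res))                     # steps 409-410


def ue_authenticate(ki, chal):                                               # steps 405-406
    sqn, amf, mac = chal["autn"][:6], chal["autn"][6:8], chal["autn"][8:]
    xmac = prf(ki, b"f1", chal["rand1"], sqn, amf)
    lte_ok = hmac.compare_digest(xmac, mac)                                  # LTE network check
    k2 = prf(ki, b"kdf", chal["lte_u_id"], chal["rand1"], chal["autn"])     # second base key
    enc3 = prf(k2, b"enc", chal["rand2"])
    lte_u_ok = hmac.compare_digest(enc3, chal["enc1"])                       # LTE-U network check
    if not (lte_ok and lte_u_ok):
        return {"lte_ok": lte_ok, "lte_u_ok": lte_u_ok, "response": None}
    rand3 = os.urandom(16)                                                   # third random number
    return {"lte_ok": True, "lte_u_ok": True, "response": {
        "res": prf(ki, b"f2", chal["rand1"]),                                # response information
        "rand3": rand3, "enc2": prf(k2, b"enc", chal["rand2"], rand3)}}      # second encryption result


def run_authentication(ue_ki=KI, advertised_lte_u_id=None):
    """Run the whole exchange and report which of the four verifications passed."""
    lte_mme = LteMme(HSS({IMSI: KI}), LTE_NET_ID)
    lte_u_mme = LteUMme(lte_mme, LTE_U_NET_ID, advertised_lte_u_id)
    first_attach = {"imsi": IMSI, "security_algorithms": ["EEA2", "EIA2"]}  # step 301
    verdict = ue_authenticate(ue_ki, lte_u_mme.handle_attach(first_attach))  # steps 301-407
    result = {"ue_verified_lte": verdict["lte_ok"], "ue_verified_lte_u": verdict["lte_u_ok"],
              "lte_u_verified_ue": False, "lte_verified_ue": False}
    if verdict["response"]:
        r = verdict["response"]
        result["lte_u_verified_ue"], result["lte_verified_ue"] = lte_u_mme.verify_ue(
            IMSI, r["enc2"], r["rand3"], r["res"])                           # steps 408-410
    return result
```

`run_authentication()` returns all four verdicts as True for an honest run. With `advertised_lte_u_id=b"rogue-lte-u"` the UE still verifies the LTE network (the AUTN came from the real HSS) but rejects the LTE-U network, because its second base key is derived from the announced identifier and no longer matches the first base key, so no response is ever sent; with a wrong `ue_ki` every check fails. All comparisons go through `hmac.compare_digest` so that a verifier does not leak the position of the first mismatching byte through timing.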

通过上述实施例介绍了UE根据LTE-U网络生成的第二随机数以及其他参数同时对LTE-U网络和LTE网络进行验证的方法,接下来将介绍另一种UE同时对LTE-U网络和LTE 网络进行验证的方法。The above embodiment introduces a method for the UE to simultaneously verify the LTE-U network and the LTE network according to the second random number and other parameters generated by the LTE-U network. A method for verifying an LTE network.

FIG. 5 is a flowchart of a second method for network authentication based on an authentication vector according to an embodiment of the present invention. As shown in FIG. 5, the method includes the following steps:

Step 501: The MME of the LTE network stores the expected response contained in the authentication vector.

As described in step 305 of the preceding embodiment, the authentication vector includes the first base key, the first random number, the expected response and the AUTN. When the MME of the LTE network receives the authentication vector, it stores the expected response for the later authentication of the UE.

Step 502: The MME of the LTE network sends the first base key, the expected response, the first random number and the AUTN to the MME of the LTE-U network.

After storing the expected response, the MME of the LTE network sends the MME of the LTE-U network not only the remaining elements of the authentication vector, namely the first base key, the first random number and the AUTN, but also the expected response itself.

Step 503: When the MME of the LTE-U network receives the first base key, the expected response, the first random number and the AUTN, it stores the first base key and the expected response and generates the first encryption result from the first base key.

When the MME of the LTE-U network receives the first base key, the expected response, the first random number and the AUTN, it stores the first base key and the expected response for the later authentication of the UE. At the same time, the MME of the LTE-U network generates the first encryption result from the first base key.

It should be noted that, as described in step 305 of the preceding embodiment, the AUTN includes a MAC. When the MME of the LTE-U network receives the first base key, the expected response, the first random number and the AUTN, it encrypts the MAC contained in the AUTN with the first base key, and the result is the first encryption result.

Step 504: The MME of the LTE-U network sends the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.

After generating the first encryption result, the MME of the LTE-U network sends the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the eNB of the LTE-U network, which forwards them to the UE.

Step 505: When the UE receives the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result, it authenticates the LTE network and the LTE-U network from these values.

When the UE receives the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result, it authenticates the LTE network from the first random number and the AUTN, and authenticates the LTE-U network from the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result.

For the way the UE authenticates the LTE network, see the description of the UE authenticating the LTE network in step 405; it is not repeated here.

To authenticate the LTE-U network, the UE generates a second base key from the network identifier of the LTE-U network, the first random number and the AUTN, encrypts the MAC with the second base key to obtain a fifth encryption result, and, if the first encryption result equals the fifth encryption result, determines that the LTE-U network is authenticated.

Specifically, when authenticating the LTE-U network, the UE generates the second base key from the Ki it stores, the network identifier of the LTE-U network, the first random number and the AUTN, and then encrypts the MAC contained in the AUTN with the second base key to obtain the fifth encryption result. The first base key is the key associated with the LTE-U network; the first encryption result was obtained by encrypting the MAC with the first base key, and the fifth encryption result by encrypting the MAC with the second base key. If the two results are equal, the first base key and the second base key are the same, and the UE determines that the LTE-U network is authenticated. Conversely, if the fifth encryption result differs from the first encryption result, the second base key differs from the first base key, and the UE's authentication of the LTE-U network fails.

Step 506: When the UE determines that both the LTE network and the LTE-U network are authenticated, it generates a response and generates the second encryption result from the network identifier of the LTE-U network, the first random number and the AUTN.

When the UE determines that the LTE network is authenticated, it generates the response from the Ki it stores and the received first random number.

When the UE determines that the LTE-U network is authenticated and has generated the response, it encrypts the response with the second base key generated in step 505 from the network identifier of the LTE-U network, the first random number and the AUTN, obtaining the second encryption result.

Step 507: The UE sends the second encryption result and the response to the MME of the LTE-U network.

After generating the response and the second encryption result, the UE sends them to the eNB of the LTE-U network, which forwards them to the MME of the LTE-U network.

Step 508: When the MME of the LTE-U network receives the response and the second encryption result, it authenticates the UE from them.

As described in step 503, the MME of the LTE-U network stores the first base key and the expected response, the latter generated by the HSS from the stored Ki and the first random number. When the MME of the LTE-U network receives the response and the second encryption result, it first compares the response with the expected response, and then encrypts the response with the first base key it stores to obtain a sixth encryption result. Since the response was generated by the UE from its own Ki and the first random number, if the response equals the expected response and the sixth encryption result equals the second encryption result, the second base key generated by the UE matches the first base key stored by the MME of the LTE-U network; the MME of the LTE-U network then treats the UE as genuine, that is, its authentication of the UE succeeds. Conversely, if the sixth encryption result differs from the second encryption result, the first base key and the second base key differ, and the LTE-U network's authentication of the UE fails.

Step 509: The MME of the LTE-U network sends the response to the MME of the LTE network.

The MME of the LTE-U network may forward the response to the MME of the LTE network as soon as it receives it, or only after it has completed its own authentication of the UE.

Step 510: When the MME of the LTE network receives the response, it authenticates the UE from the response.

For the way the MME of the LTE network authenticates the UE from the response, see step 410; it is not repeated here.

In this embodiment of the present invention, after the MME of the LTE network receives the authentication vector, the MME of the LTE network and the MME of the LTE-U network send the first random number, the AUTN and the first encryption result to the UE, where the first encryption result is obtained by the MME of the LTE-U network encrypting the MAC contained in the AUTN. On receiving them, the UE authenticates the LTE-U network and the LTE network at the same time from the first random number, the AUTN and the first encryption result; the MME of the LTE-U network and the MME of the LTE network then authenticate the UE from the response and the second encryption result, where the second encryption result is obtained by the UE encrypting the response. In other words, in the network authentication method of this embodiment neither the LTE-U network nor the UE has to generate a random number; mutual authentication is completed by encrypting parameters that are already in the authentication vector, which simplifies the procedure. With this method a UE accessing the operator network and the LTE-U network completes authentication with both networks at the same time and can therefore access both at the same time, which is convenient for the user.
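The following is an added walk-through of the FIG. 5 exchange (steps 501 to 510) with all four parties in one program; it is example code written for this page, not the patent's own code. The patent fixes no concrete primitives, so the choices are assumptions and are marked as such in the code: the f1 and f2 functions that produce the MAC and the response are HMAC-SHA256 over Ki with a label, the first base key is HMAC-SHA256 over Ki of the LTE-U network identifier, RAND and AUTN, and "encrypting X with a base key" is modelled as HMAC-SHA256(base key, X). That last choice is deliberate: every encryption result in FIG. 5 is only ever compared for equality, so a keyed PRF is what the scheme actually needs and it avoids the nonce handling a real cipher would require. The network identifier `LTE-U-net-1`, the Ki values and the SQN layout of the AUTN are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed walk-through of FIG. 5 (steps 501-510), not the patent's code.
// The patent fixes no primitives, so these are assumptions: f1 (MAC) and f2
// (RES) are HMAC-SHA256 over Ki with a label; the first base key is
// HMAC-SHA256(Ki, netID||RAND||AUTN); "encrypting X with a base key" is
// HMAC-SHA256(baseKey, X), since FIG. 5 only ever compares the results.

const lteuNetID = "LTE-U-net-1" // hypothetical LTE-U network identifier

func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// AuthVector is the HSS output of step 305 for this variant; AUTN is
// modelled as SQN||MAC with MAC = f1(Ki, SQN, RAND).
type AuthVector struct{ BaseKey, RAND, XRES, AUTN []byte }

func hssGenerateAV(ki, sqn, rnd []byte, netID string) AuthVector {
	mac := prf(ki, []byte("f1"), sqn, rnd)
	autn := append(append([]byte{}, sqn...), mac...)
	return AuthVector{
		BaseKey: prf(ki, []byte("kdf"), []byte(netID), rnd, autn),
		RAND:    rnd,
		XRES:    prf(ki, []byte("f2"), rnd),
		AUTN:    autn,
	}
}

func macOf(autn []byte) []byte { return autn[len(autn)-sha256.Size:] }
func sqnOf(autn []byte) []byte { return autn[:len(autn)-sha256.Size] }

// ueVerifyNetworks is step 505: recompute XMAC for the LTE network, then the
// fifth encryption result for the LTE-U network. On success it returns the
// second base key needed for the second encryption result in step 506.
func ueVerifyNetworks(ki, rnd, autn []byte, netID string, enc1 []byte) ([]byte, bool) {
	xmac := prf(ki, []byte("f1"), sqnOf(autn), rnd)
	if !hmac.Equal(xmac, macOf(autn)) {
		return nil, false // LTE network rejected
	}
	k2 := prf(ki, []byte("kdf"), []byte(netID), rnd, autn)
	if !hmac.Equal(enc1, prf(k2, macOf(autn))) {
		return nil, false // LTE-U network rejected: it lacks the first base key
	}
	return k2, true
}

// runFig5 drives the exchange with Ki values hssKi (HSS) and ueKi (UE). If
// rogueK1 is non-nil the LTE-U MME uses it instead of the forwarded first
// base key. Returns (LTE-U MME accepts UE, LTE MME accepts UE).
func runFig5(hssKi, ueKi, rogueK1 []byte) (bool, bool) {
	rnd, sqn := make([]byte, 16), make([]byte, 6)
	rand.Read(rnd)
	rand.Read(sqn)
	av := hssGenerateAV(hssKi, sqn, rnd, lteuNetID)

	// Steps 501-503: LTE MME keeps XRES; LTE-U MME stores K1 and XRES and
	// computes enc1 = Enc(K1, MAC).
	lteXRES, lteuXRES, k1 := av.XRES, av.XRES, av.BaseKey
	if rogueK1 != nil {
		k1 = rogueK1
	}
	enc1 := prf(k1, macOf(av.AUTN))

	// Steps 504-505: UE receives RAND, AUTN, netID, enc1 and checks both.
	k2, ok := ueVerifyNetworks(ueKi, av.RAND, av.AUTN, lteuNetID, enc1)
	if !ok {
		return false, false // UE aborts; no response is sent
	}
	// Steps 506-507: RES = f2(Ki, RAND), enc2 = Enc(K2, RES).
	res := prf(ueKi, []byte("f2"), av.RAND)
	enc2 := prf(k2, res)

	// Step 508: LTE-U MME checks RES == XRES and Enc(K1, RES) == enc2.
	lteuOK := hmac.Equal(res, lteuXRES) && hmac.Equal(prf(k1, res), enc2)
	// Steps 509-510: LTE MME checks RES == XRES.
	return lteuOK, hmac.Equal(res, lteXRES)
}

func main() {
	ki := []byte("constructed-Ki-for-the-example!!")
	fmt.Println(runFig5(ki, ki, nil))                     // true true
	fmt.Println(runFig5(ki, ki, []byte("not-the-K1")))    // false false
	fmt.Println(runFig5(ki, []byte("different-Ki"), nil)) // false false
}
```

The two failure runs show where each check bites: an LTE-U MME that never received the first base key is rejected by the UE in step 505 before any response leaves the device, and a Ki mismatch fails already at the XMAC check, so neither MME ever sees a response to compare. Comparisons use `hmac.Equal` rather than `bytes.Equal` so that the MME side does not leak timing information about how many bytes of a forged result matched.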

The methods described above with reference to FIG. 4 and FIG. 5 are two methods in which the UE authenticates the LTE-U network and the LTE network at the same time, after which the MME of the LTE-U network and the MME of the LTE network authenticate the UE. Next, with reference to FIG. 6, a network authentication method is described in which the UE first authenticates mutually with the LTE network and then authenticates the LTE-U network.

FIG. 6 is a flowchart of a third method for network authentication based on an authentication vector according to an embodiment of the present invention. In this method the MME of the LTE network first interacts with the UE through steps 601 to 60, using the third base key, the expected response, the first random number and the AUTN, to complete mutual authentication with the UE, and then proceeds as shown in FIG. 6. The method includes the following steps:

Step 601: The MME of the LTE network stores the third base key and the expected response contained in the authentication vector.

As described in step 305 of the preceding embodiment, the authentication vector may include the third base key, the expected response, the first random number and the AUTN. In that case the MME of the LTE network, on receiving the authentication vector, stores the third base key and the expected response for the later authentication of the UE.

Step 602: The MME of the LTE network sends the first random number and the AUTN to the UE.

After storing the third base key and the expected response, the MME of the LTE network sends the first random number and the AUTN from the authentication vector to the MME of the LTE-U network, which sends them to the eNB of the LTE-U network, which in turn forwards them to the UE.

Step 603: When the UE receives the first random number and the AUTN, it authenticates the LTE network from them.

For the implementation of this step, see the description in step 405 of the UE authenticating the LTE network from the first random number and the AUTN; it is not repeated here.

Step 604: When the UE determines that the LTE network is authenticated, it generates a response.

For the implementation of this step, see the description in step 406 of the UE generating the response once it has authenticated the LTE network; it is not repeated here.

Step 605: The UE sends the response to the MME of the LTE network.

After generating the response, the UE sends it to the MME of the LTE network via the eNB and the MME of the LTE-U network.

Step 606: When the MME of the LTE network receives the response, it authenticates the UE from the response.

For the implementation of this step, see the description in step 410 of the MME of the LTE network authenticating the UE from the response; it is not repeated here.

Step 607: When the MME of the LTE network determines that the UE is authenticated, it generates a second random number, generates the first base key from the network identifier of the LTE-U network and the third base key, generates a NAS key from the UE's security algorithm, and encrypts the second random number with the NAS key to obtain a seventh encryption result.

As described in step 302, the MME of the LTE-U network added the network identifier of the LTE-U network to the first attach request to form the second attach request, which it sent to the MME of the LTE network. The MME of the LTE network can therefore, once it has authenticated the UE, generate the first base key from the network identifier of the LTE-U network and the third base key. At the same time, it generates the second random number with a random number generator.

It should be noted that the second attach request also carries the UE's security algorithm, so after generating the second random number and the first base key the MME of the LTE network can generate the NAS key according to the UE's security algorithm and then encrypt the second random number with the NAS key to obtain the seventh encryption result.

Step 608: The MME of the LTE network sends the first base key, the third base key, the NAS key, the network identifier of the LTE-U network, the second random number and the seventh encryption result to the MME of the LTE-U network.

Step 609: When the MME of the LTE-U network receives the first base key, the third base key, the NAS key, the network identifier of the LTE-U network, the second random number and the seventh encryption result, it encrypts the second random number with the first base key to obtain an eighth encryption result.

Step 610: The MME of the LTE-U network sends the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result to the UE.

The MME of the LTE-U network sends the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result to the eNB of the LTE-U network, which forwards them to the UE.

Step 611: When the UE receives the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result, it generates a second base key from the third base key and the network identifier of the LTE-U network, decrypts the eighth encryption result with the second base key to obtain a first decryption result, and decrypts the seventh encryption result with the NAS key to obtain a second decryption result.

Since the first base key was generated by the MME of the LTE network from the third base key and the network identifier of the LTE-U network, the UE, to verify the authenticity of the LTE-U network, generates the second base key from the third base key and the network identifier of the LTE-U network, and its authentication of the LTE-U network amounts to checking whether the second base key and the first base key are the same.

It should be noted that, to prevent tampering with the information passed from the MME of the LTE-U network to the UE, the MME of the LTE-U network does not send the first base key to the UE directly; instead, as in step 609, it encrypts the second random number with the first base key and sends the resulting eighth encryption result to the UE. On receiving the eighth encryption result, the UE decrypts it with the second base key to obtain the first decryption result and decrypts the seventh encryption result with the NAS key to obtain the second decryption result.

Step 612: The UE authenticates the LTE-U network from the first decryption result and the second decryption result.

The eighth encryption result is the second random number encrypted by the MME of the LTE-U network with the first base key, and the seventh encryption result is the second random number encrypted by the MME of the LTE network with the NAS key. After the UE decrypts the eighth encryption result with the second base key and the seventh encryption result with the NAS key, if the first decryption result equals the second decryption result, the second base key generated by the UE is the same as the first base key; the UE then determines that the LTE-U network is authentic, that is, that its authentication of the LTE-U network succeeds.

In this embodiment of the present invention, after the MME of the LTE network receives the authentication vector, it first interacts with the UE using the third base key, the first random number, the expected response and the AUTN from the authentication vector to complete mutual authentication with the UE. The MME of the LTE network then generates the first base key and the second random number, obtains the NAS key, and sends the first base key, the second random number and the NAS key to the MME of the LTE-U network, after which the MME of the LTE-U network and the UE perform network authentication with the first base key, the second random number and the NAS key. Thus, with the network authentication method of this embodiment, a UE accessing the operator network and the LTE-U network completes authentication with both networks in the course of accessing them and can access both at the same time, which is convenient for the user.
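The following is an added example of steps 607 to 612, the LTE-U part of the FIG. 6 method that runs after the LTE network and the UE have authenticated each other; it is example code written for this page, not the patent's own code. Unlike FIG. 5, the UE here must actually decrypt the seventh and eighth encryption results, so these are modelled as AES-256-GCM ciphertexts with the nonce prefixed (an assumption; the patent names no cipher). The key derivation is HMAC-SHA256 with a label, and the NAS key is derived from the third base key and a one-byte security-algorithm identifier, both assumptions. The example also has the UE hold the third base key from the 601 to 606 exchange (assumed derivable from Ki, as KASME is in EPS AKA) and derive the NAS key itself, rather than take either key from the step 610 message, since a key the UE only learns from the LTE-U MME cannot serve as the reference against which it checks that MME. The network identifiers and key material are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed walk-through of steps 607-612 of FIG. 6, not the patent's code.
// Assumptions: the KDF is HMAC-SHA256 with a label; the NAS key is derived
// from the third base key and the UE's security-algorithm identifier; the
// seventh and eighth "encryption results" are AES-256-GCM ciphertexts with
// the nonce prefixed, because here the UE must actually decrypt them. The UE
// holds the third base key from the 601-606 exchange and derives the NAS key
// itself rather than taking either key from the step 610 message.

func kdf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

func encrypt(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}

func decrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(ct) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:n], ct[n:], nil)
}

// runFig6LTEU runs steps 607-612 after the LTE network and the UE have
// authenticated each other. k3 is the third base key, netID the LTE-U
// identifier the LTE MME was given in the second attach request, ueNetID the
// one the UE itself uses, algID the UE's security algorithm. If lteuK1 is
// non-nil the LTE-U MME uses it in step 609 instead of the forwarded K1.
func runFig6LTEU(k3 []byte, netID, ueNetID string, algID byte, lteuK1 []byte) bool {
	// Step 607: LTE MME makes RAND2, K1 = KDF(K3, netID), K_NAS, enc7 = Enc(K_NAS, RAND2).
	rand2 := make([]byte, 16)
	rand.Read(rand2)
	k1 := kdf(k3, []byte("k1"), []byte(netID))
	kNAS := kdf(k3, []byte("nas"), []byte{algID})
	enc7 := encrypt(kNAS, rand2)

	// Steps 608-609: LTE-U MME receives K1 and RAND2, computes enc8 = Enc(K1, RAND2).
	if lteuK1 != nil {
		k1 = lteuK1
	}
	enc8 := encrypt(k1, rand2)

	// Steps 610-611: UE derives K2 = KDF(K3, netID) and K_NAS, decrypts both results.
	k2 := kdf(k3, []byte("k1"), []byte(ueNetID))
	dec1, err1 := decrypt(k2, enc8)
	dec2, err2 := decrypt(kNAS, enc7)

	// Step 612: the LTE-U network is accepted only if both decrypt and agree.
	// With an AEAD a wrong K2 already fails at decrypt; the equality check is
	// what binds enc8 to the RAND2 the LTE MME chose in step 607.
	return err1 == nil && err2 == nil && hmac.Equal(dec1, dec2)
}

func main() {
	k3 := kdf([]byte("constructed-Ki"), []byte("k3")) // stand-in for the third base key
	fmt.Println(runFig6LTEU(k3, "LTE-U-net-1", "LTE-U-net-1", 1, nil))                   // true
	fmt.Println(runFig6LTEU(k3, "LTE-U-net-1", "LTE-U-net-1", 1, kdf([]byte("rogue")))) // false
	fmt.Println(runFig6LTEU(k3, "LTE-U-net-1", "LTE-U-net-2", 1, nil))                   // false
}
```

The third run is the case the network identifier is there to catch: an LTE-U MME that was provisioned for one network identity but presents another to the UE derives a first base key the UE will not reproduce, so the eighth encryption result does not open under the UE's second base key.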

Having described the network authentication method of the embodiments of the present invention, the network authentication system of the embodiments is described next.

An embodiment of the present invention provides a network authentication system comprising a UE, an MME of an LTE-U network, an MME of an LTE network and an HSS.

The MME of the LTE-U network is configured to perform steps 302 and 303 of the embodiment above;

the MME of the LTE network is configured to perform step 304 of the embodiment above;

the HSS is configured to perform steps 305 and 306 of the embodiment above;

the MME of the LTE network is configured to perform step 307 of the embodiment above.

Optionally, the authentication vector includes a first base key, an expected response, a first random number and an authentication token AUTN, the first base key being the key associated with the LTE-U network;

the MME of the LTE network is specifically configured to store the expected response and to send, via the MME of the LTE-U network, the first random number, the AUTN, the network identifier of the LTE-U network and a first encryption result to the UE, the first encryption result being generated by the MME of the LTE-U network from the first base key;

the UE is configured, on receiving the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result, to authenticate the LTE network from the first random number and the AUTN, and to authenticate the LTE-U network from the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result;

the UE is further configured, when it determines that both the LTE network and the LTE-U network are authenticated, to generate a response and to generate a second encryption result from the first random number, the AUTN and the network identifier of the LTE-U network;

the UE is further configured to send the second encryption result to the MME of the LTE-U network and the response to the MME of the LTE network;

the MME of the LTE-U network is configured, on receiving the second encryption result, to authenticate the UE from the second encryption result, and the MME of the LTE network is configured, on receiving the response, to authenticate the UE from the expected response and the response.

Optionally, the MME of the LTE network is specifically configured to:

store the expected response, and send the first base key, the first random number and the AUTN to the MME of the LTE-U network;

the MME of the LTE-U network is further configured, on receiving the first base key, the first random number and the AUTN, to store the first base key, generate the first encryption result from the first base key, and send the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.

可选地,所述所述LTE-U网络的MME具体用于:Optionally, the MME of the LTE-U network is specifically used for:

生成第二随机数,并通过所述第一基础密钥对所述第二随机数进行加密,得到所述第一加密结果;generating a second random number, and encrypting the second random number by using the first basic key to obtain the first encryption result;

将所述第一随机数、所述AUTN、所述LTE-U网络的网络标识、所述第一加密结果和所述第二随机数发送至所述UE。Send the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number to the UE.

可选地,所述AUTN包括消息鉴权码MAC;Optionally, the AUTN includes a message authentication code MAC;

所述UE具体用于:The UE is specifically used for:

基于所述第一随机数和所述AUTN中除所述MAC之外的其他参数生成期望消息鉴权码 XMAC;generating a desired message authentication code XMAC based on the first random number and other parameters in the AUTN except the MAC;

如果所述XMAC和所述MAC相同,则确定对所述LTE网络的验证通过。If the XMAC and the MAC are the same, it is determined that the verification of the LTE network is passed.

可选地,所述UE具体用于:Optionally, the UE is specifically used for:

根据所述LTE-U网络的网络标识、所述第一随机数和所述AUTN生成第二基础密钥;generating a second basic key according to the network identifier of the LTE-U network, the first random number and the AUTN;

通过所述第二基础密钥对所述第二随机数进行加密,得到第三加密结果;Encrypting the second random number with the second basic key to obtain a third encryption result;

如果所述第一加密结果等于所述第三加密结果,则确定对所述LTE-U网络的验证通过。If the first encryption result is equal to the third encryption result, it is determined that the verification of the LTE-U network is passed.

Optionally, the UE is specifically configured to:

generate a third random number, and encrypt the second random number and the third random number together with the second base key to obtain a second encryption result;

send the second encryption result and the third random number to the MME of the LTE-U network;

correspondingly, the MME of the LTE-U network is specifically configured to:

encrypt the second random number and the third random number together with the stored first base key to obtain a fourth encryption result;

if the second encryption result and the fourth encryption result are equal, determine that verification of the UE has passed.
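The exchange described in the preceding paragraphs (first base key handed from the LTE MME to the LTE-U MME, second random number encrypted under it, XMAC check against the MAC in the AUTN, second base key derived by the UE, and the third random number used for the UE's reply), as an added Python simulation; it is not code from the patent or from the applicant. The patent does not name the cipher or the key derivation function, so this example stands in HMAC-SHA-256 for both "encrypt with key" and key derivation, assumes that the long-term subscriber key shared between the UE and the HSS is also an input to the base-key derivation, and uses constructed network identifiers and key values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed values (assumptions, not from the patent): the long-term key shared
# by the UE and the HSS, and the two network identifiers.
K_SHARED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NET_ID_LTE = b"plmn-46000"
NET_ID_LTEU = b"lteu-site-0001"


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed pseudorandom function (HMAC-SHA-256 over length-prefixed parts).
    It stands in for the patent's unspecified 'encrypt with key' step and for
    its key derivation; being deterministic, both sides can compare results."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


@dataclass(frozen=True)
class Autn:
    """Authentication token: the MAC plus the 'other parameters' the UE feeds into XMAC."""
    sqn_ak: bytes
    amf: bytes
    mac: bytes


def compute_mac(rand1: bytes, sqn_ak: bytes, amf: bytes) -> bytes:
    # Stand-in for the AKA f1 function; the UE recomputes the same value as XMAC.
    return prf(K_SHARED, b"f1", rand1, sqn_ak, amf)[:8]


def derive_base_key(net_id: bytes, rand1: bytes, autn: Autn) -> bytes:
    """First (HSS side) / second (UE side) base key, bound to the LTE-U network
    identifier, the first random number and the AUTN. Assumption: the shared
    long-term key is an input too, otherwise anyone could derive the key."""
    return prf(K_SHARED, b"base-key", net_id, rand1, autn.sqn_ak, autn.amf, autn.mac)


def hss_generate_vector(net_id_lteu: bytes):
    """HSS: authentication vector = (first base key, XRES, first random number, AUTN)."""
    rand1, sqn_ak, amf = os.urandom(16), os.urandom(6), b"\x80\x00"
    autn = Autn(sqn_ak, amf, compute_mac(rand1, sqn_ak, amf))
    xres = prf(K_SHARED, b"f2", rand1)[:8]          # expected reply information
    return derive_base_key(net_id_lteu, rand1, autn), xres, rand1, autn


class LteUMme:
    """LTE-U MME: stores the first base key received from the LTE MME."""

    def __init__(self, net_id: bytes):
        self.net_id, self.k1, self.rand2 = net_id, b"", b""

    def challenge(self, k1: bytes, rand1: bytes, autn: Autn):
        self.k1, self.rand2 = k1, os.urandom(16)      # second random number
        c1 = prf(k1, b"enc", self.rand2)              # first encryption result
        return rand1, autn, self.net_id, c1, self.rand2   # message to the UE

    def verify_ue(self, c2: bytes, rand3: bytes) -> bool:
        c4 = prf(self.k1, b"enc", self.rand2 + rand3)  # fourth encryption result
        return hmac.compare_digest(c2, c4)


def ue_handle_challenge(rand1, autn, net_id, c1, rand2):
    """UE: verify the LTE network via XMAC and the LTE-U network via the base
    key, then produce RES for the LTE MME and (C2, RAND3) for the LTE-U MME."""
    xmac = compute_mac(rand1, autn.sqn_ak, autn.amf)
    lte_ok = hmac.compare_digest(xmac, autn.mac)
    k2 = derive_base_key(net_id, rand1, autn)        # second base key
    c3 = prf(k2, b"enc", rand2)                       # third encryption result
    lteu_ok = hmac.compare_digest(c1, c3)
    if not (lte_ok and lteu_ok):
        return lte_ok, lteu_ok, None
    rand3 = os.urandom(16)                            # third random number
    res = prf(K_SHARED, b"f2", rand1)[:8]             # reply information
    c2 = prf(k2, b"enc", rand2 + rand3)               # second encryption result
    return lte_ok, lteu_ok, (res, c2, rand3)


def run_protocol(lteu_key_override: bytes = b"") -> dict:
    """Drive one full exchange and report which verifications passed. With
    lteu_key_override the LTE-U MME uses a key it did not receive from the
    LTE MME, i.e. a node that does not hold the key bound to its identifier."""
    k1, xres, rand1, autn = hss_generate_vector(NET_ID_LTEU)
    lteu = LteUMme(NET_ID_LTEU)
    msg = lteu.challenge(lteu_key_override or k1, rand1, autn)
    lte_ok, lteu_ok, reply = ue_handle_challenge(*msg)
    if reply is None:
        return {"ue_accepts_lte": lte_ok, "ue_accepts_lteu": lteu_ok,
                "lte_accepts_ue": False, "lteu_accepts_ue": False}
    res, c2, rand3 = reply
    return {"ue_accepts_lte": lte_ok, "ue_accepts_lteu": lteu_ok,
            "lte_accepts_ue": hmac.compare_digest(xres, res),  # LTE MME: XRES vs RES
            "lteu_accepts_ue": lteu.verify_ue(c2, rand3)}
```

Every comparison goes through hmac.compare_digest so a failed check does not leak timing information. run_protocol() with the default argument exercises the honest path; passing a key the LTE-U MME never received from the LTE MME shows the UE rejecting the LTE-U network while the LTE network check still passes, which illustrates that the two verifications are independent and that the LTE-U check rests entirely on possession of the first base key.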

Optionally, the MME of the LTE network is specifically configured to:

store the expected reply information, and send the first base key, the expected reply information, the first random number and the AUTN to the MME of the LTE-U network;

the MME of the LTE-U network is configured to, upon receiving the first base key, the expected reply information, the first random number and the AUTN, store the first base key and the expected reply information, generate a first encryption result based on the first base key, and send the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.

Optionally, the AUTN includes a MAC;

the MME of the LTE-U network is specifically configured to:

encrypt the MAC with the first base key to obtain the first encryption result.

Optionally, the UE is specifically configured to:

generate a second base key according to the network identifier of the LTE-U network, the first random number and the AUTN;

encrypt the MAC with the second base key to obtain a fifth encryption result;

if the first encryption result equals the fifth encryption result, determine that verification of the LTE-U network has passed.

Optionally, the UE is specifically configured to:

encrypt the reply information with the second base key to obtain a second encryption result;

correspondingly, the MME of the LTE-U network is specifically configured to:

encrypt the reply information with the stored first base key to obtain a sixth encryption result;

if the expected reply information stored by the MME of the LTE-U network is the same as the reply information, and the sixth encryption result equals the second encryption result, determine that verification of the UE has passed.

Optionally, the second attach request carries the security algorithm of the UE, and the authentication vector includes a third base key, expected reply information, a first random number and an authentication token AUTN, the third base key being the key corresponding to the LTE network;

the MME of the LTE network is specifically configured to interact with the UE based on the third base key, the expected reply information, the first random number and the AUTN, so as to implement verification of the LTE network by the UE and verification of the UE by the MME of the LTE network;

the MME of the LTE network is further configured to, when it determines that verification of the UE has passed, generate a second random number, and generate a first base key based on the network identifier of the LTE-U network and the third base key;

the MME of the LTE network is further configured to generate a non-access stratum (NAS) key based on the security algorithm of the UE, and to encrypt the second random number with the NAS key to obtain a seventh encryption result;

the MME of the LTE network is further configured to send the first base key, the third base key, the NAS key, the network identifier of the LTE-U network, the second random number and the seventh encryption result to the MME of the LTE-U network;

the MME of the LTE-U network is specifically configured to encrypt the second random number with the first base key to obtain an eighth encryption result, and to send the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result to the UE;

the UE is specifically configured to generate a second base key based on the third base key and the network identifier of the LTE-U network, decrypt the eighth encryption result with the second base key to obtain a first decryption result, and decrypt the seventh encryption result with the NAS key to obtain a second decryption result;

the UE is further configured to determine that verification of the LTE-U network has passed if the first decryption result and the second decryption result are the same.
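The variant in the preceding paragraphs (third base key from the authentication vector, first base key derived from it and the LTE-U network identifier, NAS key derived from the UE's security algorithm, the second random number encrypted under both keys, and the UE comparing its two decryption results), as an added Python simulation that is not code from the patent or the applicant. Because the UE must actually decrypt here, the example uses a toy XOR cipher keyed by an HMAC-SHA-256 keystream in place of the unspecified encryption and derives both keys with the same HMAC; the third base key, the network identifier and the security-algorithm label are constructed placeholders, and the message contents follow the text above (the third base key and NAS key are forwarded to the UE by the LTE-U MME).

```python
import hashlib
import hmac
import os

# Constructed placeholders (assumptions, not from the patent).
K3 = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")   # third base key (LTE network key)
NET_ID_LTEU = b"lteu-site-0001"                            # LTE-U network identifier
UE_SEC_ALG = b"sec-alg-placeholder"                        # security algorithm from the attach request


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over length-prefixed parts; used for key derivation and keystream."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def xor_cipher(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy deterministic cipher: XOR with an HMAC-derived keystream, so encrypt
    and decrypt are the same call. It only stands in for the patent's
    unspecified encryption so the decrypt-and-compare step can be shown."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(prf(key, label, bytes([i])) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def lte_mme_after_ue_verified(ue_sec_alg: bytes):
    """LTE MME, once its own AKA with the UE has passed: generate the second
    random number, derive the first base key and the NAS key, and produce the
    seventh encryption result. Returns the message for the LTE-U MME."""
    rand2 = os.urandom(16)                              # second random number
    k1 = prf(K3, b"base-key", NET_ID_LTEU)              # first base key
    k_nas = prf(K3, b"nas-key", ue_sec_alg)             # NAS key
    c7 = xor_cipher(k_nas, b"nas", rand2)               # seventh encryption result
    return k1, K3, k_nas, NET_ID_LTEU, rand2, c7


def lteu_mme_forward(k1, k3, k_nas, net_id, rand2, c7):
    """LTE-U MME: eighth encryption result under the first base key; forwards
    the rest to the UE as the text describes."""
    c8 = xor_cipher(k1, b"lteu", rand2)                 # eighth encryption result
    return k3, k_nas, net_id, c7, c8


def ue_verify_lteu(k3, k_nas, net_id, c7, c8) -> bool:
    """UE: derive the second base key, decrypt both results, compare."""
    k2 = prf(k3, b"base-key", net_id)                   # second base key
    d1 = xor_cipher(k2, b"lteu", c8)                    # first decryption result
    d2 = xor_cipher(k_nas, b"nas", c7)                  # second decryption result
    return hmac.compare_digest(d1, d2)


def run_variant(forwarded_k1: bytes = b"") -> bool:
    """One full exchange. forwarded_k1 lets the LTE-U MME encrypt under a key
    other than the first base key it should have received, which makes the
    UE's two decryption results differ and the check fail."""
    k1, k3, k_nas, net_id, rand2, c7 = lte_mme_after_ue_verified(UE_SEC_ALG)
    msg = lteu_mme_forward(forwarded_k1 or k1, k3, k_nas, net_id, rand2, c7)
    return ue_verify_lteu(*msg)
```

The check passes only when the key the LTE-U MME used for the eighth encryption result equals the key the UE derives from the third base key and the LTE-U network identifier, so a node that did not obtain the first base key from the LTE MME, or that announces a different network identifier, yields two different plaintexts and is rejected.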

In summary, in the embodiments of the present invention, for a UE that has not yet attached to the operator network, when the UE accesses the LTE-U network it may send a first attach request to the MME of the LTE-U network. When the MME of the LTE-U network receives the first attach request, it may add the network identifier of the LTE-U network to the first attach request, thereby generating a second attach request, and send the second attach request to the MME of the LTE network. The MME of the LTE network generates an authentication data request based on the second attach request in order to request an authentication vector from the HSS. When the HSS receives the authentication data request, it generates an authentication vector based on that request and sends the authentication vector to the MME of the LTE network, after which the MME of the LTE network can interact with the UE and the MME of the LTE-U network according to the received authentication vector to implement network authentication. That is, with the network authentication method provided by the embodiments of the present invention, a UE accessing both the operator network and the LTE-U network can complete authentication with the operator network and the LTE-U network in a single procedure, so that the UE can access the operator network and the LTE-U network at the same time, which is convenient for the user.

It should be noted that when the network authentication system provided by the above embodiments performs network authentication, the division into the functional modules described above is given only by way of example; in practice the above functions may be allocated to different functional modules as required, that is, the internal structure of a device may be divided into different functional modules to complete all or part of the functions described above. In addition, the network authentication system provided by the above embodiments and the network authentication method embodiments belong to the same concept; for the specific implementation process, refer to the method embodiments, which are not repeated here.

The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example, coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (for example, infrared, radio or microwave). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a digital versatile disc (DVD)) or a semiconductor medium (for example, a solid state disk (SSD)), among others.

A person of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be completed by hardware, or by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium; the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.

The above are embodiments provided by the present application and are not intended to limit the present application. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present application shall fall within the protection scope of the present application.

Claims (24)

1. A method of network authentication, the method comprising:
when a mobility management entity (MME) of an unlicensed long term evolution (LTE-U) network receives a first attach request from user equipment (UE), adding a network identifier of the LTE-U network to the first attach request to generate a second attach request, and sending the second attach request to an MME of an LTE network;
when the MME of the LTE network receives the second attach request, sending an authentication data request to a home subscriber server (HSS) based on the second attach request, where the authentication data request carries the network identifier of the LTE-U network and a network identifier of the LTE network;
when the HSS receives the authentication data request, generating an authentication vector based on the network identifier of the LTE-U network and the network identifier of the LTE network, and sending the authentication vector to the MME of the LTE network, the authentication vector including parameters for authenticating the UE, the LTE-U network and the LTE network;
when the MME of the LTE network receives the authentication vector, interacting with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication between the UE and the LTE network and between the UE and the LTE-U network.
2. The method of claim 1, wherein the authentication vector comprises a first base key, expected reply information, a first random number and an authentication token AUTN, the first base key being a key corresponding to the LTE-U network;
the interacting with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication comprises:
the MME of the LTE network storing the expected reply information, and sending the first random number, the AUTN, the network identifier of the LTE-U network and a first encryption result to the UE through the MME of the LTE-U network, the first encryption result being generated by the MME of the LTE-U network based on the first base key;
when the UE receives the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result, verifying the LTE network based on the first random number and the AUTN, and verifying the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result;
when the UE determines that both the LTE network and the LTE-U network are verified, generating reply information, and generating a second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network;
the UE sending the second encryption result to the MME of the LTE-U network and sending the reply information to the MME of the LTE network;
when the MME of the LTE-U network receives the second encryption result, verifying the UE based on the second encryption result, and when the MME of the LTE network receives the reply information, verifying the UE based on the expected reply information and the reply information.
3. The method of claim 2, wherein the MME of the LTE network sending the first random number, the AUTN and the first encryption result to the UE through the MME of the LTE-U network comprises:
the MME of the LTE network storing the expected reply information, and sending the first base key, the first random number and the AUTN to the MME of the LTE-U network;
when the MME of the LTE-U network receives the first base key, the first random number and the AUTN, storing the first base key, generating the first encryption result based on the first base key, and sending the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.
4. The method of claim 3, wherein the generating the first encryption result based on the first base key comprises:
the MME of the LTE-U network generating a second random number, and encrypting the second random number with the first base key to obtain the first encryption result;
correspondingly, the sending the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE comprises:
the MME of the LTE-U network sending the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number to the UE.
5. The method of claim 3 or 4, wherein the AUTN comprises a message authentication code MAC;
the UE verifying the LTE network based on the first random number and the AUTN comprises:
the UE generating an expected message authentication code (XMAC) based on the first random number and the parameters of the AUTN other than the MAC;
if the XMAC and the MAC are the same, the UE determining that the LTE network is verified.
6. The method of claim 4, wherein the UE verifying the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result comprises:
the UE generating a second base key according to the network identifier of the LTE-U network, the first random number and the AUTN;
the UE encrypting the second random number with the second base key to obtain a third encryption result;
if the first encryption result equals the third encryption result, the UE determining that the LTE-U network is verified.
7. The method of claim 6, wherein the generating the second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network comprises:
the UE generating a third random number, and encrypting the second random number and the third random number together with the second base key to obtain the second encryption result;
correspondingly, the UE sending the second encryption result to the MME of the LTE-U network comprises:
the UE sending the second encryption result and the third random number to the MME of the LTE-U network;
correspondingly, the MME of the LTE-U network verifying the UE based on the second encryption result comprises:
the MME of the LTE-U network encrypting the second random number and the third random number together with the stored first base key to obtain a fourth encryption result;
if the second encryption result and the fourth encryption result are equal, the MME of the LTE-U network determining that the UE is verified.
8. The method of claim 1, wherein the authentication vector comprises a first base key, expected reply information, a first random number and an authentication token AUTN, the first base key being a key corresponding to the LTE-U network;
the interacting with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication between the UE and the LTE network and between the UE and the LTE-U network comprises:
the MME of the LTE network storing the expected reply information, and sending the first base key, the expected reply information, the first random number and the AUTN to the MME of the LTE-U network;
when the MME of the LTE-U network receives the first base key, the expected reply information, the first random number and the AUTN, storing the first base key and the expected reply information, generating a first encryption result based on the first base key, and sending the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE;
when the UE receives the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result, verifying the LTE network based on the first random number and the AUTN, and verifying the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result;
when the UE determines that both the LTE network and the LTE-U network are verified, generating reply information, and generating a second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network;
the UE sending the second encryption result and the reply information to the MME of the LTE-U network, and sending the reply information to the MME of the LTE network;
when the MME of the LTE-U network receives the second encryption result and the reply information, verifying the UE based on the reply information and the second encryption result, and when the MME of the LTE network receives the reply information, verifying the UE based on the expected reply information and the reply information.
9. The method of claim 2 or 8, wherein the AUTN comprises a MAC;
the generating the first encryption result based on the first base key comprises:
the MME of the LTE-U network encrypting the MAC with the first base key to obtain the first encryption result.
10. The method of claim 9, wherein the UE verifying the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result comprises:
the UE generating a second base key according to the network identifier of the LTE-U network, the first random number and the AUTN;
the UE encrypting the MAC with the second base key to obtain a fifth encryption result;
if the first encryption result equals the fifth encryption result, the UE determining that the LTE-U network is verified.
11. The method of claim 10, wherein the generating the second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network comprises:
the UE encrypting the reply information with the second base key to obtain the second encryption result;
correspondingly, the MME of the LTE-U network verifying the UE based on the second encryption result comprises:
the MME of the LTE-U network encrypting the reply information with the stored first base key to obtain a sixth encryption result;
if the expected reply information stored by the MME of the LTE-U network is the same as the reply information, and the sixth encryption result equals the second encryption result, the MME of the LTE-U network determining that the UE is verified.
12. The method of claim 1, wherein the second attach request carries a security algorithm of the UE, the authentication vector includes a third base key, expected reply information, a first random number and an authentication token AUTN, and the third base key is a key corresponding to the LTE network;
the interacting with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication comprises:
the MME of the LTE network interacting with the UE based on the third base key, the expected reply information, the first random number and the AUTN to implement verification of the LTE network by the UE and verification of the UE by the MME of the LTE network;
when the MME of the LTE network determines that verification of the UE has passed, generating a second random number, and generating a first base key based on the network identifier of the LTE-U network and the third base key;
the MME of the LTE network generating a non-access stratum (NAS) key based on the security algorithm of the UE, and encrypting the second random number with the NAS key to obtain a seventh encryption result;
the MME of the LTE network sending the first base key, the third base key, the NAS key, the network identifier of the LTE-U network, the second random number and the seventh encryption result to the MME of the LTE-U network;
the MME of the LTE-U network encrypting the second random number with the first base key to obtain an eighth encryption result, and sending the third base key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result to the UE;
the UE generating a second base key based on the third base key and the network identifier of the LTE-U network, decrypting the eighth encryption result with the second base key to obtain a first decryption result, and decrypting the seventh encryption result with the NAS key to obtain a second decryption result;
if the first decryption result and the second decryption result are the same, the UE determining that the LTE-U network is verified.
13. A network authentication system, the system comprising:
a mobility management entity (MME) of an unlicensed long term evolution (LTE-U) network, configured to, when a first attach request is received from user equipment (UE), add a network identifier of the LTE-U network to the first attach request to generate a second attach request, and send the second attach request to an MME of an LTE network;
the MME of the LTE network, configured to, when the second attach request is received, send an authentication data request to a home subscriber server (HSS) based on the second attach request, where the authentication data request carries the network identifier of the LTE-U network and a network identifier of the LTE network;
the HSS, configured to, upon receiving the authentication data request, generate an authentication vector based on the network identifier of the LTE-U network and the network identifier of the LTE network, and send the authentication vector to the MME of the LTE network, the authentication vector including parameters for authenticating the UE, the LTE-U network and the LTE network;
the MME of the LTE network, configured to, when the authentication vector is received, interact with the UE and the MME of the LTE-U network based on the authentication vector to implement network authentication between the UE and the LTE network and between the UE and the LTE-U network.
14. The system of claim 13, wherein the authentication vector comprises a first base key, expected reply information, a first random number and an authentication token AUTN, the first base key being a key corresponding to the LTE-U network;
the MME of the LTE network is specifically configured to store the expected reply information, and to send the first random number, the AUTN, the network identifier of the LTE-U network and a first encryption result to the UE through the MME of the LTE-U network, the first encryption result being generated by the MME of the LTE-U network based on the first base key;
the UE is configured to, when the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result are received, verify the LTE network based on the first random number and the AUTN, and verify the LTE-U network based on the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result;
the UE is further configured to, when it determines that both the LTE network and the LTE-U network are verified, generate reply information and generate a second encryption result based on the first random number, the AUTN and the network identifier of the LTE-U network;
the UE is further configured to send the second encryption result to the MME of the LTE-U network and send the reply information to the MME of the LTE network;
the MME of the LTE-U network is configured to verify the UE based on the second encryption result when the second encryption result is received, and the UE is further verified based on the expected reply information and the reply information when the MME of the LTE network receives the reply information.
15. The system of claim 14, wherein the MME of the LTE network is specifically configured to:
store the expected reply information, and send the first base key, the first random number and the AUTN to the MME of the LTE-U network;
the MME of the LTE-U network is further configured to, when receiving the first base key, the first random number and the AUTN, store the first base key, generate the first encryption result based on the first base key, and send the first random number, the AUTN, the network identifier of the LTE-U network and the first encryption result to the UE.
16. The system of claim 15, wherein the MME of the LTE-U network is specifically configured to:
generate a second random number, and encrypt the second random number with the first base key to obtain the first encryption result; and
send the first random number, the AUTN, the network identifier of the LTE-U network, the first encryption result and the second random number to the UE.
17. The system of claim 15 or 16, wherein the AUTN comprises a message authentication code MAC;
the UE is specifically configured to:
generate an expected message authentication code (XMAC) based on the first random number and the parameters of the AUTN other than the MAC; and
if the XMAC and the MAC are the same, determine that the LTE network is verified.
18. The system of claim 16, wherein the UE is specifically configured to:
generate a second base key according to the network identifier of the LTE-U network, the first random number and the AUTN;
encrypt the second random number with the second base key to obtain a third encryption result; and
determine that the LTE-U network is verified if the first encryption result equals the third encryption result.
19. The system of claim 18, wherein the UE is specifically configured to:
generate a third random number, and encrypt the second random number and the third random number together with the second base key to obtain the second encryption result; and
send the second encryption result and the third random number to the MME of the LTE-U network;
correspondingly, the MME of the LTE-U network is specifically configured to:
encrypt the second random number and the third random number together with the stored first base key to obtain a fourth encryption result; and
determine that the UE is verified if the second encryption result and the fourth encryption result are equal.
20. The system of claim 14, wherein the authentication vector comprises a first basic key, expected reply information, a first random number and an authentication flag AUTN, and the first basic key is a key corresponding to the L TE-U network;
the MME of the L TE network is used for storing the expected reply information and sending the first basic key, the expected reply information, the first random number and the AUTN to the MME of the L TE-U network;
the MME of the L TE-U network is configured to, when receiving the first basic key, the expected reply information, the first random number, and the AUTN, store the first basic key and the expected reply information, generate a first encryption result based on the first basic key, and send the first random number, the AUTN, the network identifier of the L TE-U network, and the first encryption result to the UE;
the UE is configured to authenticate the L TE network based on the first random number and the AUTN and authenticate the L TE-U network based on the first random number, the AUTN, a network identification of the L TE-U network, and the first ciphering result when the first random number, the AUTN, the network identification of the L TE-U network, and the first ciphering result are received;
the UE is further configured to generate reply information and generate a second encryption result based on the first random number, the AUTN, and the network identification of the L TE-U network when it is determined that both the L TE network and the L TE-U network are verified;
the UE is further configured to send the second encryption result and the reply information to an MME of the L TE-U network and send the reply information to an MME of the L TE network;
the MME of the L TE-U network is further to authenticate the UE based on the reply information and the second ciphering result when the second ciphering result and the reply information are received;
the MME of the L TE network is further to authenticate the UE based on the expected reply information and the reply information when the reply information is received.
21. The system of claim 14 or 20, wherein the AUTN comprises a message authentication code MAC;
the MME of the LTE-U network is specifically configured to:
encrypt the MAC with the first basic key to obtain the first encryption result.
22. The system of claim 21, wherein the UE is specifically configured to:
generate a second basic key according to the network identifier of the LTE-U network, the first random number and the AUTN;
encrypt the MAC with the second basic key to obtain a fifth encryption result;
determine that the LTE-U network is authenticated if the first encryption result is equal to the fifth encryption result.
23. The system of claim 22, wherein the UE is specifically configured to:
encrypt the reply information with the second basic key to obtain the second encryption result;
correspondingly, the MME of the LTE-U network is specifically configured to:
encrypt the reply information with the stored first basic key to obtain a sixth encryption result;
determine that the UE is authenticated if the expected reply information stored by the MME of the LTE-U network is the same as the reply information and the sixth encryption result is equal to the second encryption result.
24. The system of claim 13, wherein the second attach request carries a security algorithm of the UE, the authentication vector comprises a third basic key, expected reply information, a first random number and an authentication token AUTN, and the third basic key is a key corresponding to the LTE network;
the MME of the LTE network is specifically configured to interact with the UE based on the third basic key, the expected reply information, the first random number and the AUTN, so that the UE authenticates the LTE network and the MME of the LTE network authenticates the UE;
the MME of the LTE network is further configured to generate a second random number when it determines that the UE is authenticated, and to generate a first basic key based on the network identifier of the LTE-U network and the third basic key;
the MME of the LTE network is further configured to generate a non-access stratum NAS key based on the security algorithm of the UE, and to encrypt the second random number with the NAS key to obtain a seventh encryption result;
the MME of the LTE network is further configured to send the first basic key, the third basic key, the NAS key, the network identifier of the LTE-U network, the second random number and the seventh encryption result to the MME of the LTE-U network;
the MME of the LTE-U network is specifically configured to encrypt the second random number with the first basic key to obtain an eighth encryption result, and to send the third basic key, the NAS key, the network identifier of the LTE-U network, the seventh encryption result and the eighth encryption result to the UE;
the UE is specifically configured to generate a second basic key based on the third basic key and the network identifier of the LTE-U network, decrypt the eighth encryption result with the second basic key to obtain a first decryption result, and decrypt the seventh encryption result with the NAS key to obtain a second decryption result;
the UE is further configured to determine that the LTE-U network is authenticated if the first decryption result and the second decryption result are the same.
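The three-party exchange of claims 20 to 23 (UE, MME of the LTE network, MME of the LTE-U network), modelled end to end as an added example; this is not code from the patent or from Huawei. The claims name neither the key-derivation function nor the keyed "encryption" applied to the MAC and to the reply information, so HMAC-SHA256 stands in for both, the AUTN is reduced to its MAC, and the long-term USIM key K is taken as the implicit secret behind the MAC, the expected reply and the per-network basic keys; these instantiations, the `prf` labels and the sample key are assumptions. The model also shows what binding the basic key to the network identifier buys: an LTE-U MME that announces an identifier other than the one its basic key was derived for is rejected by the UE before any reply is sent, and a reply altered in transit fails both MMEs' checks.

```python
"""Model of the UE / LTE MME / LTE-U MME exchange of claims 20 to 23.

Added example, not the patent's or Huawei's code. Assumed instantiations:
HMAC-SHA256 serves as both the key-derivation function and the keyed
"encryption" the claims apply to the MAC and to the reply information;
AUTN is reduced to its MAC; the long-term USIM key K is the implicit
secret behind the MAC, the expected reply and the per-network basic keys.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

USIM_K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample key


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (assumed KDF / 'encryption')."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


@dataclass
class AuthVector:
    basic_key: bytes  # first basic key, bound to the LTE-U network identifier
    xres: bytes       # expected reply information
    rand: bytes       # first random number
    autn: bytes       # authentication token, modelled as the MAC


def home_network_av(k: bytes, lteu_id: bytes) -> AuthVector:
    """Authentication vector as the LTE MME obtains it for one LTE-U network."""
    rand = os.urandom(16)
    autn = prf(k, b"mac", rand)
    xres = prf(k, b"res", rand)
    return AuthVector(prf(k, b"basic", lteu_id, rand, autn), xres, rand, autn)


class LteMme:
    def __init__(self):
        self.xres = None

    def forward_av(self, av: AuthVector):
        self.xres = av.xres  # stored for the final check of claim 20
        return av.basic_key, av.xres, av.rand, av.autn

    def verify_ue(self, res: bytes) -> bool:
        return hmac.compare_digest(self.xres, res)


class LteUMme:
    def __init__(self, announced_id: bytes):
        self.net_id = announced_id
        self.basic_key = self.xres = None

    def challenge(self, basic_key, xres, rand, autn):
        self.basic_key, self.xres = basic_key, xres
        first_enc = prf(basic_key, b"bind", autn)  # claim 21: MAC under the first basic key
        return rand, autn, self.net_id, first_enc

    def verify_ue(self, res: bytes, second_enc: bytes) -> bool:
        sixth_enc = prf(self.basic_key, b"reply", res)  # claim 23: sixth encryption result
        return hmac.compare_digest(self.xres, res) and hmac.compare_digest(sixth_enc, second_enc)


def ue_respond(k: bytes, rand, autn, net_id, first_enc):
    """UE side of claims 20, 22 and 23; returns (RES, second encryption result) or None."""
    mac = prf(k, b"mac", rand)
    if not hmac.compare_digest(mac, autn):  # LTE network not authenticated
        return None
    second_key = prf(k, b"basic", net_id, rand, autn)  # claim 22: second basic key
    if not hmac.compare_digest(prf(second_key, b"bind", mac), first_enc):  # fifth vs first
        return None  # LTE-U network not authenticated
    res = prf(k, b"res", rand)
    return res, prf(second_key, b"reply", res)  # claim 23: second encryption result


def run_flow(k: bytes, lteu_id: bytes, announced_id=None, tamper_res=False):
    """One run; returns (UE accepted both networks, LTE-U MME accepted UE, LTE MME accepted UE)."""
    av = home_network_av(k, lteu_id)
    lte, lteu = LteMme(), LteUMme(announced_id or lteu_id)
    reply = ue_respond(k, *lteu.challenge(*lte.forward_av(av)))
    if reply is None:
        return False, False, False
    res, second_enc = reply
    if tamper_res:  # an on-path attacker flips one bit of RES
        res = bytes([res[0] ^ 1]) + res[1:]
    return True, lteu.verify_ue(res, second_enc), lte.verify_ue(res)


if __name__ == "__main__":
    print(run_flow(USIM_K, b"lteu-net-1"))                             # (True, True, True)
    print(run_flow(USIM_K, b"lteu-net-1", announced_id=b"lteu-rogue"))  # (False, False, False)
    print(run_flow(USIM_K, b"lteu-net-1", tamper_res=True))             # (True, False, False)
```

Both MMEs keep their own copy of the expected reply, so the LTE MME's check stays independent of the LTE-U MME's, as claim 20 requires. The network identifier enters the basic-key derivation on both sides, which is what makes the rogue-identifier case fail at the UE; a UE holding a different long-term key rejects the LTE network at the MAC check and never reaches the LTE-U check.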
CN201710510229.3A, priority date 2017-06-28, filing date 2017-06-28: A kind of network authentication method and system. Legal status: Expired - Fee Related. Granted publication: CN109151816B (en).

Priority Applications (2)

Application Number | Publication | Priority Date | Filing Date | Title
CN201710510229.3A | CN109151816B (en) | 2017-06-28 | 2017-06-28 | A kind of network authentication method and system
PCT/CN2018/093319 | WO2019001509A1 (en) | 2017-06-28 | 2018-06-28 | Network authentication method and system

Publications (2)

Publication Number | Publication Date
CN109151816A (en), application publication | 2019-01-04
CN109151816B (en), granted patent | 2020-08-07

Family ID: 64741115

Country Status (2)

Country | Link
CN (1) | CN109151816B (en)
WO (1) | WO2019001509A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2016074707A1 * | 2014-11-12 | 2016-05-19 | Nokia Solutions And Networks Oy | Method, apparatus and system
WO2016136647A1 * | 2015-02-25 | 2016-09-01 | Kyocera Corporation | Network device and user terminal
CN106465242A * | 2014-05-06 | 2017-02-22 | Qualcomm Incorporated | Techniques for network selection in unlicensed frequency bands
CN106470382A * | 2015-08-14 | 2017-03-01 | ZTE Corporation | Authority checking method, configuration information receiving method, device, base station and terminal

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US9942762B2 * | 2014-03-28 | 2018-04-10 | Qualcomm Incorporated | Provisioning credentials in wireless communications
CN106455065A * | 2015-08-06 | 2017-02-22 | Alcatel Lucent | Method and device to control the use of an unlicensed frequency band
CN106888482B * | 2015-12-15 | 2020-04-07 | Spreadtrum Communications (Shanghai) Co., Ltd. | Terminal, LTE-U base station and communication method thereof
CN106851662B * | 2017-01-18 | 2019-11-19 | Comba Telecom Systems (China) Ltd. | Unlicensed spectrum resource allocation method and device

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
CF01 | Termination of patent right due to non-payment of annual fee

Granted publication date: 2020-08-07

Termination date: 2021-06-28