Patent abstract:
METHOD AND APPARATUS FOR AUTHENTICATION. The present invention relates to a method and an apparatus for authentication. The method includes: deciding whether to release a connection or to continue a current service according to local information and network policy after an Authentication and Key Agreement (AKA) procedure fails. When the EPS AKA authentication procedure fails, the connection is not released immediately in the present invention; instead, the connection is released or the current service is continued in accordance with local information and network policy, thereby avoiding unnecessary release of connections and saving resources.
Publication number: BR112012006409B1
Application number: R112012006409-6
Filing date: 2010-09-19
Publication date: 2021-01-19
Inventors: Xiaoyu BI; Aiqin Zhang; Dongmei Zhang
Applicant: Huawei Technologies Co., Ltd.
IPC main classification:
Patent description:

[0001] This application claims priority to Chinese Patent Application No. 200910093828.5, filed with the Chinese Patent Office on September 21, 2009 and entitled "Method and Apparatus for Authentication", which is hereby incorporated by reference in its entirety.
Field of the invention
[0002] The present invention relates to communication technologies, and in particular to a method and apparatus for authentication.
Background of the invention
[0003] The Non-Access Stratum (NAS) count is part of the security context in a Long Term Evolution (LTE) system. In the LTE system, the NAS count serves as a freshness value for the current key; it ensures key synchronization between a User Equipment (UE) and the network, and resists replay attacks. Each security context of the Evolved Packet System (EPS) includes two independent NAS count values: a NAS count uplink value and a NAS count downlink value. The counters for the two NAS count values are maintained independently by the UE and by a Mobility Management Entity (MME).
[0004] The NAS count is 32 bits long and consists of two parts: a NAS sequence number (SQN) and a NAS overflow counter (OVERFLOW). The NAS sequence number is 8 bits, and the NAS overflow counter is 16 bits. The NAS sequence number is carried in each NAS message. Whenever a new or retransmitted security-protected NAS message is sent, the recipient increments the NAS sequence number by 1; when the NAS sequence number reaches its maximum value and wraps around, the NAS overflow counter is incremented by 1.
[0005] In the prior art, when the MME detects that the NAS count downlink value is about to wrap around, namely when the NAS count value approaches the maximum value 2^24, the MME triggers a new EPS Authentication and Key Agreement (AKA) authentication procedure to set up a new security context. When the new security context is activated, the NAS count value is initialized to 0. When the MME detects that the NAS count uplink value of the UE also approaches the maximum value, namely is about to wrap around, the MME triggers a new EPS AKA authentication procedure again.
[0006] In the prior art, the connection is released if the EPS AKA authentication procedure fails. Such a security process leads to a waste of resources.
Summary of the invention
[0007] Embodiments of the present invention provide a method and apparatus for authentication that save resources.
[0008] An authentication method in an embodiment of the present invention includes: determining, by an entity of the wireless communication network, whether a current service is permitted as an unauthenticated service in accordance with network policy if an Authentication and Key Agreement procedure fails; maintaining the connection of the current service if the current service is permitted as an unauthenticated service in accordance with network policy and the current service does not require authentication; or maintaining the connection of the current service if the current service is permitted as an unauthenticated service in accordance with network policy and a User Equipment is unable to perform the Authentication and Key Agreement procedure; or maintaining the connection of the current service if the current service is permitted as an unauthenticated service in accordance with network policy and no Subscriber Identity Module / Universal Subscriber Identity Module is inserted in the User Equipment.
[0009] An apparatus in an embodiment of the present invention includes: an execution module, configured to perform an Authentication and Key Agreement procedure; and a processor, located in an entity of the wireless communication network, comprising: a first determining unit, configured to determine whether a current service is permitted as an unauthenticated service in accordance with network policy if the Authentication and Key Agreement procedure fails; a second determining unit, configured to determine whether the current service requires authentication, or whether the User Equipment can perform the Authentication and Key Agreement procedure, or whether a Subscriber Identity Module / Universal Subscriber Identity Module is inserted in the User Equipment, if the first determining unit determines that the current service is permitted as an unauthenticated service in accordance with network policy; and an execution unit, configured to maintain the connection of the current service if the second determining unit determines that the current service does not require authentication, or the User Equipment is unable to perform the Authentication and Key Agreement procedure, or no Subscriber Identity Module / Universal Subscriber Identity Module is inserted in the User Equipment.
[00010] In the technical solution of the present invention, when the EPS AKA authentication procedure fails, the connection is not released immediately; instead, the connection is released or the current service is continued according to local information and network policy, thus avoiding unnecessary release of connections and saving resources.
Brief description of the drawings
[00011] Figure 1 is a flow chart of an authentication method in a first embodiment of the present invention;
Figure 2 is a flow chart of an authentication method in a second embodiment of the present invention;
Figure 3 is a flow chart of an authentication method in a third embodiment of the present invention;
Figure 4 is a flow chart of an authentication method in a fourth embodiment of the present invention;
Figure 5 is a flow chart of an authentication method in a fifth embodiment of the present invention;
Figure 6 is a flow chart of an authentication method in a sixth embodiment of the present invention;
Figure 7 is a flow chart of an authentication method in a seventh embodiment of the present invention;
Figure 8 shows the structure of an authentication apparatus in an eighth embodiment of the present invention;
Figure 9 shows the structure of an authentication apparatus in a ninth embodiment of the present invention;
Figure 10 shows the structure of an authentication apparatus in a tenth embodiment of the present invention;
Figure 11 shows the structure of an authentication apparatus in an eleventh embodiment of the present invention;
Figure 12 shows the structure of an authentication apparatus in a twelfth embodiment of the present invention;
Figure 13 shows the structure of an authentication apparatus in a thirteenth embodiment of the present invention.
Detailed description of the embodiments
[00012] The technical solution of the present invention is described below with reference to the accompanying drawings and preferred embodiments.
[00013] Figure 1 is a flow chart of an authentication method in the first embodiment of the present invention. As shown in figure 1, the method in this embodiment includes the following steps:
[00014] Step 101: Detect local information when a NAS count value approaches a maximum value;
[00015] Step 102: Decide whether to trigger an Authentication and Key Agreement procedure with the UE according to the local information.
[00016] When the NAS count value approaches the maximum value, the NAS count value is said to be about to wrap around. The Authentication and Key Agreement procedure may be an EPS AKA authentication procedure.
[00017] The entity that performs the two steps above may be an MME. When the NAS count downlink value or uplink value is about to wrap around, the MME checks the local information and decides whether to trigger the EPS AKA authentication procedure according to the result of the check.
[00018] Taking the detection of the NAS count uplink value as an example, the MME receives a NAS message, and the NAS count value increases by 1. The MME detects whether the NAS count value approaches the maximum value as follows: the MME checks whether the NAS count value is equal to a predefined limit value that is close to the maximum value; if so, the MME checks the local information and decides whether to trigger an Authentication and Key Agreement procedure according to the result of the check; if not, the MME continues to receive NAS messages.
[00019] In this embodiment, the MME does not trigger the EPS AKA authentication procedure as soon as it detects that the NAS count value is about to wrap around, thus reducing the number of times the EPS AKA authentication procedure is triggered, avoiding the resource waste caused by unnecessary EPS AKA authentication procedures, and saving resources.
[00020] The relevant technologies are described below before the second embodiment.
[00021] In the LTE system, EPS security contexts are categorized in two ways. From the perspective of usage state, EPS security contexts are categorized into the current EPS security context and non-current EPS security contexts. The current EPS security context is the security context that was most recently activated, namely the security context currently in use. The current EPS security context and a non-current native EPS security context can coexist. According to how they are generated, EPS security contexts are categorized into mapped EPS security contexts and native EPS security contexts. A mapped EPS security context is a security context mapped from another system, for example from the Universal Mobile Telecommunications System (UMTS) to the LTE system. A native EPS security context is a security context generated in the LTE system through EPS AKA. Native EPS security contexts are further categorized into partial native EPS security contexts and full native EPS security contexts. The main difference between them is that a partial native EPS security context has not yet passed through a NAS security mode procedure successfully. Accordingly, a partial native EPS security context includes only the root key KASME for authenticating a UE that accesses the LTE network, a Key Set Identifier (KSI), the UE security capabilities, and a NAS count value set to 0. A full native EPS security context has passed through an EPS AKA authentication procedure and been successfully activated by a NAS Security Mode Command (SMC) procedure, and includes a complete set of EPS NAS security context parameters. As such, a full native EPS security context additionally includes a NAS integrity key (KNASint), a NAS encryption key (KNASenc), the selected NAS encryption algorithm identifier, and the selected NAS integrity algorithm identifier.
[00022] Figure 2 is a flow chart of an authentication method in the second embodiment of the present invention. The local information in this embodiment is the security contexts stored locally. The security contexts mentioned below refer to native EPS security contexts.
[00023] As shown in figure 2, the method in this embodiment includes the following steps:
[00024] Step 201: The MME receives a NAS message, and the NAS count value increases by 1.
[00025] Step 202: The MME checks whether the NAS count value approaches the maximum value. If so, step 203 follows; if not, step 201 follows.
[00026] Specifically, a value close to the maximum value can be predefined as a limit value. The MME checks whether the NAS count value is equal to this limit value. If so, step 203 follows; if not, step 201 follows.
[00027] Step 203: The MME checks whether the locally stored security contexts include any non-current security context in addition to the current security context. If so, step 204 follows; if not, the MME triggers an EPS AKA authentication procedure.
[00028] Step 204: The MME activates the non-current security context.
[00029] The MME can activate a non-current security context by successfully executing a NAS SMC procedure. A successful NAS SMC procedure includes: the MME uses the security context to integrity-protect the NAS SMC message; when the UE successfully verifies the integrity of the NAS SMC message, the UE sends a NAS Security Mode Complete message to the MME; the MME decrypts the NAS Security Mode Complete message and performs the integrity check. In this way the MME knows that this security context is shared with the UE and is activated. In this step, the MME activates the non-current security context by successfully completing the NAS SMC procedure.
[00030] If, however, the NAS SMC procedure fails, the MME triggers an EPS AKA authentication procedure.
[00031] The non-current native security context can be a non-current partial native security context or a non-current full native security context, and step 204 can be: the MME activates the non-current partial native security context or the non-current full native security context.
[00032] In this embodiment, the non-current native security context shared by the MME and the UE is activated through a NAS SMC procedure successfully triggered by the MME. If the MME receives no NAS Security Mode Complete message from the UE, the MME triggers an EPS AKA authentication procedure.
[00033] The application scenarios of this embodiment are described below through two examples.
[00034] (1) When the MME detects that the NAS count value approaches the maximum value, the MME examines the stored security contexts and finds that a non-current partial security context is stored in the MME and in the Universal Integrated Circuit Card (UICC) of the UE. The MME activates the non-current partial security context. In this case the NAS count value is initialized to 0, and the EPS AKA authentication procedure is avoided.
[00035] In this scenario, the MME does not immediately trigger the EPS AKA authentication procedure, thus avoiding wasting the stored non-current partial security context, and avoiding the resource waste caused by performing unnecessary EPS AKA authentication procedures.
[00036] (2) The UE creates the current security context in the EPS access procedure. Then, when the UE hands over from the Evolved Universal Terrestrial Radio Access Network (E-UTRAN) to a Universal Terrestrial Radio Access Network (UTRAN) or GSM/EDGE Radio Access Network (GERAN), the UE stores the native security context generated in the E-UTRAN. Then, when the UE returns to the E-UTRAN, the mapped security context is applied and becomes the current security context. The security context previously stored by the UE and the MME and generated in the E-UTRAN becomes a non-current full security context. In this scenario, when the MME detects that the NAS count value approaches the maximum value, the MME examines the stored security contexts and finds that this non-current full security context is stored locally. The MME therefore activates the non-current full security context, avoiding the EPS AKA authentication procedure.
[00037] In this scenario, the MME does not trigger the EPS AKA authentication procedure immediately, thus avoiding wasting the previously stored non-current full security context, and avoiding the resource waste caused by performing unnecessary EPS AKA authentication procedures.
[00038] In this embodiment, the MME does not trigger the EPS AKA authentication procedure as soon as it detects that the NAS count value is about to wrap around, thus reducing the number of times the EPS AKA authentication procedure is triggered, avoiding the resource waste caused by unnecessary EPS AKA authentication procedures, and saving resources.
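The following Python model is added here as an illustration and is not code from the patent or from Huawei. It implements the NAS count structure of paragraph [0004] (8-bit SQN, 16-bit OVERFLOW) and the second-embodiment decision of steps 201 to 204: the uplink count advances per NAS message, and at the limit value the MME first tries to activate a stored non-current native context through a NAS SMC and only falls back to EPS AKA if no such context exists or the SMC fails. The class and method names, the limit value 2^24 - 100 borrowed from the third embodiment, and the SMC success model (the SMC succeeds only if the UE actually shares the context) are assumptions.

```python
# Added illustration, not code from the patent or from Huawei.  Models the
# MME side only; the limit value (2**24 - 100) is the one given for the third
# embodiment, and every name here is an assumption.
from dataclasses import dataclass, field
from typing import Optional

SQN_BITS = 8          # NAS sequence number carried in every NAS message
OVERFLOW_BITS = 16    # NAS overflow counter, kept locally by UE and MME
NAS_COUNT_MAX = 1 << (SQN_BITS + OVERFLOW_BITS)   # 2**24
LIMIT_VALUE = NAS_COUNT_MAX - 100                 # "close to the maximum value"


@dataclass
class NasCount:
    sqn: int = 0
    overflow: int = 0

    @classmethod
    def from_value(cls, value: int) -> "NasCount":
        """Split a 24-bit NAS count into its SQN and OVERFLOW parts."""
        value %= NAS_COUNT_MAX
        return cls(sqn=value & ((1 << SQN_BITS) - 1), overflow=value >> SQN_BITS)

    @property
    def value(self) -> int:
        return (self.overflow << SQN_BITS) | self.sqn

    def increment(self) -> int:
        """Advance by one NAS message; an SQN wrap bumps OVERFLOW ([0004])."""
        self.sqn = (self.sqn + 1) & ((1 << SQN_BITS) - 1)
        if self.sqn == 0:
            self.overflow = (self.overflow + 1) & ((1 << OVERFLOW_BITS) - 1)
        return self.value

    def reset(self) -> None:
        self.sqn = self.overflow = 0


@dataclass
class SecurityContext:
    ksi: int                     # key set identifier
    kind: str                    # "partial" (no SMC yet) or "full"
    shared_with_ue: bool = True  # assumption: SMC integrity check passes iff shared


@dataclass
class Mme:
    uplink: NasCount = field(default_factory=NasCount)
    current: Optional[SecurityContext] = None
    non_current: Optional[SecurityContext] = None
    aka_runs: int = 0
    smc_runs: int = 0

    def run_eps_aka(self) -> None:
        """Prior-art path: a fresh EPS AKA yields a new context and a zeroed count."""
        self.aka_runs += 1
        self.current = SecurityContext(ksi=self.aka_runs, kind="full")
        self.uplink.reset()

    def run_nas_smc(self, ctx: SecurityContext) -> bool:
        """Step 204: activate ctx by a NAS SMC; success zeroes the NAS count."""
        self.smc_runs += 1
        if not ctx.shared_with_ue:
            return False          # no Security Mode Complete received ([0030])
        ctx.kind = "full"
        self.current, self.non_current = ctx, None
        self.uplink.reset()
        return True

    def on_nas_message(self) -> str:
        """Steps 201-204 for one received NAS message; returns the action taken."""
        if self.uplink.increment() != LIMIT_VALUE:
            return "continue"                       # step 202: not at the limit yet
        if self.non_current is not None and self.run_nas_smc(self.non_current):
            return "activated_non_current"          # steps 203/204, AKA avoided
        self.run_eps_aka()                          # no spare context or SMC failed
        return "eps_aka"


def drive_to_limit(mme: Mme) -> str:
    """Place the count one message short of the limit, then deliver one message."""
    mme.uplink = NasCount.from_value(LIMIT_VALUE - 1)
    return mme.on_nas_message()


if __name__ == "__main__":
    mme = Mme(current=SecurityContext(1, "full"), non_current=SecurityContext(2, "partial"))
    print(drive_to_limit(mme), mme.aka_runs, mme.smc_runs, mme.uplink.value)
```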
[00039] Figure 3 is a flow chart of an authentication method in the third embodiment of the present invention. In this embodiment, the local information is the state of a timer. In this embodiment, a timer is predefined in the MME. The timer state is "running" or "stopped". When the NAS count value reaches the limit value and the EPS AKA authentication procedure is triggered and completed successfully, the timer state changes to "running"; when the timer duration reaches the set time limit value, the timer state changes to "stopped".
[00040] As shown in figure 3, the method in this embodiment includes the following steps:
[00041] Step 301: The MME receives a NAS message, and the NAS count value increases by 1.
[00042] Step 302: The MME checks whether the NAS count value approaches the maximum value. If so, step 303 follows; if not, step 301 follows.
[00043] Specifically, a value close to the maximum value is predefined as a limit value (such as 2^24 - 100). The MME checks whether the NAS count value is equal to 2^24 - 100. If so, step 303 follows; if not, step 301 follows.
[00044] Step 303: The MME checks whether the timer is running. If so, step 304 follows; if not, the MME triggers an EPS AKA authentication procedure.
[00045] Step 304: The MME activates the non-current security context.
[00046] The non-current security context is activated by a successful NAS SMC procedure. A successful NAS SMC procedure includes: the MME uses the security context to integrity-protect the NAS SMC message; when the UE successfully verifies the integrity of the NAS SMC message, the UE sends a NAS Security Mode Complete message to the MME; the MME decrypts the NAS Security Mode Complete message and performs the integrity check. In this way the MME knows that this security context is shared with the UE and is activated. In step 304, the MME activates the non-current native security context by successfully completing the NAS SMC procedure.
[00047] If, however, the NAS SMC procedure fails, the MME triggers an EPS AKA authentication procedure.
[00048] In practice, the NAS count downlink value is generally close to the NAS count uplink value. When the MME detects that the NAS count downlink value is about to wrap around, it will shortly detect that the NAS count uplink value is about to wrap around as well. In addition, the MME triggers the NAS SMC procedure within a period after triggering the EPS AKA authentication procedure, and the NAS count value is initialized to 0 by performing the NAS SMC procedure. If the MME has just triggered the EPS AKA authentication procedure upon detecting that the NAS count downlink value is about to wrap around, but has not yet triggered the NAS SMC procedure to activate the newly generated security context before it detects that the NAS count uplink value is about to wrap around, the NAS count value has not been initialized, and the prior art triggers the EPS AKA authentication procedure again after detecting that the NAS count uplink value is about to wrap around. In this embodiment, the timer state is checked to determine whether the period since the successful completion of the previous EPS AKA authentication procedure has reached the defined time limit value. This time limit value is determined according to the time needed, after the successful completion of the EPS AKA authentication procedure, to trigger the NAS SMC procedure. If the NAS count value approaches the maximum value and the period since the successful completion of the previous EPS AKA authentication procedure is less than the set time limit value, the MME triggers the NAS SMC procedure. If the NAS count value approaches the maximum value and the period since the successful completion of the previous EPS AKA authentication procedure is greater than or equal to the defined time limit value, the MME triggers the EPS AKA authentication procedure.
Thus, in the application scenario described above, this embodiment avoids the second triggering of the EPS AKA authentication procedure when no NAS SMC procedure has been triggered before detecting that the NAS count uplink value is about to wrap around, thus reducing the number of EPS AKA authentication procedures performed, avoiding the resource waste caused by triggering unnecessary EPS AKA authentication procedures, and saving resources.
[00049] Figure 4 is a flow chart of an authentication method in the fourth embodiment of the present invention. In this embodiment, the local information is the state of a state machine. In this embodiment, the state machine is predefined in the MME. The state of the state machine is "running" or "idle". Specifically, "0" represents "running", and "1" represents "idle". "Running" indicates that the period since the successful completion of the previous EPS AKA authentication procedure is less than the defined time limit value; "idle" indicates that the period since the successful completion of the previous EPS AKA authentication procedure is greater than or equal to the defined time limit value. The state machine can be driven by the timer.
[00050] As shown in figure 4, the method in this embodiment includes the following steps:
[00051] Step 401: The MME receives a NAS message, and the NAS count value increases by 1.
[00052] Step 402: The MME checks whether the NAS count value approaches the maximum value. If so, step 403 follows; if not, step 401 follows.
[00053] Specifically, a value close to the maximum value is predefined as a limit value (such as 2^24 - 100). The MME checks whether the NAS count value is equal to 2^24 - 100. If so, step 403 follows; if not, the MME triggers the EPS AKA authentication procedure.
[00054] Step 403: The MME checks whether the state of the state machine is "0". If so, step 404 follows; if not, the MME triggers an EPS AKA authentication procedure.
[00055] Step 404: The MME activates the non-current security context.
[00056] The non-current security context is activated by a successful NAS SMC procedure. A successful NAS SMC procedure includes: the MME uses the security context to integrity-protect the NAS SMC message; when the UE successfully verifies the integrity of the NAS SMC message, the UE sends a NAS Security Mode Complete message to the MME; the MME decrypts the NAS Security Mode Complete message and performs the integrity check. In this way the MME knows that this security context is shared with the UE and is activated. In step 404, the MME activates the non-current native security context by successfully completing the NAS SMC procedure.
[00057] If, however, the NAS SMC procedure fails, the MME triggers an EPS AKA authentication procedure.
[00058] In practice, the NAS count downlink value is generally close to the NAS count uplink value. When the MME detects that the NAS count downlink value is about to wrap around, it will shortly detect that the NAS count uplink value is about to wrap around as well. In addition, the MME triggers the NAS SMC procedure within a period after triggering the EPS AKA authentication procedure, and the NAS count value is initialized to 0 by performing the NAS SMC procedure. If the MME has just triggered the EPS AKA authentication procedure upon detecting that the NAS count downlink value is about to wrap around, but has not yet triggered the NAS SMC procedure before it detects that the NAS count uplink value is about to wrap around, the NAS count value has not been initialized, and the prior art triggers the EPS AKA authentication procedure again after detecting that the NAS count uplink value is about to wrap around. In this embodiment, the state of the state machine is checked to determine whether the period since the successful completion of the previous EPS AKA authentication procedure has reached the defined time limit value. This time limit value is determined according to the time needed, after the successful completion of the EPS AKA authentication procedure, to trigger the NAS SMC procedure. If the NAS count value approaches the maximum value and the period since the successful completion of the previous EPS AKA authentication procedure is less than the defined time limit value, the MME triggers the NAS SMC procedure. If the NAS count value approaches the maximum value and the period since the successful completion of the previous EPS AKA authentication procedure is greater than or equal to the defined time limit value, the MME triggers the EPS AKA authentication procedure.
Thus, in the application scenario described above, this embodiment avoids the second triggering of the EPS AKA authentication procedure when no NAS SMC procedure has been triggered before detecting that the NAS count uplink value is about to wrap around, thus reducing the number of EPS AKA authentication procedures performed, avoiding the resource waste caused by triggering unnecessary EPS AKA authentication procedures, and saving resources.
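As an added illustration (not from the patent), the timer of the third embodiment and the state machine of the fourth reduce to one guard: after a successful EPS AKA the MME starts a timer, and a count limit reached while the timer is still running (state "0") is answered with a NAS SMC instead of a second AKA. The event list below reproduces the downlink-then-uplink scenario of paragraphs [0048] and [0058]; the time limit, the event times and all names are assumptions, and an AKA is modelled as completing at the instant it is triggered.

```python
# Added illustration, not code from the patent.  Times are arbitrary seconds;
# an EPS AKA is assumed to complete at the instant it is triggered so that
# the timer (equivalently, the fourth embodiment's state machine) starts
# immediately.  All names are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

RUNNING = 0   # fourth embodiment: "0" means the time limit has not elapsed
IDLE = 1      # "1" means it has elapsed (or no AKA has completed yet)


@dataclass
class AkaGuard:
    time_limit: float               # covers "AKA completed" -> "NAS SMC triggered"
    aka_done_at: Optional[float] = None
    aka_runs: int = 0
    smc_runs: int = 0

    def state(self, now: float) -> int:
        """Step 303 / step 403: is the timer still running?"""
        if self.aka_done_at is None or now - self.aka_done_at >= self.time_limit:
            return IDLE
        return RUNNING

    def on_aka_complete(self, now: float) -> None:
        self.aka_runs += 1
        self.aka_done_at = now          # timer state -> "running"

    def on_count_limit(self, now: float, smc_succeeds: bool = True) -> str:
        """A NAS count (either direction) has reached the limit value."""
        if self.state(now) == RUNNING:
            self.smc_runs += 1
            if smc_succeeds:
                return "nas_smc"        # step 304 / 404: activate the fresh context
            # NAS SMC failed: fall through to EPS AKA as in [0047] / [0057]
        self.on_aka_complete(now)
        return "eps_aka"


# Constructed (time, direction) events: the downlink count hits the limit
# first and the uplink count shortly afterwards, as [0048] describes.
EVENTS: List[Tuple[float, str]] = [(0.0, "downlink"), (1.5, "uplink")]


def prior_art(events: List[Tuple[float, str]]) -> int:
    """Prior art: every limit crossing triggers a fresh EPS AKA."""
    return sum(1 for _ in events)


def proposed(events: List[Tuple[float, str]], time_limit: float) -> List[str]:
    """Actions taken by the guarded MME for the same events."""
    guard = AkaGuard(time_limit=time_limit)
    return [guard.on_count_limit(t) for t, _ in events]


if __name__ == "__main__":
    print("prior art AKA runs:", prior_art(EVENTS))
    print("time limit 5 s:", proposed(EVENTS, 5.0))
    print("time limit 1 s:", proposed(EVENTS, 1.0))
```

With a time limit that covers the gap between the two crossings the second crossing costs only a NAS SMC; with a limit that has already expired the behaviour degrades to the prior art.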
[00059] Figure 5 is a flow chart of an authentication method in the fifth embodiment of the present invention. In this embodiment, the local information is the current service type, the Quality of Service (QoS), or the UE's capability to perform authentication.
[00060] As shown in figure 5, the method in this embodiment includes the following steps:
[00061] Step 501: The MME receives a NAS message, and the NAS count value increases by 1.
[00062] Step 502: The MME checks whether the NAS count value approaches the maximum value. If so, step 503 follows; if not, step 501 follows.
[00063] Specifically, a value close to the maximum value can be predefined as a limit value. The MME checks whether the NAS count value is equal to this limit value. If so, step 503 follows; if not, step 501 follows.
[00064] Step 503: The MME checks the current service type to determine whether the current service, which is requested by the UE and corresponds to the current service type, requires authentication; or the MME checks the QoS to determine whether the current service, which is requested by the UE and corresponds to the QoS, requires authentication; or the MME checks the UE's authentication capability to determine whether the UE can perform the EPS AKA authentication procedure.
[00065] If so, the MME triggers an EPS AKA authentication procedure; if not, step 504 follows.
[00066] Step 504: The MME continues to use the current security context, or provides no security protection for the current service, or disconnects the current service.
[00067] For example, in this embodiment, the MME checks the current service type and finds that the service requested by the UE is an Emergency Call (EMC) service; the EMC service requested by the UE does not require authentication, so the MME does not trigger the EPS AKA authentication procedure. The MME ignores the detection result that the NAS count value approaches the maximum value, and either continues to use the current security context, provides no security protection for the current service, or disconnects the current service.
[00068] When a UE equipped with a Subscriber Identity Module (SIM) hands over an EMC service from a UMTS network to an LTE network, the MME obtains the security parameter Kc from a Serving GPRS Support Node (SGSN) (GPRS stands for General Packet Radio Service), and derives KASME from the CK and an Integrity Key (IK). The NAS count value starts from 0. In this case, the security protection of the UE on the LTE network is provided by the subkeys derived from KASME. When the NAS count value is about to wrap around, the MME can determine from the Kc that the UE is a SIM user that is incapable of performing the EPS AKA authentication procedure. The MME therefore does not trigger the EPS AKA authentication procedure, ignores the detection result that the NAS count value approaches the maximum value, and either continues to use the current security context, provides no security protection for the current service, or disconnects the current service.
[00069] In this embodiment, if the service requested by the UE does not require authentication, or the UE is unable to perform the Authentication and Key Agreement procedure, the MME triggers no EPS AKA authentication procedure, thus reducing the number of EPS AKA authentication procedures performed, avoiding the resource waste caused by triggering unnecessary EPS AKA authentication procedures, and saving resources.
[00070] Figure 6 is a flow chart of an authentication method in the sixth embodiment of the present invention. As shown in figure 6, the method in this embodiment includes the following steps:
[00071] Step 601: The MME receives a NAS message, and the NAS count value increases by 1.
[00072] Step 602: The MME checks whether the NAS count value approaches the maximum value. If so, step 603 follows; if not, step 601 follows. This NAS count value can be the NAS count uplink value or the NAS count downlink value.
[00073] Specifically, a value close to the maximum value can be predefined as a limit value. The MME checks whether the NAS count value is equal to the limit value. If so, step 603 follows; if not, step 601 follows.
[00074] Step 603: The MME triggers an EPS AKA authentication procedure and a NAS SMC procedure together, and activates the security context generated by the AKA authentication procedure. The NAS count value is initialized to 0.
[00075] In this embodiment, the EPS AKA authentication procedure is bound to the NAS SMC procedure, thus avoiding repeated triggering of the EPS AKA authentication procedure when the NAS count values in different directions (uplink and downlink) are detected to be about to wrap around, reducing the number of EPS AKA authentication procedures, avoiding the resource waste caused by triggering unnecessary EPS AKA authentication procedures, and saving resources.
[00076] Figure 7 is a flow chart of an authentication method in the seventh embodiment of the present invention. As shown in figure 7, the method in this modality includes the following steps:
[00077] Step 801: MME initiates an authentication procedure for the AKA of EPS.
[00078] Step 802: MME determines to release or maintain a connection from the current service according to native information if an Authentication Agreement and Key (AKA) authentication procedure for the current service fails.
[00079] In addition, the MME in step 801 can initiate the authentication procedure for the AKA of EPS under various conditions. For example, when the value of the NAS count reaches an account limit (approaches the maximum value), the MME initiates the authentication procedure for the AKA of EPS; or an operator policy triggers the EPS AKA authentication procedure. Specifically, the operator can adjust a certain policy, and the MME triggers the authentication procedure for the AKA of the EPS of the UE within the scope of the MME. The policy can be configured by the operator based on a certain security policy or other requirements. Alternatively, the network triggers the EPS AKA authentication procedure when the UE delivers between networks. Specifically, when the UE delivers (including active mode mobility and null mode mobility) from a lower security level network (such as the GSM Network or UMTS Network) to a higher security level network (such as a LTE Network), the network triggers the EPS AKA authentication procedure.
[00080] Native information can include at least one of the following types: current service type, QoS, UE's ability to perform authentication, network policy, Universal Subscriber Identity Module (USIM) / SIM type, or information whether a SIM / USIM is inserted in the UE, or any combination thereof. The current service type indicates the type of the current service. MME can determine whether the current service needs authentication according to the current service type. QoS identifies the service that does not require authentication, and the MME can also determine whether the current service needs authentication according to QoS. The UE's ability to perform authentication serves as a basis for the MME to determine whether the UE can perform the EPS AKA authentication procedure. The SIM type indicates whether the UE can perform the EPS AKA authentication procedure, and the MME knows whether the UE can perform the EPS AKA authentication procedure according to the type of SIM. Because authentication is feasible only if a SIM / USIM is inserted in the UE, if the EPS AKA authentication procedure fails after a SIM / USIM is inserted in the UE, the NAS signaling connection must be released; if no SIM / USIM is inserted in the UE, the MME decides to release the connection according to the network policy. The network policy is adjusted by a network device to decide whether to authenticate the current service.
[00081] According to the native information and network policy described above, step 802 may include the following:
[00082] If the MME determines that the current service is not allowed as an unauthenticated service according to the network policy, the MME releases the connection of the current service.
[00083] The MME maintains the connection of the current service if it determines that the current service is allowed as an unauthenticated service according to the network policy and determines that any of the following conditions is met: the current service does not require authentication according to the current service type or the QoS in the native information; or the UE is unable to perform the AKA authentication procedure according to the UE capability information or the SIM/USIM type in the native information; or no SIM/USIM is inserted in the UE.
[00084] The MME releases the connection of the current service if it determines that the network policy allows the current service as an unauthenticated service and determines that any of the following conditions is met: the current service requires authentication according to the current service type or the QoS in the native information; or the UE can perform the Authentication and Key Agreement procedure according to the UE capability information or the SIM/USIM type in the native information; or a SIM/USIM is inserted in the UE.
[00085] For example, if the MME determines that the network policy allows the unauthenticated service, the MME checks the current service type and learns that the service requested by the UE is an emergency call (EMC) service or a public alarm service. If the EMC service or the public alarm service does not require authentication, and the network policy allows an unauthenticated EMC or public alarm service, the MME and the UE continue the current service.
[00086] If the current service is the only service carried on the NAS signaling connection, the MME can release the connection of the current service by releasing the NAS signaling connection. If the NAS signaling connection supports multiple services, and the current service type indicates that all of the multiple current services need authentication, the MME releases the NAS signaling connection. If some current services need authentication and other current services do not (such as EMC), the MME releases the EPS bearer corresponding to the service that requires authentication and retains the EPS bearer (such as the EMC bearer) corresponding to the service that does not require authentication. The EPS bearer mentioned above is carried on the NAS signaling connection.
[00087] In this embodiment, the current service can still continue in the case that: the authentication fails; the service requested by the UE does not require authentication, or the UE is unable to perform the EPS AKA authentication procedure, or no SIM/USIM is inserted in the UE; and the network policy allows the unauthenticated service. In this way, interruption of the current service is avoided, and system resources are saved.
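The following is an added example, not code from the patent, that models the MME decision logic of paragraphs [00079] to [00086] as a small Python module: the three EPS AKA trigger conditions of step 801, and the step 802 handling after AKA fails (keep the NAS signaling connection, release it, or release only the EPS bearers of the services that need authentication). The service names, QoS labels, NAS COUNT warning margin and the order in which the checks are applied are constructed assumptions.

```python
"""Toy model of the MME logic in [00079]-[00086] (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# NAS COUNT is 24 bits in EPS (16-bit overflow counter + 8-bit sequence number).
NAS_COUNT_MAX = 0xFFFFFF
# Constructed margin: the count "approaches the maximum" once it passes this value.
NAS_COUNT_WARN = NAS_COUNT_MAX - 0x1000

# Constructed: service types and QoS labels the MME treats as needing no
# authentication ([00085] names EMC and public alarm services as examples).
NO_AUTH_SERVICE_TYPES = {"emergency_call", "public_alarm"}
NO_AUTH_QOS = {"emergency"}


@dataclass
class Service:
    """One service carried on the NAS signaling connection, with its EPS bearer."""
    name: str
    service_type: str
    qos: str
    bearer_id: int


@dataclass
class NativeInfo:
    """The native information of [00080] that the MME consults after AKA fails."""
    services: List[Service]
    ue_can_do_aka: bool = True     # derived from UE capability or SIM/USIM type
    sim_inserted: bool = True


@dataclass
class NetworkPolicy:
    """Operator policy: may the current service run as an unauthenticated service?"""
    allow_unauthenticated: bool


def aka_trigger_reason(nas_count: int, operator_policy: bool = False,
                       handover_from_lower_security: bool = False) -> Optional[str]:
    """Step 801: return why EPS AKA is started, or None if no trigger applies."""
    if nas_count >= NAS_COUNT_WARN:
        return "nas_count_near_max"
    if operator_policy:
        return "operator_policy"
    if handover_from_lower_security:        # e.g. GSM/UMTS -> LTE ([00079])
        return "handover_from_lower_security_network"
    return None


def service_needs_auth(svc: Service) -> bool:
    """[00080]: the service type or the QoS can mark a service as not needing AKA."""
    return (svc.service_type not in NO_AUTH_SERVICE_TYPES
            and svc.qos not in NO_AUTH_QOS)


def handle_aka_failure(info: NativeInfo, policy: NetworkPolicy) -> Dict[str, object]:
    """Step 802 after AKA failed: name the action and list the bearer ids released
    and retained.  Check order is an assumption: network policy first ([00082]),
    then the conditions of [00083] and the bearer handling of [00086]."""
    all_ids = [s.bearer_id for s in info.services]
    if not policy.allow_unauthenticated:
        return {"action": "release_nas", "released": all_ids, "retained": []}
    # [00083]: a UE that cannot authenticate at all keeps its connection.
    if not info.ue_can_do_aka or not info.sim_inserted:
        return {"action": "keep_nas", "released": [], "retained": all_ids}
    need = [s.bearer_id for s in info.services if service_needs_auth(s)]
    keep = [s.bearer_id for s in info.services if not service_needs_auth(s)]
    if not need:                       # e.g. only an EMC service ([00085])
        return {"action": "keep_nas", "released": [], "retained": keep}
    if not keep:                       # single service, or all services need AKA
        return {"action": "release_nas", "released": need, "retained": []}
    # Mixed case of [00086]: drop only the bearers of services that needed AKA.
    return {"action": "release_bearers", "released": need, "retained": keep}


if __name__ == "__main__":
    # Constructed sample: an emergency call plus an ordinary data session.
    emc = Service("emc", "emergency_call", "emergency", bearer_id=5)
    web = Service("web", "internet", "default", bearer_id=6)
    print(aka_trigger_reason(NAS_COUNT_MAX - 10))
    print(handle_aka_failure(NativeInfo([emc, web]), NetworkPolicy(True)))
```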
[00088] Figure 8 shows a structure of an authentication apparatus in the eighth embodiment of the present invention. As shown in Figure 8, the authentication apparatus in this embodiment includes a detection module 11 and a processor 12. The detection module 11 is configured to detect native information when a NAS count value approaches a maximum value; and the processor 12 is configured to decide, according to the detection result, whether to trigger the Authentication and Key Agreement procedure with the UE.
[00089] The authentication apparatus in this embodiment can operate according to the method provided in the first embodiment above.
[00090] Figure 9 shows a structure of an authentication apparatus in the ninth embodiment of the present invention. As shown in Figure 9, this embodiment is based on the eighth embodiment above; the native information is the security context, and the processor 12 includes a first activation unit 21 and a first triggering unit 22. The first activation unit 21 is configured to activate a non-current security context if the detection module 11 determines that the security contexts include a non-current security context. The first triggering unit 22 is configured to trigger the Authentication and Key Agreement procedure if the detection module 11 determines that the security contexts include no non-current security context.
[00091] The processor 12 in this embodiment can also include a transceiver unit 23, configured to send a NAS SMC to the UE, receive a NAS Security Mode Complete message, and send information to the first activation unit 21 of the processor 12, where the information triggers the first activation unit 21 to act. The first activation unit 21 activates the non-current security context according to the triggering information. The first triggering unit 22 triggers the Authentication and Key Agreement procedure if the transceiver unit 23 receives no NAS Security Mode Complete message from the UE.
[00092] The authentication apparatus in this embodiment can operate according to the method provided in the second embodiment above.
[00093] Figure 10 shows a structure of an authentication apparatus in the tenth embodiment of the present invention. As shown in Figure 10, this embodiment is based on the eighth embodiment above; the native information is the timer status, and the processor 12 includes a second activation unit 31 and a second triggering unit 32. The second activation unit 31 is configured to activate a non-current security context if the detection module 11 detects that the timer status is "running". The second triggering unit 32 is configured to trigger the Authentication and Key Agreement procedure if the detection module 11 detects that the timer status is "stopped".
[00094] The processor 12 in this embodiment can also include a transceiver unit 33, configured to send a NAS SMC to the UE, receive a NAS Security Mode Complete message, and send information to the second activation unit 31 of the processor 12, where the information triggers the second activation unit 31 to act. The second activation unit 31 activates the non-current security context according to the triggering information. The second triggering unit 32 triggers the Authentication and Key Agreement procedure if the transceiver unit 33 receives no NAS Security Mode Complete message from the UE.
[00095] The authentication apparatus in this embodiment can operate according to the method provided in the third embodiment above.
[00096] Figure 11 shows a structure of an authentication apparatus in the eleventh embodiment of the present invention. As shown in Figure 11, this embodiment is based on the eighth embodiment above; the native information is the state machine status, and the processor 12 includes a third activation unit 41 and a third triggering unit 42. The third activation unit 41 is configured to activate a non-current security context if the detection module 11 detects that the state machine status is "running". The third triggering unit 42 is configured to trigger the Authentication and Key Agreement procedure if the detection module 11 detects that the state machine status is "null".
[00097] The processor 12 in this embodiment can also include a transceiver unit 43, configured to send a NAS SMC to the UE, receive a NAS Security Mode Complete message, and send information to the third activation unit 41 of the processor 12, where the information triggers the third activation unit 41 to act. The third activation unit 41 activates the non-current security context according to the triggering information. The third triggering unit 42 triggers the Authentication and Key Agreement procedure if the transceiver unit 43 receives no NAS Security Mode Complete message from the UE.
[00098] The authentication apparatus in this embodiment can operate according to the method provided in the fourth embodiment above.
[00099] Figure 12 shows a structure of an authentication apparatus in the twelfth embodiment of the present invention. As shown in Figure 12, this embodiment is based on the eighth embodiment above; the native information is the current service type, the QoS, or the UE's capability to perform authentication. The processor 12 includes a fourth triggering unit 51 and a processing unit 52. The fourth triggering unit 51 is configured to trigger the Authentication and Key Agreement procedure if the detection module 11 determines that the service corresponding to the current service type needs authentication, or the service corresponding to the QoS needs authentication, or the UE can perform the Authentication and Key Agreement procedure. The processing unit 52 is configured to continue using the current security context, or provide no security protection for the current service, or disconnect the current service, if the detection module 11 determines that the service corresponding to the current service type does not need authentication, or the service corresponding to the QoS does not need authentication, or the UE is unable to perform the Authentication and Key Agreement procedure.
[000100] The authentication apparatus in this embodiment can operate according to the method provided in the fifth embodiment above.
[000101] In the apparatus provided in this embodiment, the MME does not trigger the EPS AKA authentication procedure as soon as it detects that the NAS count value is approaching the maximum value. This reduces the number of times the EPS AKA authentication procedure is triggered, avoids the waste of resources caused by unnecessary EPS AKA authentication procedures, and saves resources.
[000102] Figure 13 shows a structure of an authentication apparatus in the thirteenth embodiment of the present invention. As shown in Figure 13, the apparatus in this embodiment includes: an execution module 61, configured to perform the AKA authentication procedure; and a processor 62, configured to decide whether to release a connection or continue a current service according to native information and network policy after the execution module 61 fails to perform the Authentication and Key Agreement procedure.
[000103] The apparatus in this embodiment can also include a triggering module 63, configured to trigger the execution module 61 to perform the Authentication and Key Agreement procedure according to a trigger condition such as the NAS count value approaching the maximum value, an operator policy, or a handover of the UE between networks.
[000104] The processor 62 may further include: a first judgment unit 64, configured to judge whether the network policy allows the unauthenticated service if the execution module 61 fails to perform the Authentication and Key Agreement procedure; a first release unit 65, configured to release the connection of the current service if the first judgment unit 64 makes a negative judgment; a second judgment unit 66, configured to, if the first judgment unit 64 makes a positive judgment, judge whether the current service needs authentication according to the current service type or the QoS in the native information, or judge whether the UE can perform the Authentication and Key Agreement procedure according to the UE capability information or the SIM/USIM type in the native information, or judge whether a SIM/USIM is inserted in the UE; a second release unit 67, configured to release the connection of the current service if the second judgment unit 66 makes a positive judgment; and an execution unit 68, configured to continue performing the current service if the second judgment unit 66 makes a negative judgment.
[000105] The authentication apparatus in this embodiment can operate according to the method provided in the seventh embodiment above.
[000106] In this embodiment, the current service can still continue in the case that: the authentication fails; the service requested by the UE does not require authentication, or the UE is unable to perform the EPS AKA authentication procedure, or no SIM/USIM is inserted in the UE; and the network policy allows the unauthenticated service. In this way, interruption of the current service is avoided, and system resources are saved.
[000107] Persons skilled in the art should understand that all or part of the steps of the method according to the embodiments of the present invention can be implemented by hardware under the instruction of a program. The program can be stored in a computer-readable storage medium. When the program runs, the steps of the method according to the embodiments of the present invention are performed. The storage medium can be any medium that can store program code, such as a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or a Compact Disc Read-Only Memory (CD-ROM).
[000108] Finally, it should be noted that the above embodiments are merely provided to describe the technical solutions of the present invention, and are not intended to limit the present invention. It is evident that persons skilled in the art can make various modifications and variations to the invention without departing from the spirit and scope of the invention. The present invention is intended to cover such modifications and variations provided that they fall within the scope of protection defined by the following claims or their equivalents.
Claims:
Claims (12)
1. An authentication method, characterized in that it comprises the steps of: initiating (801), by a Mobility Management Entity, an Authentication and Key Agreement procedure for a current service carried on a Non-Access Stratum (NAS) signaling connection, if a NAS count value approaches a maximum value; determining (802), by the Mobility Management Entity, whether the current service is allowed as an unauthenticated service according to a network policy, if the Authentication and Key Agreement procedure for the current service fails; determining (802) whether the current service needs authentication according to a current service type or a Quality of Service; and maintaining (802) the NAS signaling connection of the current service if the current service is allowed as an unauthenticated service according to the network policy and the current service does not require authentication.
2. The method according to claim 1, characterized in that it further comprises the step of: releasing the NAS signaling connection of the current service if the current service is not allowed as an unauthenticated service according to the network policy.
3. The method according to claim 1 or 2, characterized in that it further comprises the step of: releasing the NAS signaling connection of the current service if the current service is allowed as an unauthenticated service according to the network policy and the current service requires authentication.
4. The method according to claim 1 or 2, characterized in that it further comprises the step of: determining whether a User Equipment is capable of performing the Authentication and Key Agreement procedure according to authentication capability information of the User Equipment or a type of Subscriber Identity Module.
5. The method according to any one of claims 2 to 4, characterized in that the step of releasing the NAS signaling connection of the current service comprises any one of: if a Non-Access Stratum signaling connection supports a single service, releasing the Non-Access Stratum signaling connection; if the Non-Access Stratum signaling connection supports multiple services and all of the multiple services need authentication, releasing the Non-Access Stratum signaling connection; if a Non-Access Stratum signaling connection supports multiple services, and some of the multiple services need authentication and the others do not need authentication, releasing an Evolved Packet System bearer corresponding to the service that requires authentication, and retaining the Evolved Packet System bearer corresponding to the service that does not require authentication.
6. The method according to claim 1 or 2, characterized in that the current service comprises at least one of an Emergency Call service and a public alarm service.
7. An apparatus, characterized in that it comprises: a triggering module (63), configured to trigger an Authentication and Key Agreement procedure for a current service carried on a Non-Access Stratum (NAS) signaling connection, if a NAS count value approaches a maximum value; an execution module (61), configured to perform the Authentication and Key Agreement procedure; and a processor (62), located in a Mobility Management Entity, comprising: a first judgment unit (64), configured to determine whether the current service is allowed as an unauthenticated service according to a network policy if the Authentication and Key Agreement procedure fails; a second judgment unit (66), configured to determine whether the current service requires authentication according to a current service type or a Quality of Service, if the first judgment unit (64) determines that the current service is allowed as an unauthenticated service according to the network policy; and an execution unit (68), configured to maintain the NAS signaling connection of the current service if the second judgment unit (66) determines that the current service does not require authentication.
8. The apparatus according to claim 7, characterized in that it further comprises: a first release unit (65), configured to release the NAS signaling connection of the current service if the first judgment unit (64) determines that the current service is not allowed as an unauthenticated service according to the network policy.
9. The apparatus according to claim 7 or 8, characterized in that it further comprises: a second release unit (67), configured to release the NAS signaling connection of the current service if the second judgment unit (66) determines that the current service requires authentication.
10. The apparatus according to claim 7 or 8, characterized in that the second judgment unit (66) is configured to determine whether the current service requires authentication if the first judgment unit (64) determines that the current service is allowed as an unauthenticated service according to the network policy.
11. The apparatus according to claim 7 or 8, characterized in that the first release unit (65) is configured to perform any one of the following: releasing the Non-Access Stratum signaling connection if the Non-Access Stratum signaling connection supports a single service; releasing the Non-Access Stratum signaling connection if the Non-Access Stratum signaling connection supports multiple services and all of the multiple services require authentication; releasing an Evolved Packet System bearer corresponding to the service that requires authentication, and retaining the Evolved Packet System bearer corresponding to the service that does not require authentication, if the Non-Access Stratum signaling connection supports multiple services, and some of the multiple services need authentication and the others do not need authentication.
12. The apparatus according to claim 7, characterized in that the current service comprises at least one of an Emergency Call service and a public alarm service.
Patent family:
Publication number | Publication date
EP3242498B1|2018-12-12|
EP3242498A1|2017-11-08|
CN102025685A|2011-04-20|
EP3531731A1|2019-08-28|
CN102025685B|2013-09-11|
US20110072488A1|2011-03-24|
TR201902606T4|2019-03-21|
US9088616B2|2015-07-21|
EP2472928A1|2012-07-04|
WO2011032515A1|2011-03-24|
BR112012006409A2|2016-04-12|
EP2472928B1|2017-03-08|
EP2472928A4|2012-07-04|
EP3531731B1|2020-08-19|
Legal status:
2019-01-08| B06F| Objections, documents and/or translations needed after an examination request according art. 34 industrial property law|
2020-03-10| B06U| Preliminary requirement: requests with searches performed by other patent offices: suspension of the patent application procedure|
2020-12-01| B09A| Decision: intention to grant|
2021-01-19| B16A| Patent or certificate of addition of invention granted|Free format text: TERM OF VALIDITY: 10 (TEN) YEARS COUNTED FROM 19/01/2021, SUBJECT TO THE LEGAL CONDITIONS. |
Priority:
Application number | Filing date | Patent title
CN2009100938285A|CN102025685B|2009-09-21|2009-09-21|Authentication processing method and device|
CN200910093828.5|2009-09-21|
PCT/CN2010/077085|WO2011032515A1|2009-09-21|2010-09-19|Method and device for authentication processing|