
WO2019192275A1 - Authentication method and network element - Google Patents


Info

Publication number: WO2019192275A1
Authority: WO, WIPO (PCT)
Prior art keywords: network element, authentication, indication information, seaf, ausf
Legal status: Ceased (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: PCT/CN2019/076823
Other languages: French (fr), Chinese (zh)
Inventor: 谢振华
Current Assignee: ZTE Corp (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: ZTE Corp
Application filed by ZTE Corp

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Definitions

  • the embodiments of the present application relate to the field of communications technologies, and in particular to an authentication method and a network element.
  • the 3rd Generation Partnership Project (3GPP) proposes an authentication framework under the 5th-Generation Mobile Communication Technology (5G) architecture, which includes user equipment that needs to access the network.
  • 5G 5th-Generation Mobile Communication Technology
  • UE User Equipment
  • SEAF Security Anchor Function
  • AUSF Authentication Service Function
  • ARPF Authentication Repository Function
  • the SEAF network element is responsible for performing visited-network authentication of the UE and for maintaining the access key during the authentication process.
  • the UE also generates an access key during the authentication process.
  • the UE can access the services provided by the visited network through the same access key.
  • the AUSF network element is responsible for performing home-network authentication of the UE, to confirm whether the visited-network authentication succeeded.
  • the home key generated by the authentication process is stored locally by the UE and the AUSF network element; the ARPF network element is responsible for storing the subscription information and for generating, from that information, an authentication vector, which is used by the UE to confirm the legitimacy of the network during the authentication process, and by the network to confirm the legitimacy of the UE.
  • when the network side receives a fast authentication command, it allocates a fast authentication identifier to the UE in the current authentication process, to instruct the UE to initiate a fast authentication request at the next authentication.
  • with this method, only the network side can send the fast authentication identifier to the UE to enable the UE to initiate a fast authentication request, and when fast authentication is performed, the network side and the UE can only perform it according to the method specified in the fast authentication identifier, so the flexibility is poor.
  • the embodiment of the present application provides an authentication method and a network element, which can flexibly perform fast authentication.
  • An embodiment of the present application provides an authentication method, including: a first network element receives, from a security anchor function SEAF network element, a request carrying first indication information, where the first indication information is used to indicate that a second network element has the capability of performing fast authentication; and the first network element performs fast authentication with the second network element according to the first indication information.
  • the embodiment of the present application further provides an authentication method, where the UE sends a registration request carrying first indication information to the SEAF network element, or the UE receives a message sent by the SEAF network element that carries the first indication information, where the first indication information is used to indicate that the sender has the capability of performing fast authentication; the UE receives a derived parameter from the SEAF network element and sends an authentication response to the SEAF network element, where the authentication response is generated based at least on the derived parameter and the stored home key.
  • the embodiment of the present application further provides an AUSF network element, including: a first receiving module, configured to receive, from the SEAF network element, an authentication request carrying first indication information and a permanent user identifier, where the first indication information is used to indicate that the UE corresponding to the permanent user identifier has the capability of performing fast authentication; and a first processing module, configured to perform fast authentication with the second network element according to the first indication information.
  • the embodiment of the present application further provides a UE, including: a second processing module, configured to send a registration request carrying first indication information to the SEAF network element, or to receive a message sent by the SEAF network element that carries the first indication information, where the first indication information is used to indicate that the UE is capable of performing fast authentication; and a second receiving module, configured to receive a derived parameter from the SEAF network element and to send an authentication response to the SEAF network element, where the authentication response is generated based at least on the derived parameter and the stored home key.
  • FIG. 1 is a schematic flowchart of an authentication method according to an embodiment of the present application
  • FIG. 2 is a schematic flowchart of another authentication method according to an embodiment of the present application.
  • FIG. 3 is a schematic flowchart diagram of still another authentication method according to an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of still another authentication method according to an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of still another authentication method according to an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a first network element according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic structural diagram of a UE according to an embodiment of the present disclosure.
  • An embodiment of the present application provides an authentication method. As shown in FIG. 1, the method includes steps S101 and S102.
  • step S101: the first network element receives, from the SEAF network element, a request carrying the first indication information.
  • the first indication information is used to indicate that the second network element has the capability of performing fast authentication.
  • step S102: the first network element performs fast authentication with the second network element according to the first indication information.
  • in the related art, the authentication server allocates a fast authentication identifier to the UE, so that the UE performs fast authentication at the next authentication.
  • the mobile communication technologies before 5G differ from the 5G architecture.
  • in those earlier technologies, the network element between the authentication server and the authenticated end acts only as a pipeline, transmitting the information exchanged between the two.
  • in 5G, the SEAF network element between the AUSF network element and the UE is not a pure pipeline: an identifier is used to route information between the AUSF network element and the UE, so the fast authentication identifier allocated by the authentication server in the related art cannot be used.
  • because the SEAF network element is used to route messages between the AUSF network element and the UE, the fast authentication method of the related art cannot be used in 5G, and there is no feasible authentication method capable of implementing fast authentication in 5G.
  • the first network element determines, according to the obtained first indication information, that the second network element has the capability of performing fast authentication, and the first network element needs to perform fast authentication on the second network element.
  • the first network element directly performs fast authentication with the second network element according to the first indication information, thereby ensuring flexibility of fast authentication.
  • the first network element is an authentication service function AUSF network element
  • the second network element is a user terminal UE; or the first network element is a UE, and the second network element is an AUSF network element.
  • when the first network element is the UE and the second network element is the AUSF network element, the first network element performing fast authentication with the second network element according to the first indication information includes:
  • the UE sends, to the SEAF network element, a registration request carrying second indication information, where the second indication information is used to indicate that the AUSF network element is to perform fast authentication.
  • the UE receives the derived parameter sent by the AUSF network element through the SEAF network element, where the derived parameter is generated by the AUSF network element.
  • the SEAF network element directly sends the derived parameter to the UE for fast authentication, thus ensuring the timeliness and flexibility of fast authentication.
  • when the first network element is an AUSF network element and the second network element is a UE, the first network element performing fast authentication with the second network element according to the first indication information includes: the AUSF network element sends a derived parameter to the UE through the SEAF network element, where the derived parameter is generated by the AUSF network element.
  • the first indication information further includes: information about a fast authentication method that the first network element can use.
  • the method further includes: the AUSF network element determines, according to the first indication information, the message in which the derived parameter is sent.
  • the method further includes: the AUSF network element sends a network hash and a desired hash to the SEAF network element, where the network hash is generated based at least on the derived parameter and the home key stored in the AUSF network element; the desired hash is generated based on the derived parameter and the expected response; and the expected response is generated based at least on the derived parameter and the home key.
  • for example, the expected hash may be generated based on parameter A, parameter B, and the home key.
  • the derived parameter is parameter A.
  • the network hash is generated according to parameter A, parameter C, and the home key.
  • the expected hash may be generated according to parameter A and the home key, or may be generated based on parameter A, parameter D, and the home key.
  • the method further includes: the AUSF network element sends the second indication information to the UE by using the SEAF network element, where the second indication information is used to indicate that the UE performs fast authentication.
  • the embodiment of the present application further provides an authentication method. As shown in FIG. 2, the method includes step S201 and step S202.
  • step S201: the UE sends a registration request carrying the first indication information to the SEAF network element; or, the UE receives a message sent by the SEAF network element that carries the first indication information.
  • the first indication information is used to indicate that the sender has the capability to perform fast authentication.
  • step S202: the UE receives the derived parameter from the SEAF network element and sends an authentication response to the SEAF network element.
  • the authentication response is generated based at least on the derived parameter and the stored home key.
  • because the UE sends to the SEAF network element a registration request carrying the first indication information, which indicates that the UE has the capability to perform fast authentication, the first indication information reaches the AUSF network element; therefore, when the AUSF network element needs to perform fast authentication on the UE, the SEAF network element directly sends the derived parameter to the UE for fast authentication, thereby ensuring the timeliness and flexibility of the fast authentication.
  • the first indication information further includes: information on a fast authentication method that the sender of the first indication information can use.
  • before the authentication response is sent to the SEAF network element, the method further includes: the UE receives second indication information from the SEAF network element, where the second indication information is used to indicate that the UE performs fast authentication.
  • the method further includes: the UE receives a network hash from the SEAF network element.
  • the UE generates a desired network hash based at least on the derived parameter and the stored home key.
  • in response to determining that the desired network hash is the same as the received network hash, the UE sends the authentication response.
  • the embodiment of the present application further provides an authentication method, which is fast authentication according to the Enhanced Authentication Protocol-Authentication and Key Agreement (EAP-AKA') method, as shown in FIG. 3.
  • the method includes steps 301 to 310.
  • step 301: the UE registers with the network.
  • the SEAF network element notifies the AUSF network element to perform the authentication process.
  • the AUSF network element requests the authentication vector from the ARPF network element, and the ARPF network element selects the authentication method and notifies the AUSF network element of the authentication vector and the authentication method.
  • the AUSF network element authenticates the UE through the SEAF network element by using the authentication method and the authentication vector.
  • if the SEAF network element has previously participated in the authentication of the UE, the permanent identity of the UE is already saved in the SEAF network element. If the UE has not been authenticated by the SEAF network element, the ARPF network element also notifies the AUSF network element of the permanent identity of the UE, and the AUSF network element sends the permanent identity of the UE to the SEAF network element. After the authentication is complete, the SEAF network element allocates a temporary identifier to the UE and sends the temporary identifier to the UE. During the authentication process, the AUSF network element and the UE each use the same method to derive the home key and store it. The AUSF network element generates an access key and sends the access key to the SEAF network element to protect the communication between the UE and the network, and the UE generates the access key using the same method.
  • step 302: the UE initiates a registration request to the network, for example by sending a registration request (Register Request) message, which carries the temporary user identifier allocated by the network and indication information, where the indication information indicates that the UE has the capability to perform fast authentication.
  • the indication information may include the authentication methods that the UE can use, such as at least one of EAP-AKA' and 5G AKA.
  • step 303: the SEAF network element receives the registration request and sends an authentication request message (such as a 5th-Generation mobile communication technology-Authentication Information Request (5G-AIR) message) to the AUSF network element.
  • the SEAF network element finds the matching permanent user identifier by using the temporary user identifier, and carries the permanent user identifier and the indication information in the authentication request.
  • the AUSF network element determines that the authentication request contains indication information, and may select an authentication method according to the authentication method used when the UE was previously authenticated, or according to the authentication method information included in the indication information. For example, if the AUSF network element previously authenticated the UE using EAP-AKA', either EAP-AKA' or 5G AKA may be selected; if the AUSF network element previously authenticated the UE using 5G AKA, 5G AKA may be selected.
  • step 304: the AUSF network element chooses to use EAP-AKA', so it sends an AKA re-authentication request to the SEAF network element, such as an Enhanced Authentication Protocol Request/Authentication and Key Agreement-Reauthentication (EAP-Request/AKA-Reauthentication) message.
  • the EAP-Request/AKA-Reauthentication message carries the derived parameters (such as a number used once (NONCE) and a counter (COUNTER)), which are generated by the AUSF network element. The EAP-Request/AKA-Reauthentication message also carries a message authentication code 1 (MAC1), which is generated based on the security key generated during the last authentication process (the security key here refers to the integrity protection key) and the content of the message, for example using the hash-based message authentication code-Secure Hash Algorithm-256 (HMAC-SHA-256) algorithm, where the security key is derived based on the home key or the access key.
  • HMAC-SHA-256 hash-based message authentication code-Secure Hash Algorithm-256
  • step 305: the SEAF network element forwards the Authentication and Key Agreement (AKA) re-authentication request to the UE.
  • AKA Authentication and Key Agreement
  • step 306: the UE derives a new home key based on the derived parameters and the stored home key, and then sends an AKA re-authentication response to the SEAF network element, where the AKA re-authentication response carries a message authentication code 2 (MAC2).
  • the message authentication code 2 is generated based on the security key generated in the last authentication process and the content of the AKA re-authentication response message, for example using the HMAC-SHA-256 algorithm, where the security key is derived based on the home key or the access key.
  • step 307: the SEAF network element forwards the AKA re-authentication response to the AUSF network element, and the AUSF network element checks MAC2.
  • step 308: in response to determining that the check of MAC2 succeeds, the AUSF network element determines that the authentication between the UE and the AUSF network element succeeds, generates a new home key based on the stored home key and the derived parameters (for example using the HMAC-SHA-256 algorithm), and derives a new access key based on the new home key.
  • step 309: the AUSF network element sends an authentication success message to the SEAF network element, such as an Enhanced Authentication Protocol-Success (EAP-Success) message, which carries the new access key.
  • EAP-Success Enhanced Authentication Protocol-Success
  • step 310: the SEAF network element saves the new access key and sends a registration success message to the UE, such as a Register Accept message.
  • the embodiment of the present application further provides an authentication method, which is fast authentication according to the 5th-Generation Mobile Communication Technology Authentication and Key Agreement (5G AKA) method, as shown in FIG. 4.
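  • The EAP-AKA' re-authentication exchange of steps 304 to 308 (MAC1 on the request, MAC2 on the response, new home key derived by both sides from NONCE, COUNTER and the stored home key), written out in Python as an added illustration; this is not ZTE's code, and the integrity-key label, message layouts and the home key value are constructed assumptions, not 3GPP-specified formats.

```python
import hashlib
import hmac
import os

# Constructed sample home key that both the UE and the AUSF stored after the last
# full authentication (a placeholder value, not a real key).
HOME_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def integrity_key(home_key: bytes) -> bytes:
    # The page only says the integrity key is "derived based on the home key";
    # the derivation label used here is an assumption.
    return hmac.new(home_key, b"eap-aka-reauth-integrity", hashlib.sha256).digest()


def message_mac(home_key: bytes, message: bytes) -> bytes:
    # MAC1 / MAC2: HMAC-SHA-256 over the message content under the integrity key.
    return hmac.new(integrity_key(home_key), message, hashlib.sha256).digest()


def new_home_key(home_key: bytes, nonce: bytes, counter: int) -> bytes:
    # Steps 306 and 308: both sides derive the new home key from the stored home
    # key and the derived parameters (NONCE, COUNTER) with HMAC-SHA-256.
    return hmac.new(home_key, nonce + counter.to_bytes(2, "big"), hashlib.sha256).digest()


def ausf_build_reauth_request(home_key: bytes, counter: int, nonce: bytes = None) -> dict:
    # Step 304: the AUSF generates NONCE and COUNTER and protects the request with MAC1.
    nonce = nonce or os.urandom(16)
    body = b"EAP-Request/AKA-Reauthentication|" + nonce + b"|" + counter.to_bytes(2, "big")
    return {"nonce": nonce, "counter": counter, "body": body, "mac1": message_mac(home_key, body)}


def ue_handle_reauth_request(home_key: bytes, request: dict):
    # Step 306: the UE verifies MAC1 (constant-time compare), derives the new home
    # key and answers with MAC2. A bad MAC1 yields None: no key, no response.
    if not hmac.compare_digest(message_mac(home_key, request["body"]), request["mac1"]):
        return None
    derived = new_home_key(home_key, request["nonce"], request["counter"])
    body = b"EAP-Response/AKA-Reauthentication|" + request["nonce"]
    return {"new_home_key": derived, "body": body, "mac2": message_mac(home_key, body)}


def ausf_check_reauth_response(home_key: bytes, request: dict, response):
    # Steps 307-308: the AUSF checks MAC2 and only then derives the new home key.
    if response is None:
        return None
    if not hmac.compare_digest(message_mac(home_key, response["body"]), response["mac2"]):
        return None
    return new_home_key(home_key, request["nonce"], request["counter"])


def run_reauth(home_key: bytes, counter: int = 1, nonce: bytes = None) -> bool:
    # Full exchange; True when both sides end up holding the same new home key.
    request = ausf_build_reauth_request(home_key, counter, nonce)
    response = ue_handle_reauth_request(home_key, request)
    ausf_key = ausf_check_reauth_response(home_key, request, response)
    return ausf_key is not None and ausf_key == response["new_home_key"]


def run_tampered_reauth(home_key: bytes, counter: int = 1):
    # A request whose content was altered in transit: MAC1 no longer matches,
    # so the UE must refuse to derive a key or answer.
    request = ausf_build_reauth_request(home_key, counter)
    request["body"] = request["body"].replace(b"Request", b"Reqxest")
    return ue_handle_reauth_request(home_key, request)


if __name__ == "__main__":
    print("re-authentication succeeded:", run_reauth(HOME_KEY))
    print("tampered request rejected:", run_tampered_reauth(HOME_KEY) is None)
```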
  • the method includes steps 401 to 411.
  • step 401: the UE registers with the network.
  • the SEAF network element notifies the AUSF network element to perform the authentication process.
  • the AUSF network element requests the authentication vector from the ARPF network element, and the ARPF network element selects the authentication method and notifies the AUSF network element of the authentication vector and the authentication method.
  • the AUSF network element authenticates the UE through the SEAF network element by using the authentication method and the authentication vector.
  • if the SEAF network element has previously participated in the authentication of the UE, the permanent identifier of the UE is already saved in the SEAF network element. If the UE has not been authenticated by the SEAF network element, the ARPF network element notifies the AUSF network element of the permanent identifier of the UE, and the AUSF network element sends the permanent identity of the UE to the SEAF network element. After the authentication is complete, the SEAF network element allocates a temporary identifier to the UE and sends the temporary identifier to the UE. During the authentication process, the AUSF network element and the UE each use the same method to derive the home key and store it. The AUSF network element generates an access key and sends the access key to the SEAF network element to protect the communication between the UE and the network, and the UE generates the access key using the same method.
  • step 402: after a period of time, the UE initiates a registration request to the network again, for example by sending a Register Request message, which carries the temporary user identifier allocated by the network and indication information 1, where indication information 1 indicates that the UE has the capability to perform fast authentication, and the indication information may include the authentication methods that the UE can use, such as at least one of EAP-AKA' and 5G AKA.
  • step 403: the SEAF network element receives the registration request and sends an authentication request message (such as a 5G-AIR message) to the AUSF network element.
  • the SEAF network element finds the matching permanent user identifier through the temporary user identifier, and carries the permanent user identifier and the indication information in the authentication request.
  • the AUSF network element determines that the authentication request contains indication information, and may select an authentication method according to the authentication method used when the UE was previously authenticated, or according to the authentication method information included in the indication information. For example, if the AUSF network element previously authenticated the UE using EAP-AKA', either EAP-AKA' or 5G AKA may be selected; if the AUSF network element previously authenticated the UE using 5G AKA, 5G AKA may be selected.
  • step 404: the AUSF network element chooses to use 5G AKA, so it generates a derived parameter (such as a NONCE), generates a network hash based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), generates an expected response based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), generates a desired hash based on the derived parameter and the expected response (for example using the Secure Hash Algorithm-256 (SHA-256) algorithm), generates a new home key based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), and generates a new access key based on the new home key.
  • step 405: the AUSF network element sends an authentication response to the SEAF network element, such as a 5th-Generation mobile communication technology-Authentication Information Answer (5G-AIA) message, where the 5G-AIA message carries an authentication vector that includes the derived parameter, the network hash, the desired hash, and the new access key.
  • the 5G-AIA message also carries indication information 2, which is used to indicate that the UE uses fast authentication.
  • step 406: the SEAF network element sends a user authentication request to the UE, such as a User Authentication Request message, which carries the derived parameter and the network hash from the authentication vector, and further carries indication information 2.
  • step 407: the UE receives the user authentication request carrying indication information 2 and uses fast authentication.
  • the UE checks the network hash: for example, it generates a desired network hash based on the derived parameter and the stored home key and compares whether the received network hash and the desired network hash are the same; if they are the same, the verification succeeds, and if they are not the same, the verification fails.
  • after the verification succeeds, the UE generates an authentication response (Response, RES) based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), generates a new home key based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), generates a new access key based on the new home key, and then sends a user authentication response to the SEAF network element, such as a User Authentication Response message, carrying the authentication response RES.
  • RES authentication response
  • step 408: the SEAF network element checks the desired hash using the authentication response RES: for example, it generates a check hash based on the derived parameter and the authentication response RES (for example using the SHA-256 algorithm) and compares the check hash with the desired hash; if they are the same, the verification succeeds, and if they are not the same, the verification fails.
  • step 409: after the SEAF network element successfully checks the desired hash, it sends an authentication confirmation to the AUSF network element, for example a 5th-Generation mobile communication technology-Authentication Certification (5G-AC) message, carrying the authentication response RES.
  • 5G-AC 5th-Generation mobile communication technology-Authentication Certification
  • the AUSF network element verifies the authentication response, for example by comparing the expected response with the authentication response: if they are the same, the verification succeeds; if they are not the same, the verification fails.
  • the AUSF network element sends an authentication success message to the SEAF network element, for example, the 5th-Generation mobile communication technology-Authentication Certification Answer (5G-ACA) message.
  • 5G-ACA 5th-Generation mobile communication technology-Authentication Certification Answer
  • the SEAF network element saves the new access key and sends a registration success message to the UE, such as sending a Register Accept message.
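  • The 5G AKA fast authentication of steps 404 to 410 (and the same computations in the FIG. 5 flow), written out in Python as an added illustration: the AUSF derives the network hash, expected response, desired hash and new keys from NONCE and the home key; the UE checks the network hash and returns RES; the SEAF checks SHA-256(NONCE || RES) against the desired hash; the AUSF compares RES with the expected response. This is not ZTE's code; the HMAC labels, the access-key derivation and the home key value are constructed assumptions, not 3GPP-specified formats.

```python
import hashlib
import hmac
import os

# Constructed sample home key shared by the UE and the AUSF after the last full
# authentication (a placeholder value, not a real key).
HOME_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100")


def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # HMAC-SHA-256 keyed derivation; the labels keep the four values distinct
    # (an assumption: the page only says each is derived "based on" NONCE and the home key).
    return hmac.new(key, label + data, hashlib.sha256).digest()


def ausf_fast_auth_vector(home_key: bytes, nonce: bytes = None) -> dict:
    # Step 404: NONCE, network hash, expected response (XRES),
    # desired hash = SHA-256(NONCE || XRES), new home key, new access key.
    nonce = nonce or os.urandom(16)
    xres = prf(home_key, b"res", nonce)
    new_hk = prf(home_key, b"home", nonce)
    return {
        "nonce": nonce,
        "net_hash": prf(home_key, b"net", nonce),
        "xres": xres,
        "hxres": hashlib.sha256(nonce + xres).digest(),
        "new_home_key": new_hk,
        "access_key": prf(new_hk, b"access", b""),
    }


def ue_fast_auth(home_key: bytes, nonce: bytes, net_hash: bytes):
    # Step 407: the UE recomputes the network hash and stops if it does not
    # match (the network could not prove knowledge of the home key).
    if not hmac.compare_digest(prf(home_key, b"net", nonce), net_hash):
        return None
    new_hk = prf(home_key, b"home", nonce)
    return {
        "res": prf(home_key, b"res", nonce),
        "new_home_key": new_hk,
        "access_key": prf(new_hk, b"access", b""),
    }


def seaf_check_hxres(nonce: bytes, res: bytes, hxres: bytes) -> bool:
    # Step 408: the SEAF only needs NONCE, RES and the desired hash for this
    # check; it never sees the home key.
    return hmac.compare_digest(hashlib.sha256(nonce + res).digest(), hxres)


def ausf_check_res(xres: bytes, res: bytes) -> bool:
    # Step 410: the AUSF compares the expected response with RES.
    return hmac.compare_digest(xres, res)


def run_5g_aka_fast_auth(ue_home_key: bytes, ausf_home_key: bytes, nonce: bytes = None) -> str:
    # Whole flow across the three parties; returns where it stopped, or "success"
    # once both ends hold the same new access key.
    vec = ausf_fast_auth_vector(ausf_home_key, nonce)        # 404-406
    ue = ue_fast_auth(ue_home_key, vec["nonce"], vec["net_hash"])  # 407
    if ue is None:
        return "ue_rejected_network"
    if not seaf_check_hxres(vec["nonce"], ue["res"], vec["hxres"]):  # 408
        return "seaf_rejected_ue"
    if not ausf_check_res(vec["xres"], ue["res"]):          # 410
        return "ausf_rejected_ue"
    return "success" if ue["access_key"] == vec["access_key"] else "key_mismatch"


if __name__ == "__main__":
    print(run_5g_aka_fast_auth(HOME_KEY, HOME_KEY))
    print(run_5g_aka_fast_auth(bytes(32), HOME_KEY))
```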
  • the embodiment of the present application further provides an authentication method, which is a fast authentication according to 5G AKA. As shown in FIG. 5, the method includes steps 501 to 513.
  • step 501: the UE registers with the network.
  • the SEAF network element notifies the AUSF network element to perform the authentication process.
  • the AUSF network element requests the authentication vector from the ARPF network element, and the ARPF network element selects the authentication method and notifies the AUSF network element of the authentication vector and the authentication method.
  • the AUSF network element authenticates the UE through the SEAF network element by using the authentication method and the authentication vector.
  • if the SEAF network element has previously participated in the authentication of the UE, the permanent identifier of the UE is already saved in the SEAF network element. If the UE has not been authenticated by the SEAF network element, the ARPF network element notifies the AUSF network element of the permanent identifier of the UE, and the AUSF network element sends the permanent identity of the UE to the SEAF network element. After the authentication is complete, the SEAF network element allocates a temporary identifier to the UE and sends the temporary identifier to the UE. During the authentication process, the AUSF network element and the UE each use the same method to derive the home key and store it. The AUSF network element generates an access key and sends the access key to the SEAF network element to protect the communication between the UE and the network, and the UE generates the access key using the same method.
  • the AUSF network element may select an authentication method usable for fast authentication according to the authentication method used when the UE was previously authenticated. For example, if the AUSF network element previously authenticated the UE using EAP-AKA', either EAP-AKA' or 5G AKA may be selected; if the AUSF network element previously authenticated the UE using 5G AKA, 5G AKA may be selected.
  • step 502: the AUSF network element sends a message to the SEAF network element, such as an Insert Subscribe Data message, carrying indication information 1.
  • indication information 1 indicates that the AUSF network element has the capability to perform fast authentication, and the indication information may include the authentication methods that the AUSF network element can use, such as at least one of EAP-AKA' and 5G AKA.
  • step 503 the SEAF forwards the indication information 1 to the UE.
  • steps 502 and 503 may be initiated by the AUSF network element after step 501 is complete, or may be sent by the AUSF network element when triggered at some point during step 501.
  • step 504: after a period of time, the UE initiates a registration request to the network again, for example by sending a Register Request message, which carries the temporary user identifier allocated by the network and indication information 2, which is used to indicate that the AUSF network element is to use fast authentication.
  • step 505: the SEAF network element receives the registration request and sends an authentication request message (such as a 5G-AIR message) to the AUSF network element.
  • the SEAF network element finds the matching permanent user identifier through the temporary user identifier, and carries the permanent user identifier and indication information 2 in the authentication request.
  • the AUSF network element determines that there is indication information 2 in the authentication request, and the authentication method can be selected according to the indication information 1 previously sent to the UE.
  • The AUSF network element selects 5G AKA and generates a derived parameter, such as a NONCE. It generates a network hash from the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), generates an expected response from the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), and generates an expected hash from the derived parameter and the expected response (for example using the Secure Hash Algorithm-256 (SHA-256) algorithm). It also generates a new home key from the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), and generates a new access key from the new home key.
  • the AUSF network element sends an authentication response to the SEAF network element, such as sending a 5G-AIA message, the message carries an authentication vector, the authentication vector includes a derived parameter, a network hash, a desired hash, and a new access key.
  • the SEAF network element sends a user authentication request to the UE, such as sending a User Authentication Request message, where the message carries the derived parameter and the network hash in the authentication vector.
  • The UE uses fast authentication and checks the network hash: for example, it generates an expected network hash from the derived parameter and the stored home key and compares it with the received network hash. If the two are the same, the verification succeeds; if they differ, the verification fails.
  • After the verification succeeds, the UE generates an authentication response RES from the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), generates a new home key from the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), and generates a new access key from the new home key. It then sends a user authentication response to the SEAF network element, such as a User Authentication Response message carrying the authentication response RES.
  • The SEAF network element checks the expected hash against the authentication response RES: for example, it generates a check hash from the derived parameter and the authentication response RES (for example using the SHA-256 algorithm) and compares the check hash with the expected hash. If the two are the same, the verification succeeds; if they differ, the verification fails.
  • In step 511, after the SEAF network element has successfully checked the expected hash, it sends an authentication confirmation to the AUSF network element, for example a 5G-AC message carrying the authentication response RES.
  • The AUSF network element checks the authentication response, for example by comparing the expected response with the authentication response. If the two are the same, the verification succeeds; if they differ, the verification fails.
  • the AUSF network element sends an authentication success message to the SEAF network element, for example, sending a 5G-ACA message.
  • the SEAF network element saves the new access key and sends a registration success message to the UE, such as sending a Register Accept message.
  • the embodiment of the present application further provides a computer readable storage medium, where computer executable instructions are stored, and the computer executable instructions are set to execute any one of the foregoing authentication methods.
  • the embodiment of the present application provides a first network element.
  • the first network element 6 includes a first receiving module 601 and a first processing module 602.
  • The first receiving module 601 is configured to receive an authentication request from the SEAF network element that carries the first indication information and the permanent user identifier, where the first indication information identifies that the UE corresponding to the permanent user identifier has the capability of performing fast authentication.
  • the first processing module 602 is configured to perform fast authentication with the second network element according to the first indication information.
  • The first network element is an AUSF network element and the second network element is a UE; or the first network element is a UE and the second network element is an AUSF network element.
  • Where the first network element is a UE, the first processing module 602 is configured to send a registration request carrying the second indication information to the SEAF network element, where the second indication information indicates that the AUSF network element is to perform fast authentication, and to receive the derived parameter sent by the AUSF network element through the SEAF network element, where the derived parameter is generated by the AUSF network element.
  • Where the first network element is an AUSF network element, the first processing module 602 is configured to send the derived parameter to the UE through the SEAF network element, where the derived parameter is generated by the AUSF network element.
  • the first indication information further includes: information about a fast authentication method that the first network element can use.
  • The first processing module 602 is further configured to determine, according to the first indication information, the message in which the derived parameter is sent.
  • The first processing module 602 is further configured to send a network hash and an expected hash to the SEAF network element; the network hash is generated based at least on the derived parameter and the home key stored in the AUSF network element; the expected hash is generated based at least on the derived parameter and the expected response; and the expected response is generated based at least on the derived parameter and the home key.
  • the first processing module 602 is further configured to send the second indication information to the UE by using the SEAF network element, where the second indication information is used to indicate that the UE performs fast authentication.
  • The first network element provided by the embodiment of the present application determines, according to the obtained first indication information, that the second network element has the capability of performing fast authentication; when the first network element needs to perform fast authentication on the second network element, it performs fast authentication directly with the second network element according to the first indication information, thereby ensuring the flexibility of fast authentication.
  • The first receiving module 601 and the first processing module 602 can be implemented by a central processing unit (CPU), a microprocessor (Micro Processor Unit, MPU), a digital signal processor (DSP), a field programmable gate array (FPGA), or the like located in the first network element.
  • the embodiment of the present application further provides a UE.
  • the UE 7 includes a second processing module 701, a second receiving module 702, and a sending module 703.
  • The second processing module 701 is configured to send a registration request carrying the first indication information to the SEAF network element, or to receive a message sent by the SEAF network element that carries the first indication information, where the first indication information is used to indicate that the UE has the capability to perform fast authentication.
  • the second receiving module 702 is configured to receive the derived parameter from the SEAF network element, and send an authentication response to the SEAF network element; wherein the authentication response is generated based on at least the derived parameter and the stored home key.
  • the first indication information further includes: information of a fast authentication method that the sender of the first indication information can use.
  • the second receiving module 702 is further configured to receive second indication information from the SEAF network element, where the second indication information is used to indicate that the UE performs fast authentication.
  • the second receiving module 702 is further configured to receive a network hash from the SEAF network element.
  • the second processing module 701 is configured to generate a desired network hash based on at least the derived parameters and the stored home key.
  • The sending module 703 is configured to send an authentication response in response to determining that the expected network hash is the same as the received network hash.
  • Because the UE provided by the embodiment of the present application sends the SEAF network element a registration request carrying first indication information that indicates the UE has the capability to perform fast authentication, the SEAF network element can send the first indication information to the AUSF network element. When the AUSF network element needs to perform fast authentication on the UE, it therefore sends the derived parameter directly to the UE through the SEAF network element for fast authentication, thereby ensuring the timeliness and flexibility of fast authentication.
  • the second processing module 701, the second receiving module 702, and the sending module 703 can all be implemented by a CPU, an MPU, a DSP, an FPGA, or the like located in the UE.
  • The embodiment of the present application further provides a first network element, including a first memory and a first processor, where the first memory stores the following instructions executable by the first processor: receiving a request from the SEAF network element that carries first indication information, where the first indication information is used to indicate that the second network element has the capability of performing fast authentication.
  • The first network element is an authentication service function AUSF network element and the second network element is a user terminal UE; or the first network element is a UE and the second network element is an AUSF network element.
  • The first memory stores the following instructions executable by the first processor: sending the derived parameter to the UE through the SEAF network element, where the derived parameter is generated by the AUSF network element.
  • the first indication information further includes: information about a fast authentication method that the first network element can use.
  • The first memory further stores an instruction executable by the first processor to determine, according to the first indication information, the message in which the derived parameter is sent.
  • The first memory further stores instructions executable by the first processor to send a network hash and an expected hash to the SEAF network element; the network hash is generated based at least on the derived parameter and the home key stored in the AUSF network element; the expected hash is generated based at least on the derived parameter and the expected response; and the expected response is generated based at least on the derived parameter and the home key.
  • the first memory further stores an instruction that is executable by the first processor: sending the second indication information to the UE by using the SEAF network element, where the second indication information is used to indicate that the UE performs fast authentication.
  • The embodiment of the present application further provides a UE, including a second memory and a second processor, where the second memory stores the following instructions executable by the second processor: sending a registration request carrying the first indication information to the SEAF network element, or receiving a message sent by the SEAF network element that carries the first indication information.
  • the first indication information is used to indicate that the sender has the capability to perform fast authentication.
  • a derived parameter from the SEAF network element is received, and an authentication response is sent to the SEAF network element; wherein the authentication response is generated based at least on the derived parameter and the stored home key.
  • the first indication information further includes: information of a fast authentication method that the sender of the first indication information can use.
  • the second memory further stores the following instructions executable by the second processor: receiving second indication information from the SEAF network element, where the second indication information is used to indicate that the UE performs fast authentication.
  • the second memory further stores an instruction executable by the second processor to receive a network hash from the SEAF network element.
  • a desired network hash is generated based at least on the derived parameters and the stored home key.
  • An authentication response is sent in response to determining that the desired network hash is the same as the received network hash.

Abstract

Disclosed are an authentication method and a network element. The authentication method comprises: a first network element receiving a request that comes from an SEAF network element and carries first indication information, wherein the first indication information is used for indicating that a second network element has the capability to execute fast authentication; and according to the first indication information, the first network element executing fast authentication with the second network element.

Description

Authentication method and network element

The present application claims priority to Chinese Patent Application No. 201810301013.0, filed with the Chinese Patent Office on April 4, 2018, the entire contents of which are incorporated herein by reference.

Technical field

The embodiments of the present application relate to the field of communications technologies, for example to an authentication method and a network element.

Background

The 3rd Generation Partnership Project (3GPP) proposes an authentication framework under the 5th-generation mobile communication technology (5G) architecture. The framework includes the User Equipment (UE) that needs to access the network, a Security Anchor Function (SEAF) network element, an Authentication Service Function (AUSF) network element, and an Authentication Repository Function (ARPF) network element. The SEAF network element is responsible for authenticating the UE in the visited network and keeps the access key produced during the authentication process; the UE also produces the access key during authentication, and with the same access key the UE can access the services provided by the visited network. The AUSF network element is responsible for authenticating the UE in the home network, so as to confirm whether the authentication in the visited network succeeded; the home key produced by the authentication process is stored locally by the UE and by the AUSF network element. The ARPF network element is responsible for storing subscription information and for generating the authentication vector from it; during authentication the authentication vector is used by the UE to confirm the legitimacy of the network and by the network to confirm the legitimacy of the UE.

In the related art, when a fast authentication instruction is received, the network side allocates a fast authentication identifier to the UE during the current authentication process, to instruct the UE to initiate a fast authentication request at the next authentication.

However, with this method only the network side can send the fast authentication identifier to the UE to make the UE initiate a fast authentication request, and when fast authentication is performed, the network side and the UE can only authenticate with the method specified by the fast authentication identifier, so flexibility is poor.

Summary of the invention

The following is an overview of the subject matter described in detail herein. This summary is not intended to limit the scope of the claims.

The embodiments of the present application provide an authentication method and a network element that can perform fast authentication flexibly.

An embodiment of the present application provides an authentication method, including: a first network element receives a request from a security anchor function SEAF network element that carries first indication information, where the first indication information is used to indicate that a second network element has the capability of performing fast authentication; and the first network element performs fast authentication with the second network element according to the first indication information.

An embodiment of the present application further provides an authentication method, including: a UE sends a registration request carrying first indication information to a SEAF network element, or the UE receives a message sent by the SEAF network element that carries first indication information, where the first indication information is used to indicate that the sender has the capability of performing fast authentication; and the UE receives a derived parameter from the SEAF network element and sends an authentication response to the SEAF network element, where the authentication response is generated based at least on the derived parameter and a stored home key.

An embodiment of the present application further provides an AUSF network element, including: a first receiving module, configured to receive an authentication request from a SEAF network element that carries first indication information and a permanent user identifier, where the first indication information identifies that the UE corresponding to the permanent user identifier has the capability of performing fast authentication; and a first processing module, configured to perform fast authentication with the second network element according to the first indication information.

An embodiment of the present application further provides a UE, including: a second processing module, configured to send a registration request carrying first indication information to a SEAF network element, or to receive a message sent by the SEAF network element that carries first indication information, where the first indication information is used to indicate that the UE has the capability of performing fast authentication; and a second receiving module, configured to receive a derived parameter from the SEAF network element and send an authentication response to the SEAF network element, where the authentication response is generated based at least on the derived parameter and a stored home key.

Other aspects will become apparent upon reading and understanding the drawings and the detailed description.

Brief description of the drawings

The drawings are provided for a further understanding of the technical solutions of the present application and form part of the specification; together with the embodiments of the present application they serve to explain the technical solutions of the present application and do not limit them.

FIG. 1 is a schematic flowchart of an authentication method according to an embodiment of the present application;

FIG. 2 is a schematic flowchart of another authentication method according to an embodiment of the present application;

FIG. 3 is a schematic flowchart of still another authentication method according to an embodiment of the present application;

FIG. 4 is a schematic flowchart of still another authentication method according to an embodiment of the present application;

FIG. 5 is a schematic flowchart of still another authentication method according to an embodiment of the present application;

FIG. 6 is a schematic structural diagram of a first network element according to an embodiment of the present application;

FIG. 7 is a schematic structural diagram of a UE according to an embodiment of the present application.

Detailed description

Embodiments of the present application are described in detail below with reference to the drawings. It should be noted that, where there is no conflict, the embodiments of the present application and the features in the embodiments may be combined with each other arbitrarily.

The steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions. Also, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one described herein.

An embodiment of the present application provides an authentication method. As shown in FIG. 1, the method includes step S101 and step S102.

In step 101, a first network element receives a request from the SEAF network element that carries first indication information.

The first indication information is used to indicate that a second network element has the capability of performing fast authentication.

In step 102, the first network element performs fast authentication with the second network element according to the first indication information.

It should be noted that in the mobile communication technologies before 5G, when fast authentication of the UE is needed, the authentication server allocates a fast authentication identifier to the UE so that the UE performs fast authentication at the next authentication. However, the architecture of the mobile communication technologies before 5G differs from that of 5G. In the technologies before 5G, the network elements between the authentication server and the authenticated party act only as a pipe that passes the information exchanged between the two. In 5G, the SEAF network element between the AUSF network element and the UE is not a pure pipe, so an identifier is needed to route information between the AUSF network element and the UE, and the fast authentication identifier allocated by the authentication server in the related art cannot be used by the SEAF network element to route messages between the AUSF network element and the UE. The fast authentication method of the related art therefore cannot be used in 5G, and 5G lacks a feasible authentication method that can implement fast authentication.

In the authentication method provided by the embodiment of the present application, because the first network element determines from the obtained first indication information that the second network element has the capability of performing fast authentication, when the first network element needs to perform fast authentication on the second network element it performs fast authentication directly with the second network element according to the first indication information, which ensures the flexibility of fast authentication.

In an embodiment, the first network element is an authentication service function AUSF network element and the second network element is a user terminal UE; or the first network element is a UE and the second network element is an AUSF network element.

In an embodiment, where the first network element is a UE and the second network element is an AUSF network element, the first network element performing fast authentication with the second network element according to the first indication information includes: the UE sends a registration request carrying second indication information to the SEAF network element, where the second indication information is used to instruct the AUSF network element to perform fast authentication.

The UE receives a derived parameter sent by the AUSF network element through the SEAF network element, where the derived parameter is generated by the AUSF network element.

It should be noted that because the AUSF network element determines from the obtained first indication information that the UE has the capability of performing fast authentication, when the AUSF network element needs to perform fast authentication on the UE it sends the derived parameter directly to the UE through the SEAF unit for fast authentication, which ensures the timeliness and flexibility of fast authentication.

In an embodiment, where the first network element is an AUSF network element and the second network element is a UE, the first network element performing fast authentication with the second network element according to the first indication information includes: the AUSF network element sends a derived parameter to the UE through the SEAF network element, where the derived parameter is generated by the AUSF network element.

In an embodiment, the first indication information further includes information on the fast authentication methods that the first network element can use.

In an embodiment, the method further includes: the AUSF network element determines, according to the first indication information, the message in which the derived parameter is sent.

In an embodiment, the method further includes: the AUSF network element sends a network hash and an expected hash to the SEAF network element, where the network hash is generated based at least on the derived parameter and the home key stored in the AUSF network element; the expected hash is generated based at least on the derived parameter and an expected response; and the expected response is generated based at least on the derived parameter and the home key.

For example, suppose the derived parameter is parameter A and the network hash is generated from parameter A and the home key; the expected hash may then be generated from parameter A, parameter B and the home key. Suppose instead that the derived parameter is parameter A and the network hash is generated from parameter A, parameter C and the home key; the expected hash may then be generated from parameter A and the home key, or from parameter A, parameter D and the home key.

In an embodiment, the method further includes: the AUSF network element sends second indication information to the UE through the SEAF network element, where the second indication information is used to instruct the UE to perform fast authentication.

An embodiment of the present application further provides an authentication method. As shown in FIG. 2, the method includes step S201 and step S202.

In step 201, the UE sends a registration request carrying first indication information to the SEAF network element; or the UE receives a message sent by the SEAF network element that carries first indication information.

The first indication information is used to indicate that the sender has the capability of performing fast authentication.

In step 202, the UE receives a derived parameter from the SEAF network element and sends an authentication response to the SEAF network element.

The authentication response is generated based at least on the derived parameter and the stored home key.

In the authentication method provided by the embodiment of the present application, because the UE sends the SEAF unit a registration request carrying first indication information that indicates the UE has the capability of performing fast authentication, the SEAF network element can send the first indication information to the AUSF network element. When the AUSF network element needs to perform fast authentication on the UE, it therefore sends the derived parameter directly to the UE through the SEAF network element for fast authentication, which ensures the timeliness and flexibility of fast authentication.

In an embodiment, the first indication information further includes information on the fast authentication methods that the sender of the first indication information can use.

In an embodiment, before sending the authentication response to the SEAF network element, the method further includes: the UE receives second indication information from the SEAF network element, where the second indication information is used to instruct the UE to perform fast authentication.

In an embodiment, the method further includes: the UE receives a network hash from the SEAF network element.

The UE generates an expected network hash based at least on the derived parameter and the stored home key.

In response to determining that the expected network hash is the same as the received network hash, the UE sends the authentication response.

An embodiment of the present application further provides an authentication method, which is fast authentication according to the Enhanced Authentication Protocol-Authentication and Key Agreement' (EAP-AKA'). As shown in FIG. 3, the method includes steps 301 to 310.

In step 301, the UE registers with the network. During registration, the SEAF network element notifies the AUSF network element to perform the authentication procedure; the AUSF network element requests an authentication vector from the ARPF network element; the ARPF network element selects an authentication method and notifies the AUSF network element of the authentication vector and the authentication method; and the AUSF network element authenticates the UE via the SEAF network element using the authentication method and the authentication vector.

If the SEAF network element previously participated in authenticating the UE, the SEAF network element stores the permanent identity of the UE; if the SEAF network element has not previously authenticated the UE, the ARPF network element also notifies the AUSF network element of the UE's permanent identity, and the AUSF network element sends the UE's permanent identity to the SEAF network element. After authentication is complete, the SEAF network element allocates a temporary identity to the UE and sends the temporary identity to the UE. During authentication, the AUSF network element and the UE each derive the home key using the same method and store it; the AUSF network element generates an access key and sends it to the SEAF network element for protecting communication between the UE and the network, and the UE generates the access key using the same method.

In step 302, after a period of time, the UE initiates a registration request to the network again, for example by sending a Register Request message carrying the temporary user identity allocated by the network and indication information. The indication information indicates that the UE is capable of performing fast authentication, and it may include the authentication method(s) the UE can use, such as at least one of EAP-AKA' and 5G AKA.

In step 303, the SEAF network element receives the registration request and sends an authentication request message to the AUSF network element (for example, a 5th-Generation mobile communication technology-Authentication Information Request (5G-AIR) message). The SEAF network element uses the temporary user identity to find the matching permanent user identity, and carries the permanent user identity and the indication information in the authentication request.

In step 304, the AUSF network element determines that the authentication request contains indication information, and may select an authentication method according to the authentication method used when the UE was previously authenticated, or according to the authentication method information contained in the indication information. For example, if the AUSF network element previously authenticated the UE with EAP-AKA', it may select EAP-AKA' or 5G AKA; if the AUSF network element previously authenticated the UE with 5G AKA, it may select 5G AKA. The AUSF network element selects EAP-AKA' and therefore sends an AKA re-authentication request to the SEAF network element, for example an Enhanced Authentication Protocol-Request/Authentication and Key Agreement-Reauthentication (EAP-Request/AKA-Reauthentication) message. The EAP-Request/AKA-Reauthentication message carries derived parameters (for example a number used once (NONCE) and a counter (COUNTER)), which are generated by the AUSF, and also carries a message authentication code 1 (Message Authentication Code 1, MAC1). MAC1 is generated from the integrity protection key produced during the previous authentication procedure and the content of the message, for example using the Hash-based Message Authentication Code-Secure Hash Algorithm-256 (HMAC-SHA-256) algorithm, where the integrity protection key is derived from the home key or the access key.

In step 305, the SEAF network element forwards the Authentication and Key Agreement (AKA) re-authentication request to the UE.

In step 306, the UE derives a new home key based on the key derivation parameters and the stored home key, and then sends an AKA re-authentication response to the SEAF network element. The AKA re-authentication response carries a message authentication code 2 (MAC2), which is generated from the integrity protection key produced during the previous authentication procedure and the content of the AKA re-authentication response message, for example using the HMAC-SHA-256 algorithm, where the integrity protection key is derived from the home key or the access key.

In step 307, the SEAF network element forwards the AKA re-authentication response to the AUSF network element, and the AUSF network element verifies MAC2.

In step 308, in response to determining that the verification of MAC2 succeeded, the AUSF network element determines that authentication between the UE and the AUSF network element succeeded, generates a new home key based on the stored home key and the derived parameters (for example using the HMAC-SHA-256 algorithm), and derives a new access key from the new home key.

In step 309, the AUSF network element sends an authentication success message to the SEAF network element, for example an Enhanced Authentication Protocol-Success (EAP-Success) message, which carries the new access key.

In step 310, the SEAF network element stores the new access key and sends a registration success message to the UE, for example a Register Accept message.
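The EAP-AKA' fast re-authentication exchange of steps 304 to 310, written out as an added example (this is not code from the patent or from ZTE; it only models the message flow the text describes). The patent names HMAC-SHA-256 for MAC1, MAC2 and the new home key but does not fix the byte layout of the inputs, so the derivation labels, the wire encoding in `encode`, the UE checking MAC1 before answering, and the preference for the previously used method in `select_fast_auth_method` are all constructed assumptions. The SEAF is modelled only as a forwarder, which is all the text gives it to do in this flow.

```python
import hashlib
import hmac
import secrets

# Added example, not the patent's or any vendor's code. Labels such as
# b"integrity", b"home" and b"access" and the field encoding are assumptions.

def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over the concatenated parts (the patent's MAC/derivation primitive)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def integrity_key(home_key: bytes) -> bytes:
    # Integrity protection key from the previous authentication, derived here from the home key.
    return kdf(home_key, b"integrity")

def derive_new_home_key(home_key: bytes, nonce: bytes, counter: int) -> bytes:
    # Steps 306/308: new home key from the stored home key and the derived parameters.
    return kdf(home_key, b"home", nonce, counter.to_bytes(2, "big"))

def derive_access_key(home_key: bytes) -> bytes:
    # Step 308: access key derived from the (new) home key; the UE does the same.
    return kdf(home_key, b"access")

def select_fast_auth_method(previous_method: str, ue_methods: set) -> str:
    """Step 304: the methods allowed for fast authentication depend on the previous full authentication."""
    allowed = {"EAP-AKA'": {"EAP-AKA'", "5G AKA"}, "5G AKA": {"5G AKA"}}[previous_method]
    candidates = allowed & ue_methods          # intersect with what the UE's indication information offers
    if not candidates:
        raise ValueError("no fast authentication method acceptable to both sides")
    # Preferring the previously used method when both are possible is an assumption.
    return previous_method if previous_method in candidates else candidates.pop()

def encode(msg: dict) -> bytes:
    # Constructed wire encoding of the fields the MAC covers (type, NONCE, COUNTER).
    return msg["type"].encode() + msg["nonce"] + msg["counter"].to_bytes(2, "big")

def ausf_reauth_request(home_key: bytes, counter: int) -> dict:
    # Step 304: AUSF generates NONCE and COUNTER and protects the request with MAC1.
    msg = {"type": "EAP-Request/AKA-Reauthentication", "nonce": secrets.token_bytes(16), "counter": counter}
    msg["mac1"] = kdf(integrity_key(home_key), encode(msg))
    return msg

def ue_reauth_response(home_key: bytes, last_counter: int, req: dict):
    # Step 306: UE checks MAC1 and counter freshness, derives the new home key, answers with MAC2.
    ik = integrity_key(home_key)
    if not hmac.compare_digest(req["mac1"], kdf(ik, encode(req))):
        return None                      # request was not produced with our integrity key
    if req["counter"] <= last_counter:
        return None                      # replayed derived parameters
    new_home = derive_new_home_key(home_key, req["nonce"], req["counter"])
    resp = {"type": "EAP-Response/AKA-Reauthentication", "nonce": req["nonce"], "counter": req["counter"]}
    resp["mac2"] = kdf(ik, encode(resp))
    return new_home, resp

def ausf_verify_response(home_key: bytes, req: dict, resp: dict):
    # Steps 307/308: AUSF checks MAC2 against the echoed parameters, then derives the new keys.
    if resp["nonce"] != req["nonce"] or resp["counter"] != req["counter"]:
        return None
    if not hmac.compare_digest(resp["mac2"], kdf(integrity_key(home_key), encode(resp))):
        return None
    new_home = derive_new_home_key(home_key, req["nonce"], req["counter"])
    return new_home, derive_access_key(new_home)

def run_fast_reauth(home_key: bytes, tamper: bool = False):
    """Whole exchange with the SEAF as forwarder; returns the access keys held by UE and SEAF, or None."""
    req = ausf_reauth_request(home_key, counter=1)
    if tamper:                           # an on-path change of NONCE must fail the MAC1 check at the UE
        req = dict(req, nonce=bytes(16))
    ue_result = ue_reauth_response(home_key, last_counter=0, req=req)
    if ue_result is None:
        return None
    ue_new_home, resp = ue_result
    ausf_result = ausf_verify_response(home_key, req, resp)
    if ausf_result is None:
        return None
    _, seaf_access_key = ausf_result     # steps 309/310: EAP-Success carries it, the SEAF stores it
    return {"ue_access_key": derive_access_key(ue_new_home), "seaf_access_key": seaf_access_key}
```

The point worth noting is that the whole procedure rests on the home key from the previous full authentication: MAC1 lets the UE reject a forged or modified request before it updates its own key, MAC2 lets the AUSF confirm the UE holds the same key, and the counter check rejects a replayed NONCE/COUNTER pair, so both sides end up with the same new access key only if every check passes.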

An embodiment of the present application further provides an authentication method, which is fast authentication according to the 5th-Generation mobile communication technology Authentication and Key Agreement (5G AKA). As shown in FIG. 4, the method includes steps 401 to 411.

In step 401, the UE registers with the network. During registration, the SEAF network element notifies the AUSF network element to perform the authentication procedure; the AUSF network element requests an authentication vector from the ARPF network element; the ARPF network element selects an authentication method and notifies the AUSF network element of the authentication vector and the authentication method; and the AUSF network element authenticates the UE via the SEAF network element using the authentication method and the authentication vector.

If the SEAF network element previously authenticated the UE, the SEAF network element stores the permanent identity of the UE; if the SEAF network element has not previously authenticated the UE, the ARPF network element also notifies the AUSF network element of the UE's permanent identity, and the AUSF network element sends the UE's permanent identity to the SEAF network element. After authentication is complete, the SEAF network element allocates a temporary identity to the UE and sends the temporary identity to the UE. During authentication, the AUSF network element and the UE each derive the home key using the same method and store it; the AUSF network element generates an access key and sends it to the SEAF network element for protecting communication between the UE and the network, and the UE generates the access key using the same method.

In step 402, after a period of time, the UE initiates a registration request to the network again, for example by sending a Register Request message carrying the temporary user identity allocated by the network and indication information 1. Indication information 1 indicates that the UE is capable of performing fast authentication, and it may include the authentication method(s) the UE can use, such as at least one of EAP-AKA' and 5G AKA.

In step 403, the SEAF network element receives the registration request and sends an authentication request message to the AUSF network element (for example, a 5G-AIR message). The SEAF network element uses the temporary user identity to find the matching permanent user identity, and carries the permanent user identity and the indication information in the authentication request.

In step 404, the AUSF network element determines that the authentication request contains indication information, and may select an authentication method according to the authentication method used when the UE was previously authenticated, or according to the authentication method information contained in the indication information. For example, if the AUSF network element previously authenticated the UE with EAP-AKA', it may select EAP-AKA' or 5G AKA; if the AUSF network element previously authenticated the UE with 5G AKA, it may select 5G AKA. The AUSF network element selects 5G AKA, and therefore generates a derived parameter (for example a NONCE); generates a network hash based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm); generates an expected response based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm); generates an expected hash based on the derived parameter and the expected response (for example using the Secure Hash Algorithm-256 (SHA-256) algorithm); generates a new home key based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm); and generates a new access key based on the new home key.

In step 405, the AUSF network element sends an authentication response to the SEAF network element, for example a 5th-Generation mobile communication technology-Authentication Information Answer (5G-AIA) message. The 5G-AIA message carries an authentication vector, which contains the derived parameter, the network hash, the expected hash and the new access key. The message also carries indication information 2, which is used to instruct the UE to use fast authentication.

In step 406, the SEAF network element sends a user authentication request to the UE, for example a User Authentication Request message, which carries the derived parameter and the network hash from the authentication vector, and also carries indication information 2.

In step 407, the UE receives the user authentication request carrying indication information 2 and uses fast authentication. The UE verifies the network hash: for example, it generates an expected network hash based on the derived parameter and the stored home key and compares the received network hash with the expected network hash; if they are identical, verification succeeds, and if they differ, verification fails. After successful verification, the UE generates an authentication response (Response, RES) based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), generates a new home key based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), generates a new access key based on the new home key, and then sends a user authentication response to the SEAF network element, for example a User Authentication Response message carrying the authentication response RES.

In step 408, the SEAF network element verifies the expected hash using the authentication response RES: for example, it generates a verification hash based on the derived parameter and the authentication response RES (for example using the SHA-256 algorithm) and compares the verification hash with the expected hash; if they are identical, verification succeeds, and if they differ, verification fails.

In step 409, after successfully verifying the expected hash, the SEAF network element sends an authentication confirmation to the AUSF network element, for example a 5th-Generation mobile communication technology-Authentication Certification (5G-AC) message, carrying the authentication response RES.

In step 410, the AUSF network element verifies the authentication response: for example, it compares the expected response with the authentication response; if they are identical, verification succeeds, and if they differ, verification fails. After successful verification, the AUSF network element sends an authentication success message to the SEAF network element, for example a 5th-Generation mobile communication technology-Authentication Certification Answer (5G-ACA) message.

In step 411, the SEAF network element stores the new access key and sends a registration success message to the UE, for example a Register Accept message.

An embodiment of the present application further provides an authentication method, which is fast authentication according to 5G AKA. As shown in FIG. 5, the method includes steps 501 to 513.

In step 501, the UE registers with the network. During registration, the SEAF network element notifies the AUSF network element to perform the authentication procedure; the AUSF network element requests an authentication vector from the ARPF network element; the ARPF network element selects an authentication method and notifies the AUSF network element of the authentication vector and the authentication method; and the AUSF network element authenticates the UE via the SEAF network element using the authentication method and the authentication vector.

If the SEAF network element previously authenticated the UE, the SEAF network element stores the permanent identity of the UE; if the SEAF network element has not previously authenticated the UE, the ARPF network element also notifies the AUSF network element of the UE's permanent identity, and the AUSF network element sends the UE's permanent identity to the SEAF network element. After authentication is complete, the SEAF network element allocates a temporary identity to the UE and sends the temporary identity to the UE. During authentication, the AUSF network element and the UE each derive the home key using the same method and store it; the AUSF network element generates an access key and sends it to the SEAF network element for protecting communication between the UE and the network, and the UE generates the access key using the same method.

In step 502, the AUSF may select, according to the authentication method used when the UE was previously authenticated, an authentication method that can be used for fast authentication. For example, if the AUSF network element previously authenticated the UE with EAP-AKA', it may select EAP-AKA' or 5G AKA; if the AUSF network element previously authenticated the UE with 5G AKA, it may select 5G AKA. The AUSF sends a message to the SEAF, for example an Insert Subscribe Data message, carrying indication information 1. Indication information 1 indicates that the AUSF is capable of performing fast authentication, and it may include the authentication method(s) the AUSF can use, such as at least one of EAP-AKA' and 5G AKA.

In step 503, the SEAF forwards indication information 1 to the UE.

Steps 502 to 503 may be initiated by the AUSF after step 501 is complete, or may be carried in an AUSF downlink message triggered during step 501.

In step 504, after a period of time, the UE initiates a registration request to the network again, for example by sending a Register Request message carrying the temporary user identity allocated by the network and indication information 2, which is used to instruct the AUSF to use fast authentication.

In step 505, the SEAF network element receives the registration request and sends an authentication request message to the AUSF network element (for example, a 5G-AIR message). The SEAF network element uses the temporary user identity to find the matching permanent user identity, and carries the permanent user identity and indication information 2 in the authentication request.

In step 506, the AUSF network element determines that the authentication request contains indication information 2, and may select an authentication method according to indication information 1 that it previously sent to the UE. In this embodiment the AUSF network element selects 5G AKA, and therefore generates a derived parameter, for example a NONCE; generates a network hash based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm); generates an expected response based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm); generates an expected hash based on the derived parameter and the expected response (for example using the Secure Hash Algorithm-256 (SHA-256) algorithm); generates a new home key based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm); and generates a new access key based on the new home key.

In step 507, the AUSF network element sends an authentication response to the SEAF network element, for example a 5G-AIA message. The message carries an authentication vector, which contains the derived parameter, the network hash, the expected hash and the new access key.

In step 508, the SEAF network element sends a user authentication request to the UE, for example a User Authentication Request message, which carries the derived parameter and the network hash from the authentication vector.

In step 509, the UE uses fast authentication. The UE verifies the network hash: for example, it generates an expected network hash based on the derived parameter and the stored home key and compares the received network hash with the expected network hash; if they are identical, verification succeeds, and if they differ, verification fails. After successful verification, the UE generates an authentication response RES based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), generates a new home key based on the derived parameter and the stored home key (for example using the HMAC-SHA-256 algorithm), generates a new access key based on the new home key, and then sends a user authentication response to the SEAF network element, for example a User Authentication Response message carrying the authentication response RES.

In step 510, the SEAF network element verifies the expected hash using the authentication response RES: for example, it generates a verification hash based on the derived parameter and the authentication response RES (for example using the SHA-256 algorithm) and compares the verification hash with the expected hash; if they are identical, verification succeeds, and if they differ, verification fails.

In step 511, after successfully verifying the expected hash, the SEAF network element sends an authentication confirmation to the AUSF network element, for example a 5G-AC message, carrying the authentication response RES.

In step 512, the AUSF network element verifies the authentication response: for example, it compares the expected response with the authentication response; if they are identical, verification succeeds, and if they differ, verification fails. After successful verification, the AUSF network element sends an authentication success message to the SEAF network element, for example a 5G-ACA message.

In step 513, the SEAF network element stores the new access key and sends a registration success message to the UE, for example a Register Accept message.

It should be noted that the above procedure can also be used for the EAP-AKA' fast authentication procedure.
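The 5G AKA fast authentication of FIG. 4 (steps 404 to 411) and FIG. 5 (steps 506 to 513) share the same cryptographic exchange, so one added example covers both (this is constructed code, not the patent's or ZTE's). The patent names HMAC-SHA-256 for the network hash, the expected response and the new home key, and SHA-256 over the derived parameter and the expected response for the expected hash, but does not fix the byte layout, so the derivation labels and the concatenation order below are assumptions. The example keeps the three roles separate so the split of trust is visible: the SEAF never sees the home key or the expected response, only what it needs to check SHA-256(NONCE || RES) against the expected hash.

```python
import hashlib
import hmac
import secrets

# Added example, not from the patent or any vendor code. Labels such as
# b"net", b"res", b"home" and b"access" and the NONCE || RES layout are assumptions.

def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over the concatenated parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def response_hash(nonce: bytes, res: bytes) -> bytes:
    # Expected hash (AUSF, step 404) and verification hash (SEAF, step 408) use the same SHA-256 rule.
    return hashlib.sha256(nonce + res).digest()

def ausf_build_vector(home_key: bytes):
    # Step 404 / 506: NONCE, network hash, expected response, expected hash, new home and access keys.
    nonce = secrets.token_bytes(16)
    xres = kdf(home_key, b"res", nonce)
    new_home = kdf(home_key, b"home", nonce)
    av = {
        "nonce": nonce,
        "net_hash": kdf(home_key, b"net", nonce),
        "expected_hash": response_hash(nonce, xres),
        "new_access_key": kdf(new_home, b"access"),
    }
    ausf_state = {"xres": xres, "new_home": new_home}   # retained by the AUSF, not sent to the SEAF
    return av, ausf_state

def ue_authenticate(home_key: bytes, nonce: bytes, net_hash: bytes):
    # Step 407 / 509: verify the network hash first; only then derive RES and the new keys.
    if not hmac.compare_digest(net_hash, kdf(home_key, b"net", nonce)):
        return None                                      # network did not prove knowledge of our home key
    res = kdf(home_key, b"res", nonce)
    new_home = kdf(home_key, b"home", nonce)
    return res, kdf(new_home, b"access")

def seaf_check_response(av: dict, res: bytes) -> bool:
    # Step 408 / 510: SEAF cannot compute RES itself but can check it against the expected hash.
    return hmac.compare_digest(av["expected_hash"], response_hash(av["nonce"], res))

def ausf_confirm(ausf_state: dict, res: bytes) -> bool:
    # Step 410 / 512: AUSF compares RES with the expected response it retained.
    return hmac.compare_digest(ausf_state["xres"], res)

def run_fast_5g_aka(home_key: bytes, tamper: str = ""):
    """Full exchange; returns the access keys held by UE and SEAF, or None if any check fails."""
    av, ausf_state = ausf_build_vector(home_key)                    # steps 404/405 (5G-AIA)
    nonce_to_ue = bytes(16) if tamper == "nonce" else av["nonce"]   # step 406 (User Authentication Request)
    ue_result = ue_authenticate(home_key, nonce_to_ue, av["net_hash"])
    if ue_result is None:
        return None                                                  # UE rejects a modified NONCE
    res, ue_access_key = ue_result
    if tamper == "res":
        res = bytes(len(res))                                        # a forged User Authentication Response
    if not seaf_check_response(av, res):                             # step 408
        return None
    if not ausf_confirm(ausf_state, res):                            # steps 409/410 (5G-AC / 5G-ACA)
        return None
    return {"ue_access_key": ue_access_key, "seaf_access_key": av["new_access_key"]}  # step 411
```

Two properties follow directly from the structure the text describes: the UE only updates its home key after the network hash has proved that the peer holds the current home key, and a wrong RES is stopped at the SEAF by the expected hash before it ever reaches the AUSF, while the SEAF still learns nothing that would let it compute a valid RES on its own.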

本申请实施例还提供一种计算机可读存储介质,存储有计算机可执行指令,计算机可执行指令设置为执行上述任一项认证方法。The embodiment of the present application further provides a computer readable storage medium, where computer executable instructions are stored, and the computer executable instructions are set to execute any one of the foregoing authentication methods.

本申请实施例提供一种第一网元,如图6所示,该第一网元6包括第一接收模块601和第一处理模块602。The embodiment of the present application provides a first network element. As shown in FIG. 6, the first network element 6 includes a first receiving module 601 and a first processing module 602.

第一接收模块601,设置为接收来自SEAF网元且携带有第一指示信息和永久用户标识的认证请求;其中,第一指示信息用于标识与永久用户标识对应的UE具备执行快速认证的能力。The first receiving module 601 is configured to receive an authentication request from the SEAF network element and carrying the first indication information and the permanent user identifier, where the first indication information is used to identify that the UE corresponding to the permanent user identifier has the capability of performing fast authentication. .

第一处理模块602,设置为根据第一指示信息,与第二网元执行快速认证。The first processing module 602 is configured to perform fast authentication with the second network element according to the first indication information.

在一实施例中,第一网元为AUSF网元,且第二网元为UE;或者,第一网元为UE,且第二网元为AUSF网元。In an embodiment, the first network element is an AUSF network element, and the second network element is a UE; or the first network element is a UE, and the second network element is an AUSF network element.

在一实施例中,在第一网元为UE,且第二网元为AUSF网元的情况下,第一处理模块602设置为:向SEAF网元发送携带有第二指示信息的注册请求,其中,第二指示信息用于指示AUSF网元进行快速认证;接收AUSF网元通过SEAF网元发送的派生参数;其中,派生参数由AUSF网元生成。In an embodiment, when the first network element is the UE and the second network element is the AUSF network element, the first processing module 602 is configured to: send the registration request carrying the second indication information to the SEAF network element, The second indication information is used to indicate that the AUSF network element performs fast authentication, and receives the derived parameter sent by the AUSF network element through the SEAF network element. The derived parameter is generated by the AUSF network element.

在一实施例中,在第一网元为AUSF网元,且第二网元为UE的情况下,第一处理模块602设置为:通过SEAF网元向UE发送派生参数;其中,派生参数由AUSF网元生成。In an embodiment, in a case where the first network element is an AUSF network element, and the second network element is a UE, the first processing module 602 is configured to: send a derivative parameter to the UE by using the SEAF network element; wherein, the derived parameter is AUSF network element generation.

在一实施例中,第一指示信息还包括:第一网元能够使用的快速认证方法的信息。In an embodiment, the first indication information further includes: information about a fast authentication method that the first network element can use.

在一实施例中,第一处理模块602,还设置为根据第一指示信息确定发送派生参数的消息。In an embodiment, the first processing module 602 is further configured to determine, according to the first indication information, a message that sends the derived parameter.

在一实施例中,第一处理模块602,还设置为向SEAF网元发送网络哈希和期望哈希;其中,网络哈希至少基于派生参数和AUSF网元中存储的归属密钥生成;期望哈希至少基于派生参数和期望响应生成;期望响应至少基于派生参数和归属密钥生成。In an embodiment, the first processing module 602 is further configured to send a network hash and a desired hash to the SEAF network element; wherein the network hash is generated based at least on the derived parameter and the home key stored in the AUSF network element; The hash is generated based at least on the derived parameters and the expected response; the expected response is generated based at least on the derived parameters and the home key.

In an embodiment, the first processing module 602 is further configured to send second indication information to the UE through the SEAF network element, where the second indication information is used to instruct the UE to perform fast authentication.

With the first network element provided by this embodiment of the present application, the obtained first indication information establishes that the second network element is capable of performing fast authentication; therefore, when the first network element needs to fast-authenticate the second network element, it performs fast authentication with the second network element directly according to the first indication information, which ensures the flexibility of fast authentication.

In practical applications, the first receiving module 601 and the first processing module 602 may each be implemented by a central processing unit (CPU), a microprocessor unit (MPU), a digital signal processor (DSP), a field programmable gate array (FPGA) or the like located in the first network element.

An embodiment of the present application further provides a UE. As shown in FIG. 7, the UE 7 includes a second processing module 701, a second receiving module 702 and a sending module 703.

The second processing module 701 is configured to send a registration request carrying first indication information to the SEAF network element, or to receive a message carrying first indication information sent by the SEAF network element, where the first indication information is used to indicate that the UE is capable of performing fast authentication.

The second receiving module 702 is configured to receive a derived parameter from the SEAF network element and to send an authentication response to the SEAF network element, where the authentication response is generated based at least on the derived parameter and the stored home key.

In an embodiment, the first indication information further includes information about the fast authentication method(s) that the sender of the first indication information is able to use.

In an embodiment, the second receiving module 702 is further configured to receive second indication information from the SEAF network element, where the second indication information is used to instruct the UE to perform fast authentication.

In an embodiment, the second receiving module 702 is further configured to receive a network hash from the SEAF network element.

The second processing module 701 is configured to generate an expected network hash based at least on the derived parameter and the stored home key.

The UE further includes a sending module 703, configured to send the authentication response in response to determining that the expected network hash is identical to the received network hash.

With the UE provided by this embodiment of the present application, because the UE sends the SEAF network element a registration request carrying first indication information indicating that the UE is capable of performing fast authentication, the SEAF network element can forward the first indication information to the AUSF network element; when the AUSF network element needs to fast-authenticate the UE, it therefore sends the derived parameter directly to the UE through the SEAF network element to perform fast authentication, which ensures the timeliness and flexibility of fast authentication.

In practical applications, the second processing module 701, the second receiving module 702 and the sending module 703 may each be implemented by a CPU, an MPU, a DSP, an FPGA or the like located in the UE.

An embodiment of the present application further provides a first network element including a first memory and a first processor, where the first memory stores the following instructions executable by the first processor: receiving a request from the SEAF network element that carries first indication information, where the first indication information is used to indicate that a second network element is capable of performing fast authentication.

Performing fast authentication with the second network element according to the first indication information.

In an embodiment, the first network element is an authentication service function AUSF network element and the second network element is a user terminal UE; or the first network element is the UE and the second network element is the AUSF network element.

In an embodiment, where the first network element is the UE and the second network element is the AUSF network element, the first memory stores the following instructions executable by the first processor:

Sending a registration request carrying second indication information to the SEAF network element, where the second indication information is used to instruct the AUSF network element to perform fast authentication.

Receiving a derived parameter sent by the AUSF network element through the SEAF network element, where the derived parameter is generated by the AUSF network element.

In an embodiment, where the first network element is the AUSF network element and the second network element is the UE, the first memory stores the following instructions executable by the first processor:

Sending a derived parameter to the UE through the SEAF network element, where the derived parameter is generated by the AUSF network element.

In an embodiment, the first indication information further includes information about the fast authentication method(s) that the first network element is able to use.

In an embodiment, the first memory further stores the following instructions executable by the first processor: determining, according to the first indication information, the message in which the derived parameter is sent.

In an embodiment, the first memory further stores the following instructions executable by the first processor: sending a network hash and an expected hash to the SEAF network element, where the network hash is generated based at least on the derived parameter and the home key stored in the AUSF network element, the expected hash is generated based at least on the derived parameter and an expected response, and the expected response is generated based at least on the derived parameter and the home key.

In an embodiment, the first memory further stores the following instructions executable by the first processor: sending second indication information to the UE through the SEAF network element, where the second indication information is used to instruct the UE to perform fast authentication.

An embodiment of the present application further provides a UE including a second memory and a second processor, where the second memory stores the following instructions executable by the second processor: sending a registration request carrying first indication information to the SEAF network element, or receiving a message carrying first indication information sent by the SEAF network element, where the first indication information is used to indicate that the sender is capable of performing fast authentication.

Receiving a derived parameter from the SEAF network element and sending an authentication response to the SEAF network element, where the authentication response is generated based at least on the derived parameter and the stored home key.

In an embodiment, the first indication information further includes information about the fast authentication method(s) that the sender of the first indication information is able to use.

In an embodiment, the second memory further stores the following instructions executable by the second processor: receiving second indication information from the SEAF network element, where the second indication information is used to instruct the UE to perform fast authentication.

In an embodiment, the second memory further stores the following instructions executable by the second processor: receiving a network hash from the SEAF network element.

Generating an expected network hash based at least on the derived parameter and the stored home key.

Sending the authentication response in response to determining that the expected network hash is identical to the received network hash.
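The fast-authentication exchange described in the embodiments above, simulated end to end as an added example (this is not code from the patent or from ZTE): the UE registers with the first indication information, the AUSF generates the derived parameter, the expected response, the network hash and the expected hash and hands them with the second indication information through the SEAF, the UE verifies the network hash before answering, and the SEAF checks the authentication response against the expected hash. Assumptions the page does not fix: HMAC-SHA256 for the keyed derivations, SHA-256 for the unkeyed expected hash, a 16-byte random derived parameter, the constructed method name "hash-challenge", and the SEAF-side comparison of the hashed response with the expected hash.

```python
"""Simulation of the fast-authentication exchange (added example, not the
patent's code). Assumed primitives: HMAC-SHA256 for keyed derivations,
SHA-256 for the expected hash, a 16-byte nonce as the derived parameter, and
a SEAF that checks the UE's response by hashing it with the derived parameter
and comparing the result with the expected hash received from the AUSF."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed home key shared by the UE and the AUSF (never real key material).
HOME_KEY = b"\x11" * 32


def kdf(key: bytes, label: bytes, param: bytes) -> bytes:
    """Assumed derivation function: HMAC-SHA256 over a label and the parameter."""
    return hmac.new(key, label + param, hashlib.sha256).digest()


class AUSF:
    """Home-network authentication server holding the subscriber's home key."""

    SUPPORTED_METHODS = {"hash-challenge"}   # constructed method name

    def __init__(self, home_key: bytes) -> None:
        self.home_key = home_key

    def fast_auth_challenge(self, first_indication: dict) -> Optional[dict]:
        """Material handed to the SEAF, or None when fast authentication is not possible."""
        # The first indication says whether the UE is capable and which methods it
        # offers; without capability or a common method, fall back to full auth.
        if not first_indication.get("fast_auth_capable"):
            return None
        if not self.SUPPORTED_METHODS & set(first_indication.get("methods", [])):
            return None
        param = os.urandom(16)                              # derived parameter
        xres = kdf(self.home_key, b"RES", param)            # expected response
        network_hash = kdf(self.home_key, b"NET", param)    # proves home-key knowledge to the UE
        expected_hash = hashlib.sha256(param + xres).digest()  # lets SEAF check RES without the key
        return {"param": param, "network_hash": network_hash,
                "expected_hash": expected_hash, "second_indication": True}


class UE:
    """User equipment holding the same home key."""

    def __init__(self, home_key: bytes, fast_auth_capable: bool = True) -> None:
        self.home_key = home_key
        self.fast_auth_capable = fast_auth_capable

    def registration_request(self) -> dict:
        """Registration request carrying the first indication information."""
        return {"fast_auth_capable": self.fast_auth_capable,
                "methods": ["hash-challenge"] if self.fast_auth_capable else []}

    def authentication_response(self, param: bytes, network_hash: bytes,
                                second_indication: bool) -> Optional[bytes]:
        """Check the network hash first; answer only when it matches."""
        if not second_indication:
            return None
        expected_network_hash = kdf(self.home_key, b"NET", param)
        if not hmac.compare_digest(expected_network_hash, network_hash):
            return None   # the network could not prove it holds the home key
        return kdf(self.home_key, b"RES", param)


class SEAF:
    """Security anchor in the serving network; relays messages and checks the response."""

    def __init__(self, ausf: AUSF) -> None:
        self.ausf = ausf

    def register(self, ue: UE) -> str:
        request = ue.registration_request()               # carries the first indication
        challenge = self.ausf.fast_auth_challenge(request)
        if challenge is None:
            return "fallback-full-auth"
        res = ue.authentication_response(challenge["param"], challenge["network_hash"],
                                         challenge["second_indication"])
        if res is None:
            return "ue-rejected-network"
        # The SEAF never sees the home key; it only compares hashes.
        computed = hashlib.sha256(challenge["param"] + res).digest()
        return "authenticated" if hmac.compare_digest(computed, challenge["expected_hash"]) else "bad-response"


def run_fast_authentication(ue_key: bytes, ausf_key: bytes, capable: bool = True) -> str:
    """Drive one registration and return the SEAF's outcome."""
    return SEAF(AUSF(ausf_key)).register(UE(ue_key, capable))


if __name__ == "__main__":
    print(run_fast_authentication(HOME_KEY, HOME_KEY))                  # authenticated
    print(run_fast_authentication(HOME_KEY, b"\x22" * 32))              # ue-rejected-network
    print(run_fast_authentication(HOME_KEY, HOME_KEY, capable=False))   # fallback-full-auth
```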

Claims (24)

1. An authentication method, comprising: a first network element receiving a request from a security anchor function SEAF network element that carries first indication information, where the first indication information is used to indicate that a second network element is capable of performing fast authentication; and the first network element performing fast authentication with the second network element according to the first indication information.

2. The authentication method according to claim 1, wherein the first network element is an authentication service function AUSF network element and the second network element is a user terminal UE; or the first network element is the UE and the second network element is the AUSF network element.

3. The authentication method according to claim 2, wherein, where the first network element is the UE and the second network element is the AUSF network element, the first network element performing fast authentication with the second network element according to the first indication information comprises: the UE sending a registration request carrying second indication information to the SEAF network element, where the second indication information is used to instruct the AUSF network element to perform fast authentication; and the UE receiving a derived parameter sent by the AUSF network element through the SEAF network element, where the derived parameter is generated by the AUSF network element.

4. The authentication method according to claim 2, wherein, where the first network element is the AUSF network element and the second network element is the UE, the first network element performing fast authentication with the second network element according to the first indication information comprises: the AUSF network element sending a derived parameter to the UE through the SEAF network element, where the derived parameter is generated by the AUSF network element.

5. The authentication method according to claim 1, wherein the first indication information further includes information about the fast authentication method(s) that the first network element is able to use.

6. The authentication method according to claim 3 or 4, further comprising: the AUSF network element determining, according to the first indication information, the message in which the derived parameter is sent.

7. The authentication method according to claim 3 or 4, further comprising: the AUSF network element sending a network hash and an expected hash to the SEAF network element, where the network hash is generated based on the derived parameter and the home key stored in the AUSF network element, the expected hash is generated based on the derived parameter and an expected response, and the expected response is generated based on the derived parameter and the home key.

8. The authentication method according to claim 4, further comprising: the AUSF network element sending second indication information to the UE through the SEAF network element, where the second indication information is used to instruct the UE to perform fast authentication.

9. An authentication method, comprising: a user terminal UE sending a registration request carrying first indication information to a security anchor function SEAF network element, or the UE receiving a message carrying first indication information sent by the SEAF network element, where the first indication information is used to indicate that the sender is capable of performing fast authentication; and the UE receiving a derived parameter from the SEAF network element and sending an authentication response to the SEAF network element, where the authentication response is generated based on the derived parameter and a stored home key.

10. The authentication method according to claim 9, wherein the first indication information further includes information about the fast authentication method(s) that the sender of the first indication information is able to use.

11. The authentication method according to claim 9, further comprising, before the sending of the authentication response to the SEAF network element: the UE receiving second indication information from the SEAF network element, where the second indication information is used to instruct the UE to perform fast authentication.

12. The authentication method according to claim 11, further comprising: the UE receiving a network hash from the SEAF network element; the UE generating an expected network hash based on the derived parameter and the stored home key; and the UE sending the authentication response in response to determining that the expected network hash is identical to the received network hash.

13. A first network element, comprising: a receiving module, configured to receive an authentication request from a SEAF network element that carries first indication information and a permanent user identifier, where the first indication information is used to indicate that the UE corresponding to the permanent user identifier is capable of performing fast authentication; and a processing module, configured to perform fast authentication with a second network element according to the first indication information.

14. The first network element according to claim 13, wherein the first network element is an AUSF network element and the second network element is a UE; or the first network element is the UE and the second network element is the AUSF network element.

15. The first network element according to claim 14, wherein, where the first network element is the UE and the second network element is the AUSF network element, the processing module is configured to: send a registration request carrying second indication information to the SEAF network element, where the second indication information is used to instruct the AUSF network element to perform fast authentication; and receive a derived parameter sent by the AUSF network element through the SEAF network element, where the derived parameter is generated by the AUSF network element.

16. The first network element according to claim 14, wherein, where the first network element is the AUSF network element and the second network element is the UE, the processing module is configured to send a derived parameter to the UE through the SEAF network element, where the derived parameter is generated by the AUSF network element.

17. The first network element according to claim 13, wherein the first indication information further includes information about the fast authentication method(s) that the first network element is able to use.

18. The first network element according to claim 15 or 16, wherein the processing module is further configured to determine, according to the first indication information, the message in which the derived parameter is sent.

19. The first network element according to claim 15 or 16, wherein the processing module is further configured to send a network hash and an expected hash to the SEAF network element, where the network hash is generated based on the derived parameter and the home key stored in the AUSF network element, the expected hash is generated based on the derived parameter and an expected response, and the expected response is generated based on the derived parameter and the home key.

20. The first network element according to claim 16, wherein the processing module is further configured to send second indication information to the UE through the SEAF network element, where the second indication information is used to instruct the UE to perform fast authentication.

21. A user terminal UE, comprising: a processing module, configured to send a registration request carrying first indication information to a SEAF network element, or to receive a message carrying first indication information sent by the SEAF network element, where the first indication information is used to indicate that the UE is capable of performing fast authentication; and a receiving module, configured to receive a derived parameter from the SEAF network element and to send an authentication response to the SEAF network element, where the authentication response is generated based on the derived parameter and a stored home key.

22. The UE according to claim 21, wherein the first indication information further includes information about the fast authentication method(s) that the sender of the first indication information is able to use.

23. The UE according to claim 21, wherein the receiving module is further configured to receive second indication information from the SEAF network element, where the second indication information is used to instruct the UE to perform fast authentication.

24. The UE according to claim 23, wherein the receiving module is further configured to receive a network hash from the SEAF network element; the processing module is further configured to generate an expected network hash based on the derived parameter and the stored home key; and the UE further comprises a sending module, configured to send the authentication response in response to determining that the expected network hash is identical to the received network hash.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810301013.0 2018-04-04
CN201810301013.0A CN110366178A (en) 2018-04-04 2018-04-04 An authentication method and network element

Publications (1)

Publication Number Publication Date
WO2019192275A1 true WO2019192275A1 (en) 2019-10-10

Family

ID=68099771

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/076823 Ceased WO2019192275A1 (en) 2018-04-04 2019-03-04 Authentication method and network element

Country Status (2)

Country Link
CN (1) CN110366178A (en)
WO (1) WO2019192275A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110830985B (en) * 2019-11-11 2022-04-29 重庆邮电大学 A 5G lightweight terminal access authentication method based on trust mechanism

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107566115A (en) * 2016-07-01 2018-01-09 华为技术有限公司 Key configuration and security policy determination method and device
WO2018053271A1 (en) * 2016-09-16 2018-03-22 Idac Holdings, Inc. Unified authentication framework
US20180084427A1 (en) * 2016-09-16 2018-03-22 Zte Corporation Security features in next generation networks

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
3GPP: "3GPP. Technical Specification Group Services and System Aspects; Security Architecture and Procedures for 5G System (release 15)", 3GPP TS 33.501, vol. SA WG3, no. V1.0.0, 15 March 2018 (2018-03-15) - 31 March 2018 (2018-03-31), pages 1 - 128, XP051450455 *
ZTE: "Lightweight Secure Way for Protecting Anchor Key Transmitting-EAP-AKA", 3GPP TSG SA WG3 (SECURITY) MEETING #88, S3-171759, vol. SA WG3, 6 August 2017 (2017-08-06) - 11 August 2017 (2017-08-11), XP051310881 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112788598A (en) * 2019-11-01 2021-05-11 华为技术有限公司 Method and device for protecting parameters in authentication process
CN112788598B (en) * 2019-11-01 2022-11-11 华为技术有限公司 Method and device for protecting parameters in authentication process

Also Published As

Publication number Publication date
CN110366178A (en) 2019-10-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19780969

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 04/02/2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19780969

Country of ref document: EP

Kind code of ref document: A1